Firewall Policy Configuring firewall policies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 219
You can use the remaining firewall policy options (NAT, Protection Profile, Log
Allowed Traffic, Log Violation Traffic, Authentication, and Traffic shaping) to set
additional features. Log Violation Traffic can be applied to policies that deny
traffic. Differentiated services can be configured through CLI commands (see the
“firewall” chapter of the FortiGate CLI Reference).
Firewall policy options
Go to Firewall > Policy and select Create New to add a firewall policy. You can
configure the following firewall policy options:
Source
    Specify the origination characteristics of IP packets that will be subject to the policy.

    Interface/Zone
        Select the name of the FortiGate interface or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. See “Interface” on page 69 for information about interfaces. See “Zone” on page 87 for information about zones.
        If Action is set to IPSEC, the interface is associated with the local private network.
        If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.

    Address Name
        Select the name of a previously defined IP address to associate with the source interface or zone, or select Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance. See “Configuring addresses” on page 237.
        If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit.
        If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
        If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination
    Specify the destination characteristics of IP packets that will be subject to the policy.

    Interface/Zone
        Select the name of the FortiGate interface or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. See “Interface” on page 69 for information about interfaces. See “Zone” on page 87 for information about zones.
        If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel.
        If Action is set to SSL-VPN, the interface is associated with the local private network.

    Address Name
        Select the name of a previously defined IP address to associate with the destination interface or zone, or select Create New to define a new IP address. A packet must have the associated IP address in its header to be subject to the policy. Addresses can be created in advance. See “Configuring addresses” on page 237.
        If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
        If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
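The options described above map directly onto the FortiGate CLI. The following is an added example, not text or configuration from the Administration Guide: it expresses a Source/Destination interface and address pair, Action, NAT and the two logging options as CLI commands. The keyword names (srcintf, srcaddr, dstintf, dstaddr, action, schedule, service, nat, logtraffic) are assumed to match the “firewall” chapter of the FortiGate CLI Reference for this release and should be checked there; the interface, address and service names (internal, wan1, LAN_net, HTTP) are constructed for illustration. Lines beginning with # are reader annotations, not CLI syntax, and must be removed before the commands are entered.

```fortios
# Added example, not from the guide: an accept policy followed by an explicit
# deny policy for the same interface pair. Interface, address and service
# names are constructed; keyword names assumed to follow the CLI Reference.
config firewall policy
    # Policy 1: hosts on the internal interface may reach HTTP servers via wan1.
    # The source address is a previously defined address object (see
    # "Configuring addresses"); NAT hides internal addresses; every allowed
    # session is logged (Log Allowed Traffic).
    edit 1
        set srcintf "internal"     # Source Interface/Zone: packets received here
        set srcaddr "LAN_net"      # Source Address Name: must match the packet's source IP
        set dstintf "wan1"         # Destination Interface/Zone: packets forwarded here
        set dstaddr "all"          # Destination Address Name
        set action accept
        set schedule "always"
        set service "HTTP"         # only the service the policy is meant to permit
        set nat enable             # NAT option
        set logtraffic enable      # Log Allowed Traffic
    next
    # Policy 2: everything else between the same interfaces is denied, with
    # logging enabled so that blocked attempts appear in the traffic log
    # (Log Violation Traffic applies to policies that deny traffic).
    edit 2
        set srcintf "internal"
        set srcaddr "all"
        set dstintf "wan1"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable      # Log Violation Traffic on a deny policy
    next
end
```

Policies are matched top to bottom, so the narrow accept policy must sit above the broad deny policy; after entering the commands, `show firewall policy` displays the resulting order and settings. Protection Profile, Authentication and Traffic shaping each have their own keywords in the CLI Reference and are left out here so that the mapping of the Source, Destination, NAT and logging options stays clear.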