Fortinet Fortigate-5000 series User Manual

458 pages
Firewall Policy Configuring firewall policies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 221
Dynamic IP Pool
Select to translate the source address to an address randomly selected from an IP Pool. An IP Pool can be a single IP address or an IP address range. An IP pool list appears if IP Pool addresses have been added to the destination interface.
Select the name of an IP Pool added to the destination interface to cause the FortiGate unit to translate the source address to one of the addresses defined by this IP Pool.
Dynamic IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE.
You cannot use IP pools when using zones. An IP pool can only be associated with an interface.
For information about adding IP Pools, see “IP pools” on page 269.

Fixed Port
Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is changed. In most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If Dynamic IP pool is not selected, a policy with Fixed Port selected can only allow one connection at a time.

Protection Profile
Select a protection profile to configure how antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging are applied to a firewall policy. Protection profiles can be created in advance or during profile configuration. Profiles created at this point appear in the protection profile list. For information about adding and configuring Protection profiles, see “Firewall Protection Profile” on page 271.
For authentication in the advanced settings, the protection profile option is disabled because the user group chosen for authentication is already tied to a protection profile. For more information about adding authentication to firewall policies, see “Adding authentication to firewall policies” on page 222.

Log Allowed Traffic
Select Log Allowed Traffic, for Accept, IPSEC or SSL-VPN policies, to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about logging, see “Log&Report” on page 407.

Log Violation Traffic
Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. Enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower. For information about logging, see “Log&Report” on page 407.

Authentication
Add users and a firewall protection profile to a user group before selecting Authentication. For information about adding and configuring user groups, see “User group” on page 327. Authentication is available if Action is set to Accept or SSLVPN. For more information about adding authentication to firewall policies, see “Adding authentication to firewall policies” on page 222.

Check FortiClient is Installed and Running
On the FortiGate model 1000A, 3600A, and 5005FA2, firewall policies can deny access for hosts that do not have FortiClient Host Security software installed and operating. See “Options to check FortiClient on hosts” on page 227.
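
The option constraints above can be checked mechanically during a policy review. The following is an added example, not part of the FortiGate guide or any Fortinet tool: it lints a policy description against the rules on this page. The dictionary keys (dynamic_ip_pool, dst_is_zone, auth_group and so on), the finding codes and the sample data are all hypothetical and constructed for illustration.

```python
# Added example. Keys such as "dynamic_ip_pool" are hypothetical names for the
# options on this page, not FortiGate CLI or API fields.
NO_POOL_MODES = {"dhcp", "pppoe"}  # addressing modes that rule out Dynamic IP Pool

def lint_policy(policy, if_modes):
    """Return finding codes for one policy; if_modes maps interface -> addressing mode."""
    findings = []
    action = policy["action"]             # "accept", "deny", "ipsec" or "ssl-vpn"
    pool = policy.get("dynamic_ip_pool")  # pool name, or None when not selected

    # Dynamic IP Pool and Fixed Port rules.
    if pool and policy.get("dst_is_zone"):
        findings.append("ip-pool-with-zone")
    if pool and any(if_modes.get(i) in NO_POOL_MODES for i in policy["dst_interfaces"]):
        findings.append("ip-pool-on-dhcp-or-pppoe")
    if policy.get("fixed_port") and not pool:
        findings.append("fixed-port-without-pool")  # only one connection at a time

    # Log Allowed Traffic applies to Accept/IPSEC/SSL-VPN, Log Violation Traffic to Deny.
    if policy.get("log_allowed") and action == "deny":
        findings.append("log-allowed-on-deny")
    if policy.get("log_violation") and action != "deny":
        findings.append("log-violation-on-non-deny")
    if not (policy.get("log_allowed") or policy.get("log_violation")):
        findings.append("no-traffic-logging")  # reviewer preference, not a manual rule

    # Authentication needs Accept or SSL-VPN; the user group supplies the profile.
    if policy.get("auth_group"):
        if action not in ("accept", "ssl-vpn"):
            findings.append("authentication-needs-accept-or-ssl-vpn")
        if policy.get("protection_profile"):
            findings.append("profile-set-with-authentication")
    return findings

# Constructed sample data for the example.
IF_MODES = {"wan1": "pppoe", "dmz": "static"}
POLICIES = {
    "outbound": {"action": "accept", "dst_interfaces": ["wan1"],
                 "dynamic_ip_pool": "pool-a", "fixed_port": True, "log_allowed": True},
    "voip": {"action": "accept", "dst_interfaces": ["dmz"],
             "fixed_port": True, "log_allowed": True},
    "block": {"action": "deny", "dst_interfaces": ["dmz"], "log_allowed": True},
    "staff": {"action": "accept", "dst_interfaces": ["dmz"], "auth_group": "staff",
              "protection_profile": "strict", "log_allowed": True},
}

if __name__ == "__main__":
    for name, pol in POLICIES.items():
        print(name, lint_policy(pol, IF_MODES))
```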
