Fortinet Fortigate-5000 series User Manual

Firewall Policy Configuring firewall policies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 223
The Firewall authentication method includes locally defined user groups, as well
as LDAP and RADIUS users. Select Active Directory from the drop-down list to
choose Active Directory groups defined in User > User Group. Authentication
with Active Directory groups and other groups cannot be combined in the same
policy.
For users to authenticate using other services (for example POP3 or IMAP),
create a service group that includes the services for which to require
authentication, as well as HTTP, Telnet, and FTP. Users can then authenticate
with the policy using HTTP, Telnet, or FTP before using the other service.
In most cases, ensure users can use DNS through the firewall without
authentication. If DNS is not available, users cannot connect to a web, FTP, or
Telnet server using a domain name.
Adding traffic shaping to firewall policies
Traffic Shaping controls the bandwidth available to, and sets the priority of the
traffic processed by, the policy. Traffic Shaping makes it possible to control which
policies have the highest priority when large amounts of data are moving through
the FortiGate device. For example, the policy for the corporate web server might
be given higher priority than the policies for most employees’ computers. An
employee who needs unusually high-speed Internet access could have a special
outgoing policy set up with higher bandwidth.
Traffic shaping is available for Accept, IPSEC, and SSL-VPN policies. It is also
available for all supported services, including H.323, TCP, UDP, ICMP, and ESP.
Guaranteed and maximum bandwidth, in combination with queuing, ensure that
minimum and maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but it can
be used to improve the quality of bandwidth-intensive and sensitive traffic.
Guaranteed bandwidth and maximum bandwidth
When you enter a value in the Guaranteed Bandwidth field of a firewall policy you
guarantee the amount of bandwidth available for selected network traffic (in
Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth
to your e-commerce traffic.
When you enter a value in the Maximum Bandwidth field of a firewall policy you
limit the amount of bandwidth available for selected network traffic
(in Kbytes/sec). For example, you may want to limit the bandwidth of IM traffic
usage, so as to save some bandwidth for the more important e-commerce traffic.
Note: To allow the FortiGate unit to authenticate with an Active Directory server, the
Fortinet Server Authentication Extensions (FSAE) must be installed on the Active Directory
Domain Controller. FSAE is available from Fortinet Technical Support.
Note: Policies that require authentication must be added to the policy list above matching
policies that do not; otherwise, the policy that does not require authentication is selected
first.
Note: For more information about traffic shaping, see the FortiGate Traffic
Shaping Technical Note.
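
The authentication rules described above (authentication policies must sit above matching policies that do not require it, HTTP, Telnet, or FTP must be in the service group, and DNS should pass without authentication) can be checked against an exported policy list. The following is an added example, not code from the FortiGate guide or from Fortinet; the Policy model, the audit function, and the sample policies are constructed for illustration and assume first-match evaluation by name-based addresses.

```python
from dataclasses import dataclass

AUTH_CAPABLE = {"HTTP", "TELNET", "FTP"}  # services users can authenticate with

@dataclass(frozen=True)
class Policy:                 # constructed, simplified model; not a FortiGate format
    name: str
    src: str                  # source address name; "all" matches anything
    dst: str
    services: frozenset
    auth: bool = False

def covers(a, b):
    """True if address name a matches everything b matches (names only, no CIDR)."""
    return a == "all" or a == b

def audit(policies):
    """Return (policy_name, issue) pairs for an ordered, first-match policy list."""
    findings = []
    for i, p in enumerate(policies):
        if not p.auth:
            continue
        # Policy order: an earlier matching policy without authentication wins.
        for q in policies[:i]:
            overlap = p.services & q.services
            if not q.auth and covers(q.src, p.src) and covers(q.dst, p.dst) and overlap:
                findings.append((p.name, f"shadowed by {q.name} for {sorted(overlap)}"))
        # Other services (POP3, IMAP) need HTTP, Telnet, or FTP in the same group.
        if not p.services & AUTH_CAPABLE:
            findings.append((p.name, "no HTTP/TELNET/FTP service to authenticate with"))
        # The first policy matching DNS for this source must not require authentication.
        first_dns = next((q for q in policies if "DNS" in q.services
                          and covers(q.src, p.src) and covers(q.dst, p.dst)), None)
        if first_dns is None or first_dns.auth:
            findings.append((p.name, "DNS not reachable without authentication"))
    return findings

# Constructed sample policy list, in evaluation order (top of the list first).
SAMPLE = [
    Policy("allow-web", "lan", "all", frozenset({"HTTP", "HTTPS"})),
    Policy("mail-auth", "lan", "all", frozenset({"POP3", "IMAP"}), auth=True),
    Policy("staff-auth", "lan", "all", frozenset({"HTTP", "FTP", "POP3"}), auth=True),
    Policy("dns-open", "dmz", "all", frozenset({"DNS"})),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```

An empty result means none of the three conditions was detected in this simplified model; it does not replace reviewing the policy list on the device.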
