Configuring firewall policies Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
394 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Destination Interface/Zone
  Select the name of the FortiGate network interface, virtual domain (VDOM) link,
  or zone to which IP packets are forwarded. Interfaces and zones are configured
  on the System Network page. For more information, see “Configuring interfaces”
  on page 177 and “Configuring zones” on page 198.
  If you select Any as the destination interface, the policy matches all interfaces
  as destination.
  If Action is set to IPSEC, the interface is associated with the entrance to the
  VPN tunnel.
  If Action is set to SSL-VPN, the interface is associated with the local private
  network.

Destination Address
  Select the name of a firewall address to associate with the Destination
  Interface/Zone. Only packets whose header contains an IP address matching
  the selected firewall address will be subject to this policy.
  You can also create firewall addresses by selecting Create New from this list.
  For more information, see “Configuring addresses” on page 423.
  If you want to associate multiple firewall addresses or address groups with the
  Destination Interface/Zone, from Destination Address, select Multiple. In the
  dialog box, move the firewall addresses or address groups from the Available
  Addresses section to the Members section, then select OK.
  If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
  translation varies by the settings specified in the virtual IP and by whether you
  select NAT (below). For more information on using virtual IPs, see “Firewall
  Virtual IP” on page 447.
  If Action is set to IPSEC, the address is the private IP address to which packets
  may be delivered at the remote end of the VPN tunnel.
  If Action is set to SSL-VPN, select the name of the IP address that corresponds
  to the host, server, or network that remote clients need to access behind the
  FortiGate unit.

Schedule
  Select a one-time or recurring schedule, or a schedule group, that controls when
  the policy is in effect.
  You can also create schedules by selecting Create New from this list. For more
  information, see “Firewall Schedule” on page 437.

Service
  Select the name of a firewall service or service group that packets must match to
  trigger this policy.
  You can select from a wide range of predefined firewall services, or you can
  create a custom service or service group by selecting Create New from this list.
  For more information, see “Configuring custom services” on page 433 and
  “Configuring service groups” on page 435.
  By selecting the Multiple button beside Service, you can select multiple services
  or service groups.

Action
  Select how you want the firewall to respond when a packet matches the
  conditions of the policy. The options available will vary widely depending on this
  selection.

  ACCEPT
    Accept traffic matched by the policy. You can configure NAT and protection
    profiles, log traffic, shape traffic, set authentication options, or add a
    comment to the policy.

  DENY
    Reject traffic matched by the policy. The only other configurable policy options
    are Log Violation Traffic, to log the connections denied by this policy, and
    adding a Comment.

  IPSEC
    You can configure an IPSec firewall encryption policy to process IPSec VPN
    packets, as well as configure protection profiles, log traffic, shape traffic or
    add a comment to the policy. See “IPSec firewall policy options” on page 399.

  SSL-VPN
    You can configure an SSL-VPN firewall encryption policy to accept SSL VPN
    traffic. This option is available only after you have added an SSL-VPN user
    group. You can also configure NAT and protection profiles, log traffic, shape
    traffic or add a comment to the policy. See “Configuring SSL VPN
    identity-based firewall policies” on page 400.
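The following is an added example, not part of the FortiGate guide and not FortiOS code: a small Python model of how the Destination Interface/Zone, Destination Address, Schedule, Service and Action fields above are matched against a packet, useful for checking that a rule base does what you expect before deploying it. It assumes top-down, first-match evaluation with an implicit deny when nothing matches (FortiGate behaviour); the address, service and schedule encodings are constructed for the example and are not FortiOS syntax.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    srcintf: str            # interface/zone name, or "Any" to match every interface
    dstintf: str
    dstaddr: list           # CIDR strings; more than one = "Multiple" in the GUI
    service: dict           # {"tcp": {80, 443}}; empty dict means ALL services
    action: str             # "ACCEPT" or "DENY"
    days: set = field(default_factory=lambda: set(range(7)))  # recurring schedule
    hours: tuple = (0, 24)  # [start, end) hour of day the schedule is in effect
    log: bool = False       # Log Violation Traffic / log traffic

    def matches(self, pkt, when):
        # Interface/zone: "Any" matches every interface as source or destination
        if self.srcintf not in ("Any", pkt["in"]) or self.dstintf not in ("Any", pkt["out"]):
            return False
        # Destination Address: packet header IP must fall inside a member address
        if not any(ip_address(pkt["dst"]) in ip_network(n) for n in self.dstaddr):
            return False
        # Schedule: policy only takes effect on the configured days/hours
        if when.weekday() not in self.days or not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        # Service: protocol and destination port must be in the selected service(s)
        ports = self.service.get(pkt["proto"])
        return not self.service or (ports is not None and pkt["dport"] in ports)

def evaluate(policies, pkt, when):
    """Return (action, log flag, policy index) of the first matching policy;
    with no match the unit drops the packet (implicit deny, not logged)."""
    for i, p in enumerate(policies):
        if p.matches(pkt, when):
            return p.action, p.log, i
    return "DENY", False, None

# Constructed sample rule base: web access from internal during business hours,
# a logged DENY for the database port into the DMZ, then HTTPS to one DMZ host.
POLICIES = [
    Policy("internal", "wan1", ["0.0.0.0/0"], {"tcp": {80, 443}}, "ACCEPT",
           days=set(range(5)), hours=(8, 18)),
    Policy("Any", "dmz", ["10.0.1.0/24"], {"tcp": {3306}}, "DENY", log=True),
    Policy("wan1", "dmz", ["10.0.1.10/32"], {"tcp": {443}}, "ACCEPT"),
]

def decide(in_if, out_if, dst, proto, dport, when=datetime(2009, 9, 3, 10, 0)):
    """Evaluate one constructed packet against POLICIES (default: a Thursday, 10:00)."""
    pkt = {"in": in_if, "out": out_if, "dst": dst, "proto": proto, "dport": dport}
    return evaluate(POLICIES, pkt, when)
```

Because the DENY for port 3306 sits above the DMZ ACCEPT, a database connection from wan1 is rejected and logged, while the same packet on port 443 falls through to policy 2; outside business hours the internal web policy stops matching and the packet is dropped by the implicit deny.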