Firewall Policy: Configuring firewall policies
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 395
http://docs.fortinet.com/
NAT
  Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable
  Network Address Translation (NAT) of the source address and port of packets
  accepted by the policy. When NAT is enabled, you can also configure Dynamic
  IP Pool and Fixed Port.
  If you select a virtual IP as the Destination Address but do not select the NAT
  option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT.
  Source NAT (SNAT) is not performed.

Dynamic IP Pool
  Select the check box, then select an IP pool to translate the source address to
  an IP address randomly selected from the addresses in the IP pool.
  IP Pool cannot be selected if the destination interface, VLAN subinterface, or
  one of the interfaces or VLAN subinterfaces in the destination zone is configured
  using DHCP or PPPoE, or if you have selected a Destination Interface to which
  no IP pools are bound.
  You cannot use IP pools when using zones. An IP pool can only be associated
  with an interface.
  For details, see "IP pools" on page 463.

Fixed Port
  Select Fixed Port to prevent NAT from translating the source port.
  Some applications do not function correctly if the source port is translated. In
  most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If
  Dynamic IP Pool is not selected, a policy with Fixed Port selected can allow only
  one connection to that service at a time.
  Note: Fixed Port is only visible if enabled from the CLI.

Enable Identity Based Policy
  Select to configure firewall policies that require authentication. For more
  information, see "Adding authentication to firewall policies" on page 396.

User Authentication Disclaimer
  Available only on some models and only if Action is set to ACCEPT. Select this
  option to display the Authentication Disclaimer page (a replacement message)
  to the user. The user must accept the disclaimer to connect to the destination.
  You can use the disclaimer together with authentication or a protection profile.

Redirect URL
  Available only on some models and only if Action is set to ACCEPT. If you enter
  a URL, the user is redirected to the URL after authenticating and/or accepting
  the user authentication disclaimer.

Protection Profile
  Select a protection profile to apply to the firewall policy. You can also create a
  protection profile by selecting Create New from this list. For more information,
  see "Firewall Protection Profile" on page 479.
  If you intend to apply authentication to this policy, do not make a Protection
  Profile selection. The user group you choose for authentication is already linked
  to a protection profile. For more information, see "Adding authentication to
  firewall policies" on page 396.

Traffic Shaping
  Select a traffic shaper for the policy. You can also select to create a new traffic
  shaper. Traffic shaping controls the bandwidth available to, and sets the priority
  of, the traffic processed by the policy.
  For information about traffic shaping, see "Traffic Shaping" on page 441.
  Note: To ensure that traffic shaping is working at its best, make sure that the
  interface Ethernet statistics show no errors, collisions, or buffer overruns. If any
  of these problems do appear, the FortiGate and switch settings may require
  adjusting.
  Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0
  (zero), or the policy will not allow any traffic.

Guaranteed Bandwidth
  Select a value to ensure there is enough bandwidth available for a high-priority
  service. Be sure that the sum of all Guaranteed Bandwidth values in all firewall
  policies is significantly less than the bandwidth capacity of the interface.

Maximum Bandwidth
  Select a value to limit bandwidth in order to keep less important services from
  using bandwidth needed for more important ones.
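The constraints listed above (IP pool availability, Fixed Port without a pool, a shaper with both bandwidths at zero, and the sum of guaranteed bandwidth per interface) can be checked before a policy set is committed. The following is an added example, not Fortinet's code or anything from this guide; interface names, capacities, the sample policies and the 80% "significantly less" threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Policy:
    name: str
    dst_interface: str                    # destination interface or zone
    nat: bool = False
    dynamic_ip_pool: bool = False
    fixed_port: bool = False
    guaranteed_bw: Optional[int] = None   # kbps; None means no shaper
    maximum_bw: Optional[int] = None
# Constructed interface table (names and numbers are assumptions): address
# mode, IP pools bound to it, whether it is a zone, and capacity in kbps.
INTERFACES = {
    "wan1": {"mode": "static", "pools": ["pool1"], "zone": False, "capacity": 10000},
    "wan2": {"mode": "pppoe", "pools": [], "zone": False, "capacity": 10000},
    "dmz": {"mode": "static", "pools": [], "zone": True, "capacity": 100000},
}

def check_policy(p: Policy) -> List[str]:
    """Findings for one policy, following the rules stated in the guide."""
    findings = []
    iface = INTERFACES[p.dst_interface]
    if p.dynamic_ip_pool and iface["zone"]:
        findings.append("IP pools cannot be used with zones")
    elif p.dynamic_ip_pool and (iface["mode"] in ("dhcp", "pppoe") or not iface["pools"]):
        findings.append("no usable IP pool: destination uses DHCP/PPPoE or has none bound")
    if p.fixed_port and not p.dynamic_ip_pool:
        findings.append("Fixed Port without Dynamic IP Pool: one connection per service")
    if p.guaranteed_bw == 0 and p.maximum_bw == 0:
        findings.append("Guaranteed and Maximum Bandwidth both 0: no traffic allowed")
    return findings

def check_guaranteed_sum(policies: List[Policy], ratio: float = 0.8) -> List[str]:
    """Interfaces whose summed Guaranteed Bandwidth exceeds ratio*capacity (80% is an assumption)."""
    totals: Dict[str, int] = {}
    for p in policies:
        totals[p.dst_interface] = totals.get(p.dst_interface, 0) + (p.guaranteed_bw or 0)
    return [f"{i}: guaranteed {t} of {INTERFACES[i]['capacity']} kbps"
            for i, t in totals.items() if t > ratio * INTERFACES[i]["capacity"]]
# Constructed sample policies, one per rule plus a clean one.
SAMPLE = [
    Policy("clean", "wan1", nat=True, dynamic_ip_pool=True, fixed_port=True, guaranteed_bw=1000, maximum_bw=5000),
    Policy("pppoe-pool", "wan2", nat=True, dynamic_ip_pool=True),
    Policy("zone-pool", "dmz", nat=True, dynamic_ip_pool=True),
    Policy("fixedport-only", "wan1", nat=True, fixed_port=True),
    Policy("shaper-zero", "wan1", nat=True, guaranteed_bw=0, maximum_bw=0),
    Policy("greedy", "wan1", guaranteed_bw=8000, maximum_bw=9000),
]
```

Run `check_policy` over each entry of `SAMPLE` and `check_guaranteed_sum(SAMPLE)` to see one finding per deliberately misconfigured policy and the wan1 guaranteed-bandwidth total flagged.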