Fortinet Gate 60D - Configuring Firewall Policies

Fortinet Gate 60D
706 pages
Firewall Policy Configuring firewall policies
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424 323
http://docs.fortinet.com/Feedback
Configuring firewall policies
You can configure firewall policies to define which sessions will match the policy and what
actions the FortiGate unit will perform on packets from matching sessions.
Sessions are matched to a firewall policy by comparing these features of the packet with
the corresponding settings of the policy:
Source interface/zone
Source address
Destination interface/zone
Destination address
Schedule and the time at which the session was initiated
Service and the packet's protocol and port numbers.
If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
ACCEPT policy actions permit communication sessions, and may optionally include
other packet processing instructions, such as requiring authentication to use the policy,
or specifying a protection profile to apply features such as virus scanning to packets in
the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if
either the selected source or destination interface is an IPSec virtual interface. For
more information, see “Overview of IPSec VPN configuration” on page 531.
DENY policy actions block communication sessions, and may optionally log the denied
traffic.
IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN
tunnel, respectively, and may optionally apply NAT and allow traffic for one or both
directions. If permitted by the firewall encryption policy, a tunnel may be initiated
automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network. For more information, see “IPSec
firewall policy options” on page 330 and “Configuring SSL VPN identity-based firewall
policies” on page 331.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy
or select the edit icon beside an existing firewall policy. Configure the settings as
described in the following table and in the references to specific features for IPSec, SSL
VPN and other specialized settings, and then select OK.
If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the
settings according to the following table. For more information, see “DoS policies” on
page 337.
If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin
> Settings. Select “IPv6 Support on GUI”. Then go to Firewall > Policy > IPv6 Policy, and
configure the settings according to the following table.
Firewall policy order affects policy matching. The FortiGate unit checks the policy list from
the top down and applies the first policy that matches the session, so a broad policy placed
above a more specific one prevents the specific policy from ever being reached, and a session
that matches no policy is dropped by the implicit deny at the end of the list. Each time that
you create or edit a policy, make sure that you position it in the correct location in the
list. You can create a new policy and position it directly before an existing one in the
firewall policy list by selecting Insert Policy before (see "Viewing the firewall policy list"
on page 321).
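The following is an added example, not code from the FortiGate guide or from Fortinet: a small Python model of the top-down, first-match evaluation described above. It parses a constructed FortiOS-style "config firewall policy" block (policies 1 to 3, with the address objects "internal_net" and "admin_host", the services SSH, HTTP and HTTPS, and a "business_hours" schedule all assumed for the demo) and evaluates the first packet of a constructed session against the six criteria the guide lists. The demo then reorders the list so that the broad DENY for the internal network sits above the specific ACCEPT for the admin host and shows that the same admin SSH session is now denied; a session that matches nothing falls through to the implicit deny, labelled here as policy id 0.

```python
"""Added example, not from the FortiGate guide: parse a FortiOS-style 'config firewall
policy' block and evaluate sessions against it top-down, first match wins."""
import ipaddress
from collections import namedtuple

# Constructed address objects (the built-in "all" is the catch-all).
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "internal_net": ipaddress.ip_network("192.168.1.0/24"),
    "admin_host": ipaddress.ip_network("192.168.1.10/32"),
}
# Constructed services: name -> set of (protocol, port); None means any traffic.
SERVICES = {"ANY": None, "SSH": {("tcp", 22)},
            "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}}
# Constructed schedules as the hours (0-23) during which a policy is active.
SCHEDULES = {"always": range(24), "business_hours": range(8, 18)}

# Constructed sample configuration; listed order is evaluation order.
SAMPLE_CONFIG = """config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "admin_host"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SSH"
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal_net"
        set dstaddr "all"
        set action accept
        set schedule "business_hours"
        set service "HTTP" "HTTPS"
    next
end"""

# The first packet of a session, reduced to the fields the guide lists as match criteria.
Session = namedtuple("Session", "srcintf dstintf src_ip dst_ip proto dport hour")

def parse_policies(cli_text):
    """Minimal edit/set/next parser; a 'set' with several quoted values becomes a list."""
    policies, current = [], None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"policyid": int(line.split()[1])}
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.replace('"', "").split()
            current[key] = values if key in ("srcaddr", "dstaddr", "service") else values[0]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def matches(p, s):
    """All six criteria from the guide must hold for the session's first packet."""
    src_ok = any(ipaddress.ip_address(s.src_ip) in ADDRESSES[n] for n in p["srcaddr"])
    dst_ok = any(ipaddress.ip_address(s.dst_ip) in ADDRESSES[n] for n in p["dstaddr"])
    svc_ok = any(SERVICES[n] is None or (s.proto, s.dport) in SERVICES[n] for n in p["service"])
    return (p["srcintf"] == s.srcintf and p["dstintf"] == s.dstintf and src_ok and dst_ok
            and svc_ok and s.hour in SCHEDULES[p["schedule"]])

def evaluate(policies, session):
    """Top-down, first match wins; no match falls through to the implicit deny (id 0 here)."""
    for p in policies:
        if matches(p, session):
            return p["action"], p["policyid"]
    return "deny", 0

def reorder(policies, id_order):
    """Emulate reordering the policy list (the CLI 'move' command) by policy id."""
    by_id = {p["policyid"]: p for p in policies}
    return [by_id[i] for i in id_order]

def demo():
    """Same sessions, two list orders: moving the broad DENY above the specific ACCEPT flips the verdict."""
    policies = parse_policies(SAMPLE_CONFIG)
    admin_ssh = Session("internal", "wan1", "192.168.1.10", "203.0.113.7", "tcp", 22, 10)
    user_ssh = Session("internal", "wan1", "192.168.1.50", "203.0.113.7", "tcp", 22, 10)
    night_web = Session("internal", "wan1", "192.168.1.50", "203.0.113.7", "tcp", 443, 22)
    return {
        "admin_ssh": evaluate(policies, admin_ssh),                                  # ('accept', 1)
        "admin_ssh_misordered": evaluate(reorder(policies, [2, 1, 3]), admin_ssh),  # ('deny', 2)
        "user_ssh": evaluate(policies, user_ssh),                                    # ('deny', 2)
        "night_web": evaluate(policies, night_web),                                  # ('deny', 0)
    }
```

Run demo() to see the four verdicts. The model deliberately evaluates policies in the order they appear in the configuration, which is what the FortiGate unit does; policy ID numbers are not the evaluation order, which is why the guide tells you to check the position of every policy you create or edit rather than rely on its ID.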
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the “firewall” chapter of the FortiGate CLI Reference.