Configuring firewall policies Firewall Policy
FortiGate Version 4.0 Administration Guide
326 01-400-89802-20090424
http://docs.fortinet.com/
NAT
Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) only, rather than full NAT. Source NAT (SNAT) is not performed.
Dynamic IP Pool
Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from the addresses in the IP pool.
IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP pools are bound.
You cannot use IP pools when using zones. An IP pool can only be associated with an interface.
For details, see "IP pools" on page 381.
Fixed Port
Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If Dynamic IP Pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.
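The NAT, Dynamic IP Pool and Fixed Port options above correspond to per-policy settings in the FortiOS CLI. The following is an added example, not configuration taken from the guide: the interface names, pool name and addresses (192.0.2.x, 10.0.0.0/24) are constructed, and the keyword names follow the FortiOS 4.0 CLI as this editor recalls them, so confirm them against the CLI Reference for the build in use before pasting.

```text
# Added example, not from the guide. Constructed values: wan1, internal,
# 192.0.2.10-192.0.2.20. Keyword names per FortiOS 4.0 CLI; verify for your build.

# An IP pool is bound to one interface (the guide: pools cannot be used with
# zones, and the interface must not get its address via DHCP or PPPoE).
config firewall ippool
    edit "wan1-snat-pool"
        set interface "wan1"
        set startip 192.0.2.10
        set endip 192.0.2.20
    next
end

config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        # NAT must be enabled before ippool and fixedport take effect.
        set nat enable
        # Dynamic IP Pool: the translated source address is drawn from the pool
        # instead of being the wan1 interface address.
        set ippool enable
        set poolname "wan1-snat-pool"
        # Fixed Port: keep the client's source port (IKE on UDP 500 is the usual
        # case). Each translated (address, port) pair must be unique per
        # destination, so a pool gives one concurrent session per pool address;
        # with "set ippool disable" the guide warns only one is possible.
        set fixedport enable
    next
end
```

If the policy's destination is a virtual IP and `set nat enable` is omitted, only the destination address is rewritten (DNAT), as the NAT row above states; the pool and fixed-port settings then do nothing.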
Enable Identity Based Policy
Select to configure firewall policies that require authentication. For more information, see "Adding authentication to firewall policies" on page 327.
Enable Endpoint Compliance Check
Firewall policies can deny access for hosts that do not have FortiClient Endpoint Security software installed and operating. For more information, see "Endpoint Compliance Check options" on page 336.
You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
User Authentication Disclaimer
Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile.
Redirect URL
Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.
Protection Profile
Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see "Firewall Protection Profile" on page 397.
If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see "Adding authentication to firewall policies" on page 327.
Traffic Shaping
Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
For information about traffic shaping, see "Traffic Shaping" on page 423.
Note: To ensure that traffic shaping is working at its best, make sure that the interface Ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting.
Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.
Guaranteed Bandwidth
Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth values in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth
Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
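The Identity Based Policy, User Authentication Disclaimer, Redirect URL and Traffic Shaping options above combine into one policy as shown below. This is an added example, not configuration from the guide: the user group "staff", the shaper name and bandwidth values, the redirect URL and interface names are constructed, and the keyword names follow the FortiOS 4.0 CLI as this editor recalls them. In particular, whether `set traffic-shaper` belongs on the policy or inside the `identity-based-policy` entry varies by 4.0 maintenance release, so check the CLI Reference for the build in use.

```text
# Added example, not from the guide. Constructed values: group "staff",
# shaper "staff-web", URL, interface names. Keyword names per FortiOS 4.0 CLI;
# verify for your build.

# Shaper object: guaranteed 2 Mbit/s, capped at 10 Mbit/s (values are kbit/s).
# Do not leave both values at 0: the guide notes such a policy passes no traffic.
# Keep the sum of guaranteed-bandwidth across all policies well below the
# capacity of the egress interface.
config firewall shaper traffic-shaper
    edit "staff-web"
        set guaranteed-bandwidth 2000
        set maximum-bandwidth 10000
        set priority high
    next
end

config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
        # Identity Based Policy: schedule, service and groups live in the
        # sub-policy. No protection profile is set here because the guide says
        # the user group already carries one.
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "staff"
                set schedule "always"
                set service "HTTP" "HTTPS"
            next
        end
        # User Authentication Disclaimer: the user must accept the replacement
        # message before the session is allowed through.
        set disclaimer enable
        # Redirect URL: where the browser lands after authenticating and/or
        # accepting the disclaimer.
        set redirect-url "http://intranet.example.com/welcome"
        # Traffic Shaping: apply the shaper defined above. (Assumption: on some
        # 4.0 builds this line goes inside the identity-based-policy entry.)
        set traffic-shaper "staff-web"
    next
end
```

A quick sanity check after committing: `show firewall policy 20` should echo `set identity-based enable` with the sub-policy, and `diagnose firewall shaper traffic-shaper list` should show "staff-web" with the configured guaranteed and maximum values; the exact diagnose command name is also a 4.0-era recollection to be confirmed on the device.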