Firewall Policy Configuring firewall policies
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424 333
http://docs.fortinet.com/
To create an identity based firewall policy, select the Enable Identity Based Policy check
box. A table opens below the check box. Select Add. The New Authentication Rule dialog
opens (see Figure 197).
Destination Address
  Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347.
  If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
  If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 365.
  If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
  If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Action
  Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.
SSL Client Certificate Restrictive
  Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.
Cipher Strength
  Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.
User Authentication Method
  Select the authentication server type by which the user will be authenticated:
  Any: Allow any of the authentication methods listed below. Local is attempted first, then RADIUS, then LDAP.
  Local: For a local user group that will be bound to this firewall policy.
  RADIUS: For remote clients that will be authenticated by an external RADIUS server.
  LDAP: For remote clients that will be authenticated by an external LDAP server.
  TACACS+: For remote clients that will be authenticated by an external TACACS+ server.
NAT
  Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port.
  If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
Fixed Port
  Select Fixed Port to prevent NAT from translating the source port.
Enable Identity Based Policy
  Select to configure an SSL-VPN firewall policy that requires authentication.
Add
  Select to configure the valid authentication methods, user group names, and services. For more information, see “User Group” on page 583.
Comments
  Add information about the policy. The maximum length is 63 characters.
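The following is an added illustration, not code from the FortiGate guide or from FortiOS: a small model of how the Destination Address, NAT and Fixed Port settings above decide which translation is applied to a matching packet (DNAT only for a virtual IP with NAT unchecked, full NAT with NAT checked, and source port preserved with Fixed Port). The interface and VIP addresses, the sample packet and the source-port allocation are constructed assumptions.

```python
# Added example (not from the FortiGate guide): a minimal model of the
# translation decisions described for Destination Address, NAT and Fixed Port.
# Addresses, VIP values and the port-allocation scheme are constructed.
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class VirtualIP:
    """A static virtual IP: external address mapped to an internal host."""
    extip: str
    mappedip: str

@dataclass
class Policy:
    dstaddr: object              # ip_network (firewall address) or VirtualIP
    nat: bool = False            # the policy's NAT check box
    fixedport: bool = False      # the policy's Fixed Port check box
    egress_ip: str = "10.0.0.1"  # assumed egress interface address used for SNAT

def matches(policy, pkt):
    """The policy applies only if the destination matches the firewall
    address, or the external address of the virtual IP."""
    if isinstance(policy.dstaddr, VirtualIP):
        return pkt.dst_ip == policy.dstaddr.extip
    return ipaddress.ip_address(pkt.dst_ip) in policy.dstaddr

def apply_policy(policy, pkt, new_src_port=40000):
    """Return the translated packet, or None if the policy does not match."""
    if not matches(policy, pkt):
        return None
    if isinstance(policy.dstaddr, VirtualIP):
        # A virtual IP destination always gets DNAT, even with NAT unchecked.
        pkt = replace(pkt, dst_ip=policy.dstaddr.mappedip)
    if policy.nat:
        # NAT checked: SNAT the source address; Fixed Port keeps the source port.
        port = pkt.src_port if policy.fixedport else new_src_port
        pkt = replace(pkt, src_ip=policy.egress_ip, src_port=port)
    return pkt

LAN = ipaddress.ip_network("192.168.1.0/24")                      # constructed
VIP = VirtualIP(extip="203.0.113.10", mappedip="192.168.1.20")   # constructed
INBOUND = Packet("198.51.100.7", 51515, "203.0.113.10", 443)      # constructed

if __name__ == "__main__":
    for nat, fixed in ((False, False), (True, False), (True, True)):
        print("NAT=%s FixedPort=%s ->" % (nat, fixed), apply_policy(Policy(VIP, nat, fixed), INBOUND))
```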