Firewall Policy
Configuring firewall policies
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
325
Destination Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see “Configuring zones” on page 138.
If you select Any as the destination interface, the policy matches all interfaces as destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address
Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 347.
If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see .
If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.
Schedule
Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 361.

Service
Select the name of a firewall service or service group that packets must match to trigger this policy.
You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see “Configuring custom services” on page 357 and “Configuring service groups” on page 359.
By selecting the Multiple button beside Service, you can select multiple services or service groups.
Action
Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.

ACCEPT
Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.

DENY
Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic, to log the connections denied by this policy, and adding a Comment.

IPSEC
You can configure an IPSec firewall encryption policy to process IPSec VPN packets, as well as configure protection profiles, log traffic, shape traffic or add a comment to the policy. See “IPSec firewall policy options” on page 330.

SSL-VPN
You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See “Configuring SSL VPN identity-based firewall .
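The matching semantics of the fields described above (interface, address, service, schedule, then the Action of the first matching policy), as an added Python example that is not from the FortiGate guide. The interface, address, service and policy names are constructed sample data; the example assumes the usual top-down first-match order and that traffic matching no policy is dropped by an implicit deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed sample firewall address objects (name -> member subnets) and
# services (name -> set of (protocol, destination port)).
ADDRESSES = {"all": [ip_network("0.0.0.0/0")],
             "internal_net": [ip_network("192.168.1.0/24")],
             "web_server": [ip_network("10.10.1.5/32")]}
SERVICES = {"HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}, "DNS": {("udp", 53)}}

@dataclass
class Policy:
    srcintf: str
    dstintf: str                     # "Any" matches every destination interface
    srcaddr: list                    # several names act as the union of members
    dstaddr: list
    service: list
    action: str                      # "ACCEPT" or "DENY"
    schedule_hours: tuple = (0, 24)  # recurring schedule as [start, end) hour

def in_addresses(ip, names):
    addr = ip_address(ip)
    return any(addr in net for name in names for net in ADDRESSES[name])

def matches(policy, pkt, hour):
    """True only if the packet satisfies every field of the policy."""
    if policy.srcintf not in ("Any", pkt["srcintf"]) or \
       policy.dstintf not in ("Any", pkt["dstintf"]):
        return False
    if not (in_addresses(pkt["src"], policy.srcaddr)
            and in_addresses(pkt["dst"], policy.dstaddr)):
        return False
    if not any((pkt["proto"], pkt["dport"]) in SERVICES[s] for s in policy.service):
        return False
    start, end = policy.schedule_hours
    return start <= hour < end

def evaluate(policies, pkt, hour):
    """Top-down, first match decides; no match means implicit deny (assumed)."""
    for policy in policies:
        if matches(policy, pkt, hour):
            return policy.action
    return "DENY (implicit)"

# Constructed policies: DMZ web in business hours, DNS out anywhere, deny HTTP to wan1.
POLICIES = [
    Policy("internal", "dmz", ["internal_net"], ["web_server"], ["HTTP", "HTTPS"],
           "ACCEPT", schedule_hours=(8, 18)),
    Policy("internal", "Any", ["internal_net"], ["all"], ["DNS"], "ACCEPT"),
    Policy("internal", "wan1", ["all"], ["all"], ["HTTP"], "DENY"),
]
```

Because the second policy uses Any as its destination interface, it matches DNS to every interface, including the DMZ; a policy placed above it with a narrower interface would be needed to restrict that.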