Firewall
Policy options
FortiGate-100A Administration Guide
01-28007-0068-20041203
193
Action
Select how you want the firewall to respond when the policy matches a connection attempt.
• ACCEPT: Select accept to accept connections matched by the policy. You can also configure NAT and Authentication for the policy.
• DENY: Select deny to reject connections matched by the policy. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.
• ENCRYPT: Select encrypt to make this policy an IPSec VPN policy. When encrypt is selected the VPN Tunnel Options appear. You can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy.
VPN Tunnel
Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel.
• Allow Inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
• Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
• Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
• Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address.
NAT
Select NAT to enable Network Address Translation for the policy. NAT translates the source address and port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
• Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from the IP pool. An IP pool dropdown list appears when the policy destination interface is the same as the IP pool interface. You cannot select Dynamic IP Pool if the destination interface or VLAN subinterface is configured using DHCP or PPPoE. See “IP pool” on page 219.
• Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
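The following is an added toy model (not FortiOS code) of the source-NAT behaviour the NAT and Fixed Port options describe, showing why Fixed Port without a Dynamic IP Pool admits only one connection at a time per port: every translated connection needs an unused (address, port) pair, and keeping the source port leaves the external address as the only variable. The external address, the pool addresses and the first-free allocation (instead of the random pool selection the guide mentions) are assumptions of this example.

```python
"""Simplified model of FortiGate policy source NAT: NAT rewrites the source
address (and normally the source port); Fixed Port keeps the source port;
Dynamic IP Pool draws the translated source address from a pool.
Constructed example; the allocation rule is an assumed simplification."""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.1"           # assumed FortiGate external address
EPHEMERAL_PORTS = range(1024, 65536)  # ports NAT may choose when allowed to translate


@dataclass
class SourceNat:
    fixed_port: bool = False
    ip_pool: tuple = ()               # empty = Dynamic IP Pool not selected
    # translated (ip, port) pairs currently in use, keyed by destination
    in_use: dict = field(default_factory=dict)

    def translate(self, src_ip, src_port, dst):
        """Return the translated (ip, port) for a new connection to dst,
        or None when every candidate pair is already taken."""
        used = self.in_use.setdefault(dst, set())
        # Without a pool, the only translated source address is the external IP.
        candidate_ips = self.ip_pool if self.ip_pool else (EXTERNAL_IP,)
        # Fixed Port pins the source port; otherwise NAT may pick any free port.
        candidate_ports = (src_port,) if self.fixed_port else EPHEMERAL_PORTS
        for ip in candidate_ips:          # first-free allocation (simplification)
            for port in candidate_ports:
                if (ip, port) not in used:
                    used.add((ip, port))
                    return ip, port
        return None

    def release(self, dst, translated):
        """Free a translation when the connection closes."""
        self.in_use[dst].discard(translated)


def admitted_connections(nat, clients, src_port, dst):
    """Count how many clients, all using the same source port to the same
    destination, obtain a translation under this NAT configuration."""
    return sum(nat.translate(c, src_port, dst) is not None for c in clients)


if __name__ == "__main__":
    clients = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed internal hosts
    dst = ("198.51.100.7", 5060)                       # constructed server, fixed-port app
    print(admitted_connections(SourceNat(), clients, 5060, dst))                  # 3
    print(admitted_connections(SourceNat(fixed_port=True), clients, 5060, dst))   # 1
    pool = ("203.0.113.10", "203.0.113.11")            # assumed two-address IP pool
    print(admitted_connections(SourceNat(True, pool), clients, 5060, dst))        # 2
```

With plain NAT all three hosts connect; with Fixed Port alone only the first does, and a two-address pool raises the limit to one connection per pool address.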
Protection Profile
Select a protection profile to configure how antivirus and IPS protection, web, web content, and spam filtering are applied to the policy. See “Protection profile” on page 222. If you are configuring authentication in the advanced settings, you do not need to choose a protection profile, since the user group chosen for authentication is already tied to protection profiles.
Log Traffic
Select Log Traffic to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiLog) and set the logging severity level to Notification or lower. For information about logging see “Log & Report” on page 339.
Advanced
Select advanced to show more options.