Firewall Policy
Configuring firewall policies
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
333
•
To create an identity based firewall policy, select the
Enable Identity Based Policy
check
box. A table opens below the check box. Select
Add
. The
New Authentication Rule
dialog
opens (see
Figure 197
).
Destination Address
Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting
Create New
from
this list. For more information, see
If you want to associate multiple firewall addresses or address groups
with the Destination Interface/Zone, from Destination Address, select
Multiple
. In the dialog box, move the firewall addresses or address
groups from the
Available Addresses
section to the
Members
section,
then select
OK
.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The
applied translation varies by the settings specified in the virtual IP, and
whether you select NAT (below). For more information on using virtual
IPs, see
“Firewall Virtual IP” on page 365
If
Action
is set to
IPSEC
, the address is the private IP address to
which packets may be delivered at the remote end of the VPN tunnel.
If
Action
is set to
SSL-VPN
, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Action
Select SSL-VPN to configure the firewall encryption policy to accept
SSL VPN traffic. This option is available only after you have added a
SSL-VPN user group.
SSL Client Certificate
Restrictive
Allow traffic generated by holders of a (shared) group certificate. The
holders of the group certificate must be members of an SSL VPN user
group, and the name of that user group must be present in the
Allowed field.
Cipher Strength
Select the bit level of SSL encryption. The web browser on the remote
client must be capable of matching the level that you select: Any,
High >= 164, or Medium >= 128.
User Authentication
Method
Select the authentication server type by which the user will be
authenticated:
Any
For all of the above authentication methods. Local is attempted first,
then RADIUS, then LDAP.
Local
For a local user group that will be bound to this firewall policy.
RADIUS
For remote clients that will be authenticated by an external RADIUS
server.
LDAP
For remote clients that will be authenticated by an external LDAP
server.
For remote clients that will be authenticated by an external
server.
NAT
Enable or disable Network Address Translation (NAT) of the source
address and port of packets accepted by the policy. When
NAT
is
enabled, you can also configure
Dynamic IP Pool
and
Fixed Port
.
If you select a virtual IP as the
Destination Address
, but do not select
the
NAT
option, the FortiGate unit performs destination NAT (DNAT)
rather than full NAT. Source NAT (SNAT) is not performed.
Fixed Port
Select
Fixed Port
to prevent NAT from translating the source port.
Enable Identity Based
Policy
Select to configure a SSL-VPN firewall policy that requires
authentication.
Add
Select to configure the valid authentication methods, user group
names, and services. For more information, see
Comments
Add information about the policy. The maximum length is 63
characters.
Содержание Gate 60D
Страница 678: ...Reports Log Report FortiGate Version 4 0 Administration Guide 678 01 400 89802 20090424 http docs fortinet com Feedback...
Страница 704: ...Index FortiGate Version 4 0 Administration Guide 704 01 400 89802 20090424 http docs fortinet com Feedback...
Страница 705: ...www fortinet com...
Страница 706: ...www fortinet com...