Fortinet 800/800F manual Firewall policies

Firewall policies

Advanced configuration

Web: Apply virus scanning and web content blocking to HTTP traffic.

Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

The best way to begin creating your own protection profile is to open a predefined profile. This way you can see how a profile is set up, and then modify it to suit your requirements. You access protection profile options by going to Firewall > Protection Profile and selecting Edit for one of the predefined profiles.

Protection profiles are used by firewall policies to determine how network and Internet traffic is controlled, scanned and, when necessary, rejected. The protection profile can be considered the rule set of the firewall policy. Because of this, you should take some time to review the various options and decide what you want the firewall policies to do. If, after setting the protection profile and firewall policies, traffic that should pass is blocked or traffic that should be blocked is allowed, verify your profile settings.

The protection profile has too many options and settings to cover in this document. For details on each protection profile feature and setting, see the FortiGate Administration Guide or the FortiGate Online Help.

Firewall policies

Firewall policies are instructions the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request, it analyzes it to extract its source address, destination address, and port number.

For the connection through the FortiGate unit to be successful, the source address, destination address, and service of the connection must match a firewall policy. The policy directs the firewall action for the connection. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN connection.

You can configure each firewall policy to route connections or to apply network address translation (NAT), translating source and destination IP addresses and ports. You also add a protection profile to each firewall policy to apply protection settings to the traffic that policy controls.

The FortiGate unit matches firewall policies by searching from the top of the firewall policy list and moving down until it finds the first match. It then performs the address translation, blocking and other processing described by that policy and its protection profile, and passes the packet on. This is important, because once the FortiGate unit finds a matching policy it does not continue down the list. You need to arrange policies in the policy list from more specific to more general.

For example, suppose you have two policies: one that blocks specific URLs or IP addresses, and a general policy that lets traffic through. If you put the general policy at the top, the FortiGate unit acts on the general policy, treats the connection as matched, and potentially lets through the URLs or IPs you wanted blocked.
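The first-match walk and the ordering problem described above, as an added illustration that is not part of the install guide: a small Python model of a policy list (the address/service fields and the policy names are constructed for the example and are not FortiGate syntax), with a check that flags policies shadowed by a broader policy above them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One row of the firewall policy list (constructed example fields)."""
    name: str
    src: str        # CIDR, or "all"
    dst: str        # CIDR, or "all"
    service: str    # e.g. "HTTP", or "ANY"
    action: str     # "accept" or "deny"


def _addr_match(field: str, value: str) -> bool:
    # "all" matches any address; otherwise test CIDR containment.
    return field == "all" or ipaddress.ip_address(value) in ipaddress.ip_network(field)


def lookup(policies, src, dst, service):
    """Walk the list top-down and return (policy name, action) of the first match.
    With no matching policy nothing flows, so the default is (None, 'deny')."""
    for p in policies:
        if (_addr_match(p.src, src) and _addr_match(p.dst, dst)
                and p.service in ("ANY", service)):
            return p.name, p.action
    return None, "deny"


def _covers(a: Policy, b: Policy) -> bool:
    """True when every connection b could match is already matched by a."""
    def addr_covers(x, y):
        if x == "all":
            return True
        if y == "all":
            return False
        return ipaddress.ip_network(y).subnet_of(ipaddress.ip_network(x))
    return (addr_covers(a.src, b.src) and addr_covers(a.dst, b.dst)
            and a.service in ("ANY", b.service))


def shadowed(policies):
    """Return (unreachable policy, earlier policy that shadows it) pairs."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if _covers(earlier, later):
                out.append((later.name, earlier.name))
                break
    return out


# Constructed sample: a specific block for one web server, and a general web allow.
BLOCK_BAD_SITE = Policy("block-bad-site", "192.168.1.0/24", "203.0.113.10/32", "HTTP", "deny")
ALLOW_WEB = Policy("allow-web", "192.168.1.0/24", "all", "HTTP", "accept")
CORRECT_ORDER = [BLOCK_BAD_SITE, ALLOW_WEB]   # specific first: block is reached
WRONG_ORDER = [ALLOW_WEB, BLOCK_BAD_SITE]     # general first: block is never reached
```

Running `shadowed(WRONG_ORDER)` reports the block policy as unreachable, which is the check to run before assuming a deny rule near the bottom of the list is doing anything.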

Note: No traffic will flow through a FortiGate unit until at least one firewall policy is added.


FortiGate-800 and FortiGate-800F FortiOS 3.0 MR6 Install Guide

32

01-30006-0455-20080910


800/800F specifications

Fortinet has established itself as a leader in cybersecurity solutions, and the FortiGate 800/800F series is a testament to this reputation. These next-generation firewalls are designed to deliver high-performance security for enterprise-level networks, providing a robust defense against a multitude of cyber threats.

One of the standout features of the FortiGate 800/800F is its advanced security processing unit (SPU) architecture, which ensures unparalleled threat detection and prevention capabilities. The inclusion of purpose-built chips allows for deep packet inspection at high speeds without hindering network performance. This architecture enables organizations to maintain high throughput while applying comprehensive security policies.

The FortiGate 800/800F series supports a wide array of security features, including intrusion prevention system (IPS), web filtering, and antivirus capabilities. These functionalities work together to monitor and protect against a range of cyber threats, from malware to sophisticated DDoS attacks. Additionally, the firewalls are equipped with FortiSandbox integration, providing automated malware analysis and ensuring that zero-day threats are effectively identified and neutralized in real time.

In terms of networking capabilities, the FortiGate firewalls support advanced routing protocols, enabling seamless integration into existing network infrastructures. The series also includes support for VPN functionalities, which are crucial for secure remote access. With features like SSL inspection and secure SD-WAN, businesses can leverage flexible connectivity options while ensuring that sensitive data remains protected.

The FortiOS operating system enhances the FortiGate 800/800F series with centralized management capabilities, allowing administrators to configure and monitor security policies with ease. The intuitive user interface simplifies complex tasks, aiding in the rapid deployment and scalability of security measures across large networks.

High availability and redundancy features are also integral to the FortiGate 800/800F design. The series supports active-active and active-passive configurations, ensuring continuous protection and minimizing downtime during maintenance or unexpected failures.

In summary, the FortiGate 800/800F series stands out for its powerful performance, advanced security features, and robust networking capabilities. Organizations seeking to bolster their cybersecurity posture will find these firewalls to be invaluable tools in safeguarding their digital environments and ensuring business continuity in an increasingly complex threat landscape.