Fortinet 620B manual Firewall policies

Page 34

Firewall policies

Advanced configuration

Web Apply virus scanning and web content blocking to HTTP traffic.

Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.

The best way to begin creating your own protection profile is to open a predefined profile. This way you can see how a profile is set up, and then modify it suit your requirements. You access Protection profile options by going to Firewall > Protection Profile, and selecting Edit for one of the predefined profiles.

Protection profiles are used by the firewall policies to determine how network and Internet traffic is controlled, scanned and when necessary, rejected. The Protection Profiles can be considered the rules of the firewall policy. Because of this, you should take some time to review the various options to consider what you want the firewall policies to do. If, after setting the protection profile and firewall policies, traffic is not flowing or flowing too much, verify your profile settings.

The number of options and configuration for the protection profile is too vast for this document. For details on each protection profile feature and setting, see the FortiGate Administration Guide or the FortiGate Online Help.

Firewall policies

Firewall policies are instructions the FortiGate unit uses to decide what to do with a connection request. When the firewall receives a connection request, it analyzes it to extract its source address, destination address, and port number.

For the connection through the FortiGate unit to be successful, the source address, destination address, and service of the connection must match a firewall policy. The policy directs the firewall action for the connection. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN connection.

You can configure each firewall policy to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. You also add protection profiles to firewall policies to apply different protection settings for the traffic controlled by firewall policies.

The FortiGate unit matches firewall policies by searching from the top of the firewall policy list and moving down until it finds the first match, then performs the required address translation, blocking and so on described by the protection profile, then passes on the packet information. This is important, because once the FortiGate unit finds a match to a policy, it will not continue down the list. You need to arrange policies in the policy list from more specific to more general.

For example, if you have two policies, one that blocks specific URLs or IP addresses, and another general policy that lets traffic through. If you put the general policy at the top, the FortiGate unit will act on the general policy, figuring the policy has been matched and potentially let the URLs or IPs you wanted blocked through.

Note: No traffic will flow through a FortiGate unit until at least one firewall policy is added.

 

FortiGate-620B FortiOS 3.0 MR6 Install Guide

34

01-30006-83054-20081015

Page 33 Page 35
Image 34
Page 33 Page 35
Contents Install G U I D E Trademarks Regulatory complianceContents Advanced configuration AMC modulesTesting new firmware before installing Using the web-based managerInstalling firmware from a system reboot using the CLI FortiGate FirmwarePage Introduction Register your FortiGate unitAbout the FortiGate-620B Lacp configurationAbout this document Typographic conventions Further ReadingDocument conventions Addressipv4FortiGate Administration Guide Fortinet Knowledge CenterCustomer service and technical support Comments on Fortinet technical documentationCustomer service and technical support Installing Environmental specificationsGrounding Rack mount instructionsTo install the FortiGate unit into a rack MountingTo power off the FortiGate unit Connecting to the networkTo power on the FortiGate unit Plugging in the FortiGateNAT vs. Transparent mode ConfiguringNAT mode Connecting to the web-based manager Connecting to the FortiGate unitTransparent mode To connect to the web-based managerConnecting to the CLI To connect to the CLIConfigure the interfaces Configuring NAT modeUsing the web-based manager To configure interfaces Go to System Network InterfaceConfigure a DNS server Adding a default route and gatewayTo modify the default gateway Go to Router Static Adding firewall policiesTo set an interface to use a static address Using the CLITo set an interface to use Dhcp addressing To configure DNS server settings To set an interface to use PPPoE addressingTo modify the default gateway To add an outgoing traffic firewall policySwitching to Transparent mode Configuring Transparent modeTo switch to Transparent mode Go to System Status Source Address All Destination Interface To switch to Transparent mode Verify the configuration Backing up the configurationSet the Administrator password Restoring a configurationAdditional configuration Set the time and dateConfigure FortiGuard Updating antivirus and IPS signaturesAdditional configuration Advanced configuration Protection profilesFirewall policies Firewall policiesConfiguring firewall policies Antivirus optionsAntiSpam options Web filtering Logging To install the filler module Installing AMC filler unitsInstalling modules AMC modulesHard disk module Using the AMC modulesRemoving modules To insert a module into a FortiGate chassisFormatting the hard disk Log configuration using the web-based managerTo format the ASM-S08 hard disk enter the following command Execute formatlogdiskFortiAnalyzer command config log disk setting enable Log configuration using the CLIChanging interfaces to operate in Sgmii or SerDes mode Viewing logsConfigure the speed Config system interface edit AMC-SW1/1 Set speed auto EndUsing the AMC modules FortiGate Firmware Downloading firmwareUpgrading the firmware Using the web-based managerReverting to a previous version Using the USB Auto-Install Backup and Restore from a USB keyTo revert to a previous firmware version To upgrade the firmware using the CLI Using the CLIExecute ping Execute update-now Execute restore image namestr tftpip4Execute restore image image.out To revert to a previous firmware version using the CLIExecute restore image image28.out Installing firmware from a system reboot using the CLIExecute restore image namestr tftpipv4 Execute restore config namestr tftpip4Press any key to display configuration menu To install firmware from a system rebootExecute reboot Enter Tftp server addressEnter Local Address Restoring the previous configurationTo backup configuration using the CLI Enter File Name image.outTo restore configuration using the CLI Additional CLI Commands for a USB keyTo configure the USB Auto-Install using the CLI Testing new firmware before installing To test the new firmware imageTesting new firmware before installing Testing new firmware before installing Index Web filtering 37 web-based manager Page Page

620B specifications

The Fortinet 620B is a state-of-the-art security appliance designed to provide comprehensive cybersecurity solutions for medium to large enterprises. As part of Fortinet's FortiGate series, the 620B combines advanced security features with robust performance capabilities, ensuring that organizations can protect their networks against an evolving threat landscape.

One of the standout features of the Fortinet 620B is its exceptional threat protection capabilities. The device utilizes Fortinet's proprietary FortiOS operating system, which integrates multiple security functions, including firewall, intrusion prevention system (IPS), virtual private network (VPN), and antivirus. This unified approach enables organizations to enforce consistent security policies across their network without compromising performance.

The FortiGate 620B is powered by Fortinet's purpose-built security processing unit (SPU) architecture, which significantly accelerates threat detection and mitigation processes. With multi-core processing capabilities, the device can handle high volumes of traffic while maintaining low latency, making it suitable for environments with heavy data flows. This performance is critical for organizations requiring real-time inspection of encrypted traffic, as the 620B offers strong decryption capabilities without sacrificing throughput.

In addition to its security features, the Fortinet 620B includes advanced networking technologies. The device supports software-defined networking (SDN) and integrates with Fortinet’s Security Fabric, allowing for enhanced visibility and control across the entire network ecosystem. This fabric architecture enables seamless communication between multiple devices, streamlining the management of security policies and improving overall network efficiency.

Another key characteristic of the FortiGate 620B is its scalability. Organizations can easily scale their deployment to meet growing demands by utilizing additional Fortinet appliances and services. The device also provides extensive reporting and analytics features, offering insights into network usage and security incidents, empowering security teams to make informed decisions.

Overall, the Fortinet 620B is an exceptional solution for organizations looking to strengthen their network security posture. With its combination of powerful threat protection, high performance, and advanced networking capabilities, it stands out as a reliable choice for safeguarding critical business operations in today's digital landscape. Its comprehensive feature set, combined with Fortinet's commitment to innovation, makes the FortiGate 620B a formidable asset for any cybersecurity strategy.
Top Page Image Contents