Fortinet 100A 196 , Comments, Configuring firewall policies

196 01-28007-0068-20041203 Fortinet Inc.

Configuring firewall policies Firewall

.

Comments

You can add a description or other information about the policy. The comment can be

up to 63 characters long, including spaces.

Configuring firewall policies

Use the following procedures to add, delete, edit, re-order, disable, and enable a

firewall policy.

To add a firewall policy

1Go to Firewall > Policy.

2Select Create New.

You can also select the Insert Policy before icon beside a policy in the list to add the

new policy above that policy.

3Select the source and destination interfaces.

4Select the source and destination addresses.

5Configure the policy.

For information about configuring the policy, see “Policy options” on page191.

6Select OK to add the policy.

7Arrange policies in the policy list so that they have the results that you expect.

For information about arranging policies in a policy list, see “How policy matching

works” on page 190.

To delete a policy

1Go to Firewall > Policy.

2Select the Delete icon beside the policy you want to delete.

3Select OK.

To edit a policy

1Go to Firewall > Policy.

2Select the Edit icon beside the policy you want to edit.

3Edit the policy as required.

4Select OK.

To change the position of a policy in the list

1Go to Firewall > Policy.

2Select the Move To icon beside the policy you want to move.

Original

(forward) DSCP

value

Set the DSCP value for packets accepted by the policy. For example, for an

Internal->External policy the value is applied to outgoing packets as they

exit the external interface and are forwarded to their destination.

Reverse (reply)

DSCP value

Set the DSCP value for reply packets. For example, for an

Internal->External policy the value is applied to incoming reply packets

before they exit the internal interface and returned to the originator.

Contents

Main FortiGate 100A Administration Guide Page Table of Contents 4 Page 6 Page 8 Page 10 Page Page Introduction About FortiGate Antivirus Firewalls 14 Antivirus protection Web content filtering Spam filtering Firewall 16 NAT/Route mode Transparent mode VLANs and virtual domains Intrusion Prevention System (IPS) VPN 18 High availability Secure installation, configuration, and management Web-based manager Command line interface Document conventions 20 FortiGate documentation Fortinet Knowledge Center Comments on Fortinet technical documentation 22 Related documentation FortiManager documentation FortiClient documentation FortiMail documentation FortiLog documentation Customer service and technical support Page System status Console access 26 Status Viewing system status System status Unit Information Recent Virus Detections Content Summary 28 Interface Status System Resources All interfaces in the FortiGate unit are listed in the table. History Recent Intrusion Detections Changing unit information Page Page Session list Changing the FortiGate firmware Upgrading to a new firmware version Use the following procedures to upgrade the FortiGate unit to a newer firmware version. Upgrading the firmware using the web-based manager 34 Upgrading the firmware using the CLI Reverting to a previous firmware version Reverting to a previous firmware version using the web-based manager 36 Reverting to a previous firmware version using the CLI Page 38 Installing firmware images from a system reboot using the CLI Page 40 Restoring the previous configuration Testing a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image 44 Switching to the backup firmware image Switching back to the default firmware image Page System network Interface 48 Interface settings Name Interface VLAN ID 50 Virtual Domain Addressing mode Manual DHCP PPPoE 52 DDNS Ping server Administrative access MTU Log Configuring interfaces Page Page Page Page 58 Zone Zone settings Management Page DNS 62 Routing table (Transparent Mode) Routing table list Transparent mode route settings VLAN overview 64 FortiGate units and VLANs VLANs in NAT/Route mode Rules for VLAN IDs Rules for VLAN IP addresses Adding VLAN subinterfaces VLANs in Transparent mode Page 68 Rules for VLAN IDs Transparent mode VLAN list Transparent mode VLAN settings Page FortiGate IPv6 support Page System DHCP Service 74 DHCP service settings Server 76 DHCP server settings Exclude range 78 DHCP exclude range settings IP/MAC binding DHCP IP/MAC binding settings Dynamic IP Page System config System time Options Page HA HA configuration Standalone Mode High Availability 86 Cluster Members Mode Group ID Unit Priority Override Master Password 88 Schedule Priorities of Heartbeat Device Heartbeat device IP addresses 90 Monitor priorities Configuring an HA cluster Page Page Internal Network 94 Managing an HA cluster Page Page SNMP 98 Configuring SNMP SNMP community Page FortiGate MIBs 102 FortiGate traps Fortinet MIB fields Page Page 106 Replacement messages Replacement messages list Changing replacement messages FortiManager System administration Administrators 110 Administrators list Administrators options Using trusted hosts Access profiles 112 Access profile list Access profile options Page Page System maintenance Backup and restore 116 Backing up and Restoring Page Update center Page 120 Updating antivirus and attack definitions Page Page Enabling push updates Push updates when FortiGate IP addresses change 124 Enabling push updates through a NAT device Support 126 Sending a bug report Use the Report Bug form to send bug information to Fortinet support. Registering a FortiGate unit Page Shutdown Page System virtual domain 132 Virtual domain properties Exclusive virtual domain properties Shared configuration settings 134 Administration and management Virtual domains Adding a virtual domain Selecting a virtual domain Selecting a management virtual domain 136 Configuring virtual domains Adding interfaces, VLAN subinterfaces, and zones to a virtual domain Page 138 Configuring routing for a virtual domain Configuring firewall policies for a virtual domain Page Page Router Static Page Static route list 144 Static route options Policy Policy route list 146 Policy route options RIP General 148 Networks list Networks options Interface list 150 Interface options Distribute list 152 Distribute list options Offset list Use offset lists to add the specified offset to the metric of a route. Offset list options 154 Router objects Access list New access list New access list entry Prefix list 156 New Prefix list New prefix list entry Route-map list 158 New Route-map Route-map list entry 160 Key chain list New key chain Key chain list entry 162 Monitor Routing monitor list Page 164 get router info rip Command syntax Examples config router ospf ospf command keywords and variables 166 ospf command keywords and variables (Continued) config area config area command syntax pattern 168 area command keywords and variables area command keywords and variables (Continued) 170 config filter-list config filter-list command syntax pattern filter-list command keywords and variables config range config range command syntax pattern 172 range command keywords and variables config virtual-link config virtual link command syntax pattern 174 virtual-link command keywords and variables config distribute-list virtual-link command keywords and variables (Continued) 176 config distribute-list command syntax pattern distribute-list command keywords and variables config neighbor config neighbor command syntax pattern 178 neighbor command keywords and variables config network config network command syntax pattern network command keywords and variables 180 config ospf-interface config ospf-interface command syntax pattern ospf-interface command keywords and variables 182 ospf-interface command keywords and variables (Continued) 184 config redistribute config redistribute command syntax pattern config summary-address redistribute command keywords and variables 186 config summary-address command syntax pattern summary-address command keywords and variables config router static6 static6 command keywords and variables Page Firewall 190 Policy How policy matching works Policy list The policy list has the following icons and features. Policy options Policy options are configurable when creating or editing a firewall policy. Policy has the following standard options: Page 194 Advanced policy options Authentication Traffic Shaping Differentiated Services 196 Comments Configuring firewall policies Policy CLI configuration 198 Address firewall policy command keywords and variables Address list Address options 200 Configuring addresses Address group list Address group options 202 Configuring address groups Service Predefined service list Page Page 206 Custom service list The custom services list has the following icons and features. Page 208 IP custom service options Configuring custom services Service group list Service group options 210 Configuring service groups Schedule One-time schedule list 212 One-time schedule options Configuring one-time schedules Recurring schedule list Recurring schedule options 214 Configuring recurring schedules Virtual IP Virtual IP list Virtual IP options 216 Virtual IP has the following options. Configuring virtual IPs Page Page IP pool 220 IP pool list IP pool options Configuring IP pools IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT 222 Protection profile Protection profile list Default protection profiles The FortiGate unit comes preconfigured with four protection profiles. You can configure the following options when creating or editing a protection profile. Protection profile options 224 Configuring antivirus options Configuring web filtering options Configuring web category filtering options 226 Configuring spam filtering options Configuring IPS options Configuring content archive options 228 Configuring protection profiles Profile CLI configuration 230 firewall profile command keywords and variables firewall profile command keywords and variables (Continued) Page Users and authentication 234 Setting authentication timeout Local Local user list Local user options RADIUS RADIUS server list 236 RADIUS server options LDAP LDAP server list LDAP server options Page User group User group list 240 User group options peer radius command keywords and variables 242 peergrp radius command keywords and variables Page Page VPN 246 Phase 1 Phase 1 list Phase 1 basic settings Page Phase 1 advanced settings Phase 2 Phase 2 list Phase 2 basic settings 252 Phase 2 advanced options Manual key 254 Manual key list Manual key options 256 Concentrator Concentrator list Concentrator options Ping Generator 258 Ping generator options Monitor Dialup monitor Static IP and dynamic DNS monitor 260 PPTP PPTP range L2TP L2TP range 262 Certificates Local certificate list Page 264 Importing signed certificates CA certificate list Importing CA certificates 266 VPN configuration procedures IPSec configuration procedures Adding firewall policies for IPSec VPN tunnels Page 268 PPTP configuration procedures L2TP configuration procedures ipsec phase1 ipsec phase1 command keywords and variables 270 ipsec phase1 command keywords and variables (Continued) ipsec phase2 ipsec phase2 command keywords and variables 272 ipsec vip ipsec phase2 command keywords and variables (Continued) ipsec vip command keywords and variables 274 Configuring IPSec virtual IP addresses Page Page IPS IPS updates and information 278 Signature Predefined Predefined signature list Tabl e 24 describes each possible action you can select for predefined signatures. 280 Configuring predefined signatures Configuring parameters for dissector signatures 282 Custom Custom signature list Adding custom signatures Backing up and restoring custom signature files 284 Anomaly Anomaly list Configuring an anomaly Page Anomaly CLI configuration (config ips anomaly) config limit limit command keywords and variables Configuring IPS logging and alert email Default fail open setting Antivirus 290 Order of antivirus operations Virus list updates and information File block File block list 292 Configuring the file block list Quarantine Quarantined files list Quarantined files list options 294 AutoSubmit list AutoSubmit list options Configuring the AutoSubmit list Config Quarantine configuration has the following options: 296 Config Virus list Config Grayware Grayware options Page config antivirus heuristic 300 config antivirus quarantine config antivirus service http antivirus quarantine command keywords and variables antivirus service http command keywords and variables 302 config antivirus service ftp antivirus service ftp command keywords and variables 304 config antivirus service pop3 antivirus service pop3 command keywords and variables config antivirus service imap 306 antivirus service imap command keywords and variables config antivirus service smtp antivirus service smtp command keywords and variables Page Web filter 310 Order of web filter operations Content block Web content block list Web content block options 312 Configuring the web content block list URL block Web URL block list Web URL block options 314 Configuring the web URL block list Web pattern block list Web pattern block options Configuring web pattern block URL exempt 316 URL exempt list URL exempt list options Configuring URL exempt Category block FortiGuard managed web filtering service FortiGuard categories and ratings FortiGuard Service Points 318 FortiGuard licensing FortiGuard configuration Category block configuration options Configuring web category block Category block reports 320 Category block reports options Generating a category block report Category block CLI configuration Script filter catblock command keywords and variables Page Spam filter Page Order of spam filter operations FortiShield 326 FortiShield options Configuring the FortiShield cache IP address IP address list IP address options 328 Configuring the IP address list RBL & ORDBL RBL & ORDBL list RBL & ORDBL options Configuring the RBL & ORDBL list 330 Email address Email address list Email address options Configuring the email address list MIME headers 332 MIME headers list MIME headers options Configuring the MIME headers list Banned word 334 Banned word list Banned word options Configuring the banned word list Using Perl regular expressions 336 Regular expression vs. wildcard match pattern Word boundary Case sensitivity Examples Page Log & Report 340 Log config Log Setting options FortiLog settings 342 Disk settings Memory settings Syslog settings WebTrends settings 344 Alert E-mail options Log filter options 346 Traffic log Event log Anti-virus log Web filter log 348 Attack log Spam filter log Configuring log filters Enabling traffic logging Log access Viewing log messages 350 Choosing columns Searching log messages 352 fortilog setting log fortilog setting command keywords and variables 354 syslogd setting log syslogd setting command keywords and variables Page Page FortiGuard categories Page Page Page Page Page Glossary Page Page Page Index A B C 368 D E F G H I K 370 L M N O Q R S 372 T U V W X