Fortinet 100 146 , VPN Tunnel, Traffic Shaping

146 Fortinet Inc.

Firewall policy options Firewall configuration

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or

Manual Key tunnel. VPN Tunnel is not available in Transparent mode.

Traffic Shaping

Traffic Shaping controls the bandwidth available to and sets the priority of the traffic

processed by the policy. Traffic Shaping makes it possible to control which policies

have the highest priority when large amounts of data are moving through the

FortiGate device. For example, the policy for the corporate web server might be given

higher priority than the policies for most employees’ computers. An employee who

needs unusually high-speed Internet access could have a special outgoing policy set

up with higher bandwidth.

If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does

not allow any traffic.

Dynamic IP

Pool

You cannot select Dynamic IP Pool for Int->Ext or DMZ->Ext policies if the

external interface is configured using DHCP or PPPoE.

Select Dynamic IP Pool to translate the source address to an address

randomly selected from an IP pool added to the destination interface of the

policy. To add IP pools, see “IP pools” on page164.

Fixed Port Select Fixed Port to prevent NAT from translating the source port. Some

applications do not function correctly if the source port is changed. If you

select Fixed Port, you must also select Dynamic IP Pool and add a dynamic

IP pool address range to the destination interface of the policy. If you do not

select Dynamic IP Pool, a policy with Fixed Port selected can only allow one

connection at a time for this port or service.

Allow inbound Select Allow inbound so that users behind the remote VPN gateway can

connect to the source address.

Allow outbound Select Allow outbound so that users can connect to the destination address

behind the remote VPN gateway.

Inbound NAT Sel ect Inbound NAT to translate the source address of incoming packets to

the FortiGate internal IP address.

Outbound NAT Select Outbound NAT to translate the source address of outgoing packets to

the FortiGate external IP address.

Guaranteed

Bandwidth

You can use traffic shaping to guarantee the amount of bandwidth available

through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make

sure that there is enough bandwidth available for a high-priority service.

Maximum

Bandwidth

You can also use traffic shaping to limit the amount of bandwidth available

through the firewall for a policy. Limit bandwidth to keep less important

services from using bandwidth needed for more important services.

Traff ic Pri ority Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit

manages the relative priorities of different types of traffic. For example, a

policy for connecting to a secure web server needed to support e-commerce

traffic should be assigned a high traffic priority. Less important services

should be assigned a low priority. The firewall provides bandwidth to low-

priority connections only when bandwidth is not needed for high-priority

connections.