Firewall policy options

Firewall configuration

You cannot select Dynamic IP Pool for Int->Ext or DMZ->Ext policies if the external interface is configured using DHCP or PPPoE.

Dynamic IP Pool Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see “IP pools” on page 164.

Fixed Port Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
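The one-connection-per-port limit follows from how a NAT table works: every translated (address, port) pair towards a given destination must be unique, and Fixed Port removes the port as a free variable. The following model, added here as an illustration and not FortiGate code, shows the three cases side by side: ordinary NAT rewriting the port, Fixed Port with only the interface address, and Fixed Port with a Dynamic IP Pool. The class and method names, the 30000 ephemeral port base and all addresses (documentation ranges) are constructed for the example.

```python
# Added illustration for this page, not FortiGate code: a minimal model of the
# source-NAT translation table, showing why Fixed Port needs a Dynamic IP Pool
# to carry more than one connection per port.
import random
from dataclasses import dataclass, field


@dataclass
class SourceNatPolicy:
    """A firewall policy with NAT enabled on one outgoing interface."""
    interface_ip: str                            # address of the destination interface
    fixed_port: bool = False                     # Fixed Port: keep the original source port
    ip_pool: list = field(default_factory=list)  # Dynamic IP Pool addresses (empty = none)
    next_port: int = 30000                       # next ephemeral port when rewriting ports
    # translated (ip, port) pairs in use, per destination "ip:port" string
    table: dict = field(default_factory=dict)

    def translate(self, src_port, destination):
        """Pick the translated (ip, port) for a new connection.

        Returns None when the policy cannot open another connection with
        this source port, which is the single-connection limit the page
        describes for Fixed Port without a Dynamic IP Pool.
        """
        in_use = self.table.setdefault(destination, set())

        if not self.fixed_port:
            # Ordinary NAT rewrites the source port, so two internal hosts
            # using the same port never collide on the external address.
            mapping = (self.interface_ip, self.next_port)
            self.next_port += 1
            in_use.add(mapping)
            return mapping

        # Fixed Port: the port must stay as the application sent it, so the
        # only way to keep the translated pair unique is a different address.
        candidates = self.ip_pool or [self.interface_ip]
        free = [ip for ip in candidates if (ip, src_port) not in in_use]
        if not free:
            return None
        mapping = (random.choice(free), src_port)   # pool address chosen at random
        in_use.add(mapping)
        return mapping


def demo():
    """Constructed scenario: several hosts open SIP (port 5060) to one peer."""
    peer = "198.51.100.7:5060"                        # constructed destination
    no_pool = SourceNatPolicy("203.0.113.1", fixed_port=True)
    pooled = SourceNatPolicy("203.0.113.1", fixed_port=True,
                             ip_pool=["203.0.113.10", "203.0.113.11", "203.0.113.12"])
    return {
        "fixed_port_no_pool": [no_pool.translate(5060, peer) for _ in range(3)],
        "fixed_port_with_pool": [pooled.translate(5060, peer) for _ in range(4)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Without a pool the second and third connections are refused; with a three-address pool the fourth is, which is why the page tells you to size the pool address range for the number of simultaneous connections the service needs.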

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.

Allow inbound Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.

Allow outbound Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.

Inbound NAT Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.

Outbound NAT Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address.

Traffic Shaping

Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs unusually high-speed Internet access could have a special outgoing policy set up with higher bandwidth.

If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does not allow any traffic.

Guaranteed Bandwidth You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a high-priority service.

Maximum Bandwidth You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.

Traffic Priority Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
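To see how the three Traffic Shaping settings interact, here is a small allocation model added for this page. It is not FortiGate code and the two-pass algorithm (guarantees first, then leftover link capacity in priority order up to each policy's maximum) is an assumption chosen to reproduce the behaviour the page describes; the FortiGate unit's actual scheduler is not documented here. The policy names, bandwidth figures and the "demand" field are constructed for the example, and the rule that a maximum of 0 on its own means "no cap" is a model assumption, since the page only defines the case where both settings are 0.

```python
# Added illustration for this page, not FortiGate code: a model of how
# Guaranteed Bandwidth, Maximum Bandwidth and Traffic Priority share a link.
# The two-pass algorithm is an assumption chosen to match the behaviour the
# page describes, not a description of the FortiGate unit's scheduler.

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def shape(policies, link_capacity):
    """Divide link_capacity among policies; all figures in the page's Kbytes.

    policies maps a policy name to a dict with keys:
      guaranteed, maximum  - the policy's Traffic Shaping settings
      priority             - "High", "Medium" or "Low"
      demand               - how much the policy's traffic wants right now
    Returns a dict of policy name -> bandwidth granted.
    """
    granted = {name: 0 for name in policies}
    remaining = link_capacity

    def ceiling(p):
        # Maximum Bandwidth caps the policy; 0 is treated as "no cap" here
        # (model assumption, the page only defines the 0/0 case).
        return min(p["demand"], p["maximum"]) if p["maximum"] else p["demand"]

    def blocked(p):
        # Both settings at 0: the policy passes no traffic at all.
        return p["guaranteed"] == 0 and p["maximum"] == 0

    # Pass 1: honour every Guaranteed Bandwidth before anything else.
    for name, p in policies.items():
        if blocked(p):
            continue
        share = min(p["guaranteed"], ceiling(p), remaining)
        granted[name] += share
        remaining -= share

    # Pass 2: hand out what is left in priority order, up to each ceiling,
    # so Low only gets bandwidth that High and Medium did not need.
    by_priority = sorted(policies.items(),
                         key=lambda kv: PRIORITY_RANK[kv[1]["priority"]])
    for name, p in by_priority:
        if blocked(p) or remaining == 0:
            continue
        share = min(ceiling(p) - granted[name], remaining)
        granted[name] += share
        remaining -= share

    return granted


# Constructed example policies (values are illustrative, not from the manual).
EXAMPLE_POLICIES = {
    "corporate_web_server": {"guaranteed": 400, "maximum": 800, "priority": "High", "demand": 1000},
    "employee_browsing":    {"guaranteed": 100, "maximum": 600, "priority": "Low", "demand": 600},
    "disabled_by_zero":     {"guaranteed": 0, "maximum": 0, "priority": "Medium", "demand": 300},
}

if __name__ == "__main__":
    print(shape(EXAMPLE_POLICIES, 1000))
```

On a 1000 Kbyte link the model gives the web server its 400 guarantee and then the rest of its 800 maximum, the low-priority employee policy keeps its 100 guarantee plus the remaining 100, and the policy with both settings at 0 passes nothing. Raise the link to 2000 and the employee policy fills up to its 600 maximum while the web server still stops at 800.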

146

Fortinet Inc.
