Adding firewall policies | Firewall configuration |
|
|
For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 188.
Schedule
Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 186.
Service
Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See “Services” on page 182.
Action
Select how the firewall should respond when the policy matches a connection attempt.
ACCEPT | Accept the connection. If you select ACCEPT, you can also configure NAT |
| and Authentication for the policy. |
DENY | Deny the connection. The only other policy option that you can configure is |
| log traffic, to log the connections denied by this policy. |
ENCRYPT | Make this policy an IPSec VPN policy. If you select ENCRYPT, you can |
| select an AutoIKE key or Manual Key VPN tunnel for the policy and configure |
| other IPSec settings. You cannot add authentication to an ENCRYPT policy. |
| ENCRYPT is not available in Transparent mode. See “Configuring encrypt |
| policies” on page 224. |
NAT
Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.
Dynamic IP Pool
Fixed Port
Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see “IP pools” on page 192.
Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.
VPN Tunnel
Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
174 | Fortinet Inc. |
