Adding firewall policies

Firewall configuration

For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 188.

Schedule

Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 186.

Service

Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See “Services” on page 182.

Action

Select how the firewall should respond when the policy matches a connection attempt.

ACCEPT

Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.

DENY

Deny the connection. The only other policy option that you can configure is log traffic, to log the connections denied by this policy.

ENCRYPT

Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See “Configuring encrypt policies” on page 224.

NAT

Configure the policy for NAT. NAT translates the source address and the source port of packets accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port. NAT is not available in Transparent mode.

Dynamic IP Pool

Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see “IP pools” on page 192.

Fixed Port

Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is changed. If you select Fixed Port, you must also select Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one connection at a time for this port or service.

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key tunnel. VPN Tunnel is not available in Transparent mode.
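The following model, added here as an illustration and not part of the manual or of any Fortinet software, walks a connection through the policy fields above (Service, Action, NAT, Dynamic IP Pool, Fixed Port) to show why Fixed Port without a Dynamic IP Pool limits the policy to one connection per source port. It assumes a single interface address of 203.0.113.1 when no pool is configured, models only ACCEPT and DENY, and uses constructed addresses and ports.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Policy:
    service_port: int                 # Service: destination port the policy matches
    action: str                       # Action: "ACCEPT" or "DENY"
    nat: bool = False                 # NAT: translate source address (and port)
    fixed_port: bool = False          # Fixed Port: keep the original source port
    ip_pool: list = field(default_factory=list)   # Dynamic IP Pool; empty = none
    interface_ip: str = "203.0.113.1" # assumed address used when no pool is set


@dataclass
class Firewall:
    policy: Policy
    next_port: int = 40000            # next translated port for normal NAT
    # (translated_ip, translated_port) -> (original src_ip, src_port)
    active: dict = field(default_factory=dict)

    def handle(self, src_ip, src_port, dst_port):
        """Return (verdict, translated (ip, port) or None) for one new connection."""
        if dst_port != self.policy.service_port:
            return ("NO_MATCH", None)         # Service does not match this policy
        if self.policy.action == "DENY":
            return ("DENY", None)             # DENY: nothing else to configure
        if not self.policy.nat:
            return ("ACCEPT", (src_ip, src_port))   # ACCEPT without NAT: unchanged
        pool = self.policy.ip_pool or [self.policy.interface_ip]
        if self.policy.fixed_port:
            # Source port is preserved, so each pool address can carry only one
            # connection per source port; with no pool that is one connection total.
            for ip in pool:
                key = (ip, src_port)
                if key not in self.active:
                    self.active[key] = (src_ip, src_port)
                    return ("ACCEPT", key)
            return ("NO_FREE_SLOT", None)
        # Normal NAT: pick a pool address at random and a fresh source port, so
        # many internal hosts can share one translated address.
        key = (random.choice(pool), self.next_port)
        self.next_port += 1
        self.active[key] = (src_ip, src_port)
        return ("ACCEPT", key)

    def close(self, translated):
        """Release a translated (ip, port) slot when the connection ends."""
        self.active.pop(translated, None)
```

Adding a second address to the pool doubles the number of simultaneous Fixed Port connections on the same source port, which is the reason the manual requires a Dynamic IP Pool alongside Fixed Port.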

174

Fortinet Inc.

Fortinet 400 manual Schedule, Service, Action, VPN Tunnel, 174