Fortinet 400 174 , Schedule, Service, Action, NAT, VPN Tunnel

174 Fortinet Inc.

Adding firewall policies Firewall configuration

For NAT/Route mode policies where the address on the destination network is hidden

from the source network using NAT, the destination can also be a virtual IP that maps

the destination address of the packet to a hidden destination address. See “Virtual

IPs” on page 188.

Schedule

Select a schedule that controls when the policy is available to be matched with

connections. See “Schedules” on page 186.

Service

Select a service that matches the service (port number) of the packet. You can select

from a wide range of predefined services or add custom services and service groups.

See “Services” on page 182.

Action

Select how the firewall should respond when the policy matches a connection attempt.

NAT

Configure the policy for NAT. NAT translates the source address and the source port

of packets accepted by the policy. If you select NAT, you can also select Dynamic IP

Pool and Fixed Port. NAT is not available in Transparent mode.

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or

Manual Key tunnel. VPN Tunnel is not available in Transparent mode.

ACCEPT Accept the connection. If you select ACCEPT, you can also configure NAT

and Authentication for the policy.

DENY Deny the connection. The only other policy option that you can configure is

log traffic, to log the connections denied by this policy.

ENCRYPT Make this policy an IPSec VPN policy. If you select ENCRYPT, you can

select an AutoIKE key or Manual Key VPN tunnel for the policy and configure

other IPSec settings. You cannot add authentication to an ENCRYPT policy.

ENCRYPT is not available in Transparent mode. See “Configuring encrypt

policies” on page 224.

Dynamic IP

Pool

Select Dynamic IP Pool to translate the source address to an address

randomly selected from an IP pool added to the destination interface of the

policy. To add IP pools, see “IP pools” on page192.

Fixed Port Select Fixed Port to prevent NAT from translating the source port. Some

applications do not function correctly if the source port is changed. If you

select Fixed Port, you must also select Dynamic IP Pool and add a dynamic

IP pool address range to the destination interface of the policy. If you do not

select Dynamic IP Pool, a policy with Fixed Port selected can only allow one

connection at a time for this port or service.