Firewall configuration | Adding firewall policies
Allow inbound: Select Allow inbound so that users behind the remote VPN gateway can connect to the source address.
Allow outbound: Select Allow outbound so that users can connect to the destination address behind the remote VPN gateway.
Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the FortiGate internal IP address.
Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the FortiGate external IP address.
Traffic Shaping
Traffic Shaping controls the bandwidth available to and sets the priority of the traffic processed by the policy. Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate device. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs unusually
If you set both guaranteed bandwidth and maximum bandwidth to 0, the policy does not allow any traffic.
Guaranteed Bandwidth: You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make sure that there is enough bandwidth available for a
Maximum Bandwidth: You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth to keep less important services from using bandwidth needed for more important services.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support
Authentication
Select Authentication and select a user group to require users to enter a user name and password before the firewall accepts the connection. Select the user group to control the users that can authenticate with this policy. To add and configure user groups, see “Configuring user groups” on page 207. You must add user groups before you can select Authentication.
You can select Authentication for any service. Users can authenticate with the firewall using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password.
If you want users to authenticate to use other services (for example POP3 or IMAP) you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP. Then users could authenticate with the policy using HTTP, Telnet, or FTP before using the other service.
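Two rules stated above can be checked mechanically when reviewing a policy list: a policy with guaranteed and maximum bandwidth both set to 0 passes no traffic, and a policy that requires authentication must include HTTP, Telnet, or FTP among its services. The following is an added example, not part of the FortiGate documentation; the record layout, field names, and group names are hypothetical and constructed for illustration, and it assumes a service of ANY covers HTTP, Telnet, and FTP.

```python
# Added example: hypothetical policy records, not a FortiGate export format.
AUTH_CAPABLE = {"HTTP", "TELNET", "FTP"}  # protocols users can authenticate with (from the text)

def expand_services(service, groups):
    """Return the set of service names covered by a policy's service field."""
    if service.upper() == "ANY":
        return {"ANY"}
    # A service group expands to its members; a plain service expands to itself.
    return {s.upper() for s in groups.get(service, [service])}

def lint_policy(policy, groups):
    """Return a list of findings for one policy record."""
    findings = []
    services = expand_services(policy["service"], groups)
    if policy.get("authentication"):
        if not policy.get("user_group"):
            findings.append("authentication selected without a user group")
        # Assumption: ANY includes the three authentication-capable services.
        if "ANY" not in services and not (services & AUTH_CAPABLE):
            findings.append("no HTTP, Telnet, or FTP service: users cannot be prompted")
    shaping = policy.get("traffic_shaping")
    if shaping and shaping["guaranteed"] == 0 and shaping["maximum"] == 0:
        findings.append("guaranteed and maximum bandwidth both 0: policy passes no traffic")
    return findings

def lint_all(policies, groups):
    """Map each policy id to its findings."""
    return {p["id"]: lint_policy(p, groups) for p in policies}

# Constructed sample data.
GROUPS = {
    "Mail-with-auth": ["POP3", "IMAP", "HTTP"],
    "Mail-only": ["POP3", "IMAP"],
}
POLICIES = [
    {"id": 1, "service": "Mail-with-auth", "authentication": True, "user_group": "Staff"},
    {"id": 2, "service": "Mail-only", "authentication": True, "user_group": "Staff"},
    {"id": 3, "service": "HTTP", "authentication": False,
     "traffic_shaping": {"guaranteed": 0, "maximum": 0}},
    {"id": 4, "service": "ANY", "authentication": True, "user_group": None},
]

if __name__ == "__main__":
    for pid, findings in lint_all(POLICIES, GROUPS).items():
        print(pid, findings or "ok")
```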