Fortinet 400 Traffic Shaping, Authentication

Firewall configuration Adding firewall policies

FortiGate-400 Installation and Configuration Guide 175

Traffic Shaping

Traffic Shaping controls the bandwidth available to and sets the priority of the traffic

processed by the policy. Traffic Shaping makes it possible to control which policies

have the highest priority when large amounts of data are moving through the

FortiGate device. For example, the policy for the corporate web server might be given

higher priority than the policies for most employees’ computers. An employee who

needs unusually high-speed Internet access could have a special outgoing policy set

up with higher bandwidth.

If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does

not allow any traffic.

Authentication

Select Authentication and select a user group to require users to enter a user name

and password before the firewall accepts the connection. Select the user group to

control the users that can authenticate with this policy. To add and configure user

groups, see “Configuring user groups” on page207. You must add user groups before

you can select Authentication.

You can select Authentication for any service. Users can authenticate with the firewall

using HTTP, Telnet, or FTP. For users to be able to authenticate you must add an

HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt

to connect through the firewall using this policy they are prompted to enter a firewall

username and password.

If you want users to authenticate to use other services (for example POP3 or IMAP)

you can create a service group that includes the services for which you want to

require authentication as well as HTTP, Telnet, and FTP. Then users could

authenticate with the policy using HTTP, Telnet, or FTP before using the other service.

Allow inbound Select Allow inbound so that users behind the remote VPN gateway can

connect to the source address.

Allow outbound Select Allow outbound so that users can connect to the destination address

behind the remote VPN gateway.

Inbound NAT Select Inbound NAT to translate the source address of incoming packets to

the FortiGate internal IP address.

Outbound NAT Select Outbound NAT to translate the source address of outgoing packets to

the FortiGate external IP address.

Guaranteed

Bandwidth

You can use traffic shaping to guarantee the amount of bandwidth available

through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make

sure that there is enough bandwidth available for a high-priority service.

Maximum

Bandwidth

You can also use traffic shaping to limit the amount of bandwidth available

through the firewall for a policy. Limit bandwidth to keep less important

services from using bandwidth needed for more important services.

Traff ic Pri ority Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit

manages the relative priorities of different types of traffic. For example, a

policy for connecting to a secure web server needed to support e-commerce

traffic should be assigned a high traffic priority. Less important services

should be assigned a low priority. The firewall provides bandwidth to low-

priority connections only when bandwidth is not needed for high-priority

connections.