Virtual IPs

Firewall configuration

 

 

Adding a schedule to a policy

After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you create the policy, or you can edit existing policies and add a new schedule to them.

1Go to Firewall > Policy.

2Select the tab corresponding to the type of policy to add.

3Select New to add a policy or select Edit to edit a policy to change its schedule.

4Configure the policy as required.

5Add a schedule by selecting it from the Schedule list.

6Select OK to save the policy.

7Arrange the policy in the policy list to have the effect that you expect.

For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.

Virtual IPs

Use virtual IPs to access IP addresses on a destination network that are hidden from the source network by NAT security policies. To allow connections between these networks, you must create a mapping between an address on the source network and the real address on the destination network. This mapping is called a virtual IP.

For example, if the computer hosting your web server is located on the network connected to port3, it could have a private IP address such as 10.10.10.3. If port2 connects to the Internet, to get packets from the Internet to the web server, you must have an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on the port3 network. To allow connections from the Internet to the web server, you must then add a port2->port3 firewall policy and set Destination to the virtual IP.

You can create two types of virtual IPs:

Static NAT Used in to translate an address on a source network to a hidden address on a destination network. Static NAT translates the source address of return packets to the address on the source network.

Port Forwarding Used to translate an address and a port number on a source network to a hidden address and, optionally, a different port number on a destination network. Using port forwarding you can also route packets with a specific port number and a destination address that matches the IP address of the interface that receives the packets. This technique is called port forwarding or port address translation (PAT). You can also use port forwarding to change the destination port of the forwarded packets.

188

Fortinet Inc.

Page 188
Image 188
Fortinet 400 manual Virtual IPs, Adding a schedule to a policy, 188