添加防火墙策略

防火墙配置

 

 

任务计划

选择任务计划可以控制策略生效和用于匹配连接的时间,见 第 159 页 任务 计划

服务

选择一个服务与数据包的服务 (端口)相对应。您可以从大量的预定义服务中选 择,或者添加自己定制的服务类型和服务组。 见 第 155 页 服务

动作

选择当策略与连接尝试相匹配时防火墙的响应方式。

接受

接受连接。如果您选择接受,可以配置这个策略的 NAT 和认证选项。

拒绝

拒绝连接。在这种情况下您唯一能配置的其他选项就是记录日志。记录日志

 

选项 将此策略拒绝的连接记录到日志中。

加密

把这个策略设置为 IPSec VPN 策略。如果选择了 加密,可以为这个策略选择

 

一个自动密钥交换的 VPN 通道或者一个手工密钥的 VPN 通道,并配置其它

 

IPSec 设置。您不能为加密策略设置认证。并且加密在透明模式下不可用。请

 

第 194 页 配置加密策略

NAT

配置策略的 NAT 选项。NAT 把策略接收到的数据包的源地址和源端口进行转换。如 果您选择了 NAT,您还可以选择一个动态 IP 池和一个固定的端口。NAT 在透明模式下 不可用。

动态 IP 池 选择动态 IP 池可以将源地址转换为从此策略添加到目的接口的 IP 池中随机

选择的一个地址。要添加 IP 池,请见 第 165 页 IP 池

固定端口 选择固定端口可以防止 NAT 转换源端口。如果源端口改变了,有些应用程序 将无法工作。如果选择了固定端口,必须也选择动态 IP 池并为策略的目的网 络接口上添加一个动态 IP 池的地址范围。如果没有选择动态 IP 池,使用固 定端口的策略一次只允许一个连接使用某个端口的服务。

VPN 通道

为加密策略选择 VPN 通道。可以选择一个自动密钥交换的 VPN 通道或者手工密钥交 换的 VPN 通道。VPN 通道在透明模式下不可用。

允许向内 选择允许向内 可以使远程 VPN 网关后面的用户能够连接到策略的源地址

上。

允许向外 选择允许向外 可以使用户能够连接到远程 VPN 网关后面的目的地址上。

向内 NAT 选择向内 NAT 可以把向内传输的数据包的源地址转换为 FortiGate 的内部

IP 地址。

向外 NAT 选择向外 NAT 可以把向外发送的数据包的源地址转换为 FortiGate 的外部 IP 地址。

148

美国飞塔有限公司

Page 160
Image 160
Fortinet 500 manual Vpn 通道, 148

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.