防火墙配置

配置策略列表

 

 

本节讨论了以下内容: ·策略匹配的细节 ·更改策略列表中策略的顺序 ·启用和禁用策略

策略匹配的细节

当 FortiGate 从网络接口上收到一个连接请求时,它首先要选择一个策略列表,在 这个策略列表中查找与这个连接请求匹配的策略。FortiGate 根据连接请求的源地址和 目的地址决定使用哪个策略列表。

随后 FortiGate 从选定的策略列表的顶端开始向下搜索策略列表,查找第一个与连 接请求的源地址、目的地址、服务端口以及接收到连接请求的日期和时间相匹配的策 略。匹配的第一个策略将被应用于连接。如果没有找到匹配的策略,连接将被丢弃。

默认的策略接受所有的从内部网络到互联网的连接请求。用户可以从内部网络浏览 网页、使用 POP3 接收邮件、使用 FTP 通过 FortiGate 下载文件等等。如果 默认的策 略在内部 -> 外部策略列表的顶端,防火墙将允许全部从内部网络到互联网的连接,因 为所有的连接都和默认策略匹配。如果有其他特殊策略被添加到了策略列表并处在默 认策略的下方,他们永远也不会被匹配。

对于默认策略的例外策略,例如,一个阻塞 FTP 连接的策略,必须在内部 -> 外部 策略列表中位于默认策略的上方。在这个例子中,所有来自内部网络的 FTP 连接尝试 都与这个 FTP 策略匹配,于是被阻塞。而其它类型服务的连接请求将不会被这个 FTP 策略所匹配,但是它们能够匹配默认策略。于是,防火墙仍然接受来自内部网络的所 有其它连接。

注意:需要认证的策略必添加策略列表中不需认证的策略前面则,不需要认证的策略 先被匹配。

改策略列表中策略

1

进入 防火墙 > 策略

 

2

选择所要重新排序的策略列表的标签。

 

3

选择要移动的策略然后单击

以改变这个策略在策略列表中的位置。

4

动到 一栏输入一个数字以指定这个策略要移动到策略列表中的位置,单击

 

 

启用和策略

您可以启用和禁用策略列表中的策略以控制这个策略是否生效。FortiGate 匹配已 被启用了的策略,而不匹配被禁用的策略。

用一个策略

禁用一个策略可以暂时防止防火墙试图匹配这个策略。禁用一个策略不会中断当前 由这个策略建立的通讯会话。要中断活动的会话,请见 第 90 页 系统状态

1 进入 防火墙 > 策略

2 选择含有要禁用的策略的策略列表的标签。

3 清除要禁用的策略的选中标志。

FortiGate-500 安装和配置指南

151

Page 163
Image 163
Fortinet 500 manual 策略匹配的细节, 更改策略列表中策略的顺序, 启用和禁用策略, 禁用一个策略, 151

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.