虚拟 IP

防火墙配置

 

 

虚拟 IP

NAT 模式的安全策略可以对较不安全的网络隐藏较安全的网络中的地址。要允许从 一个较不安全的网络连接到一个较安全的网络中的某个地址上,您必须创建一个从较 不安全的网络中的地址到较安全的网络中的地址的映射。这个映射称为虚拟 IP。

例如,如果在您的 DMZ 网络中有一台提供 Web 服务的电脑,它可以使用一个诸如

10.10.10.3的私有 IP。为了让互联网内的数据包能够达到网页服务器,您必须为网页 服务器提供一个互联网上的外部地址。然后需要添加一个虚拟 IP 地址把 Web 服务器的 外部地址映射到位于 DMZ 网络中的 Web 服务器的真实地址上。为了允许从互联网到网 页服务器的连接,必须添加一个外部 ->DMZ 的防火墙策略并把目的地址设置为这个虚 拟 IP。

您可以创建两种类型的虚拟 IP:

静态 NAT

用于把源网络中的地址转换成目的网络中的隐藏的地址。静态 NAT 把返回的

 

数据包的源地址转换为源网络中的地址。

端口转发

把一个源网络中的地址和端口号转换成一个目的网络中的隐藏的地址,并且

 

可以选择是使用不同的端口号。使用端口转发功能,您还可以路由发往特

 

定端口和目的地址上的,与接收数据包的网络接口相匹配的数据包。这个技

 

做端口转发或者端口地址转换 (PAT)。也可以使用端口转发功能改变被

 

转发的数据包的目的端口。

本节讨论了以下内容: ·添加静态 NAT 虚拟 IP ·添加端口转发虚拟 IP ·添加使用虚拟 IP 的策略

添加静态 NAT 虚拟 IP

1 进入 防火墙 > 虚拟 IP

2 单击 新建 以添加一个虚拟 IP。

3 输入虚拟 IP 的

这个名字可以包含数字 (0-9),大写或者小写字母 (A-Z,a-z),以及特殊字符 - 和 _。不允许使用其它特殊字符和空格符。

4 选择这个虚拟 IP 的外部网络接口。

外部接口是安全程度较低的区域中的网络接口。它接收数据包,并转发到安全程度较 高的区域中。

您可以选择一个防火墙接口或者一个 VLAN 子接口。

5 确保类型被设置为 静态 NAT

6 外部 IP 地址 一栏,输入影射到网络中的地址的那个外部 IP 地址。

例如,如果虚拟 IP 提供了从互联网到 DMZ 网络或者内部网络上的一台 Web 服务器的访 问,那么外部 IP 地址应当是从您的 ISP 那里获得的一个为 Web 服务器准备的静态 IP 地址。这个地址必须是唯一的,不能被其它主机使用,也不能跟步骤 4 中选择的外部 网络接口的地址相同。而且,这个地址必须是可以在这个网络接口中路由的。

7 到 IP 栏,输入在目的网络中的真实 IP。例如,您的内部网络中的 Web 服务器 的 IP 地址。

162

美国飞塔有限公司

Page 174
Image 174
Fortinet 500 manual 162, 本节讨论了以下内容: ·添加静态 Nat 虚拟 Ip ·添加端口转发虚拟 Ip ·添加使用虚拟 Ip 的策略

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.