IPSec VPN

自动 IKE IPSec VPN

 

 

加密方

选择 XAuth 客户端、FortiGate 设备和认证服务器之间的加密方法。

 

PAP ——密码认证协议。

 

CHAP ——挑战 - 握手认证协议。

 

——选择混合可以在 XAuth 客户端和 FortiGate 设备之间使用 PAP,

 

在 FortiGate 设备和认证服务器之间使用 CHAP。

 

只要可能就能使用 CHAP。如果认证服务器不支持 CHAP 则使用 PAP。(所有

 

的 LDAP 和部分微软 RADIUS 使用 PAP)。如果认证服务器支持 CHAP 但是

 

XAuth 客户端不支持 CHAP,就使用混合 (Fortinet 远程 VPN 客户端使用混

 

合)。

用户组

选择 XAuth 认证的一组用户。这个用户组中的单独的一个用户可以由本地认

 

证或者由一个或多个 LDAP 或 RADIUS 服务器认证。

 

在用户组被选中之前它必须被添加到 FortiGate 的配置中。

4 (可选的) NAT 跨越。

启用

选择启用,如果您希望 IPSec VPN 的数据流通过一个执行 NAT 的网关。如果

 

没有检测到 NAT 设备,启用 NAT 穿越功能不会有任何效果。在网关的两端必

 

须使用相同的 NAT 穿越设置。

如果启用了 NAT 穿越,则可以修改保持活动的时间间隔,以秒为单位。这个

 

时间间隔指定了空 UDP 包发送的频率,这个 UDP 包穿过 NAT 设备,以保证

 

NAT 映象不会改变,直到第一阶段和第二阶段的密钥过期。保持活动的时间

 

间隔可以从 0 一直到 900 秒。

5 (可选的)配置端点失效检测。

使用这些设置可以监视 VPN 双方的连接状态。DPD 允许清除已经失效的连接并建立新的 VPN 通道。不是所有的销商都支持 DPD。

启用

选择启用可以启用本地和远程端点之间的 DPD。

短时空闲

设置以秒为单位的时间。这是本地 VPN 端点需要考虑连接是否空闲之前所经

 

历的时间。在这段时间之后,当本地端点要向远程 VPN 端点发送通讯时,它

 

必须同时发送一个 DPD 探测,以判断连接的状态。要控制 FortiGate 设备用

 

来使用 DPD 探测检测失效端点的时间的长度,配置重试累计和重试间隔。

重试

设置本地 VPN 端点认为通道已经失效并断开安全联结之前使用 DPD 探测的重

 

复次数。根据您的网络的具体情况,将重试累计设置得足够高可以避免网络

 

拥塞或其他传输问题带来的影响。

重试间隔

设置以秒为单位的时间,它是本地 VPN 端点设备在两次 DPD 探测之间等待的

 

时间。

长时空闲

设置以秒为单位的时间。这是本地 VPN 端点在探测连接的状态之前需要等待

 

的时间。如果在本地端点和远程端点之间没有通讯,在经历了这段时间之后

 

本地端点将发送 DPD 探测以判断通道的状态。

6 单击确定以保存第一阶段参数。

FortiGate-500 安装和配置指南

187

Page 199
Image 199
Fortinet 500 manual 187, (可选的) Nat 跨越。, 单击确定以保存第一阶段参数。

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.