IPSec VPN

配置加密策略

 

 

管加密策略同时控制进入和发出的连接,它须被配置成为一个向外的策略。一 个向外的策略具有一个内部网络的源地址和一个外部网络上的目的地址。源地址标识 VPN 在内部网络中的部分。目的地址标识了 VPN 在远程网络中的部分。型的向外策略 包括内部到外部的策略和 DMZ 到外部的策略。

注意:目的地址可以是互联网上的一个 VPN 客户端地址或是一个远程 VPN 网关后边的一个网络中 的地址。

除了用定义 VPN 成员的地址之外,您可以配置加密策略的服务,例如 DNS、FTP 和 POP3,以及根据预定义的时间表 (根据一当中的时间或者一周、月或年当中的日 期)来接受连接。您还可以配置加密策略的以下内容:

·向内 NAT 可以转换进入的数据包的源地址。

·向外 NAT 可以转换向外发出的数据包的源地址。

·流量控制 可以控制 VPN 可用的带宽和 VPN 的优先级。

·内容配置文件 可以对 VPN 中的网页、文件传输和电子邮件服务应用防病毒保护、网

页过滤和电子邮件过滤。

·日记记录 可以使 FortiGate 设备对所有使用 VPN 的连接记录日志。

策略须包含您所创建的用来和远程 FortiGateVPN 网关通讯的 VPN 通道。当您的 内部网络中的用户试图连接到远程 VPN 网关后面的网络中的时候,加密策略获这个 连接企图并发一个添加到这个策略的 VPN 通道。这个通道使用添加到它的配置中的 远程网关来连接到连接到远程 VPN 网关。当远程 VPN 网关接收到连接请求时,它检查 自的策略,网关和通道配置。如果配置允许,将在这两个 VPN 端点之间协商一个 IPSec VPN 通道。

·添加源地址 ·添加目的地址 ·添加一个加密策略

添加源地址

源地址是本地 VPN 端点所在的网络中的地址。它可以是一个单独的电脑的地址或是 一个网络的地址。

1 进入 防火墙 > 地址

2 选择一个内部接口。(根据 FortiGate 型号的不同,方法别。)

3 单击新建以添加一个地址。

4 输入本地 VPN 端点的内部接口上的单独电脑或是整个子网的地址名,IP 地址和网络

码。

5 单击确定以保存源地址。

添加目的地址

目的地址可以是互联网上的一个 VPN 客户端或是远程 VPN 网关后边的一个网络的地 址。

1 进入 防火墙 > 地址

2 选择一个外部接口。(根据 FortiGate 型号的不同,方法别。)

3 单击新建以添加一个地址。

FortiGate-500 安装和配置指南

195

Page 207
Image 207
Fortinet 500 manual 195, ·添加源地址 ·添加目的地址 ·添加一个加密策略

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.