IPSec VPN

冗余 IPSec VPN

 

 

向内 NAT 如果需要,选择向内 NAT。

向外 NAT 如果需要,选择向外的 NAT。

请见 第 196 页 添加一个加密策略

6 按照如下顺序排列策略:

·向外加密策略 ·向内加密策略

·默认的非加密策略 (内部 _ 全部 -> 外部 _ 全部)

注意:为了允许 VPN 辐条访问其他网络,例如互联网,默认的非加密策略是须的。

冗余 IPSec VPN

为了保证一个 IPSec VPN 通道的连续有效,您可以配置本地 FortiGate 设备和远程 VPN 端点 (远程网关)之间的多重连接。使用了冗余配置后,如果一个连接失败了, FortiGate 设备将使用其他连接建立通道。

配置由每个 VPN 端点拥有的到互联网的连接数量决定。例如,如果本地 VPN 端点有 两个到互联网的连接,那么它可以提供两个到远程 VPN 端点的冗余连接。

单独一个 VPN 端点最多可以配置三个冗余连接。

VPN 连接双方不需要具有相同的互联网连接数。例如,在两个 VPN 端点之间,一个 可以有多个到互联网的连接,而另一个可以只有一个到互联网的连接。当然,使用不 对称的配置的情况下,VPN 的一端的冗余级别和另一端不同。

注意:IPSec 冗余只能应用于有静态 IP 地址和使用预置密钥或数字证书此认证的 VPN 端点。 它不能应用于使用动态分配 IP 地址 (拨号用户)的 VPN 端点。它也不能应用于使用手工密钥的 VPN 端点。

配置冗余 IPSec VPN

在配置 VPN 之前,确保两个 FortiGate 设备都有到互联网的多重连接。对于每个设 备,首先添加多个 (两个或更多)外部接口。然后将每个接口分配到一个外部区域。 最后,为每个接口添加到互联网的路由。

使用对称的设置配置两个 FortiGate 设备到互联网的连接。例如,如果远程 FortiGate 设备有两个外部接口并被分组到同一区域内,那么本地的 FortiGate 设备应 当也有两个在同一区域内的外部接口。

类似地,如果远程 FortiGate 设备有两个外部接口并且在不同的区域中,那么本地 FortiGate 设备应当也有两个在不同区域中的外部接口。

如果所有的外部接口都分组在同一区域内,配置将比接口在不同区域内简单。然 而,处于安全角度考虑,或者其他原因,可能无法这样配置。

当您定义完了两个 FortiGate 设备到互联网的连接后,您可以开始配置 VPN 通道。

FortiGate-500 安装和配置指南

201

Page 213
Image 213
Fortinet 500 manual 配置冗余 IPSec VPN, 201, 请见 第 196 页 添加一个加密策略 。

500 specifications

Fortinet 500 is a next-generation firewall (NGFW) that is part of Fortinet's acclaimed FortiGate family, designed to provide advanced security for medium to large enterprises. This appliance is known for its high performance, flexibility, and ability to protect networks from a variety of cyber threats through its robust features and technologies.

One of the main features of the Fortinet 500 is its integrated security capabilities. It combines multiple security functions into a single device, allowing organizations to manage everything from intrusion prevention and antivirus to web filtering and application control. This integration leads to simplified management and increased efficiency, as users can address multiple security needs without deploying multiple devices.

The Fortinet 500 runs on the FortiOS operating system, which is known for its simplicity and user-friendliness. FortiOS provides a centralized management interface that allows for the easy configuration and monitoring of security policies across the entire network. Additionally, the Fortinet management tools, such as FortiManager and FortiAnalyzer, enable detailed insights and reporting capabilities, helping organizations stay compliant with their security mandates.

Another characteristic that sets Fortinet 500 apart is its advanced threat intelligence, powered by the FortiGuard Labs. This global threat intelligence system continuously updates the firewall with the latest threat signatures and attack vectors, ensuring that organizations stay ahead of emerging threats. The firewall also employs machine learning and artificial intelligence to detect and mitigate sophisticated attacks in real-time.

Performance is crucial in any security appliance, and the Fortinet 500 does not disappoint. With hardware acceleration and purpose-built security processors, it delivers high throughput levels, enabling organizations to maintain productivity without sacrificing security. This level of performance is particularly beneficial in environments with heavy traffic and bandwidth demands.

In addition to these core features, the Fortinet 500 supports seamless integration with other security solutions within the Fortinet Security Fabric. This comprehensive approach allows for greater visibility and control over the entire security posture of an organization.

Overall, the Fortinet 500 is a powerful NGFW that offers a blend of advanced security features, ease of management, top-notch performance, and robust threat intelligence. Its ability to adapt to the ever-evolving landscape of cybersecurity makes it a valuable asset for businesses seeking to safeguard their digital assets and ensure seamless network operation.