Firewall configuration

Adding firewall policies

Destination

Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone. For information about adding an address, see “Addresses” on page 197.

For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 208.

Schedule

Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 205.

Service

Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See “Services” on page 200.

Action

Select how you want the firewall to respond when the policy matches a connection attempt.

ACCEPT

Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy.

DENY

Deny the connection. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy.

ENCRYPT

Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See “Configuring encrypt policies” on page 245.
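As an added illustration of how the Destination, Schedule, Service and Action fields combine (this example is not from the FortiGate guide), the following Python model walks a policy list top-down and returns the action of the first policy whose destination address, service and schedule all match the packet. The address, service and schedule tables, the sample policy list, and the implicit unlogged deny for packets that match no policy are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed address book (hypothetical names and ranges); an address group is
# simply a name that maps to several ranges, like the groups in the guide.
ADDRESSES = {"all": ["0.0.0.0/0"], "Web_Server": ["192.0.2.10/32"],
             "Mail_Servers": ["192.0.2.20/32", "192.0.2.21/32"]}
# Constructed services as (protocol, port); ANY matches every packet.
SERVICES = {"HTTP": ("tcp", 80), "SMTP": ("tcp", 25), "ANY": (None, None)}
# Constructed schedules as (weekdays, start hour, end hour); None means always.
SCHEDULES = {"always": None, "Business_Hours": ({0, 1, 2, 3, 4}, 8, 18)}
@dataclass
class Policy:
    dstaddr: str
    service: str
    action: str                 # ACCEPT, DENY or ENCRYPT, as in the guide
    schedule: str = "always"
    log_traffic: bool = False
    nat: bool = False
    authentication: bool = False

    def __post_init__(self):
        # Guide: DENY allows only Log Traffic; ENCRYPT cannot use authentication.
        if (self.action == "DENY" and (self.nat or self.authentication)
                or self.action == "ENCRYPT" and self.authentication):
            raise ValueError(f"option not allowed on a {self.action} policy")

def _addr_ok(name, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in ADDRESSES[name])

def _service_ok(name, proto, port):
    return SERVICES[name][0] is None or SERVICES[name] == (proto, port)

def _schedule_ok(name, when):
    s = SCHEDULES[name]
    return s is None or (when.weekday() in s[0] and s[1] <= when.hour < s[2])

def match_policy(policies, dst_ip, proto, port, when_iso):
    """Top-down first match over the policy list; returns (action, log_traffic)."""
    when = datetime.fromisoformat(when_iso)
    for p in policies:
        if (_addr_ok(p.dstaddr, dst_ip) and _service_ok(p.service, proto, port)
                and _schedule_ok(p.schedule, when)):
            return p.action, p.log_traffic
    return "DENY", False  # assumed implicit, unlogged deny (not stated on this page)
POLICIES = [Policy("Web_Server", "HTTP", "ACCEPT", nat=True),  # constructed list;
            Policy("Mail_Servers", "SMTP", "ACCEPT", schedule="Business_Hours"),
            Policy("all", "ANY", "DENY", log_traffic=True)]    # first match wins
```

Because the walk stops at the first match, a broad DENY placed above a narrower ACCEPT silently shadows it, which is the usual cause of "the policy exists but traffic is still dropped" tickets.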

FortiGate-800 Installation and Configuration Guide

191