Firewall configuration | Adding firewall policies
Destination
Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the destination interface, VLAN subinterface, or zone. For information about adding an address, see “Addresses” on page 197.
For NAT/Route mode policies where the address on the destination network is hidden from the source network using NAT, the destination can also be a virtual IP that maps the destination address of the packet to a hidden destination address. See “Virtual IPs” on page 208.
Schedule
Select a schedule that controls when the policy is available to be matched with connections. See “Schedules” on page 205.
Service
Select a service that matches the service (port number) of the packet. You can select from a wide range of predefined services or add custom services and service groups. See “Services” on page 200.
Action
Select how you want the firewall to respond when the policy matches a connection attempt.
| Action | Description |
|---|---|
| ACCEPT | Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for the policy. |
| DENY | Deny the connection. The only other policy option that you can configure is Log Traffic, to log the connections denied by this policy. |
| ENCRYPT | Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE Key or Manual Key VPN tunnel for the policy and configure other IPSec settings. You cannot add authentication to an ENCRYPT policy. ENCRYPT is not available in Transparent mode. See “Configuring encrypt policies” on page 245. |
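As an added illustration that is not part of the manual, the following Python models how the options above fit together: a policy matches a connection on destination address, service and schedule, the first matching policy decides, and each action restricts which other options (NAT, Authentication, Log Traffic, VPN tunnel) may be set. The address, service and schedule names and the sample policy list are constructed for this example, and the unlogged drop for unmatched connections is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the firewall's address, service and schedule
# tables (names and values are assumptions made for this example).
ADDRESSES = {"all": ["0.0.0.0/0"], "web_servers": ["192.0.2.10/32", "192.0.2.11/32"]}
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "DNS": ("udp", 53)}
SCHEDULES = {"always": (0, 24), "business_hours": (9, 17)}  # (start hour, end hour)

@dataclass
class Policy:
    dst: str              # address or address group name
    service: str
    schedule: str
    action: str           # ACCEPT, DENY or ENCRYPT
    log_traffic: bool = False
    nat: bool = False
    authentication: bool = False
    vpn_tunnel: str = ""  # AutoIKE Key or Manual Key tunnel name, for ENCRYPT

def validate(p):
    """Return the option restrictions that the policy violates for its action."""
    problems = []
    if p.action not in ("ACCEPT", "DENY", "ENCRYPT"):
        problems.append("unknown action")
    if p.action == "DENY" and (p.nat or p.authentication or p.vpn_tunnel):
        problems.append("DENY allows only Log Traffic as an extra option")
    if p.action == "ENCRYPT" and p.authentication:
        problems.append("ENCRYPT policies cannot use authentication")
    if p.action == "ENCRYPT" and not p.vpn_tunnel:
        problems.append("ENCRYPT policies need a VPN tunnel")
    return problems

def matches(p, dst_ip, proto, port, hour):
    """True when destination, service and schedule all match the connection."""
    in_dst = any(ip_address(dst_ip) in ip_network(n) for n in ADDRESSES[p.dst])
    start, end = SCHEDULES[p.schedule]
    return in_dst and SERVICES[p.service] == (proto, port) and start <= hour < end

def evaluate(policies, dst_ip, proto, port, hour):
    """First policy that matches decides; returns (action, logged)."""
    for p in policies:
        if matches(p, dst_ip, proto, port, hour):
            return p.action, p.log_traffic
    # Assumption for this example: a connection no policy matches is dropped unlogged.
    return "DENY", False

# Constructed sample policy list: permit HTTP to the web servers during
# business hours (with NAT, logged), then a logged catch-all deny for HTTP.
POLICIES = [
    Policy("web_servers", "HTTP", "business_hours", "ACCEPT", log_traffic=True, nat=True),
    Policy("all", "HTTP", "always", "DENY", log_traffic=True),
]
```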
191