FortiGate Administration Guide - FirewallShop.com

Firewall Policy
Configuring firewall policies
Destination
Interface/Zone
Destination
Address
Schedule
Service
Action
Select the name of the FortiGate interface or zone to which IP packets
are forwarded. Interfaces and zones are configured on the System
Network page. See “Interface” on page 79 for information about
interfaces. See “Zone” on page 98 for information about zones.
If Action is set to IPSEC, the interface is associated with the entrance
to the VPN tunnel.
If Action is set to SSL-VPN, the interface is associated with the local
private network.
Select the name of a previously defined IP address to associate with
the destination interface or zone, or select Create New to define a new
IP address.
f you want to associate multiple addresses or address groups to the
interface/zone, select Multiple beside Destination Address. In the popup
window, move the addresses or address groups from the Available
Addresses box to the Members box, then select OK.
A packet must have the associated IP address in its header to be
subject to the policy. Addresses can be created in advance.
See “Configuring addresses” on page 291.
If Action is set to IPSEC, the address is the private IP address to which
packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Select a one-time or recurring schedule that controls when the policy is
available to be matched with communication sessions. Schedules can
be created in advance by going to Firewall > Schedule. See “Firewall
Schedule” on page 301.
You can also select Create New to create a Recurring or One-time
schedule during policy configuration. Add the information required for
the recurring or one-time schedule and select OK. The new schedule is
added to the Schedule list.
Select the name of a service or service group that matches the service
or protocol of the packets to be matched with this policy. Select from a
wide range of predefined services. Custom services can be created in
advanced by going to Firewall > Service > Custom. Service groups can
be created in advance by going to Firewall > Service > Group. See
“Configuring custom services” on page 297 and “Configuring service
groups” on page 300.
You can select Create New to create a custom service or a service
group during policy configuration. Add the information required for the
custom service or service group and select OK. The new custom
service or service group is added to the Service list.
By selecting the Multiple button beside Service, you can select multiple
services or service groups.
Select how you want the firewall to respond when a packet matches the
conditions of the policy.
ACCEPT
DENY
IPSEC
SSL-VPN
Accept traffic matched by the policy. You can configure
NAT, protection profiles, log traffic, shape traffic, set
authentication options, or add a comment to the policy.
Reject traffic matched by the policy. The only other
configurable policy options are to log traffic (to log the
connections denied by this policy) or add a comment.
Configure an IPSec firewall encryption policy, which
causes the FortiGate unit to process IPSec VPN packets.
See “IPSec firewall policy options” on page 280.
Configure an SSL-VPN firewall encryption policy, which
causes the FortiGate unit to accept SSL VPN traffic. This
option is available only after you have added a SSL-VPN
user group. See “SSL-VPN firewall policy options” on
page 281.
FortiGate Version 3.0 MR5 Administration Guide
01-30005-0203-20070830 273