Fortinet FortiGate Series Administration Manual page 401

Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Configuring firewall policies

Source Interface/Zone
    Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.

Source Address
    Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see "Configuring addresses" on page 423.
    If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
    If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone
    Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address
    Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see "Configuring addresses" on page 423.
    If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
    If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see "Firewall Virtual IP" on page 447.
    If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
    If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Action
    Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.

SSL Client Certificate Restrictive
    Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength
    Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.

User Authentication Method
    Select the authentication server type by which the user will be authenticated:
    Any      For all of the above authentication methods. Local is attempted first, then RADIUS, then LDAP.
    Local    For a local user group that will be bound to this firewall policy.
    RADIUS   For remote clients that will be authenticated by an external RADIUS server.
    LDAP     For remote clients that will be authenticated by an external LDAP server.
    TACACS+  For remote clients that will be authenticated by an external TACACS+ server.
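How these fields together gate an SSL-VPN connection, as an added Python model written for this page (it is not Fortinet code and does not reproduce FortiOS internals); the interface names, address book entries and authentication backends are constructed for the illustration:

```python
import ipaddress

# Cipher Strength levels exactly as the page lists them (minimum key bits).
CIPHER_MIN_BITS = {"Any": 0, "Medium": 128, "High": 164}

# Constructed firewall address book: name -> CIDR. "all" is the any-address entry
# that a web-only mode SSL-VPN policy uses as its Source Address.
ADDRESS_BOOK = {
    "all": "0.0.0.0/0",
    "SSL_tunnel_clients": "10.254.254.0/24",   # range reserved for tunnel mode clients
    "Internal_web_server": "192.168.1.10/32",  # host remote clients must reach
}

def address_matches(ip, names):
    """True if ip falls inside any of the named firewall addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)

def policy_matches(policy, src_intf, src_ip, dst_intf, dst_ip):
    """A packet is subject to the policy only if interface and address match on both ends."""
    return (src_intf == policy["src_intf"] and address_matches(src_ip, policy["src_addrs"])
            and dst_intf == policy["dst_intf"] and address_matches(dst_ip, policy["dst_addrs"]))

def cipher_allowed(policy, negotiated_bits):
    """The client's negotiated cipher must meet the configured Cipher Strength."""
    return negotiated_bits >= CIPHER_MIN_BITS[policy["cipher_strength"]]

def authenticate(policy, user, password, backends):
    """Return the name of the backend that accepted the user, or None.
    For 'Any' the page states the order: Local first, then RADIUS, then LDAP."""
    method = policy["auth_method"]
    order = ["Local", "RADIUS", "LDAP"] if method == "Any" else [method]
    for name in order:
        if backends[name](user, password):
            return name
    return None

# Constructed tunnel mode policy mirroring the fields above (interface names assumed).
TUNNEL_POLICY = {
    "src_intf": "wan1", "src_addrs": ["SSL_tunnel_clients"],
    "dst_intf": "internal", "dst_addrs": ["Internal_web_server"],
    "cipher_strength": "High", "auth_method": "Any",
}

# Constructed stand-ins for the authentication servers; each returns True on success.
BACKENDS = {
    "Local":   lambda u, p: (u, p) == ("alice", "local-secret"),
    "RADIUS":  lambda u, p: (u, p) == ("bob", "radius-secret"),
    "LDAP":    lambda u, p: (u, p) == ("carol", "ldap-secret"),
    "TACACS+": lambda u, p: False,
}
```

Note that with Any, a user rejected by Local is still tried against RADIUS and LDAP, so a lockout configured only on one server does not by itself block the login.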