Table of Contents
Advertisement
You can also select Insert Policy before
specific policy.
•
Configure the policy:
Select an address or address group that matches the source address of the packet. Before you
Source
can add this address to a policy, you must add it to the source interface. To add an address, see
Addresses.
Select an address or address group that matches the destination address of the packet. Before
you can add this address to a policy, you must add it to the source interface. To add an address,
Destination
see Addresses.
For an Ext -> Int NAT mode policy, the destination can also be a virtual IP that maps the
destination address to a hidden destination address on the internal network. See
Select a schedule that controls when the policy is available to be matched with connections. See
Schedule
Schedules.
Select a service that matches the service (or port number) of the packet. You can select from a
Service
wide range of predefined services or add custom services and service groups. See Services.
Action
Select how the firewall should respond when the policy matches a connection attempt.
Accept the connection. If you select ACCEPT, you can also configure NAT and Authentication for
ACCEPT
the policy.
DENY
Deny the connection.
Make this policy an IPSec VPN policy. If you select ENCRYPT, you can select an AutoIKE key or
ENCRYPT
Manual Key VPN tunnel for the policy and configure other IPSec settings. For ENCRYPT policies,
service is set to ANY and authentication is not supported
Configure the policy for NAT. NAT translates the source address and the source port of packets
NAT
accepted by the policy. If you select NAT, you can also select Dynamic IP Pool and Fixed Port.
Select Dynamic IP Pool to translate the source address to an address randomly selected from an
Dynamic IP
IP pool added to the destination interface of the policy. To add IP pools, see
Pool
You cannot select Dynamic IP Pool for Int -> Ext policies if the external interface is configured
using DHCP or PPPoE.
Select Fixed Port to prevent NAT from translating the source port. Some applications do not
function correctly if the source port is changed. If you select Fixed Port, you must also select
Fixed Port
Dynamic IP Pool and add a dynamic IP pool address range to the destination interface of the
policy. If you do not select Dynamic IP Pool, a policy with Fixed Port selected can only allow one
connection at a time for this port or service.
Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or Manual Key
VPN Tunnel
tunnel.
Allow
Select Allow inbound so that users behind the remote VPN gateway can connect to the source
inbound
address.
Allow
Select Allow outbound so that users can connect to the destination address behind the remote
outbound
VPN gateway.
Inbound
Select Inbound NAT to translate the source address of incoming packets to the DFL-500 NPG
NAT
internal IP address.
Outbound
Select Inbound NAT to translate the source address of outgoing packets to the DFL-500 NPG
NAT
external IP address.
Log Traffic
Select Log Traffic to write messages to the traffic log whenever the policy processes a connection.
Select Authentication and select a user group to require users to enter a user name and password
before the firewall accepts the connection. Select the user group to select the users that can
Authentication
authenticate with this policy. To add and configure user groups, see
must add user groups before you can select authentication.
You can select Authentication for any service. Users can authenticate with the firewall using HTTP,
DFL-500 User Manual
on a policy in the list to add the new policy above a
Virtual
IPs.
IP
pools.
Users and
authentication. You
25
Advertisement
Table of Contents
