Configuring Firewall Policies - Fortinet FortiGate Series Administration Manual

Firewall Policy

Configuring firewall policies

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Profile: The protection profile that is associated with the policy.
Action: The response to make when the policy matches a connection attempt.
Status: Select the checkbox to enable a policy or deselect it to disable a policy. See "Enabling and disabling policies" on page 389.
From: The source interface.
To: The destination interface.
VPN Tunnel: The VPN tunnel the VPN policy uses.
Authentication: The user authentication method the policy uses.
Comments: Comments entered when creating or editing the policy.
Log: A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.
Count: The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list. For more information, see "Moving a policy to a different position in the policy list" on page 388.
You can configure firewall policies to define which sessions will match the policy and what actions the FortiGate unit will perform with packets from matching sessions.

Sessions are matched to a firewall policy by considering these features of both the packet and the policy:

- Source Interface/Zone
- Source Address
- Destination Interface/Zone
- Destination Address
- Schedule and the time of the session's initiation
- Service and the packet's port numbers

If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.

- ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply to interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see "Overview of IPSec VPN configuration" on page 611.
- DENY policy actions block communication sessions, and may optionally log the denied traffic.
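As an added example (not Fortinet code or configuration), the following Python models the matching described above: the six criteria checked against a session's initial packet, top-down first-match evaluation with an implicit deny when no policy matches, and the packet/byte hit counter shown in the Count column. The interfaces, addresses, business-hours schedule and telnet session are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model of a FortiGate-style policy list (not Fortinet code). A session
# is a dict with keys src_intf, dst_intf, src_ip, dst_ip, proto, dport and hour.
@dataclass
class Policy:
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str               # CIDR, or "all"
    dst_addr: str               # CIDR, or "all"
    service: frozenset          # {(proto, dport), ...} or frozenset({"ALL"})
    schedule: tuple = (0, 24)   # active hours [start, end); (0, 24) means always
    action: str = "ACCEPT"      # ACCEPT or DENY (IPSEC and SSL-VPN not modelled)
    count: list = field(default_factory=lambda: [0, 0])  # [packets, bytes]

def in_addr(spec: str, ip: str) -> bool:
    return spec == "all" or ip_address(ip) in ip_network(spec)

def matches(p: Policy, s: dict) -> bool:
    """All six criteria must match the session's initial packet."""
    start, end = p.schedule
    return ((p.src_intf, p.dst_intf) == (s["src_intf"], s["dst_intf"])
            and in_addr(p.src_addr, s["src_ip"]) and in_addr(p.dst_addr, s["dst_ip"])
            and ("ALL" in p.service or (s["proto"], s["dport"]) in p.service)
            and start <= s["hour"] < end)

def handle_session(policies, s: dict, packet_sizes):
    """Top-down first match; its action covers the whole session. No match is an implicit deny."""
    for p in policies:
        if matches(p, s):
            p.count[0] += len(packet_sizes)   # every packet of the session hits the policy
            p.count[1] += sum(packet_sizes)
            return p.action, p.name
    return "DENY", None

def count_text(p: Policy) -> str:
    """Render the Count column: 5/50B means five packets and 50 bytes in total."""
    return f"{p.count[0]}/{p.count[1]}B"

# Constructed policies: a narrow DENY placed above a broad, business-hours ACCEPT.
POLICIES = [
    Policy("block-telnet", "internal", "wan1", "all", "203.0.113.10/32",
           frozenset({("tcp", 23)}), action="DENY"),
    Policy("lan-to-internet", "internal", "wan1", "10.0.0.0/8", "all",
           frozenset({"ALL"}), schedule=(8, 18)),
]
# Constructed session: a telnet connection from the LAN during business hours.
TELNET = dict(src_intf="internal", dst_intf="wan1", src_ip="10.1.2.3",
              dst_ip="203.0.113.10", proto="tcp", dport=23, hour=10)
```

Evaluating the same telnet session against `POLICIES` and against `POLICIES[::-1]` shows why the narrow DENY must sit above the broad ACCEPT: with the order reversed the telnet session is accepted, which is the usual way a policy-list ordering mistake surfaces.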