Fortinet FortiGate Series Administration Manual page 394

Configuring firewall policies 394

Destination Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see "Configuring interfaces" on page 177 and "Configuring zones" on page 198.
If you select Any as the destination interface, the policy matches all interfaces as destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address
Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list. For more information, see "Configuring addresses" on page 423.
If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see "Firewall Virtual IP" on page 447.
If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Schedule
Select a one-time or recurring schedule or a schedule group that controls when the policy is in effect.
You can also create schedules by selecting Create New from this list. For more information, see "Firewall Schedule" on page 437.

Service
Select the name of a firewall service or service group that packets must match to trigger this policy.
You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see "Configuring custom services" on page 433 and "Configuring service groups" on page 435.
By selecting the Multiple button beside Service, you can select multiple services or service groups.

Action
Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.

ACCEPT
Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.

DENY
Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic, to log the connections denied by this policy, and Comment.

IPSEC
You can configure an IPSec firewall encryption policy to process IPSec VPN packets, as well as configure protection profiles, log traffic, shape traffic or add a comment to the policy. See "IPSec firewall policy options" on page 399.

SSL-VPN
You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See "Configuring SSL VPN identity-based firewall policies" on page 400.

Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
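As an added example that is not part of the Fortinet guide, the same fields set from the FortiOS CLI (config firewall policy) rather than the web UI: one ACCEPT policy with NAT and logging beside one DENY policy that only logs violation traffic and carries a comment. The interface names (internal, wan1), the "all" and "ANY" objects, the policy IDs and the source-side fields are assumed for illustration.

```fortios
# Added example, not from the guide. Interface names, addresses and policy IDs are constructed.
config firewall policy
    # Policy 1: Action = ACCEPT, so NAT, logging and a comment are all available.
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set logtraffic enable
        set comments "Web browsing from internal to wan1, logged"
    next
    # Policy 2: Action = DENY, so the only other options are Log Violation Traffic and Comment.
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set comments "Deny everything else from internal to wan1, logged"
    next
end
```

The `#` lines are annotations for reading; the FortiGate CLI does not accept inline comments, so remove them before pasting the block into a console session.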
01-410-89802-20090903
http://docs.fortinet.com/