Fortinet FortiGate Series Administration Manual page 395

Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
NAT
Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.

Dynamic IP Pool
Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from the addresses in the IP pool.
IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP pools are bound.
You cannot use IP pools when using zones. An IP pool can only be associated with an interface.
For details, see "IP pools" on page 463.

Fixed Port
Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If Dynamic IP Pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.
Note: Fixed Port is only visible if enabled from the CLI.
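The NAT, Dynamic IP Pool and Fixed Port behaviour described above, written out as FortiOS 4.0-style CLI configuration. This is an added example, not text from the manual: the interface, address, pool and VIP names and the RFC 5737 addresses are placeholders, and the keyword syntax is assumed to be the CLI equivalent of the GUI options described.

```text
# Constructed example: an IP pool must exist and be bound to the egress
# interface before "Dynamic IP Pool" can be selected in a policy.
config firewall ippool
    edit "snat-pool"
        set startip 203.0.113.10
        set endip 203.0.113.20
    next
end

# Policy 1: outbound traffic with NAT, Dynamic IP Pool and Fixed Port.
# With "fixedport enable" but no pool, every session would share one egress
# address and keep its source port, so only one connection per service fits.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set ippool enable
        set poolname "snat-pool"
        set fixedport enable
    next
end

# Policy 2: inbound traffic to a virtual IP with NAT left disabled.
# Only destination NAT is done (203.0.113.5 -> 10.0.0.5); the client's real
# source address reaches the server, so server logs still show the client.
config firewall vip
    edit "web-vip"
        set extintf "wan1"
        set extip 203.0.113.5
        set mappedip 10.0.0.5
    next
end
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end
```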
Enable Identity Based Policy
Select to configure firewall policies that require authentication. For more information, see "Adding authentication to firewall policies" on page 479.

User Authentication Disclaimer
Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination.
You can use the disclaimer together with authentication or a protection profile.

Redirect URL
Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.

Protection Profile
Select a protection profile to apply to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see "Firewall Protection Profile" on page 396.
If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see "Adding authentication to firewall policies" on page 441.

Traffic Shaping
Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
For information about traffic shaping, see "Traffic Shaping" on page 396.
Note: To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting.
Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.

Guaranteed Bandwidth
Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.

Maximum Bandwidth
Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.

Configuring firewall policies
