Firewall Policies - Fortinet FortiGate Series Install Manual

Firewall policies
Table 2: Default protection profiles

Strict: Applies maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances, but it is available when maximum protection is required.

Scan: Applies virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.

Web: Applies virus scanning and web content blocking to HTTP traffic.

Unfiltered: Applies no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
The best way to begin creating your own protection profile is to open a predefined profile. This way you can see how a profile is set up, and then modify it to suit your requirements. You access protection profile options by going to Firewall > Protection Profile, and selecting Edit for one of the predefined profiles.

Protection profiles are used by the firewall policies to determine how network and Internet traffic is controlled, scanned and, when necessary, rejected. The protection profiles can be considered the rules of the firewall policy. Because of this, you should take some time to review the various options to consider what you want the firewall policies to do. If, after setting the protection profile and firewall policies, traffic is not flowing or is flowing too much, verify your profile settings.
The number of options and configuration settings for the protection profile is too vast for this document. For details on each protection profile feature and setting, see the Administration Guide or the Fortinet Online Help.

Firewall policies are the instructions the Fortinet unit uses to decide what to do with a connection request. When the firewall receives a connection request, it analyzes it to extract its source address, destination address, and port number.

For the connection through the Fortinet unit to be successful, the source address, destination address, and service of the connection must match a firewall policy. The policy directs the firewall action for the connection. The action can be to allow the connection, deny the connection, require authentication before the connection is allowed, or process the packet as an IPSec VPN connection.

You can configure each firewall policy to route connections or apply network address translation (NAT) to translate source and destination IP addresses and ports. You also add protection profiles to firewall policies to apply different protection settings for the traffic controlled by firewall policies.

The Fortinet unit matches firewall policies by searching from the top of the firewall policy list and moving down until it finds the first match. It then implements the required address translation, blocking and other rules defined by the protection profile, and then passes on the packet information. This list order is important, because once the Fortinet unit finds a match to a policy, it will not continue down the list. You need to arrange policies in the policy list from more specific to more general.

For example, you may have two policies, one that blocks specific URLs or IP addresses, and another general policy that lets traffic through. If you put the general policy at the top, the Fortinet unit will act on the general policy, having determined that the policy has been matched, and then stop. The second policy will be ignored and the Fortinet unit will let the URLs or IPs you wanted blocked get through.
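To make the first-match ordering rule concrete, here is an added Python model of a top-down policy list (example code written for this page, not Fortinet's own implementation or data). The policy entries, addresses and ports are constructed samples; the shadowed_policies check is an added audit helper that flags any policy an earlier, broader policy prevents from ever matching, which is exactly the misordering the example above describes.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy list (not from Fortinet): evaluated top to bottom,
# the first matching entry decides. Each entry is
# (name, source network, destination network, service port or "ANY", action).
POLICIES_WRONG_ORDER = [
    ("general-allow", "10.0.0.0/8", "0.0.0.0/0", "ANY", "accept"),
    ("block-badhost", "10.0.0.0/8", "203.0.113.7/32", 80, "deny"),
]
# Same two policies, specific-before-general as the text recommends.
POLICIES_RIGHT_ORDER = list(reversed(POLICIES_WRONG_ORDER))


def policy_matches(policy, src, dst, port):
    """True if source, destination and service all match this policy."""
    _, src_net, dst_net, service, _ = policy
    return (ip_address(src) in ip_network(src_net)
            and ip_address(dst) in ip_network(dst_net)
            and service in ("ANY", port))


def evaluate(policies, src, dst, port):
    """First-match evaluation: stop at the first policy that matches.
    With no matching policy the connection is not allowed."""
    for policy in policies:
        if policy_matches(policy, src, dst, port):
            return policy[0], policy[4]
    return "no-match", "deny"


def shadowed_policies(policies):
    """Return (shadowed, shadowing) name pairs: a later policy whose source,
    destination and service are fully covered by an earlier one can never match."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (ip_network(later[1]).subnet_of(ip_network(earlier[1]))
                    and ip_network(later[2]).subnet_of(ip_network(earlier[2]))
                    and earlier[3] in ("ANY", later[3])):
                shadowed.append((later[0], earlier[0]))
                break
    return shadowed


if __name__ == "__main__":
    flow = ("10.1.2.3", "203.0.113.7", 80)
    print("wrong order:", evaluate(POLICIES_WRONG_ORDER, *flow))
    print("right order:", evaluate(POLICIES_RIGHT_ORDER, *flow))
    print("shadowed in wrong order:", shadowed_policies(POLICIES_WRONG_ORDER))
```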
Advanced configuration
FortiGate Version 4.0 Desktop Install Guide
01-400-95522-20090501
http://docs.fortinet.com/