Fortinet 100A User Manual
Page 193
Firewall
Policy options
FortiGate-100A Administration Guide
01-28007-0068-20041203
193
Action
Select how you want the firewall to respond when the policy matches
a connection attempt.
•
ACCEPT: Select accept to accept connections matched by the
policy. You can also configure NAT and Authentication for the policy.
•
DENY: Select deny to reject connections matched by the policy.
the connection. The only other policy option that you can configure is
Log Traffic, to log the connections denied by this policy.
•
ENCRYPT: Select encrypt to make this policy an IPSec VPN
policy. When encrypt is selected the VPN Tunnel Options appear. You
can select an AutoIKE Key or Manual Key VPN tunnel for the policy
and configure other IPSec settings. You cannot add authentication to
an ENCRYPT policy.
VPN Tunnel
Select a VPN tunnel for an ENCRYPT policy. You can select an
AutoIKE key or Manual Key tunnel.
•
Allow Inbound: Select Allow inbound so that users behind the
remote VPN gateway can connect to the source address.
•
Allow outbound: Select Allow outbound so that users can connect
to the destination address behind the remote VPN gateway.
•
Inbound NAT: Select Inbound NAT to translate the source address
of incoming packets to the FortiGate internal IP address.
•
Outbound NAT: Select Outbound NAT to translate the source
address of outgoing packets to the FortiGate external IP address.
NAT
Select NAT to enable Network Address Translation for the policy. NAT
translates the source address and port of packets accepted by the
policy. If you select NAT, you can also select Dynamic IP Pool and
Fixed Port. NAT is not available in Transparent mode.
•
Dynamic IP Pool: Select Dynamic IP Pool to translate the source
address to an address randomly selected from the IP pool. An IP pool
dropdown list appears when the policy destination interface is the
same as the IP pool interface.
You cannot select Dynamic IP Pool if the destination interface or
VLAN subinterface is configured using DHCP or PPPoE.
See
.
•
Fixed Port: Select Fixed Port to prevent NAT from translating the
source port. Some applications do not function correctly if the source
port is changed. If you select Fixed Port, you must also select
Dynamic IP Pool and add a dynamic IP pool address range to the
destination interface of the policy. If you do not select Dynamic IP
Pool, a policy with Fixed Port selected can only allow one connection
at a time for this port or service.
Protection Profile
Select a protection profile to configure how antivirus and IPS
protection, web, web content, and spam filtering are applied to the
policy. See
“Protection profile” on page 222
. If you are configuring
authentication in the advanced settings, you do not need to choose a
protection profile since the user group chosen for authentication are
already tied to protection profiles.
Log Traffic
Select Log Traffic to record messages to the traffic log whenever the
policy processes a connection. You must also enable traffic log for a
logging location (syslog, WebTrends, local disk if available, memory,
or FortiLog) and set the logging severity level to Notification or lower.
For information about logging see
Advanced
Select advanced to show more options.