Configuring firewall policies Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
396 01-410-89802-20090903
http://docs.fortinet.com/Feedback
Adding authentication to firewall policies
If you select Enable Identity Based Policy in a firewall policy, network users must first
send traffic that uses one of the supported firewall authentication protocols to trigger the
firewall authentication challenge, and must authenticate successfully, before the FortiGate
unit allows any other traffic that matches the firewall policy.
User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet
Which authentication style applies depends on which of these supported protocols you have
included in the selected firewall service group, and on which of those enabled protocols the
network user uses to trigger the authentication challenge. There are two authentication
styles. For certificate-based authentication (HTTPS, or HTTP redirected to HTTPS, only), you
must install customized certificates on the FortiGate unit and in the browsers of network
users; the FortiGate unit matches these certificates. For user name and password-based
authentication (HTTP, FTP, and Telnet), the FortiGate unit prompts network users to enter
their firewall user name and password.
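One practical consequence of the rule above: an identity-based policy whose service set contains none of HTTP, HTTPS, FTP or Telnet can never raise the challenge, so no user can ever authenticate and the policy passes nothing. The following added audit script (not from the guide or from Fortinet) parses a constructed FortiOS-style policy configuration and flags such policies; the CLI field names (identity-based, service, action), the nested identity-based-policy block and the ANY/ALL catch-all service names are assumptions about the CLI, not taken from this page.

```python
import shlex
# Services the guide lists as triggering the challenge; ANY/ALL are assumed catch-all names.
AUTH_TRIGGER = {"HTTP", "HTTPS", "FTP", "TELNET", "ANY", "ALL"}

# Constructed sample in FortiOS CLI syntax; the field names (identity-based, service,
# action) and the nested sub-policy block are assumptions, not taken from this page.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set action accept
        set identity-based enable
        config identity-based-policy
            edit 1
                set service "HTTP" "HTTPS"
            next
        end
    next
    edit 2
        set action accept
        set identity-based enable
        set service "DNS" "SMTP"
    next
end
"""

def parse_policies(text):
    """One dict per 'edit' directly under 'config firewall policy'; 'set' lines in
    nested identity-based sub-policies are folded into the parent policy."""
    policies, cur, depth = [], None, 0
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            depth += 1
            if tok[0] == "edit" and depth == 2:
                cur = {"id": tok[1], "service": set(), "identity-based": "disable"}
        elif tok[0] == "set" and cur is not None:
            if tok[1] == "service":
                cur["service"] |= {s.upper() for s in tok[2:]}
            else:
                cur[tok[1]] = tok[2]
        elif tok[0] in ("next", "end"):
            depth -= 1
            if tok[0] == "next" and depth == 1:
                policies.append(cur)
    return policies

def unreachable_identity_policies(policies):
    """IDs of identity-based policies whose services can never raise the challenge (they pass nothing)."""
    return [p["id"] for p in policies
            if p["identity-based"] == "enable" and not (p["service"] & AUTH_TRIGGER)]
```

Run against the sample, policy 2 is reported because DNS and SMTP traffic never triggers the authentication challenge.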
Traffic Priority
    Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit
    manages the relative priorities of different types of traffic. For example, a policy
    for connecting to a secure web server that must support e-commerce traffic should be
    assigned a high traffic priority. Less important services should be assigned a low
    priority. The firewall provides bandwidth to low-priority connections only when
    bandwidth is not needed for high-priority connections.
    Be sure to enable traffic shaping on all firewall policies. If you do not apply any
    traffic shaping rule to a policy, the policy is set to high priority by default.
    Distribute firewall policies over all three priority queues.
Reverse Direction Traffic Shaping
    Select to enable reverse traffic shaping. For example, if the traffic direction that
    a policy controls is from port1 to port2, selecting this option also applies the
    policy's shaping configuration to traffic from port2 to port1.
Log Allowed Traffic
    Select to record messages to the traffic log whenever the policy processes a
    connection. You must also enable the traffic log for a logging location (syslog,
    WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
    severity level to Notification or lower using the Log and Report screen. For more
    information, see “Log&Report” on page 709.
Log Violation Traffic
    Available only if Action is set to DENY. Select Log Violation Traffic, for Deny
    policies, to record messages to the traffic log whenever the policy processes a
    connection. You must also enable the traffic log for a logging location (syslog,
    WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
    severity level to Notification or lower using the Log and Report screen. For more
    information, see “Log&Report” on page 709.
Enable Endpoint NAC
    Select to enable the Endpoint NAC feature. From the list, select the Endpoint NAC
    profile to apply. For more information, see “Endpoint NAC” on page 695.
    Notes:
    • You cannot enable Endpoint NAC in firewall policies if Redirect HTTP Challenge to
      a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
    • If the firewall policy involves a load balancing virtual IP, the Endpoint NAC check
      is not performed.
Comments
    Add information about the policy. The maximum length is 63 characters.