Firewall policy examples Firewall Policy
FortiGate Version 4.0 MR1 Administration Guide
414 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
1 * 32,768 * 2 * 1 * 32,768 = 2,147,483,648.
A problem with this calculation is that not all 32,768 possible destination ports are used. In
fact for many organizations, must Internet traffic is web traffic using destination port 80
and all using the TCP protocol. So the pool size limit for web traffic to one destination IP
address from one NAT IP address using the TCP protocol would be N=1, R=32, 768, P=1,
D=1 and Dp=1:
1* 32,768 * 1 * 1 * 1 = 32,768
Using the topology in Figure 221 on page 410, for students simultaneously connecting to
the search engine, the social networking and the video sharing sites on TCP port 80 then
assuming each site uses one IP address a maximum of 32,768 simultaneous connections
are allowed to each site or 32,768 * 3 = 98,304 connections in total.
Many large public web sites may use round-robin DNS to rotate through at least four IP
addresses. If the search engine and the video sharing site did this with an even balance of
IP usage the result would be a maximum of 4 * 32,768 = 131,072 connections to the
search engine, 131,072 connections to the video sharing site and 32,768 connections to
the social networking site for a total of 294,912 different connections supported by the
single FortiGate unit with one NAT IP and for a total of 9 destination IP addresses and one
destination port.
Firewall policy examples
FortiGate units are capable of meeting various network requirements from home use to
SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical
applications of firewall policies in the SOHO and large enterprise environments.
This section describes:
• Scenario one: SOHO-sized business
• Scenario two: enterprise-sized business
• Viewing the firewall policy list
• Configuring firewall policies
Scenario one: SOHO-sized business
Company A is a small software company performing development and providing customer
support. In addition to their internal network of 15 computers, they also have several
employees who work from home all or some of the time.
With their current network topography, all 15 of the internal computers are behind a router
and must go to an external source to access the IPS mail and web servers. All home-
based employees access the router through open/non-secured connections.
To Next Page
Loading...
Need help?
General