Fortinet FortiGate 4000 Switch User Manual


 
250 Fortinet Inc.
IPSec VPN: Configuring encrypt policies
In addition to defining membership in the VPN by address, you can configure the encrypt policy for services such as DNS, FTP, and POP3, and to allow connections according to a predefined schedule (by the time of the day or the day of the week, month, or year). You can also configure the encrypt policy for:
• Inbound NAT to translate the source address of incoming packets.
• Outbound NAT to translate the source address of outgoing packets.
• Traffic shaping to control the bandwidth available to the VPN and the priority of the VPN.
• Content profiles to apply antivirus protection, web filtering, and email filtering to web, file transfer, and email services in the VPN.
• Logging so that the FortiGate unit logs all connections that use the VPN.
The policy must also include the VPN tunnel that you created to communicate with the remote FortiGate VPN gateway. When users on your internal network attempt to connect to the network behind the remote VPN gateway, the encrypt policy intercepts the connection attempt and starts the VPN tunnel added to the policy. The tunnel uses the remote gateway added to its configuration to connect to the remote VPN gateway. When the remote VPN gateway receives the connection attempt, it checks its own policy, gateway, and tunnel configuration. If the configuration is allowed, an IPSec VPN tunnel is negotiated between the two VPN peers.
• Adding a source address
• Adding a destination address
• Adding an encrypt policy
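The selection an encrypt policy performs before it starts the tunnel (source address, destination address, service, and schedule, as described above) can be modelled in a few lines. This is an added illustration, not FortiGate code; the address, service, schedule, and tunnel names are constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed address objects (a single computer would use a /32 network).
ADDRESSES = {
    "Internal_LAN": ipaddress.ip_network("192.168.1.0/24"),  # behind the local peer
    "Remote_LAN": ipaddress.ip_network("10.10.0.0/16"),      # behind the remote gateway
}

# Constructed service objects: name -> (protocol, destination port).
SERVICES = {"DNS": ("udp", 53), "FTP": ("tcp", 21), "POP3": ("tcp", 110)}

# Constructed encrypt policy: Mon-Fri 08:00-18:00, three services, one tunnel.
ENCRYPT_POLICY = {
    "source": "Internal_LAN",
    "destination": "Remote_LAN",
    "services": ["DNS", "FTP", "POP3"],
    "schedule": {"days": {0, 1, 2, 3, 4}, "start": 8 * 60, "stop": 18 * 60},
    "tunnel": "to_branch",  # hypothetical tunnel name
}


def schedule_allows(schedule, when):
    """True if the weekday and time of day fall inside the schedule window."""
    minute = when.hour * 60 + when.minute
    return when.weekday() in schedule["days"] and schedule["start"] <= minute < schedule["stop"]


def policy_match(policy, src_ip, dst_ip, proto, dport, when):
    """Return the tunnel the policy would start for this connection, or None if it
    does not match: every selector (addresses, service, schedule) must agree."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in ADDRESSES[policy["source"]] or dst not in ADDRESSES[policy["destination"]]:
        return None  # not a connection from the local network to the remote network
    if (proto, dport) not in (SERVICES[s] for s in policy["services"]):
        return None  # service not covered by the policy
    if not schedule_allows(policy["schedule"], when):
        return None  # outside the permitted time window
    return policy["tunnel"]


if __name__ == "__main__":
    when = datetime(2024, 1, 10, 10, 0)  # a Wednesday at 10:00
    print(policy_match(ENCRYPT_POLICY, "192.168.1.20", "10.10.5.3", "tcp", 110, when))
```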
Adding a source address
The source address is located within the internal network of the local VPN peer. It can
be a single computer address or the address of a network.
To add a source address
1 Go to Firewall > Address.
2 Select an internal interface.
3 Select New to add an address.
4 Enter the Address Name, IP Address, and NetMask for a single computer or for an entire subnetwork on an internal interface of the local VPN peer.
5 Select OK to save the source address.
Note: The destination address can be a VPN client address on the Internet or the address of a network behind a remote VPN gateway.