Vpn tunnel, Traffic shaping – Fortinet FortiGate 100 User Manual

Page 146

Fortinet Inc.

Firewall policy options

Firewall configuration

VPN Tunnel

Select a VPN tunnel for an ENCRYPT policy. You can select an AutoIKE key or
Manual Key tunnel. VPN Tunnel is not available in Transparent mode.

Traffic Shaping

Traffic Shaping controls the bandwidth available to and sets the priority of the traffic
processed by the policy. Traffic Shaping makes it possible to control which policies
have the highest priority when large amounts of data are moving through the
FortiGate device. For example, the policy for the corporate web server might be given
higher priority than the policies for most employees’ computers. An employee who
needs unusually high-speed Internet access could have a special outgoing policy set
up with higher bandwidth.

If you set both guaranteed bandwidth and maximum bandwidth to 0 the policy does
not allow any traffic.

Dynamic IP Pool

You cannot select Dynamic IP Pool for Int -> Ext or DMZ -> Ext policies if the
external interface is configured using DHCP or PPPoE.

Select Dynamic IP Pool to translate the source address to an address randomly
selected from an IP pool added to the destination interface of the policy. To add
IP pools, see “IP pools” on page 164.

Fixed Port

Select Fixed Port to prevent NAT from translating the source port. Some
applications do not function correctly if the source port is changed. If you
select Fixed Port, you must also select Dynamic IP Pool and add a dynamic
IP pool address range to the destination interface of the policy. If you do not
select Dynamic IP Pool, a policy with Fixed Port selected can only allow one
connection at a time for this port or service.

Allow inbound

Select Allow inbound so that users behind the remote VPN gateway can
connect to the source address.

Allow outbound

Select Allow outbound so that users can connect to the destination address
behind the remote VPN gateway.

Inbound NAT

Select Inbound NAT to translate the source address of incoming packets to
the FortiGate internal IP address.

Outbound NAT

Select Outbound NAT to translate the source address of outgoing packets to
the FortiGate external IP address.

Guaranteed Bandwidth

You can use traffic shaping to guarantee the amount of bandwidth available
through the firewall for a policy. Guarantee bandwidth (in Kbytes) to make
sure that there is enough bandwidth available for a high-priority service.

Maximum Bandwidth

You can also use traffic shaping to limit the amount of bandwidth available
through the firewall for a policy. Limit bandwidth to keep less important
services from using bandwidth needed for more important services.

Traffic Priority

Select High, Medium, or Low. Select Traffic Priority so that the FortiGate unit
manages the relative priorities of different types of traffic. For example, a
policy for connecting to a secure web server needed to support e-commerce
traffic should be assigned a high traffic priority. Less important services
should be assigned a low priority. The firewall provides bandwidth to low-
priority connections only when bandwidth is not needed for high-priority
connections.
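The following added example (not Fortinet code, and not the FortiGate scheduler itself) models the shaping rules described under Traffic Shaping, Guaranteed Bandwidth, Maximum Bandwidth and Traffic Priority: guarantees are honoured first, leftover link capacity goes to high-priority policies before low-priority ones, no policy exceeds its maximum, and a policy with both values set to 0 passes nothing. The policy names, link capacity and demands are constructed sample values; treating a maximum of 0 as "no limit" when a guarantee is set is an assumption of the model.

```python
from dataclasses import dataclass

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Policy:
    name: str
    guaranteed: int  # Kbytes/s guaranteed to this policy, 0 = no guarantee
    maximum: int     # Kbytes/s upper limit, 0 = no limit (assumption) unless guaranteed is also 0
    priority: str    # "high", "medium" or "low"
    demand: int      # Kbytes/s the policy's traffic is currently trying to use

    def allows_traffic(self) -> bool:
        # Manual: guaranteed and maximum both 0 means the policy passes no traffic.
        return not (self.guaranteed == 0 and self.maximum == 0)

    def cap(self) -> int:
        # Never grant more than the configured maximum (or the demand if unlimited).
        return min(self.demand, self.maximum) if self.maximum > 0 else self.demand


def allocate(policies, link_capacity):
    """Return {policy name: Kbytes/s granted} for one scheduling interval."""
    grant = {p.name: 0 for p in policies}
    remaining = link_capacity
    by_priority = sorted((p for p in policies if p.allows_traffic()),
                         key=lambda p: PRIORITY_RANK[p.priority])
    # Pass 1: honour guarantees, highest priority first if the link is oversubscribed.
    for p in by_priority:
        share = min(p.guaranteed, p.cap(), remaining)
        grant[p.name] += share
        remaining -= share
    # Pass 2: leftover capacity goes to higher-priority policies before lower ones;
    # low-priority traffic only gets what high-priority traffic does not need.
    for p in by_priority:
        share = min(max(p.cap() - grant[p.name], 0), remaining)
        grant[p.name] += share
        remaining -= share
    return grant


# Constructed sample policies: a web server, employee browsing, and a blocked guest policy.
SAMPLE_POLICIES = [
    Policy("web", guaranteed=400, maximum=1000, priority="high", demand=900),
    Policy("staff", guaranteed=100, maximum=600, priority="low", demand=600),
    Policy("guest", guaranteed=0, maximum=0, priority="low", demand=300),
]

if __name__ == "__main__":
    print(allocate(SAMPLE_POLICIES, 1000))  # web 900, staff 100, guest 0
    print(allocate(SAMPLE_POLICIES, 2000))  # web 900, staff 600, guest 0
```

On a congested 1000 Kbytes/s link the low-priority staff policy is held to its guarantee while the web policy takes everything else; with headroom, staff rises to its maximum and the 0/0 guest policy still passes nothing.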