02-Firewall Policy Topics.ppt

The diagram above illustrates that a single overall policy for content inspection is not a typical scenario. FortiGates are able to apply varying content inspection technologies based on different communications through the network. For example, sessions originating from the internal network may not be subject to IPS scanning, whereas sessions entering servers on the DMZ should be subject to IPS scanning. We may wish to employ web content inspection technologies for our internal network; however, our servers may communicate with any outside host without such inspection.

Protection profiles are broken down into several sections: Anti-Virus, Web Filtering, FortiGuard Web Filtering, Spam Filtering, IPS, Content Archive, IM/P2P, Logging, and VOIP. Each section has different technologies and the ability to enable those technologies for supported protocols. Often, as in the above diagram, there is also the ability to specify certain thresholds or parameters for a particular feature.

Although Fortinet recommends the creation of a new, custom Protection Profile for each type of flow

There are four protection profiles pre-configured under (Firewall Protection Profile): Web: Scan: Strict: Unfiltered:

Configuring traffic shaping: invoked in the policy
Enable traffic shaping and the per-IP maximum bandwidth.

Attaching application-layer security to firewall policies: UTM
Invoke UTM in the policy.
This allows finer-grained application-layer content inspection technologies.

UTM in firewall policies
UTM options cover antivirus, IPS, web filtering, email filtering, DLP, application control, and the logging related to these.

Lab
We map DMZ 54 80 to port 80 on X1.
54 443 is mapped to X2 443.
Internal user 10.0.X.1 accesses the Internet through public address X3.
Internal user 10.0.X.2 accesses the Internet through public address X4.

TCP state can be tracked in the session table.
Pseudo-state is established for stateless protocols: IP, UDP, ICMP.

In the above diagram, notice there is a “Multiple” button for source address, destination address, and service. This allows for simplified policy creation and avoids the need for address groups and service groups. Generally speaking, if you intend to group addresses or services for only a single policy, simply use the “Multiple” button. If more than one firewall policy will group the addresses or services in the same fashion, simply create a grouping via (firewall address
