Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 7.2.2
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    7.2.2
    7.2.2
    7.2.1

    config firewall security-policy

    config firewall security-policy

    Configure NGFW application policies.

    Syntax

    config firewall security-policy
    edit <policyid>
        set action [accept|deny]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set av-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set enforce-default-app-port [enable|disable]
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set ips-sensor {string}
        set learning-mode [enable|disable]
        set logtraffic [all|utm|...]
        set name {string}
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set schedule {string}
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set status [enable|disable]
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set uuid {uuid}
        set webfilter-profile {string}
    next
end

    config firewall security-policy

    Parameter

    Description

    Type

    Size

    Default

    action

    Policy action (accept/deny).

    option

    -

    deny

    Option

    Description

    accept

    Allows session that match the firewall policy.

    deny

    Blocks sessions that match the firewall policy.

    app-category <id>

    Application category ID list.

    Category IDs.

    integer

    Minimum value: 0 Maximum value: 4294967295

    app-group <name>

    Application group names.

    Application group names.

    string

    Maximum length: 79

    application <id>

    Application ID list.

    Application IDs.

    integer

    Minimum value: 0 Maximum value: 4294967295

    application-list

    Name of an existing Application list.

    string

    Maximum length: 35

    av-profile

    Name of an existing Antivirus profile.

    string

    Maximum length: 35

    comments

    Comment.

    var-string

    Maximum length: 1023

    custom-log-fields <field-id>

    Custom fields to append to log messages for this policy.

    Custom log field.

    string

    Maximum length: 35

    dstaddr <name>

    Destination IPv4 address name and address group names.

    Address name.

    string

    Maximum length: 79

    dstaddr-negate

    When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable destination address negate.

    disable

    Disable destination address negate.

    dstintf <name>

    Outgoing (egress) interface.

    Interface name.

    string

    Maximum length: 79

    enforce-default-app-port

    Enable/disable default application port enforcement for allowed applications.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    fsso-groups <name>

    Names of FSSO groups.

    Names of FSSO groups.

    string

    Maximum length: 511

    groups <name>

    Names of user groups that can authenticate with this policy.

    User group name.

    string

    Maximum length: 79

    ips-sensor

    Name of an existing IPS sensor.

    string

    Maximum length: 35

    learning-mode

    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.

    option

    -

    disable

    Option

    Description

    enable

    Enable learning mode.

    disable

    Disable learning mode.

    logtraffic

    Enable or disable logging. Log all sessions or security profile sessions.

    option

    -

    utm

    Option

    Description

    all

    Log all sessions accepted or denied by this policy.

    utm

    Log traffic that has a security profile applied to it.

    disable

    Disable all logging for this policy.

    name

    Policy name.

    string

    Maximum length: 35

    policyid

    Policy ID.

    integer

    Minimum value: 0 Maximum value: 4294967294

    0

    profile-group

    Name of profile group.

    string

    Maximum length: 35

    profile-protocol-options

    Name of an existing Protocol options profile.

    string

    Maximum length: 35

    default

    profile-type

    Determine whether the firewall policy allows security profile groups or single profiles only.

    option

    -

    single

    Option

    Description

    single

    Do not allow security profile groups.

    group

    Allow security profile groups.

    schedule

    Schedule name.

    string

    Maximum length: 35

    send-deny-packet

    Enable to send a reply when a session is denied or blocked by a firewall policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable deny-packet sending.

    enable

    Enable deny-packet sending.

    service <name>

    Service and service group names.

    Service name.

    string

    Maximum length: 79

    service-negate

    When enabled service specifies what the service must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable negated service match.

    disable

    Disable negated service match.

    srcaddr <name>

    Source IPv4 address name and address group names.

    Address name.

    string

    Maximum length: 79

    srcaddr-negate

    When enabled srcaddr/srcaddr6 specifies what the source address must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable source address negate.

    disable

    Disable source address negate.

    srcintf <name>

    Incoming (ingress) interface.

    Interface name.

    string

    Maximum length: 79

    status

    Enable or disable this policy.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    url-category <id>

    URL category ID list.

    URL category ID.

    integer

    Minimum value: 0 Maximum value: 255

    users <name>

    Names of individual users that can authenticate with this policy.

    User name.

    string

    Maximum length: 79

    uuid

    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

    uuid

    Not Specified

    00000000-0000-0000-0000-000000000000

    webfilter-profile

    Name of an existing Web filter profile.

    string

    Maximum length: 35

    Previous
    Next

    config firewall security-policy

    config firewall security-policy

    Configure NGFW application policies.

    Syntax

    config firewall security-policy
    edit <policyid>
        set action [accept|deny]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set av-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set enforce-default-app-port [enable|disable]
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set ips-sensor {string}
        set learning-mode [enable|disable]
        set logtraffic [all|utm|...]
        set name {string}
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set schedule {string}
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set status [enable|disable]
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set uuid {uuid}
        set webfilter-profile {string}
    next
end

    config firewall security-policy

    Parameter

    Description

    Type

    Size

    Default

    action

    Policy action (accept/deny).

    option

    -

    deny

    Option

    Description

    accept

    Allows session that match the firewall policy.

    deny

    Blocks sessions that match the firewall policy.

    app-category <id>

    Application category ID list.

    Category IDs.

    integer

    Minimum value: 0 Maximum value: 4294967295

    app-group <name>

    Application group names.

    Application group names.

    string

    Maximum length: 79

    application <id>

    Application ID list.

    Application IDs.

    integer

    Minimum value: 0 Maximum value: 4294967295

    application-list

    Name of an existing Application list.

    string

    Maximum length: 35

    av-profile

    Name of an existing Antivirus profile.

    string

    Maximum length: 35

    comments

    Comment.

    var-string

    Maximum length: 1023

    custom-log-fields <field-id>

    Custom fields to append to log messages for this policy.

    Custom log field.

    string

    Maximum length: 35

    dstaddr <name>

    Destination IPv4 address name and address group names.

    Address name.

    string

    Maximum length: 79

    dstaddr-negate

    When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable destination address negate.

    disable

    Disable destination address negate.

    dstintf <name>

    Outgoing (egress) interface.

    Interface name.

    string

    Maximum length: 79

    enforce-default-app-port

    Enable/disable default application port enforcement for allowed applications.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    fsso-groups <name>

    Names of FSSO groups.

    Names of FSSO groups.

    string

    Maximum length: 511

    groups <name>

    Names of user groups that can authenticate with this policy.

    User group name.

    string

    Maximum length: 79

    ips-sensor

    Name of an existing IPS sensor.

    string

    Maximum length: 35

    learning-mode

    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.

    option

    -

    disable

    Option

    Description

    enable

    Enable learning mode.

    disable

    Disable learning mode.

    logtraffic

    Enable or disable logging. Log all sessions or security profile sessions.

    option

    -

    utm

    Option

    Description

    all

    Log all sessions accepted or denied by this policy.

    utm

    Log traffic that has a security profile applied to it.

    disable

    Disable all logging for this policy.

    name

    Policy name.

    string

    Maximum length: 35

    policyid

    Policy ID.

    integer

    Minimum value: 0 Maximum value: 4294967294

    0

    profile-group

    Name of profile group.

    string

    Maximum length: 35

    profile-protocol-options

    Name of an existing Protocol options profile.

    string

    Maximum length: 35

    default

    profile-type

    Determine whether the firewall policy allows security profile groups or single profiles only.

    option

    -

    single

    Option

    Description

    single

    Do not allow security profile groups.

    group

    Allow security profile groups.

    schedule

    Schedule name.

    string

    Maximum length: 35

    send-deny-packet

    Enable to send a reply when a session is denied or blocked by a firewall policy.

    option

    -

    disable

    Option

    Description

    disable

    Disable deny-packet sending.

    enable

    Enable deny-packet sending.

    service <name>

    Service and service group names.

    Service name.

    string

    Maximum length: 79

    service-negate

    When enabled service specifies what the service must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable negated service match.

    disable

    Disable negated service match.

    srcaddr <name>

    Source IPv4 address name and address group names.

    Address name.

    string

    Maximum length: 79

    srcaddr-negate

    When enabled srcaddr/srcaddr6 specifies what the source address must NOT be.

    option

    -

    disable

    Option

    Description

    enable

    Enable source address negate.

    disable

    Disable source address negate.

    srcintf <name>

    Incoming (ingress) interface.

    Interface name.

    string

    Maximum length: 79

    status

    Enable or disable this policy.

    option

    -

    enable

    Option

    Description

    enable

    Enable setting.

    disable

    Disable setting.

    url-category <id>

    URL category ID list.

    URL category ID.

    integer

    Minimum value: 0 Maximum value: 255

    users <name>

    Names of individual users that can authenticate with this policy.

    User name.

    string

    Maximum length: 79

    uuid

    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

    uuid

    Not Specified

    00000000-0000-0000-0000-000000000000

    webfilter-profile

    Name of an existing Web filter profile.

    string

    Maximum length: 35

    Previous
    Next