config firewall policy6
Use this command to configure firewall policy rules for IPv6 addresses.
A firewall policy is a filter that allows or denies traffic to be forwarded to the system based on a matching tuple: source address, destination address, and service. By default, firewall policy rules are stateful: if client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.
Note: You do not need to create firewall rules for routine management traffic associated with the management port or HA ports. The interface “allow access” option enables permitted protocols. The system automatically permits from-self traffic, such as health check traffic, and expected responses.
Before you begin:
- You must have a good understanding and knowledge of firewalls.
- You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
- You must have read-write permission for firewall settings.
Syntax
config firewall policy6
set default-action {deny|accept}
set stateful {enable|disable}
config rule
edit <name>
set action {deny | accept}
set destination-address6 <datasource>
set in-interface <datasource>
set out-interface <datasource>
set service <datasource>
set source-address6 <datasource>
set status {enable | disable}
next
end
end
default-action |
Action when no rule matches or no rules are configured:
|
stateful |
Enable/disable stateful firewall. When enabled, server response traffic is permitted automatically when the client-to-server rule allows the connection to be established. When disabled, you must create separate rules for client-to-server and server-to-client traffic. Enabled by default. |
config rule |
|
action |
|
destination-address6 |
Destination address/addressbook object used to form the matching touple. |
in-interface |
Interface that receives traffic. |
out-interface |
Interface that forwards traffic. |
service |
Service object to use to form the matching tuple. |
source-address6 |
Source address/addressbook object used to form the matching touple. |
status
|
Enable or disable firewall policy6 rule. |