
CLI Reference

config policy

Description: Configure firewall policies.

config policy
    edit <name>
        set *srcintf <name1>, <name2>, …
        set *dstintf <name1>, <name2>, …
        set *srcaddr <name1>, <name2>, …
        set dnat [enable | disable]
        set *dstaddr <name1>, <name2>, …
        set action [accept | deny]
        set status [enable | disable]
        set *service <name1>, <name2>, …
        set nat [enable | disable]
    next
    delete <name>
    move <name1> [after | before] <name2>
end
purge
show

Sample command:

config firewall policy
  edit test1
    set srcintf lo
    set dstintf any
    set srcaddr all
    set dnat disable
    set dstaddr all
    set action accept
    set status enable
    set service AH
    set nat enable
  next
  edit test2
    set srcintf any
    set dstintf lan
    set srcaddr all
    set dnat disable
    set dstaddr all
    set action accept
    set status disable
    set service ALL
    set nat enable
  next
  edit all-pass
    set srcintf any
    set dstintf any
    set srcaddr all
    set dnat disable
    set dstaddr all
    set action accept
    set status enable
    set service ALL
    set nat enable
  next
end
Parameter  Description                    Type    Size  Default
srcintf    Incoming (ingress) interface.  option  -     none
  Option   Description
  lan      LAN as the incoming interface.
  lo       Loopback as the incoming interface.
  port4    Port 4 as the incoming interface.
  any      Any port as the incoming interface.
dstintf    Outgoing (egress) interface.   option  -     none
  Option   Description
  lan      LAN as the outgoing interface.
  lo       Loopback as the outgoing interface.
  port4    Port 4 as the outgoing interface.
  any      Any port as the outgoing interface.
srcaddr    Source address.                option  -     none
  Option   Description
  all      All network addresses.
  none     None of the network addresses.
  lan-src  LAN network address.
  wan-src  WAN network address.
dnat       Destination NAT.               option  -     disable
  Option   Description
  enable   Enable destination NAT.
  disable  Disable destination NAT.
dstaddr    Destination address.           option  -     none
  Option   Description
  all      All network addresses.
  none     None of the network addresses.
  lan-src  LAN network address.
  wan-src  WAN network address.
action     Policy action.                 option  -     accept
  Option   Description
  accept   Accept policy.
  deny     Deny policy.
status     Status of the policy.          option  -     enable
  Option   Description
  enable   Enable this policy.
  disable  Disable this policy.
service    Service/service group name.    option  -     none
  Option   Description
  ALL      All services.
  HTTP     HTTP service.
  etc.     Refer to config network service list.
nat        Source NAT.                    option  -     disable
  Option   Description
  enable   Enable source NAT.
  disable  Disable source NAT.
(policy) # move test2 after all-pass
(policy) <M> # show
config firewall policy
    edit test1
        set srcintf lo
        set dstintf any
        set srcaddr all
        set dnat disable
        set dstaddr all
        set action accept
        set status enable
        set service AH
        set nat enable
    next
    edit all-pass
        set srcintf any
        set dstintf any
        set srcaddr all
        set dnat disable
        set dstaddr all
        set action accept
        set status enable
        set service ALL
        set nat enable
    next
    edit test2
        set srcintf any
        set dstintf lan
        set srcaddr all
        set dnat disable
        set dstaddr all
        set action accept
        set status disable
        set service ALL
        set nat enable
    next
end
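Added example (Python, not Fortinet's code): it parses a `config firewall policy` block in the format shown above, evaluates it top-down with first match, and flags policies that an earlier, broader policy already covers, which is what happens to test2 once it sits below the any/any/all/all/ALL accept policy all-pass. It assumes top-down first-match evaluation, that a flow matching no policy is denied, and that `any`, `all` and `ALL` match every value of their field as the parameter table describes; the policy names and values are taken from the page's sample.

```python
import re
# Constructed input (not a device export): the page's list after 'move test2 after all-pass'.
SAMPLE = """config firewall policy
    edit test1
        set srcintf lo
        set dstintf any
        set srcaddr all
        set dstaddr all
        set service AH
    next
    edit all-pass
        set srcintf any
        set dstintf any
        set srcaddr all
        set dstaddr all
        set service ALL
    next
    edit test2
        set srcintf any
        set dstintf lan
        set srcaddr all
        set dstaddr all
        set service ALL
        set status disable
    next
end"""
# Catch-all value the parameter table documents for each match field.
WILDCARD = {"srcintf": "any", "dstintf": "any", "srcaddr": "all",
            "dstaddr": "all", "service": "ALL"}

def parse_policies(text):
    """Return [(name, {attr: value}), ...] in list order, which is evaluation order."""
    policies = []
    for kw, rest in re.findall(r"^\s*(edit|set)\s+(.*)$", text, re.M):
        if kw == "edit": policies.append((rest, {}))
        else: policies[-1][1].update([rest.split(" ", 1)])
    return policies

def covers(p, flow):  # every match field is the catch-all or equals the flow's value
    return all(p.get(f, "none") in (WILDCARD[f], flow.get(f)) for f in WILDCARD)

def first_match(policies, flow):
    """Top-down first match over enabled policies; no match is an implicit deny (assumed)."""
    for name, p in policies:
        if p.get("status", "enable") == "enable" and covers(p, flow):
            return name, p.get("action", "accept")
    return None, "deny"

def shadowed(policies):
    """Policies an earlier enabled policy already covers, so they can never be hit."""
    return [name for i, (name, p) in enumerate(policies)
            if first_match(policies[:i], p)[0] is not None]
```

Running `shadowed` over the list as shown after the move reports test2; over the original order (test1, test2, all-pass) it reports nothing, so the check is a quick way to confirm a `move` did not bury a policy under a catch-all.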
