config firewall policy6
Configure IPv6 policies.
config firewall policy6
Description: Configure IPv6 policies.
edit <policyid>
set name {string}
set uuid {uuid}
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set action [accept|deny|...]
set firewall-session-dirty [check-all|check-new]
set status [enable|disable]
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set schedule {string}
set service <name1>, <name2>, ...
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set tcp-session-without-syn [all|data-only|...]
set anti-replay [enable|disable]
set utm-status [enable|disable]
set inspection-mode [proxy|flow]
set http-policy-redirect [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-profile {string}
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set emailfilter-profile {string}
set dlp-sensor {string}
set ips-sensor {string}
set application-list {string}
set voip-profile {string}
set icap-profile {string}
set cifs-profile {string}
set waf-profile {string}
set ssh-filter-profile {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set auto-asic-offload [enable|disable]
set np-acceleration [enable|disable]
set webproxy-forward-server {string}
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set per-ip-shaper {string}
set application <id1>, <id2>, ...
set app-category <id1>, <id2>, ...
set url-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set nat [enable|disable]
set fixedport [enable|disable]
set ippool [enable|disable]
set poolname <name1>, <name2>, ...
set session-ttl {user}
set inbound [enable|disable]
set outbound [enable|disable]
set natinbound [enable|disable]
set natoutbound [enable|disable]
set send-deny-packet [enable|disable]
set vpntunnel {string}
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set tcp-mss-sender {integer}
set tcp-mss-receiver {integer}
set comments {var-string}
set rsso [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set replacemsg-override-group {string}
set srcaddr-negate [enable|disable]
set dstaddr-negate [enable|disable]
set service-negate [enable|disable]
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set timeout-send-rst [enable|disable]
set ssl-mirror [enable|disable]
set ssl-mirror-intf <name1>, <name2>, ...
set dsri [enable|disable]
set vlan-filter {user}
set fsso-groups <name1>, <name2>, ...
next
end
config firewall policy6
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
name |
Policy name. |
string |
Maximum length: 35 |
|||||||||
uuid |
Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
uuid |
Not Specified |
|||||||||
srcintf |
Incoming (ingress) interface. Interface name. |
string |
Maximum length: 79 |
|||||||||
dstintf |
Outgoing (egress) interface. Interface name. |
string |
Maximum length: 79 |
|||||||||
srcaddr |
Source address and address group names. Address name. |
string |
Maximum length: 79 |
|||||||||
dstaddr |
Destination address and address group names. Address name. |
string |
Maximum length: 79 |
|||||||||
action |
Policy action (allow/deny/ipsec). |
option |
- |
|||||||||
|
|
|||||||||||
firewall-session-dirty |
How to handle sessions if the configuration of this firewall policy changes. |
option |
- |
|||||||||
|
|
|||||||||||
status |
Enable or disable this policy. |
option |
- |
|||||||||
|
|
|||||||||||
vlan-cos-fwd |
VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest |
integer |
Minimum value: 0 Maximum value: 7 |
|||||||||
vlan-cos-rev |
VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest |
integer |
Minimum value: 0 Maximum value: 7 |
|||||||||
schedule |
Schedule name. |
string |
Maximum length: 35 |
|||||||||
service |
Service and service group names. Address name. |
string |
Maximum length: 79 |
|||||||||
tos |
ToS (Type of Service) value used for comparison. |
user |
Not Specified |
|||||||||
tos-mask |
Non-zero bit positions are used for comparison while zero bit positions are ignored. |
user |
Not Specified |
|||||||||
tos-negate |
Enable negated TOS match. |
option |
- |
|||||||||
|
|
|||||||||||
tcp-session-without-syn |
Enable/disable creation of TCP session without SYN flag. |
option |
- |
|||||||||
|
|
|||||||||||
anti-replay |
Enable/disable anti-replay check. |
option |
- |
|||||||||
|
|
|||||||||||
utm-status |
Enable AV/web/ips protection profile. |
option |
- |
|||||||||
|
|
|||||||||||
inspection-mode |
Policy inspection mode (Flow/proxy). Default is Flow mode. |
option |
- |
|||||||||
|
|
|||||||||||
http-policy-redirect |
Redirect HTTP(S) traffic to matching transparent web proxy policy. |
option |
- |
|||||||||
|
|
|||||||||||
ssh-policy-redirect |
Redirect SSH traffic to matching transparent proxy policy. |
option |
- |
|||||||||
|
|
|||||||||||
webproxy-profile |
Webproxy profile name. |
string |
Maximum length: 63 |
|||||||||
profile-type |
Determine whether the firewall policy allows security profile groups or single profiles only. |
option |
- |
|||||||||
|
|
|||||||||||
profile-group |
Name of profile group. |
string |
Maximum length: 35 |
|||||||||
profile-protocol-options |
Name of an existing Protocol options profile. |
string |
Maximum length: 35 |
|||||||||
ssl-ssh-profile |
Name of an existing SSL SSH profile. |
string |
Maximum length: 35 |
|||||||||
av-profile |
Name of an existing Antivirus profile. |
string |
Maximum length: 35 |
|||||||||
webfilter-profile |
Name of an existing Web filter profile. |
string |
Maximum length: 35 |
|||||||||
dnsfilter-profile |
Name of an existing DNS filter profile. |
string |
Maximum length: 35 |
|||||||||
emailfilter-profile |
Name of an existing email filter profile. |
string |
Maximum length: 35 |
|||||||||
dlp-sensor |
Name of an existing DLP sensor. |
string |
Maximum length: 35 |
|||||||||
ips-sensor |
Name of an existing IPS sensor. |
string |
Maximum length: 35 |
|||||||||
application-list |
Name of an existing Application list. |
string |
Maximum length: 35 |
|||||||||
voip-profile |
Name of an existing VoIP profile. |
string |
Maximum length: 35 |
|||||||||
icap-profile |
Name of an existing ICAP profile. |
string |
Maximum length: 35 |
|||||||||
cifs-profile |
Name of an existing CIFS profile. |
string |
Maximum length: 35 |
|||||||||
waf-profile |
Name of an existing Web application firewall profile. |
string |
Maximum length: 35 |
|||||||||
ssh-filter-profile |
Name of an existing SSH filter profile. |
string |
Maximum length: 35 |
|||||||||
logtraffic |
Enable or disable logging. Log all sessions or security profile sessions. |
option |
- |
|||||||||
|
|
|||||||||||
logtraffic-start |
Record logs when a session starts. |
option |
- |
|||||||||
|
|
|||||||||||
auto-asic-offload |
Enable/disable policy traffic ASIC offloading. |
option |
- |
|||||||||
|
|
|||||||||||
np-acceleration * |
Enable/disable UTM Network Processor acceleration. |
option |
- |
|||||||||
|
|
|||||||||||
webproxy-forward-server |
Web proxy forward server name. |
string |
Maximum length: 63 |
|||||||||
traffic-shaper |
Reverse traffic shaper. |
string |
Maximum length: 35 |
|||||||||
traffic-shaper-reverse |
Reverse traffic shaper. |
string |
Maximum length: 35 |
|||||||||
per-ip-shaper |
Per-IP traffic shaper. |
string |
Maximum length: 35 |
|||||||||
application |
Application ID list. Application IDs. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||
app-category |
Application category ID list. Category IDs. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||
url-category |
URL category ID list. URL category ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||
app-group |
Application group names. Application group names. |
string |
Maximum length: 79 |
|||||||||
nat |
Enable/disable source NAT. |
option |
- |
|||||||||
|
|
|||||||||||
fixedport |
Enable to prevent source NAT from changing a session's source port. |
option |
- |
|||||||||
|
|
|||||||||||
ippool |
Enable to use IP Pools for source NAT. |
option |
- |
|||||||||
|
|
|||||||||||
poolname |
IP Pool names. IP pool name. |
string |
Maximum length: 79 |
|||||||||
session-ttl |
Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL. |
user |
Not Specified |
|||||||||
inbound |
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. |
option |
- |
|||||||||
|
|
|||||||||||
outbound |
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. |
option |
- |
|||||||||
|
|
|||||||||||
natinbound |
Policy-based IPsec VPN: apply destination NAT to inbound traffic. |
option |
- |
|||||||||
|
|
|||||||||||
natoutbound |
Policy-based IPsec VPN: apply source NAT to outbound traffic. |
option |
- |
|||||||||
|
|
|||||||||||
send-deny-packet |
Enable/disable return of deny-packet. |
option |
- |
|||||||||
|
|
|||||||||||
vpntunnel |
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. |
string |
Maximum length: 35 |
|||||||||
diffserv-forward |
Enable to change packet's DiffServ values to the specified diffservcode-forward value. |
option |
- |
|||||||||
|
|
|||||||||||
diffserv-reverse |
Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. |
option |
- |
|||||||||
|
|
|||||||||||
diffservcode-forward |
Change packet's DiffServ to this value. |
user |
Not Specified |
|||||||||
diffservcode-rev |
Change packet's reverse (reply) DiffServ to this value. |
user |
Not Specified |
|||||||||
tcp-mss-sender |
Sender TCP maximum segment size (MSS). |
integer |
Minimum value: 0 Maximum value: 65535 |
|||||||||
tcp-mss-receiver |
Receiver TCP maximum segment size (MSS). |
integer |
Minimum value: 0 Maximum value: 65535 |
|||||||||
comments |
Comment. |
var-string |
Maximum length: 1023 |
|||||||||
rsso |
Enable/disable RADIUS single sign-on (RSSO). |
option |
- |
|||||||||
|
|
|||||||||||
custom-log-fields |
Log field index numbers to append custom log fields to log messages for this policy. Custom log field. |
string |
Maximum length: 35 |
|||||||||
replacemsg-override-group |
Override the default replacement message group for this policy. |
string |
Maximum length: 35 |
|||||||||
srcaddr-negate |
When enabled srcaddr specifies what the source address must NOT be. |
option |
- |
|||||||||
|
|
|||||||||||
dstaddr-negate |
When enabled dstaddr specifies what the destination address must NOT be. |
option |
- |
|||||||||
|
|
|||||||||||
service-negate |
When enabled service specifies what the service must NOT be. |
option |
- |
|||||||||
|
|
|||||||||||
groups |
Names of user groups that can authenticate with this policy. Group name. |
string |
Maximum length: 79 |
|||||||||
users |
Names of individual users that can authenticate with this policy. Names of individual users that can authenticate with this policy. |
string |
Maximum length: 79 |
|||||||||
timeout-send-rst |
Enable/disable sending RST packets when TCP sessions expire. |
option |
- |
|||||||||
|
|
|||||||||||
ssl-mirror |
Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). |
option |
- |
|||||||||
|
|
|||||||||||
ssl-mirror-intf |
SSL mirror interface name. Interface name. |
string |
Maximum length: 79 |
|||||||||
dsri |
Enable DSRI to ignore HTTP server responses. |
option |
- |
|||||||||
|
|
|||||||||||
vlan-filter |
Set VLAN filters. |
user |
Not Specified |
|||||||||
fsso-groups |
Names of FSSO groups. Names of FSSO groups. |
string |
Maximum length: 511 |
* This parameter may not exist in some models.