CLI Reference

config firewall policy

Configure IPv4 policies.

config firewall policy
    Description: Configure IPv4 policies.
    edit <policyid>
        set action [accept|deny|...]
        set anti-replay [enable|disable]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set auth-cert {string}
        set auth-path [enable|disable]
        set auth-redirect-addr {string}
        set auto-asic-offload [enable|disable]
        set av-profile {string}
        set block-notification [enable|disable]
        set captive-portal-exempt [enable|disable]
        set capture-packet [enable|disable]
        set cifs-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set delay-tcp-npu-session [enable|disable]
        set diffserv-forward [enable|disable]
        set diffserv-reverse [enable|disable]
        set diffservcode-forward {user}
        set diffservcode-rev {user}
        set disclaimer [enable|disable]
        set dlp-sensor {string}
        set dnsfilter-profile {string}
        set dsri [enable|disable]
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set email-collect [enable|disable]
        set emailfilter-profile {string}
        set firewall-session-dirty [check-all|check-new]
        set fixedport [enable|disable]
        set fsso [enable|disable]
        set fsso-agent-for-ntlm {string}
        set fsso-groups <name1>, <name2>, ...
        set geoip-anycast [enable|disable]
        set groups <name1>, <name2>, ...
        set http-policy-redirect [enable|disable]
        set icap-profile {string}
        set identity-based-route {string}
        set inbound [enable|disable]
        set inspection-mode [proxy|flow]
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-id <id1>, <id2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-id <id1>, <id2>, ...
        set internet-service-src-negate [enable|disable]
        set ippool [enable|disable]
        set ips-sensor {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set match-vip [enable|disable]
        set match-vip-only [enable|disable]
        set name {string}
        set nat [enable|disable]
        set natinbound [enable|disable]
        set natip {ipv4-classnet}
        set natoutbound [enable|disable]
        set np-acceleration [enable|disable]
        set ntlm [enable|disable]
        set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
        set ntlm-guest [enable|disable]
        set outbound [enable|disable]
        set per-ip-shaper {string}
        set permit-any-host [enable|disable]
        set permit-stun-host [enable|disable]
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set radius-mac-auth-bypass [enable|disable]
        set redirect-url {string}
        set replacemsg-override-group {string}
        set reputation-direction [source|destination]
        set reputation-minimum {integer}
        set rsso [enable|disable]
        set rtp-addr <name1>, <name2>, ...
        set rtp-nat [disable|enable]
        set schedule {string}
        set schedule-timeout [enable|disable]
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {user}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-mirror [enable|disable]
        set ssl-mirror-intf <name1>, <name2>, ...
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set tcp-mss-receiver {integer}
        set tcp-mss-sender {integer}
        set tcp-session-without-syn [all|data-only|...]
        set timeout-send-rst [enable|disable]
        set tos {user}
        set tos-mask {user}
        set tos-negate [enable|disable]
        set traffic-shaper {string}
        set traffic-shaper-reverse {string}
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set vlan-cos-fwd {integer}
        set vlan-cos-rev {integer}
        set vlan-filter {user}
        set voip-profile {string}
        set vpntunnel {string}
        set waf-profile {string}
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-peer {string}
        set wanopt-profile {string}
        set wccp [enable|disable]
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
        set wsso [enable|disable]
    next
end
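As an added example that is not part of the Fortinet reference and not Fortinet code, the Python script below parses a `config firewall policy` dump in the syntax shown above and flags the settings a reviewer would want tightened: an accept policy that matches any source, any destination and any service; accepted traffic that is not logged; no security profiles on an accept policy; `tcp-session-without-syn` left enabled; `permit-any-host` enabled; and a negated address list of `all`, which by the definition of `srcaddr-negate`/`dstaddr-negate` can never match. The config text inside it is constructed for the example; the object names `port1`, `port2` and `LAN_10.0.1.0`, and the factory defaults assumed for options absent from a dump (status enable, logtraffic utm, all other toggles disable), are assumptions rather than facts taken from this page.

```python
import shlex

# Constructed sample in the syntax documented above, not a device dump; the
# object names (port1, port2, LAN_10.0.1.0) are placeholders. Policy 1 is
# over-permissive, policy 2 is the tightened version, policy 3 a logged deny.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "any-any"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set permit-any-host enable
        set tcp-session-without-syn all
    next
    edit 2
        set name "lan-to-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_10.0.1.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
    edit 3
        set name "deny-rest"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set send-deny-packet enable
    next
end
"""


def parse_policies(text: str) -> list[dict[str, list[str]]]:
    """Turn edit/set/next blocks into dicts of option -> list of values."""
    policies: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)            # copes with the quoted value lists
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = {"policyid": [tokens[1]]}
        elif tokens[0] == "set" and current and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current:
            policies.append(current)
            current = {}
    return policies


def audit(policy: dict[str, list[str]]) -> list[str]:
    """Findings for one policy. Options absent from the dump are treated as
    factory defaults (assumed: status enable, logtraffic utm, others disable)."""
    def opt(name: str, default: str) -> str:
        return policy.get(name, [default])[0]

    pid = policy["policyid"][0]
    findings: list[str] = []
    if opt("status", "enable") != "enable":
        return findings                      # a disabled policy matches nothing
    for side in ("srcaddr", "dstaddr"):      # "must NOT be any address" matches nothing
        if opt(f"{side}-negate", "disable") == "enable" and policy.get(side) == ["all"]:
            findings.append(f"policy {pid}: {side}-negate with 'all' can never match")
    if opt("action", "deny") != "accept":
        return findings                      # deny policies only need logging
    if all(policy.get(k) == [v] for k, v in
           (("srcaddr", "all"), ("dstaddr", "all"), ("service", "ALL"))):
        findings.append(f"policy {pid}: accepts any source to any destination on any service")
    checks = (
        (opt("logtraffic", "utm") == "disable", "accepted sessions are not logged"),
        (opt("utm-status", "disable") != "enable", "no security profiles applied"),
        (opt("tcp-session-without-syn", "disable") != "disable", "TCP sessions created without a SYN"),
        (opt("permit-any-host", "disable") == "enable", "UDP replies accepted from any host"),
    )
    findings += [f"policy {pid}: {msg}" for hit, msg in checks if hit]
    return findings


def audit_config(text: str) -> list[str]:
    """Findings for every policy in a config dump, in policy order."""
    return [f for p in parse_policies(text) for f in audit(p)]
```

Pass the captured output of `show firewall policy` to `audit_config()`; each finding names the policy ID so it can be cross-checked with `edit <policyid>` in the CLI. The any-to-any check compares against the predefined `all` address and `ALL` service objects only, so a policy that reaches the same effect through a broad custom address group or service group is not flagged and still needs a manual look.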

config firewall policy

Parameter

Description

Type

Size

action

Policy action (accept/deny/ipsec).

option

-

Option

Description

accept

Allows sessions that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

anti-replay

Enable/disable anti-replay check.

option

-

Option

Description

enable

Enable anti-replay check.

disable

Disable anti-replay check.

app-category <id>

Application category ID list.

Category IDs.

integer

Minimum value: 0 Maximum value: 4294967295

app-group <name>

Application group names.

Application group names.

string

Maximum length: 79

application <id>

Application ID list.

Application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

application-list

Name of an existing Application list.

string

Maximum length: 35

auth-cert

HTTPS server certificate for policy authentication.

string

Maximum length: 35

auth-path

Enable/disable authentication-based routing.

option

-

Option

Description

enable

Enable authentication-based routing.

disable

Disable authentication-based routing.

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall authentication.

string

Maximum length: 63

auto-asic-offload *

Enable/disable policy traffic ASIC offloading.

option

-

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

block-notification

Enable/disable block notification.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

captive-portal-exempt

Enable to exempt some users from the captive portal.

option

-

Option

Description

enable

Enable exemption of captive portal.

disable

Disable exemption of captive portal.

capture-packet *

Enable/disable capture packets.

option

-

Option

Description

enable

Enable capture packets.

disable

Disable capture packets.

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

comments

Comment.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

delay-tcp-npu-session

Enable TCP NPU session delay to guarantee the packet order of the 3-way handshake.

option

-

Option

Description

enable

Enable TCP NPU session delay to guarantee the packet order of the 3-way handshake.

disable

Disable TCP NPU session delay; the packet order of the 3-way handshake is not guaranteed.

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

Option

Description

enable

Enable setting forward (original) traffic Diffserv.

disable

Disable setting forward (original) traffic Diffserv.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

Option

Description

enable

Enable setting reverse (reply) traffic DiffServ.

disable

Disable setting reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

disclaimer

Enable/disable user authentication disclaimer.

option

-

Option

Description

enable

Enable user authentication disclaimer.

disable

Disable user authentication disclaimer.

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.

option

-

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

dstaddr-negate

When enabled, dstaddr specifies what the destination address must NOT be.

option

-

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

email-collect

Enable/disable email collection.

option

-

Option

Description

enable

Enable email collection.

disable

Disable email collection.

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.

option

-

Option

Description

check-all

Flush all current sessions accepted by this policy. These sessions must be re-established and re-matched against the policies.

check-new

Continue to allow sessions already accepted by this policy.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

fsso

Enable/disable Fortinet Single Sign-On.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

fsso-agent-for-ntlm

FSSO agent to use for NTLM authentication.

string

Maximum length: 35

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

geoip-anycast

Enable/disable recognition of anycast IP addresses using the geography IP database.

option

-

Option

Description

enable

Enable recognition of anycast IP addresses using the geography IP database.

disable

Disable recognition of anycast IP addresses using the geography IP database.

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

identity-based-route

Name of identity-based routing rule.

string

Maximum length: 35

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (flow/proxy). Default is flow mode.

option

-

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-id <id>

Internet Service ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-negate

When enabled, internet-service specifies what the service must NOT be.

option

-

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

option

-

Option

Description

enable

Enable use of Internet Services source in policy.

disable

Disable use of Internet Services source in policy.

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-id <id>

Internet Service source ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-src-negate

When enabled, internet-service-src specifies what the service must NOT be.

option

-

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

ippool

Enable to use IP Pools for source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

match-vip

Enable to match packets that have had their destination addresses changed by a VIP.

option

-

Option

Description

enable

Match DNATed packets.

disable

Do not match DNATed packets.

match-vip-only

Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.

option

-

Option

Description

enable

Enable matching of only those packets that have had their destination addresses changed by a VIP.

disable

Disable matching of only those packets that have had their destination addresses changed by a VIP.

name

Policy name.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natip

Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

ipv4-classnet

Not Specified

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

np-acceleration *

Enable/disable UTM Network Processor acceleration.

option

-

Option

Description

enable

Enable UTM Network Processor acceleration.

disable

Disable UTM Network Processor acceleration.

ntlm

Enable/disable NTLM authentication.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

ntlm-enabled-browsers <user-agent-string>

HTTP-User-Agent value of supported browsers.

User agent string.

string

Maximum length: 79

ntlm-guest

Enable/disable NTLM guest user access.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

permit-any-host

Accept UDP packets from any host.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-stun-host

Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

poolname <name>

IP Pool names.

IP pool name.

string

Maximum length: 79

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

radius-mac-auth-bypass

Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server.

option

-

Option

Description

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

redirect-url

URL users are directed to after seeing and accepting the disclaimer or authenticating.

string

Maximum length: 255

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

reputation-direction

Direction of the initial traffic for reputation to take effect.

option

-

Option

Description

source

Check reputation for source address.

destination

Check reputation for destination address.

reputation-minimum

Minimum Reputation to take action.

integer

Minimum value: 0 Maximum value: 4294967295

rsso

Enable/disable RADIUS single sign-on (RSSO).

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

rtp-addr <name>

Address names if this is an RTP NAT policy.

Address name.

string

Maximum length: 79

rtp-nat

Enable Real Time Protocol (RTP) NAT.

option

-

Option

Description

disable

Disable setting.

enable

Enable setting.

schedule

Schedule name.

string

Maximum length: 35

schedule-timeout

Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.

option

-

Option

Description

enable

Enable schedule timeout.

disable

Disable schedule timeout.

send-deny-packet

Enable to send a reply when a session is denied or blocked by a firewall policy.

option

-

Option

Description

disable

Disable deny-packet sending.

enable

Enable deny-packet sending.

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

service-negate

When enabled, service specifies what the service must NOT be.

option

-

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

session-ttl

TTL in seconds for sessions accepted by this policy.

user

Not Specified

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled, srcaddr specifies what the source address must NOT be.

option

-

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

ssl-mirror

Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).

option

-

Option

Description

enable

Enable SSL mirror.

disable

Disable SSL mirror.

ssl-mirror-intf <name>

SSL mirror interface name.

Mirror Interface name.

string

Maximum length: 79

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

status

Enable or disable this policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-session-without-syn

Enable/disable creation of TCP sessions without the SYN flag.

option

-

Option

Description

all

Enable TCP session without SYN.

data-only

Enable TCP session data only.

disable

Disable TCP session without SYN.

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.

option

-

Option

Description

enable

Enable sending of RST packet upon TCP session expiration.

disable

Disable sending of RST packet upon TCP session expiration.

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.

option

-

Option

Description

enable

Enable TOS match negate.

disable

Disable TOS match negate.

traffic-shaper

Traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

url-category <id>

URL category ID list.

URL category ID.

integer

Minimum value: 0 Maximum value: 4294967295

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

vlan-filter

Set VLAN filters.

user

Not Specified

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

wanopt *

Enable/disable WAN optimization.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt-detection *

WAN optimization auto-detection mode.

option

-

Option

Description

active

Active WAN optimization peer auto-detection.

passive

Passive WAN optimization peer auto-detection.

off

Turn off WAN optimization peer auto-detection.

wanopt-passive-opt *

WAN optimization passive mode options. This option decides which IP address is used to connect to the server.

option

-

Option

Description

default

Allow the client-side WAN optimization peer to decide.

transparent

Use the client's address to connect to the server.

non-transparent

Use the local FortiGate address to connect to the server.

wanopt-peer *

WAN optimization peer.

string

Maximum length: 35

wanopt-profile *

WAN optimization profile.

string

Maximum length: 35

wccp

Enable/disable forwarding traffic matching this policy to a configured WCCP server.

option

-

Option

Description

enable

Enable WCCP setting.

disable

Disable WCCP setting.

webcache *

Enable/disable web cache.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https *

Enable/disable web cache for HTTPS.

option

-

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

wsso

Enable/disable WiFi Single Sign On (WSSO).

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

* This parameter may not exist in some models.

config firewall policy

config firewall policy

Configure IPv4 policies.

config firewall policy
    Description: Configure IPv4 policies.
    edit <policyid>
        set action [accept|deny|...]
        set anti-replay [enable|disable]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set auth-cert {string}
        set auth-path [enable|disable]
        set auth-redirect-addr {string}
        set auto-asic-offload [enable|disable]
        set av-profile {string}
        set block-notification [enable|disable]
        set captive-portal-exempt [enable|disable]
        set capture-packet [enable|disable]
        set cifs-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set delay-tcp-npu-session [enable|disable]
        set diffserv-forward [enable|disable]
        set diffserv-reverse [enable|disable]
        set diffservcode-forward {user}
        set diffservcode-rev {user}
        set disclaimer [enable|disable]
        set dlp-sensor {string}
        set dnsfilter-profile {string}
        set dsri [enable|disable]
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set email-collect [enable|disable]
        set emailfilter-profile {string}
        set firewall-session-dirty [check-all|check-new]
        set fixedport [enable|disable]
        set fsso [enable|disable]
        set fsso-agent-for-ntlm {string}
        set fsso-groups <name1>, <name2>, ...
        set geoip-anycast [enable|disable]
        set groups <name1>, <name2>, ...
        set http-policy-redirect [enable|disable]
        set icap-profile {string}
        set identity-based-route {string}
        set inbound [enable|disable]
        set inspection-mode [proxy|flow]
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-id <id1>, <id2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-id <id1>, <id2>, ...
        set internet-service-src-negate [enable|disable]
        set ippool [enable|disable]
        set ips-sensor {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set match-vip [enable|disable]
        set match-vip-only [enable|disable]
        set name {string}
        set nat [enable|disable]
        set natinbound [enable|disable]
        set natip {ipv4-classnet}
        set natoutbound [enable|disable]
        set np-acceleration [enable|disable]
        set ntlm [enable|disable]
        set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
        set ntlm-guest [enable|disable]
        set outbound [enable|disable]
        set per-ip-shaper {string}
        set permit-any-host [enable|disable]
        set permit-stun-host [enable|disable]
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set radius-mac-auth-bypass [enable|disable]
        set redirect-url {string}
        set replacemsg-override-group {string}
        set reputation-direction [source|destination]
        set reputation-minimum {integer}
        set rsso [enable|disable]
        set rtp-addr <name1>, <name2>, ...
        set rtp-nat [disable|enable]
        set schedule {string}
        set schedule-timeout [enable|disable]
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {user}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-mirror [enable|disable]
        set ssl-mirror-intf <name1>, <name2>, ...
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set tcp-mss-receiver {integer}
        set tcp-mss-sender {integer}
        set tcp-session-without-syn [all|data-only|...]
        set timeout-send-rst [enable|disable]
        set tos {user}
        set tos-mask {user}
        set tos-negate [enable|disable]
        set traffic-shaper {string}
        set traffic-shaper-reverse {string}
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set vlan-cos-fwd {integer}
        set vlan-cos-rev {integer}
        set vlan-filter {user}
        set voip-profile {string}
        set vpntunnel {string}
        set waf-profile {string}
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-peer {string}
        set wanopt-profile {string}
        set wccp [enable|disable]
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
        set wsso [enable|disable]
    next
end

config firewall policy

Layout of the parameter table: parameter [type, size], followed by its description; option values (option: description) and list sub-items (<item>: description [type, size]) are indented beneath the parameter.

action [option, -]
    Policy action (allow/deny/ipsec).
    accept: Allows sessions that match the firewall policy.
    deny: Blocks sessions that match the firewall policy.
    ipsec: Firewall policy becomes a policy-based IPsec VPN policy.

anti-replay [option, -]
    Enable/disable anti-replay check.
    enable: Enable anti-replay check.
    disable: Disable anti-replay check.

app-category <id>
    Application category ID list.
    <id>: Category IDs. [integer, Minimum value: 0 Maximum value: 4294967295]

app-group <name>
    Application group names.
    <name>: Application group names. [string, Maximum length: 79]

application <id>
    Application ID list.
    <id>: Application IDs. [integer, Minimum value: 0 Maximum value: 4294967295]

application-list [string, Maximum length: 35]
    Name of an existing Application list.

auth-cert [string, Maximum length: 35]
    HTTPS server certificate for policy authentication.

auth-path [option, -]
    Enable/disable authentication-based routing.
    enable: Enable authentication-based routing.
    disable: Disable authentication-based routing.

auth-redirect-addr [string, Maximum length: 63]
    HTTP-to-HTTPS redirect address for firewall authentication.

auto-asic-offload * [option, -]
    Enable/disable policy traffic ASIC offloading.
    enable: Enable auto ASIC offloading.
    disable: Disable ASIC offloading.

av-profile [string, Maximum length: 35]
    Name of an existing Antivirus profile.

block-notification [option, -]
    Enable/disable block notification.
    enable: Enable setting.
    disable: Disable setting.

captive-portal-exempt [option, -]
    Enable to exempt some users from the captive portal.
    enable: Enable exemption of captive portal.
    disable: Disable exemption of captive portal.

capture-packet * [option, -]
    Enable/disable capture packets.
    enable: Enable capture packets.
    disable: Disable capture packets.

cifs-profile [string, Maximum length: 35]
    Name of an existing CIFS profile.

comments [var-string, Maximum length: 1023]
    Comment.

custom-log-fields <field-id>
    Custom fields to append to log messages for this policy.
    <field-id>: Custom log field. [string, Maximum length: 35]

delay-tcp-npu-session [option, -]
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
    enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
    disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

diffserv-forward [option, -]
    Enable to change packet's DiffServ values to the specified diffservcode-forward value.
    enable: Enable setting forward (original) traffic DiffServ.
    disable: Disable setting forward (original) traffic DiffServ.

diffserv-reverse [option, -]
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
    enable: Enable setting reverse (reply) traffic DiffServ.
    disable: Disable setting reverse (reply) traffic DiffServ.

diffservcode-forward [user, Not Specified]
    Change packet's DiffServ to this value.

diffservcode-rev [user, Not Specified]
    Change packet's reverse (reply) DiffServ to this value.

disclaimer [option, -]
    Enable/disable user authentication disclaimer.
    enable: Enable user authentication disclaimer.
    disable: Disable user authentication disclaimer.

dlp-sensor [string, Maximum length: 35]
    Name of an existing DLP sensor.

dnsfilter-profile [string, Maximum length: 35]
    Name of an existing DNS filter profile.

dsri [option, -]
    Enable DSRI to ignore HTTP server responses.
    enable: Enable DSRI.
    disable: Disable DSRI.

dstaddr <name>
    Destination address and address group names.
    <name>: Address name. [string, Maximum length: 79]

dstaddr-negate [option, -]
    When enabled, dstaddr specifies what the destination address must NOT be.
    enable: Enable destination address negate.
    disable: Disable destination address negate.

dstintf <name>
    Outgoing (egress) interface.
    <name>: Interface name. [string, Maximum length: 79]

email-collect [option, -]
    Enable/disable email collection.
    enable: Enable email collection.
    disable: Disable email collection.

emailfilter-profile [string, Maximum length: 35]
    Name of an existing email filter profile.

firewall-session-dirty [option, -]
    How to handle sessions if the configuration of this firewall policy changes.
    check-all: Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched with policies.
    check-new: Continue to allow sessions already accepted by this policy.

fixedport [option, -]
    Enable to prevent source NAT from changing a session's source port.
    enable: Enable setting.
    disable: Disable setting.

fsso [option, -]
    Enable/disable Fortinet Single Sign-On.
    enable: Enable setting.
    disable: Disable setting.

fsso-agent-for-ntlm [string, Maximum length: 35]
    FSSO agent to use for NTLM authentication.

fsso-groups <name>
    Names of FSSO groups.
    <name>: Names of FSSO groups. [string, Maximum length: 511]

geoip-anycast [option, -]
    Enable/disable recognition of anycast IP addresses using the geography IP database.
    enable: Enable recognition of anycast IP addresses using the geography IP database.
    disable: Disable recognition of anycast IP addresses using the geography IP database.

groups <name>
    Names of user groups that can authenticate with this policy.
    <name>: Group name. [string, Maximum length: 79]

http-policy-redirect [option, -]
    Redirect HTTP(S) traffic to matching transparent web proxy policy.
    enable: Enable HTTP(S) policy redirect.
    disable: Disable HTTP(S) policy redirect.

icap-profile [string, Maximum length: 35]
    Name of an existing ICAP profile.

identity-based-route [string, Maximum length: 35]
    Name of identity-based routing rule.

inbound [option, -]
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
    enable: Enable setting.
    disable: Disable setting.

inspection-mode [option, -]
    Policy inspection mode (flow/proxy). Default is flow mode.
    proxy: Proxy-based inspection.
    flow: Flow-based inspection.

internet-service [option, -]
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
    enable: Enable use of Internet Services in policy.
    disable: Disable use of Internet Services in policy.

internet-service-custom <name>
    Custom Internet Service name.
    <name>: Custom Internet Service name. [string, Maximum length: 79]

internet-service-custom-group <name>
    Custom Internet Service group name.
    <name>: Custom Internet Service group name. [string, Maximum length: 79]

internet-service-group <name>
    Internet Service group name.
    <name>: Internet Service group name. [string, Maximum length: 79]

internet-service-id <id>
    Internet Service ID.
    <id>: Internet Service ID. [integer, Minimum value: 0 Maximum value: 4294967295]

internet-service-negate [option, -]
    When enabled, internet-service specifies what the service must NOT be.
    enable: Enable negated Internet Service match.
    disable: Disable negated Internet Service match.

internet-service-src [option, -]
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
    enable: Enable use of Internet Services source in policy.
    disable: Disable use of Internet Services source in policy.

internet-service-src-custom <name>
    Custom Internet Service source name.
    <name>: Custom Internet Service name. [string, Maximum length: 79]

internet-service-src-custom-group <name>
    Custom Internet Service source group name.
    <name>: Custom Internet Service group name. [string, Maximum length: 79]

internet-service-src-group <name>
    Internet Service source group name.
    <name>: Internet Service group name. [string, Maximum length: 79]

internet-service-src-id <id>
    Internet Service source ID.
    <id>: Internet Service ID. [integer, Minimum value: 0 Maximum value: 4294967295]

internet-service-src-negate [option, -]
    When enabled, internet-service-src specifies what the service must NOT be.
    enable: Enable negated Internet Service source match.
    disable: Disable negated Internet Service source match.

ippool [option, -]
    Enable to use IP Pools for source NAT.
    enable: Enable setting.
    disable: Disable setting.

ips-sensor [string, Maximum length: 35]
    Name of an existing IPS sensor.

logtraffic [option, -]
    Enable or disable logging. Log all sessions or security profile sessions.
    all: Log all sessions accepted or denied by this policy.
    utm: Log traffic that has a security profile applied to it.
    disable: Disable all logging for this policy.

logtraffic-start [option, -]
    Record logs when a session starts.
    enable: Enable setting.
    disable: Disable setting.

match-vip [option, -]
    Enable to match packets that have had their destination addresses changed by a VIP.
    enable: Match DNATed packet.
    disable: Do not match DNATed packet.

match-vip-only [option, -]
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
    enable: Enable matching of only those packets that have had their destination addresses changed by a VIP.
    disable: Disable matching of only those packets that have had their destination addresses changed by a VIP.

name [string, Maximum length: 35]
    Policy name.

nat [option, -]
    Enable/disable source NAT.
    enable: Enable setting.
    disable: Disable setting.

natinbound [option, -]
    Policy-based IPsec VPN: apply destination NAT to inbound traffic.
    enable: Enable setting.
    disable: Disable setting.

natip [ipv4-classnet, Not Specified]
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

natoutbound [option, -]
    Policy-based IPsec VPN: apply source NAT to outbound traffic.
    enable: Enable setting.
    disable: Disable setting.

np-acceleration * [option, -]
    Enable/disable UTM Network Processor acceleration.
    enable: Enable UTM Network Processor acceleration.
    disable: Disable UTM Network Processor acceleration.

ntlm [option, -]
    Enable/disable NTLM authentication.
    enable: Enable setting.
    disable: Disable setting.

ntlm-enabled-browsers <user-agent-string>
    HTTP-User-Agent value of supported browsers.
    <user-agent-string>: User agent string. [string, Maximum length: 79]

ntlm-guest [option, -]
    Enable/disable NTLM guest user access.
    enable: Enable setting.
    disable: Disable setting.

outbound [option, -]
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
    enable: Enable setting.
    disable: Disable setting.

per-ip-shaper [string, Maximum length: 35]
    Per-IP traffic shaper.

permit-any-host [option, -]
    Accept UDP packets from any host.
    enable: Enable setting.
    disable: Disable setting.

permit-stun-host [option, -]
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
    enable: Enable setting.
    disable: Disable setting.

policyid [integer, Minimum value: 0 Maximum value: 4294967294]
    Policy ID.

poolname <name>
    IP Pool names.
    <name>: IP pool name. [string, Maximum length: 79]

profile-group [string, Maximum length: 35]
    Name of profile group.

profile-protocol-options [string, Maximum length: 35]
    Name of an existing Protocol options profile.

profile-type [option, -]
    Determine whether the firewall policy allows security profile groups or single profiles only.
    single: Do not allow security profile groups.
    group: Allow security profile groups.

radius-mac-auth-bypass [option, -]
    Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server.
    enable: Enable MAC authentication bypass.
    disable: Disable MAC authentication bypass.

redirect-url [string, Maximum length: 255]
    URL users are directed to after seeing and accepting the disclaimer or authenticating.

replacemsg-override-group [string, Maximum length: 35]
    Override the default replacement message group for this policy.

reputation-direction [option, -]
    Direction of the initial traffic for reputation to take effect.
    source: Check reputation for source address.
    destination: Check reputation for destination address.

reputation-minimum [integer, Minimum value: 0 Maximum value: 4294967295]
    Minimum Reputation to take action.

rsso [option, -]
    Enable/disable RADIUS single sign-on (RSSO).
    enable: Enable setting.
    disable: Disable setting.

rtp-addr <name>
    Address names if this is an RTP NAT policy.
    <name>: Address name. [string, Maximum length: 79]

rtp-nat [option, -]
    Enable Real Time Protocol (RTP) NAT.
    disable: Disable setting.
    enable: Enable setting.

schedule [string, Maximum length: 35]
    Schedule name.

schedule-timeout [option, -]
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
    enable: Enable schedule timeout.
    disable: Disable schedule timeout.

send-deny-packet [option, -]
    Enable to send a reply when a session is denied or blocked by a firewall policy.
    disable: Disable deny-packet sending.
    enable: Enable deny-packet sending.

service <name>
    Service and service group names.
    <name>: Service and service group names. [string, Maximum length: 79]

service-negate [option, -]
    When enabled, service specifies what the service must NOT be.
    enable: Enable negated service match.
    disable: Disable negated service match.

session-ttl [user, Not Specified]
    TTL in seconds for sessions accepted by this policy.

srcaddr <name>
    Source address and address group names.
    <name>: Address name. [string, Maximum length: 79]

srcaddr-negate [option, -]
    When enabled, srcaddr specifies what the source address must NOT be.
    enable: Enable source address negate.
    disable: Disable source address negate.

srcintf <name>
    Incoming (ingress) interface.
    <name>: Interface name. [string, Maximum length: 79]

ssh-filter-profile [string, Maximum length: 35]
    Name of an existing SSH filter profile.

ssh-policy-redirect [option, -]
    Redirect SSH traffic to matching transparent proxy policy.
    enable: Enable SSH policy redirect.
    disable: Disable SSH policy redirect.

ssl-mirror [option, -]
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
    enable: Enable SSL mirror.
    disable: Disable SSL mirror.

ssl-mirror-intf <name>
    SSL mirror interface name.
    <name>: Mirror interface name. [string, Maximum length: 79]

ssl-ssh-profile [string, Maximum length: 35]
    Name of an existing SSL SSH profile.

status [option, -]
    Enable or disable this policy.
    enable: Enable setting.
    disable: Disable setting.

tcp-mss-receiver [integer, Minimum value: 0 Maximum value: 65535]
    Receiver TCP maximum segment size (MSS).

tcp-mss-sender [integer, Minimum value: 0 Maximum value: 65535]
    Sender TCP maximum segment size (MSS).

tcp-session-without-syn [option, -]
    Enable/disable creation of TCP session without SYN flag.
    all: Enable TCP session without SYN.
    data-only: Enable TCP session data only.
    disable: Disable TCP session without SYN.

timeout-send-rst [option, -]
    Enable/disable sending RST packets when TCP sessions expire.
    enable: Enable sending of RST packet upon TCP session expiration.
    disable: Disable sending of RST packet upon TCP session expiration.

tos [user, Not Specified]
    ToS (Type of Service) value used for comparison.

tos-mask [user, Not Specified]
    Non-zero bit positions are used for comparison while zero bit positions are ignored.

tos-negate [option, -]
    Enable negated ToS match.
    enable: Enable ToS match negate.
    disable: Disable ToS match negate.

traffic-shaper [string, Maximum length: 35]
    Traffic shaper.

traffic-shaper-reverse [string, Maximum length: 35]
    Reverse traffic shaper.

url-category <id>
    URL category ID list.
    <id>: URL category ID. [integer, Minimum value: 0 Maximum value: 4294967295]

users <name>
    Names of individual users that can authenticate with this policy.
    <name>: Names of individual users that can authenticate with this policy. [string, Maximum length: 79]

utm-status [option, -]
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
    enable: Enable setting.
    disable: Disable setting.

uuid [uuid, Not Specified]
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

vlan-cos-fwd [integer, Minimum value: 0 Maximum value: 7]
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

vlan-cos-rev [integer, Minimum value: 0 Maximum value: 7]
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

vlan-filter [user, Not Specified]
    Set VLAN filters.

voip-profile [string, Maximum length: 35]
    Name of an existing VoIP profile.

vpntunnel [string, Maximum length: 35]
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

waf-profile [string, Maximum length: 35]
    Name of an existing Web application firewall profile.

wanopt * [option, -]
    Enable/disable WAN optimization.
    enable: Enable setting.
    disable: Disable setting.

wanopt-detection * [option, -]
    WAN optimization auto-detection mode.
    active: Active WAN optimization peer auto-detection.
    passive: Passive WAN optimization peer auto-detection.
    off: Turn off WAN optimization peer auto-detection.

wanopt-passive-opt * [option, -]
    WAN optimization passive mode options. This option decides what IP address will be used to connect to the server.
    default: Allow client side WAN opt peer to decide.
    transparent: Use address of client to connect to server.
    non-transparent: Use local FortiGate address to connect to server.

wanopt-peer * [string, Maximum length: 35]
    WAN optimization peer.

wanopt-profile * [string, Maximum length: 35]
    WAN optimization profile.

wccp [option, -]
    Enable/disable forwarding traffic matching this policy to a configured WCCP server.
    enable: Enable WCCP setting.
    disable: Disable WCCP setting.

webcache * [option, -]
    Enable/disable web cache.
    enable: Enable setting.
    disable: Disable setting.

webcache-https * [option, -]
    Enable/disable web cache for HTTPS.
    disable: Disable web cache for HTTPS.
    enable: Enable web cache for HTTPS.

webfilter-profile [string, Maximum length: 35]
    Name of an existing Web filter profile.

webproxy-forward-server [string, Maximum length: 63]
    Webproxy forward server name.

webproxy-profile [string, Maximum length: 63]
    Webproxy profile name.

wsso [option, -]
    Enable/disable WiFi Single Sign On (WSSO).
    enable: Enable setting.
    disable: Disable setting.

* This parameter may not exist in some models.
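The following is an added worked example of the parameters above combined into two IPv4 policies; it is not taken from the Fortinet reference and is not a vendor-recommended configuration. It assumes interfaces named "lan" and "wan1", an address object "lan-clients", an IP pool "snat-pool", and security profiles named "default" plus the SSL/SSH profile "certificate-inspection" already exist on the unit; the address "all", the schedule "always" and the services "HTTP", "HTTPS" and "ALL" are FortiOS built-in objects. Multi-value fields such as service are given as space-separated quoted names on the CLI.

```text
config firewall policy
    edit 10
        set name "lan-to-wan-web"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "lan-clients"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action accept
        set nat enable
        set ippool enable
        set poolname "snat-pool"
        set fixedport disable
        set inspection-mode flow
        set utm-status enable
        set ips-sensor "default"
        set av-profile "default"
        set webfilter-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set logtraffic-start enable
        set firewall-session-dirty check-all
        set comments "Example: outbound web only, security profiles enforced, every session logged"
    next
    edit 11
        set name "lan-to-wan-deny-rest"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set send-deny-packet enable
        set logtraffic all
        set comments "Example: explicit catch-all deny so dropped traffic produces log records"
    next
end
```

Points the example is built to show: policy 10 only accepts the two named services from the named source object, and utm-status enable is what actually attaches the ips-sensor, av-profile, webfilter-profile and ssl-ssh-profile to the traffic; logtraffic all (rather than utm) records every accepted session, and logtraffic-start adds a record at session start so long-lived flows show up before they close. firewall-session-dirty check-all flushes existing sessions when the policy is edited, so a tightened policy takes effect on sessions already open rather than only on new ones. Policy 11 sits after policy 10 and denies the remaining lan-to-wan1 traffic with logtraffic all, giving the operations team a log line for each blocked attempt; send-deny-packet enable returns a reply to the client instead of silently dropping, which is a usability choice that should be weighed against the reconnaissance value of an explicit reject. Ordering matters: FortiGate evaluates policies top down, so the deny must come after the accept.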