config firewall policy
Description: Configure IPv4 policies.
edit <policyid>
set name {string}
set uuid {uuid}
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-id <id1>, <id2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-id <id1>, <id2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set reputation-minimum {integer}
set reputation-direction [source|destination]
set rtp-nat [disable|enable]
set rtp-addr <name1>, <name2>, ...
set action [accept|deny|...]
set send-deny-packet [disable|enable]
set firewall-session-dirty [check-all|check-new]
set status [enable|disable]
set schedule {string}
set schedule-timeout [enable|disable]
set service <name1>, <name2>, ...
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set anti-replay [enable|disable]
set tcp-session-without-syn [all|data-only|...]
set geoip-anycast [enable|disable]
set utm-status [enable|disable]
set inspection-mode [proxy|flow]
set http-policy-redirect [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-profile {string}
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set emailfilter-profile {string}
set dlp-sensor {string}
set ips-sensor {string}
set application-list {string}
set voip-profile {string}
set icap-profile {string}
set cifs-profile {string}
set waf-profile {string}
set ssh-filter-profile {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set capture-packet [enable|disable]
set auto-asic-offload [enable|disable]
set np-acceleration [enable|disable]
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-profile {string}
set wanopt-peer {string}
set webcache [enable|disable]
set webcache-https [disable|enable]
set webproxy-forward-server {string}
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set per-ip-shaper {string}
set application <id1>, <id2>, ...
set app-category <id1>, <id2>, ...
set url-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set nat [enable|disable]
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set fixedport [enable|disable]
set ippool [enable|disable]
set poolname <name1>, <name2>, ...
set session-ttl {integer}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set inbound [enable|disable]
set outbound [enable|disable]
set natinbound [enable|disable]
set natoutbound [enable|disable]
set wccp [enable|disable]
set ntlm [enable|disable]
set ntlm-guest [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set fsso [enable|disable]
set wsso [enable|disable]
set rsso [enable|disable]
set fsso-agent-for-ntlm {string}
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set fsso-groups <name1>, <name2>, ...
set auth-path [enable|disable]
set disclaimer [enable|disable]
set email-collect [enable|disable]
set vpntunnel {string}
set natip {ipv4-classnet}
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set tcp-mss-sender {integer}
set tcp-mss-receiver {integer}
set comments {var-string}
set auth-cert {string}
set auth-redirect-addr {string}
set redirect-url {string}
set identity-based-route {string}
set block-notification [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set replacemsg-override-group {string}
set srcaddr-negate [enable|disable]
set dstaddr-negate [enable|disable]
set service-negate [enable|disable]
set internet-service-negate [enable|disable]
set internet-service-src-negate [enable|disable]
set timeout-send-rst [enable|disable]
set captive-portal-exempt [enable|disable]
set ssl-mirror [enable|disable]
set ssl-mirror-intf <name1>, <name2>, ...
set dsri [enable|disable]
set radius-mac-auth-bypass [enable|disable]
set delay-tcp-npu-session [enable|disable]
set vlan-filter {user}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
name | Policy name. | string | Maximum length: 35 |
uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
srcintf <name> |
Incoming (ingress) interface. Interface name. |
string | Maximum length: 79 |
dstintf <name> |
Outgoing (egress) interface. Interface name. |
string | Maximum length: 79 |
srcaddr <name> |
Source address and address group names. Address name. |
string | Maximum length: 79 |
dstaddr <name> |
Destination address and address group names. Address name. |
string | Maximum length: 79 |
internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. enable: Enable use of Internet Services in policy. disable: Disable use of Internet Services in policy. |
option | - |
internet-service-id <id> |
Internet Service ID. Internet Service ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
internet-service-group <name> |
Internet Service group name. Internet Service group name. |
string | Maximum length: 79 |
internet-service-custom <name> |
Custom Internet Service name. Custom Internet Service name. |
string | Maximum length: 79 |
internet-service-custom-group <name> |
Custom Internet Service group name. Custom Internet Service group name. |
string | Maximum length: 79 |
internet-service-src | Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. enable: Enable use of Internet Services source in policy. disable: Disable use of Internet Services source in policy. |
option | - |
internet-service-src-id <id> |
Internet Service source ID. Internet Service ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
internet-service-src-group <name> |
Internet Service source group name. Internet Service group name. |
string | Maximum length: 79 |
internet-service-src-custom <name> |
Custom Internet Service source name. Custom Internet Service name. |
string | Maximum length: 79 |
internet-service-src-custom-group <name> |
Custom Internet Service source group name. Custom Internet Service group name. |
string | Maximum length: 79 |
reputation-minimum | Minimum Reputation to take action. | integer | Minimum value: 0 Maximum value: 4294967295 |
reputation-direction | Direction of the initial traffic for reputation to take effect. source: Check reputation for source address. destination: Check reputation for destination address. |
option | - |
rtp-nat | Enable Real Time Protocol (RTP) NAT. disable: Disable setting. enable: Enable setting. |
option | - |
rtp-addr <name> |
Address names if this is an RTP NAT policy. Address name. |
string | Maximum length: 79 |
action | Policy action (allow/deny/ipsec). accept: Allows session that match the firewall policy. deny: Blocks sessions that match the firewall policy. ipsec: Firewall policy becomes a policy-based IPsec VPN policy. |
option | - |
send-deny-packet | Enable to send a reply when a session is denied or blocked by a firewall policy. disable: Disable deny-packet sending. enable: Enable deny-packet sending. |
option | - |
firewall-session-dirty | How to handle sessions if the configuration of this firewall policy changes. check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies. check-new: Continue to allow sessions already accepted by this policy. |
option | - |
status | Enable or disable this policy. enable: Enable setting. disable: Disable setting. |
option | - |
schedule | Schedule name. | string | Maximum length: 35 |
schedule-timeout | Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. enable: Enable schedule timeout. disable: Disable schedule timeout. |
option | - |
service <name> |
Service and service group names. Service and service group names. |
string | Maximum length: 79 |
tos | ToS (Type of Service) value used for comparison. | user | Not Specified |
tos-mask | Non-zero bit positions are used for comparison while zero bit positions are ignored. | user | Not Specified |
tos-negate | Enable negated TOS match. enable: Enable TOS match negate. disable: Disable TOS match negate. |
option | - |
anti-replay | Enable/disable anti-replay check. enable: Enable anti-replay check. disable: Disable anti-replay check. |
option | - |
tcp-session-without-syn | Enable/disable creation of TCP session without SYN flag. all: Enable TCP session without SYN. data-only: Enable TCP session data only. disable: Disable TCP session without SYN. |
option | - |
geoip-anycast | Enable/disable recognition of anycast IP addresses using the geography IP database. enable: Enable recognition of anycast IP addresses using the geography IP database. disable: Disable recognition of anycast IP addresses using the geography IP database. |
option | - |
utm-status | Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. enable: Enable setting. disable: Disable setting. |
option | - |
inspection-mode | Policy inspection mode (Flow/proxy). Default is Flow mode. proxy: Proxy based inspection. flow: Flow based inspection. |
option | - |
http-policy-redirect | Redirect HTTP(S) traffic to matching transparent web proxy policy. enable: Enable HTTP(S) policy redirect. disable: Disable HTTP(S) policy redirect. |
option | - |
ssh-policy-redirect | Redirect SSH traffic to matching transparent proxy policy. enable: Enable SSH policy redirect. disable: Disable SSH policy redirect. |
option | - |
webproxy-profile | Webproxy profile name. | string | Maximum length: 63 |
profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. single: Do not allow security profile groups. group: Allow security profile groups. |
option | - |
profile-group | Name of profile group. | string | Maximum length: 35 |
profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 |
ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 |
av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 |
webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 |
dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 |
emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 |
dlp-sensor | Name of an existing DLP sensor. | string | Maximum length: 35 |
ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 |
application-list | Name of an existing Application list. | string | Maximum length: 35 |
voip-profile | Name of an existing VoIP profile. | string | Maximum length: 35 |
icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 |
cifs-profile | Name of an existing CIFS profile. | string | Maximum length: 35 |
waf-profile | Name of an existing Web application firewall profile. | string | Maximum length: 35 |
ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 |
logtraffic | Enable or disable logging. Log all sessions or security profile sessions. all: Log all sessions accepted or denied by this policy. utm: Log traffic that has a security profile applied to it. disable: Disable all logging for this policy. |
option | - |
logtraffic-start | Record logs when a session starts. enable: Enable setting. disable: Disable setting. |
option | - |
capture-packet | Enable/disable capture packets. enable: Enable capture packets. disable: Disable capture packets. |
option | - |
auto-asic-offload | Enable/disable policy traffic ASIC offloading. enable: Enable auto ASIC offloading. disable: Disable ASIC offloading. |
option | - |
np-acceleration | Enable/disable UTM Network Processor acceleration. enable: Enable UTM Network Processor acceleration. disable: Disable UTM Network Processor acceleration. |
option | - |
wanopt | Enable/disable WAN optimization. enable: Enable setting. disable: Disable setting. |
option | - |
wanopt-detection | WAN optimization auto-detection mode. active: Active WAN optimization peer auto-detection. passive: Passive WAN optimization peer auto-detection. off: Turn off WAN optimization peer auto-detection. |
option | - |
wanopt-passive-opt | WAN optimization passive mode options. This option decides what IP address will be used to connect server. default: Allow client side WAN opt peer to decide. transparent: Use address of client to connect to server. non-transparent: Use local FortiGate address to connect to server. |
option | - |
wanopt-profile | WAN optimization profile. | string | Maximum length: 35 |
wanopt-peer | WAN optimization peer. | string | Maximum length: 35 |
webcache | Enable/disable web cache. enable: Enable setting. disable: Disable setting. |
option | - |
webcache-https | Enable/disable web cache for HTTPS. disable: Disable web cache for HTTPS. enable: Enable web cache for HTTPS. |
option | - |
webproxy-forward-server | Webproxy forward server name. | string | Maximum length: 63 |
traffic-shaper | Traffic shaper. | string | Maximum length: 35 |
traffic-shaper-reverse | Reverse traffic shaper. | string | Maximum length: 35 |
per-ip-shaper | Per-IP traffic shaper. | string | Maximum length: 35 |
application <id> |
Application ID list. Application IDs. |
integer | Minimum value: 0 Maximum value: 4294967295 |
app-category <id> |
Application category ID list. Category IDs. |
integer | Minimum value: 0 Maximum value: 4294967295 |
url-category <id> |
URL category ID list. URL category ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
app-group <name> |
Application group names. Application group names. |
string | Maximum length: 79 |
nat | Enable/disable source NAT. enable: Enable setting. disable: Disable setting. |
option | - |
permit-any-host | Accept UDP packets from any host. enable: Enable setting. disable: Disable setting. |
option | - |
permit-stun-host | Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. enable: Enable setting. disable: Disable setting. |
option | - |
fixedport | Enable to prevent source NAT from changing a session's source port. enable: Enable setting. disable: Disable setting. |
option | - |
ippool | Enable to use IP Pools for source NAT. enable: Enable setting. disable: Disable setting. |
option | - |
poolname <name> |
IP Pool names. IP pool name. |
string | Maximum length: 79 |
session-ttl | TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). | integer | Minimum value: 300 Maximum value: 2764800 |
vlan-cos-fwd | VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. | integer | Minimum value: 0 Maximum value: 7 |
vlan-cos-rev | VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. | integer | Minimum value: 0 Maximum value: 7 |
inbound | Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. enable: Enable setting. disable: Disable setting. |
option | - |
outbound | Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. enable: Enable setting. disable: Disable setting. |
option | - |
natinbound | Policy-based IPsec VPN: apply destination NAT to inbound traffic. enable: Enable setting. disable: Disable setting. |
option | - |
natoutbound | Policy-based IPsec VPN: apply source NAT to outbound traffic. enable: Enable setting. disable: Disable setting. |
option | - |
wccp | Enable/disable forwarding traffic matching this policy to a configured WCCP server. enable: Enable WCCP setting. disable: Disable WCCP setting. |
option | - |
ntlm | Enable/disable NTLM authentication. enable: Enable setting. disable: Disable setting. |
option | - |
ntlm-guest | Enable/disable NTLM guest user access. enable: Enable setting. disable: Disable setting. |
option | - |
ntlm-enabled-browsers <user-agent-string> |
HTTP-User-Agent value of supported browsers. User agent string. |
string | Maximum length: 79 |
fsso | Enable/disable Fortinet Single Sign-On. enable: Enable setting. disable: Disable setting. |
option | - |
wsso | Enable/disable WiFi Single Sign On (WSSO). enable: Enable setting. disable: Disable setting. |
option | - |
rsso | Enable/disable RADIUS single sign-on (RSSO). enable: Enable setting. disable: Disable setting. |
option | - |
fsso-agent-for-ntlm | FSSO agent to use for NTLM authentication. | string | Maximum length: 35 |
groups <name> |
Names of user groups that can authenticate with this policy. Group name. |
string | Maximum length: 79 |
users <name> |
Names of individual users that can authenticate with this policy. Names of individual users that can authenticate with this policy. |
string | Maximum length: 79 |
fsso-groups <name> |
Names of FSSO groups. Names of FSSO groups. |
string | Maximum length: 511 |
auth-path | Enable/disable authentication-based routing. enable: Enable authentication-based routing. disable: Disable authentication-based routing. |
option | - |
disclaimer | Enable/disable user authentication disclaimer. enable: Enable user authentication disclaimer. disable: Disable user authentication disclaimer. |
option | - |
email-collect | Enable/disable email collection. enable: Enable email collection. disable: Disable email collection. |
option | - |
vpntunnel | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. | string | Maximum length: 35 |
natip | Policy-based IPsec VPN: source NAT IP address for outgoing traffic. | ipv4-classnet | Not Specified |
match-vip | Enable to match packets that have had their destination addresses changed by a VIP. enable: Match DNATed packet. disable: Do not match DNATed packet. |
option | - |
match-vip-only | Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. enable: Enable matching of only those packets that have had their destination addresses changed by a VIP. disable: Disable matching of only those packets that have had their destination addresses changed by a VIP. |
option | - |
diffserv-forward | Enable to change packet's DiffServ values to the specified diffservcode-forward value. enable: Enable setting forward (original) traffic Diffserv. disable: Disable setting forward (original) traffic Diffserv. |
option | - |
diffserv-reverse | Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. enable: Enable setting reverse (reply) traffic DiffServ. disable: Disable setting reverse (reply) traffic DiffServ. |
option | - |
diffservcode-forward | Change packet's DiffServ to this value. | user | Not Specified |
diffservcode-rev | Change packet's reverse (reply) DiffServ to this value. | user | Not Specified |
tcp-mss-sender | Sender TCP maximum segment size (MSS). | integer | Minimum value: 0 Maximum value: 65535 |
tcp-mss-receiver | Receiver TCP maximum segment size (MSS). | integer | Minimum value: 0 Maximum value: 65535 |
comments | Comment. | var-string | Maximum length: 1023 |
auth-cert | HTTPS server certificate for policy authentication. | string | Maximum length: 35 |
auth-redirect-addr | HTTP-to-HTTPS redirect address for firewall authentication. | string | Maximum length: 63 |
redirect-url | URL users are directed to after seeing and accepting the disclaimer or authenticating. | string | Maximum length: 255 |
identity-based-route | Name of identity-based routing rule. | string | Maximum length: 35 |
block-notification | Enable/disable block notification. enable: Enable setting. disable: Disable setting. |
option | - |
custom-log-fields <field-id> |
Custom fields to append to log messages for this policy. Custom log field. |
string | Maximum length: 35 |
replacemsg-override-group | Override the default replacement message group for this policy. | string | Maximum length: 35 |
srcaddr-negate | When enabled srcaddr specifies what the source address must NOT be. enable: Enable source address negate. disable: Disable source address negate. |
option | - |
dstaddr-negate | When enabled dstaddr specifies what the destination address must NOT be. enable: Enable destination address negate. disable: Disable destination address negate. |
option | - |
service-negate | When enabled service specifies what the service must NOT be. enable: Enable negated service match. disable: Disable negated service match. |
option | - |
internet-service-negate | When enabled internet-service specifies what the service must NOT be. enable: Enable negated Internet Service match. disable: Disable negated Internet Service match. |
option | - |
internet-service-src-negate | When enabled internet-service-src specifies what the service must NOT be. enable: Enable negated Internet Service source match. disable: Disable negated Internet Service source match. |
option | - |
timeout-send-rst | Enable/disable sending RST packets when TCP sessions expire. enable: Enable sending of RST packet upon TCP session expiration. disable: Disable sending of RST packet upon TCP session expiration. |
option | - |
captive-portal-exempt | Enable to exempt some users from the captive portal. enable: Enable exemption of captive portal. disable: Disable exemption of captive portal. |
option | - |
ssl-mirror | Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). enable: Enable SSL mirror. disable: Disable SSL mirror. |
option | - |
ssl-mirror-intf <name> |
SSL mirror interface name. Mirror Interface name. |
string | Maximum length: 79 |
dsri | Enable DSRI to ignore HTTP server responses. enable: Enable DSRI. disable: Disable DSRI. |
option | - |
radius-mac-auth-bypass | Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
delay-tcp-npu-session | Enable TCP NPU session delay to guarantee packet order of 3-way handshake. enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake. disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake. |
option | - |
vlan-filter | Set VLAN filters. | user | Not Specified |
config firewall policy
Description: Configure IPv4 policies.
edit <policyid>
set name {string}
set uuid {uuid}
set srcintf <name1>, <name2>, ...
set dstintf <name1>, <name2>, ...
set srcaddr <name1>, <name2>, ...
set dstaddr <name1>, <name2>, ...
set internet-service [enable|disable]
set internet-service-id <id1>, <id2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-src [enable|disable]
set internet-service-src-id <id1>, <id2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set reputation-minimum {integer}
set reputation-direction [source|destination]
set rtp-nat [disable|enable]
set rtp-addr <name1>, <name2>, ...
set action [accept|deny|...]
set send-deny-packet [disable|enable]
set firewall-session-dirty [check-all|check-new]
set status [enable|disable]
set schedule {string}
set schedule-timeout [enable|disable]
set service <name1>, <name2>, ...
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set anti-replay [enable|disable]
set tcp-session-without-syn [all|data-only|...]
set geoip-anycast [enable|disable]
set utm-status [enable|disable]
set inspection-mode [proxy|flow]
set http-policy-redirect [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-profile {string}
set profile-type [single|group]
set profile-group {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set av-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set emailfilter-profile {string}
set dlp-sensor {string}
set ips-sensor {string}
set application-list {string}
set voip-profile {string}
set icap-profile {string}
set cifs-profile {string}
set waf-profile {string}
set ssh-filter-profile {string}
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set capture-packet [enable|disable]
set auto-asic-offload [enable|disable]
set np-acceleration [enable|disable]
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-profile {string}
set wanopt-peer {string}
set webcache [enable|disable]
set webcache-https [disable|enable]
set webproxy-forward-server {string}
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set per-ip-shaper {string}
set application <id1>, <id2>, ...
set app-category <id1>, <id2>, ...
set url-category <id1>, <id2>, ...
set app-group <name1>, <name2>, ...
set nat [enable|disable]
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set fixedport [enable|disable]
set ippool [enable|disable]
set poolname <name1>, <name2>, ...
set session-ttl {integer}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set inbound [enable|disable]
set outbound [enable|disable]
set natinbound [enable|disable]
set natoutbound [enable|disable]
set wccp [enable|disable]
set ntlm [enable|disable]
set ntlm-guest [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set fsso [enable|disable]
set wsso [enable|disable]
set rsso [enable|disable]
set fsso-agent-for-ntlm {string}
set groups <name1>, <name2>, ...
set users <name1>, <name2>, ...
set fsso-groups <name1>, <name2>, ...
set auth-path [enable|disable]
set disclaimer [enable|disable]
set email-collect [enable|disable]
set vpntunnel {string}
set natip {ipv4-classnet}
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set tcp-mss-sender {integer}
set tcp-mss-receiver {integer}
set comments {var-string}
set auth-cert {string}
set auth-redirect-addr {string}
set redirect-url {string}
set identity-based-route {string}
set block-notification [enable|disable]
set custom-log-fields <field-id1>, <field-id2>, ...
set replacemsg-override-group {string}
set srcaddr-negate [enable|disable]
set dstaddr-negate [enable|disable]
set service-negate [enable|disable]
set internet-service-negate [enable|disable]
set internet-service-src-negate [enable|disable]
set timeout-send-rst [enable|disable]
set captive-portal-exempt [enable|disable]
set ssl-mirror [enable|disable]
set ssl-mirror-intf <name1>, <name2>, ...
set dsri [enable|disable]
set radius-mac-auth-bypass [enable|disable]
set delay-tcp-npu-session [enable|disable]
set vlan-filter {user}
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
name | Policy name. | string | Maximum length: 35 |
uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
srcintf <name> |
Incoming (ingress) interface. Interface name. |
string | Maximum length: 79 |
dstintf <name> |
Outgoing (egress) interface. Interface name. |
string | Maximum length: 79 |
srcaddr <name> |
Source address and address group names. Address name. |
string | Maximum length: 79 |
dstaddr <name> |
Destination address and address group names. Address name. |
string | Maximum length: 79 |
internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. enable: Enable use of Internet Services in policy. disable: Disable use of Internet Services in policy. |
option | - |
internet-service-id <id> |
Internet Service ID. Internet Service ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
internet-service-group <name> |
Internet Service group name. Internet Service group name. |
string | Maximum length: 79 |
internet-service-custom <name> |
Custom Internet Service name. Custom Internet Service name. |
string | Maximum length: 79 |
internet-service-custom-group <name> |
Custom Internet Service group name. Custom Internet Service group name. |
string | Maximum length: 79 |
internet-service-src | Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. enable: Enable use of Internet Services source in policy. disable: Disable use of Internet Services source in policy. |
option | - |
internet-service-src-id <id> |
Internet Service source ID. Internet Service ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
internet-service-src-group <name> |
Internet Service source group name. Internet Service group name. |
string | Maximum length: 79 |
internet-service-src-custom <name> |
Custom Internet Service source name. Custom Internet Service name. |
string | Maximum length: 79 |
internet-service-src-custom-group <name> |
Custom Internet Service source group name. Custom Internet Service group name. |
string | Maximum length: 79 |
reputation-minimum | Minimum Reputation to take action. | integer | Minimum value: 0 Maximum value: 4294967295 |
reputation-direction | Direction of the initial traffic for reputation to take effect. source: Check reputation for source address. destination: Check reputation for destination address. |
option | - |
rtp-nat | Enable Real Time Protocol (RTP) NAT. disable: Disable setting. enable: Enable setting. |
option | - |
rtp-addr <name> |
Address names if this is an RTP NAT policy. Address name. |
string | Maximum length: 79 |
action | Policy action (allow/deny/ipsec). accept: Allows session that match the firewall policy. deny: Blocks sessions that match the firewall policy. ipsec: Firewall policy becomes a policy-based IPsec VPN policy. |
option | - |
send-deny-packet | Enable to send a reply when a session is denied or blocked by a firewall policy. disable: Disable deny-packet sending. enable: Enable deny-packet sending. |
option | - |
firewall-session-dirty | How to handle sessions if the configuration of this firewall policy changes. check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies. check-new: Continue to allow sessions already accepted by this policy. |
option | - |
status | Enable or disable this policy. enable: Enable setting. disable: Disable setting. |
option | - |
schedule | Schedule name. | string | Maximum length: 35 |
schedule-timeout | Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. enable: Enable schedule timeout. disable: Disable schedule timeout. |
option | - |
service <name> |
Service and service group names. Service and service group names. |
string | Maximum length: 79 |
tos | ToS (Type of Service) value used for comparison. | user | Not Specified |
tos-mask | Non-zero bit positions are used for comparison while zero bit positions are ignored. | user | Not Specified |
tos-negate | Enable negated TOS match. enable: Enable TOS match negate. disable: Disable TOS match negate. |
option | - |
anti-replay | Enable/disable anti-replay check. enable: Enable anti-replay check. disable: Disable anti-replay check. |
option | - |
tcp-session-without-syn | Enable/disable creation of TCP session without SYN flag. all: Enable TCP session without SYN. data-only: Enable TCP session data only. disable: Disable TCP session without SYN. |
option | - |
geoip-anycast | Enable/disable recognition of anycast IP addresses using the geography IP database. enable: Enable recognition of anycast IP addresses using the geography IP database. disable: Disable recognition of anycast IP addresses using the geography IP database. |
option | - |
utm-status | Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. enable: Enable setting. disable: Disable setting. |
option | - |
inspection-mode | Policy inspection mode (Flow/proxy). Default is Flow mode. proxy: Proxy based inspection. flow: Flow based inspection. |
option | - |
http-policy-redirect | Redirect HTTP(S) traffic to matching transparent web proxy policy. enable: Enable HTTP(S) policy redirect. disable: Disable HTTP(S) policy redirect. |
option | - |
ssh-policy-redirect | Redirect SSH traffic to matching transparent proxy policy. enable: Enable SSH policy redirect. disable: Disable SSH policy redirect. |
option | - |
webproxy-profile | Webproxy profile name. | string | Maximum length: 63 |
profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. single: Do not allow security profile groups. group: Allow security profile groups. |
option | - |
profile-group | Name of profile group. | string | Maximum length: 35 |
profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 |
ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 |
av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 |
webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 |
dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 |
emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 |
dlp-sensor | Name of an existing DLP sensor. | string | Maximum length: 35 |
ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 |
application-list | Name of an existing Application list. | string | Maximum length: 35 |
voip-profile | Name of an existing VoIP profile. | string | Maximum length: 35 |
icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 |
cifs-profile | Name of an existing CIFS profile. | string | Maximum length: 35 |
waf-profile | Name of an existing Web application firewall profile. | string | Maximum length: 35 |
ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 |
logtraffic | Enable or disable logging. Log all sessions or security profile sessions. all: Log all sessions accepted or denied by this policy. utm: Log traffic that has a security profile applied to it. disable: Disable all logging for this policy. |
option | - |
logtraffic-start | Record logs when a session starts. enable: Enable setting. disable: Disable setting. |
option | - |
capture-packet | Enable/disable capture packets. enable: Enable capture packets. disable: Disable capture packets. |
option | - |
auto-asic-offload | Enable/disable policy traffic ASIC offloading. enable: Enable auto ASIC offloading. disable: Disable ASIC offloading. |
option | - |
np-acceleration | Enable/disable UTM Network Processor acceleration. enable: Enable UTM Network Processor acceleration. disable: Disable UTM Network Processor acceleration. |
option | - |
wanopt | Enable/disable WAN optimization. enable: Enable setting. disable: Disable setting. |
option | - |
wanopt-detection | WAN optimization auto-detection mode. active: Active WAN optimization peer auto-detection. passive: Passive WAN optimization peer auto-detection. off: Turn off WAN optimization peer auto-detection. |
option | - |
wanopt-passive-opt | WAN optimization passive mode options. This option decides what IP address will be used to connect server. default: Allow client side WAN opt peer to decide. transparent: Use address of client to connect to server. non-transparent: Use local FortiGate address to connect to server. |
option | - |
wanopt-profile | WAN optimization profile. | string | Maximum length: 35 |
wanopt-peer | WAN optimization peer. | string | Maximum length: 35 |
webcache | Enable/disable web cache. enable: Enable setting. disable: Disable setting. |
option | - |
webcache-https | Enable/disable web cache for HTTPS. disable: Disable web cache for HTTPS. enable: Enable web cache for HTTPS. |
option | - |
webproxy-forward-server | Webproxy forward server name. | string | Maximum length: 63 |
traffic-shaper | Traffic shaper. | string | Maximum length: 35 |
traffic-shaper-reverse | Reverse traffic shaper. | string | Maximum length: 35 |
per-ip-shaper | Per-IP traffic shaper. | string | Maximum length: 35 |
application <id> |
Application ID list. Application IDs. |
integer | Minimum value: 0 Maximum value: 4294967295 |
app-category <id> |
Application category ID list. Category IDs. |
integer | Minimum value: 0 Maximum value: 4294967295 |
url-category <id> |
URL category ID list. URL category ID. |
integer | Minimum value: 0 Maximum value: 4294967295 |
app-group <name> |
Application group names. Application group names. |
string | Maximum length: 79 |
nat | Enable/disable source NAT. enable: Enable setting. disable: Disable setting. |
option | - |
permit-any-host | Accept UDP packets from any host. enable: Enable setting. disable: Disable setting. |
option | - |
permit-stun-host | Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. enable: Enable setting. disable: Disable setting. |
option | - |
fixedport | Enable to prevent source NAT from changing a session's source port. enable: Enable setting. disable: Disable setting. |
option | - |
ippool | Enable to use IP Pools for source NAT. enable: Enable setting. disable: Disable setting. |
option | - |
poolname <name> |
IP Pool names. IP pool name. |
string | Maximum length: 79 |
session-ttl | TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). | integer | Minimum value: 300 Maximum value: 2764800 |
vlan-cos-fwd | VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. | integer | Minimum value: 0 Maximum value: 7 |
vlan-cos-rev | VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. | integer | Minimum value: 0 Maximum value: 7 |
inbound | Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. enable: Enable setting. disable: Disable setting. |
option | - |
outbound | Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. enable: Enable setting. disable: Disable setting. |
option | - |
natinbound | Policy-based IPsec VPN: apply destination NAT to inbound traffic. enable: Enable setting. disable: Disable setting. |
option | - |
natoutbound | Policy-based IPsec VPN: apply source NAT to outbound traffic. enable: Enable setting. disable: Disable setting. |
option | - |
wccp | Enable/disable forwarding traffic matching this policy to a configured WCCP server. enable: Enable WCCP setting. disable: Disable WCCP setting. |
option | - |
ntlm | Enable/disable NTLM authentication. enable: Enable setting. disable: Disable setting. |
option | - |
ntlm-guest | Enable/disable NTLM guest user access. enable: Enable setting. disable: Disable setting. |
option | - |
ntlm-enabled-browsers <user-agent-string> |
HTTP-User-Agent value of supported browsers. User agent string. |
string | Maximum length: 79 |
fsso | Enable/disable Fortinet Single Sign-On. enable: Enable setting. disable: Disable setting. |
option | - |
wsso | Enable/disable WiFi Single Sign On (WSSO). enable: Enable setting. disable: Disable setting. |
option | - |
rsso | Enable/disable RADIUS single sign-on (RSSO). enable: Enable setting. disable: Disable setting. |
option | - |
fsso-agent-for-ntlm | FSSO agent to use for NTLM authentication. | string | Maximum length: 35 |
groups <name> |
Names of user groups that can authenticate with this policy. Group name. |
string | Maximum length: 79 |
users <name> |
Names of individual users that can authenticate with this policy. Names of individual users that can authenticate with this policy. |
string | Maximum length: 79 |
fsso-groups <name> |
Names of FSSO groups. Names of FSSO groups. |
string | Maximum length: 511 |
auth-path | Enable/disable authentication-based routing. enable: Enable authentication-based routing. disable: Disable authentication-based routing. |
option | - |
disclaimer | Enable/disable user authentication disclaimer. enable: Enable user authentication disclaimer. disable: Disable user authentication disclaimer. |
option | - |
email-collect | Enable/disable email collection. enable: Enable email collection. disable: Disable email collection. |
option | - |
vpntunnel | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. | string | Maximum length: 35 |
natip | Policy-based IPsec VPN: source NAT IP address for outgoing traffic. | ipv4-classnet | Not Specified |
match-vip | Enable to match packets that have had their destination addresses changed by a VIP. enable: Match DNATed packet. disable: Do not match DNATed packet. |
option | - |
match-vip-only | Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. enable: Enable matching of only those packets that have had their destination addresses changed by a VIP. disable: Disable matching of only those packets that have had their destination addresses changed by a VIP. |
option | - |
diffserv-forward | Enable to change packet's DiffServ values to the specified diffservcode-forward value. enable: Enable setting forward (original) traffic Diffserv. disable: Disable setting forward (original) traffic Diffserv. |
option | - |
diffserv-reverse | Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. enable: Enable setting reverse (reply) traffic DiffServ. disable: Disable setting reverse (reply) traffic DiffServ. |
option | - |
diffservcode-forward | Change packet's DiffServ to this value. | user | Not Specified |
diffservcode-rev | Change packet's reverse (reply) DiffServ to this value. | user | Not Specified |
tcp-mss-sender | Sender TCP maximum segment size (MSS). | integer | Minimum value: 0 Maximum value: 65535 |
tcp-mss-receiver | Receiver TCP maximum segment size (MSS). | integer | Minimum value: 0 Maximum value: 65535 |
comments | Comment. | var-string | Maximum length: 1023 |
auth-cert | HTTPS server certificate for policy authentication. | string | Maximum length: 35 |
auth-redirect-addr | HTTP-to-HTTPS redirect address for firewall authentication. | string | Maximum length: 63 |
redirect-url | URL users are directed to after seeing and accepting the disclaimer or authenticating. | string | Maximum length: 255 |
identity-based-route | Name of identity-based routing rule. | string | Maximum length: 35 |
block-notification | Enable/disable block notification. enable: Enable setting. disable: Disable setting. |
option | - |
custom-log-fields <field-id> |
Custom fields to append to log messages for this policy. Custom log field. |
string | Maximum length: 35 |
replacemsg-override-group | Override the default replacement message group for this policy. | string | Maximum length: 35 |
srcaddr-negate | When enabled srcaddr specifies what the source address must NOT be. enable: Enable source address negate. disable: Disable source address negate. |
option | - |
dstaddr-negate | When enabled dstaddr specifies what the destination address must NOT be. enable: Enable destination address negate. disable: Disable destination address negate. |
option | - |
service-negate | When enabled service specifies what the service must NOT be. enable: Enable negated service match. disable: Disable negated service match. |
option | - |
internet-service-negate | When enabled internet-service specifies what the service must NOT be. enable: Enable negated Internet Service match. disable: Disable negated Internet Service match. |
option | - |
internet-service-src-negate | When enabled internet-service-src specifies what the service must NOT be. enable: Enable negated Internet Service source match. disable: Disable negated Internet Service source match. |
option | - |
timeout-send-rst | Enable/disable sending RST packets when TCP sessions expire. enable: Enable sending of RST packet upon TCP session expiration. disable: Disable sending of RST packet upon TCP session expiration. |
option | - |
captive-portal-exempt | Enable to exempt some users from the captive portal. enable: Enable exemption of captive portal. disable: Disable exemption of captive portal. |
option | - |
ssl-mirror | Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). enable: Enable SSL mirror. disable: Disable SSL mirror. |
option | - |
ssl-mirror-intf <name> |
SSL mirror interface name. Mirror Interface name. |
string | Maximum length: 79 |
dsri | Enable DSRI to ignore HTTP server responses. enable: Enable DSRI. disable: Disable DSRI. |
option | - |
radius-mac-auth-bypass | Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass. |
option | - |
delay-tcp-npu-session | Enable TCP NPU session delay to guarantee packet order of 3-way handshake. enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake. disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake. |
option | - |
vlan-filter | Set VLAN filters. | user | Not Specified |