Administration Guide

IP policies

This section describes how to create new IPv4 and IPv6 policies.

IPv6 security policies are created both for native IPv6 networks and for transitional networks. A transitional network is one that is moving to IPv6 but must still reach the Internet or connect over an IPv4 network; IPv6 policies control the traffic that passes between the IPv6 and IPv4 networks in that case.

To show IPv6 Policy in the policy package tree, on the Policy & Objects tab, from the Tools menu, select Display Options, then in the Policy section select the IPv6 Policy checkbox.

To create a new IPv4 or IPv6 policy:
  1. Ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Policy or IPv6 Policy. If you are in the Global Database ADOM, select IPv4 Header Policy, IPv4 Footer Policy, IPv6 Header Policy, or IPv6 Footer Policy.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, a new policy is added to the bottom of the list, above the implicit deny policy. Policies are evaluated top down and the first match applies, so place the policy above any broader policy that would otherwise match the same traffic first. The Create New Policy pane opens.

  5. Enter the following information:

    Name

    Enter a unique name for the policy.

    Incoming Interface

    Click the field, then select interfaces from the Object Selector frame, or drag and drop interfaces from the object pane.

    Select the remove icon to remove values.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Outgoing Interface

    Select outgoing interfaces.

    Source Internet Service

    Turn source internet service on or off, then select services.

    This option is only available for IPv4 policies.

    Source Address

    Select source addresses.

    This option is only available when Source Internet Service is off.

    Source User

    Select source users.

    This option is only available when Source Internet Service is off.

    Source User Group

    Select source user groups.

    This option is only available when Source Internet Service is off.

    Source Device

    Select source devices, device groups, and device categories.

    This option is only available when Source Internet Service is off.

    Destination Internet Service

    Turn destination internet service on or off, then select services.

    This option is only available for IPv4 policies.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Destination Internet Service is off.

    Service

    Select services and service groups.

    This option is only available when Destination Internet Service is off.

    Schedule

    Select schedules, one time or recurring, and schedule groups.

    Application

    Select applications.

    This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages.

    URL Category

    Select URL categories.

    This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages.

    Action

    Select an action for the policy to take: ACCEPT, DENY, or IPSEC.

    IPSEC is not available for IPv6 policies.

    Log Traffic

    When the Action is DENY, select Log Violation Traffic to log the traffic the policy blocks; denied sessions are not logged unless this is selected.

    When the Action is ACCEPT or IPSEC, select one of the following options:

    • No Log
    • Log Security Events: log only sessions on which a security profile acted
    • Log All Sessions: log every session the policy accepts

    Generate Logs when Session Starts

    Select to generate logs when the session starts.

    Capture Packets

    Select to capture packets.

    This option is available when the Action is ACCEPT or IPSEC, and Log Security Events or Log All Sessions is selected.

    NAT

    Select to enable NAT.

    If enabled, select Use Destination Interface Address or Dynamic IP Pool. If Dynamic IP Pool is selected, select pools. Select Fixed Port only when the application requires the original source port to be preserved; it disables source port translation, so fewer concurrent sessions can share one NAT address.

    This option is available when the Action is ACCEPT, and when NGFW Mode is Profile-based; see Create new policy packages.

    VPN Tunnel

    Select a VPN tunnel dynamic object from the dropdown list. Select Allow traffic to be initiated from the remote site only if the remote peer is permitted to open connections through the tunnel.

    This option is available when the Action is IPSEC.

    Security Profiles

    Select to add security profiles or profile groups.

    This option is available when the Action is ACCEPT or IPSEC.

    The following profile types can be added:

    • AntiVirus Profile
    • Web Filter Profile
    • Application Control
    • IPS Profile
    • Email Filter Profile
    • DLP Sensor
    • VoIP Profile
    • ICAP Profile
    • SSL/SSH Inspection
    • Web Application Firewall
    • DNS Filter
    • Proxy Options
    • Profile Group (available when Use Security Profile Group is selected)

    Shared Shaper

    Select traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC.

    Reverse Shaper

    Select traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC and at least one forward traffic shaper is selected.

    Per-IP Shaper

    Select per IP traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below. For more information on the advanced options, see the FortiOS CLI Reference.

  6. Click OK to create the policy. Use the right-click menu to enable or disable the policy; a disabled policy shows a disabled icon in the Seq.# column to the left of its number.

Advanced options

Each entry gives the CLI option name, its description, and its default value. Options marked (IPv4 only) are not available in IPv6 policies.

auth-cert: HTTPS server certificate for policy authentication (IPv4 only). Default: none.

auth-path: Enable or disable authentication-based routing (IPv4 only). Default: disable.

auth-redirect-addr: HTTP-to-HTTPS redirect address for firewall authentication (IPv4 only). Default: none.

auto-asic-offload: Enable or disable ASIC offloading of the policy's traffic. Default: enable.

block-notification: Enable or disable block notification (IPv4 only). Default: disable.

captive-portal-exempt: Enable or disable exemption from the captive portal (IPv4 only). Default: disable.

custom-log-fields: Select the custom log fields from the dropdown list. Default: none.

delay-tcp-npu-session: Enable or disable delaying the TCP NPU session so that the packet order of the 3-way handshake is guaranteed (IPv4 only). Default: disable.

diffserv-forward: Enable or disable applying a differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. Default: disable.

diffserv-reverse: Enable or disable applying a DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. Default: disable.

diffservcode-forward: The DSCP value that the FortiGate applies to originating (forward) packets, written as 6 binary digits in the range 000000-111111. Default: 000000.

diffservcode-rev: The DSCP value that the FortiGate applies to reply (reverse) packets, written as 6 binary digits in the range 000000-111111. Default: 000000.

disclaimer: Enable or disable the user authentication disclaimer (IPv4 only). Default: disable.

dscp-match: Enable or disable matching on the DSCP value given in dscp-value. Default: disable.

dscp-negate: Enable or disable negated DSCP match: when enabled, the policy matches packets whose DSCP value is NOT dscp-value. Default: disable.

dscp-value: The DSCP value to match when dscp-match is enabled. Default: 000000.

dsri: Enable or disable DSRI (Disable Server Response Inspection), which skips inspection of HTTP server responses. Enabling it removes the server-to-client direction from inspection, so use it only where the performance gain is needed and the response path is trusted. Default: disable.

dstaddr-negate: Enable or disable negated destination address match: when enabled, the policy matches any destination EXCEPT the selected destination addresses. Default: disable.

firewall-session-dirty: How existing sessions are handled when the policy changes: check-all re-evaluates all current sessions, check-new applies the change to new sessions only. Default: check-all.

fsso-agent-for-ntlm: Select the FSSO agent used for NTLM authentication from the dropdown list (IPv4 only). Default: none.

identity-based-route: Name of the identity-based routing rule (IPv4 only). Default: none.

internet-service-negate: When enabled, the policy matches any destination Internet service EXCEPT the selected ones (IPv4 only). Default: disable.

internet-service-src-negate: When enabled, the policy matches any source Internet service EXCEPT those selected in internet-service-src (IPv4 only). Default: disable.

learning-mode: Enable or disable learning mode for the policy (IPv4 only). Default: disable.

match-vip: Enable or disable matching of DNATed packets, that is, packets whose destination has already been translated by a virtual IP (IPv4 only). Default: disable.

natinbound: Enable or disable inbound NAT for the policy. Default: disable.

natip: The NAT IP address (IPv4 only). Default: 0.0.0.0.

natoutbound: Enable or disable outbound NAT for the policy. Default: disable.

np-acceleration: Enable or disable UTM Network Processor acceleration. Default: enable.

ntlm: Enable or disable NTLM authentication (IPv4 only). Default: disable.

ntlm-enabled-browsers: The HTTP User-Agent values of the browsers permitted to use NTLM authentication (IPv4 only). Default: none.

ntlm-guest: Enable or disable NTLM guest access (IPv4 only). Default: disable.

outbound: Enable or disable policy outbound. Default: disable.

permit-any-host: Enable to accept UDP packets from any host (IPv4 only). This relaxes the session's source check; leave it disabled unless an application such as STUN requires it. Default: disable.

permit-stun-host: Enable to accept UDP packets from any STUN host (IPv4 only). Default: disable.

radius-mac-auth-bypass: Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Default: disable.

redirect-url: URL to redirect to after the disclaimer or authentication (IPv4 only). Default: none.

replacemsg-override-group: The authentication replacement message override group. Default: none.

rtp-addr: Select the RTP address from the dropdown list (IPv4 only). Default: none.

rtp-nat: Enable to apply source NAT to RTP packets received by the policy (IPv4 only). Default: disable.

scan-botnet-connections: Enable or disable scanning of connections to botnet servers (IPv4 only). Default: disable.

schedule-timeout: Enable to force sessions to end when the policy schedule's end time is reached (IPv4 only). Default: disable.

send-deny-packet: Enable to send a packet in reply to denied TCP, UDP, or ICMP traffic. Default: disable.

service-negate: Enable or disable negated service match: when enabled, the policy matches any service EXCEPT the selected services. Default: disable.

session-ttl: Session time-to-live (TTL) in seconds, from 300 to 604800; 0 means no per-policy limit. Default: 0.

srcaddr-negate: Enable or disable negated source address match: when enabled, the policy matches any source EXCEPT the selected source addresses. Default: disable.

ssh-filter-profile: Select an SSH filter profile from the dropdown list. Default: none.

ssl-mirror: Enable or disable SSL mirroring, which copies decrypted SSL traffic to the interface named in ssl-mirror-intf. Default: disable.

ssl-mirror-intf: Name of the interface to which decrypted traffic is mirrored. Default: none.

tcp-mss-receiver: TCP maximum segment size (MSS) to set for the receiver; 0 leaves it unchanged. Default: 0.

tcp-mss-sender: TCP maximum segment size (MSS) to set for the sender; 0 leaves it unchanged. Default: 0.

tcp-session-without-syn: Whether a TCP session may be created without the SYN flag having been seen:
  • all - Allow TCP sessions without SYN.
  • data-only - Allow sessions without SYN for data packets only.
  • disable - Do not allow TCP sessions without SYN.
Allowing this bypasses the check that a session began with a three-way handshake; leave it disabled unless asymmetric routing requires it. Default: disable.

timeout-send-rst: Enable sending a TCP reset when an application session times out. Default: disable.

vlan-cos-fwd: VLAN forward direction user priority; 255 leaves the priority unchanged (passthrough). Default: 255.

vlan-cos-rev: VLAN reverse direction user priority; 255 leaves the priority unchanged (passthrough). Default: 255.

vlan-filter: Set VLAN filters.

wanopt: Enable or disable WAN optimization (IPv4 only). Default: disable.

wanopt-detection: WAN optimization auto-detection mode (IPv4 only). Default: active.

wanopt-passive-opt: WAN optimization passive mode options; decides which IP address is used to connect to the server (IPv4 only). Default: default.

wanopt-peer: WAN optimization peer (IPv4 only). Default: none.

wanopt-profile: WAN optimization profile (IPv4 only). Default: none.

wccp: Enable or disable Web Cache Communication Protocol (WCCP) (IPv4 only). Default: disable.

webcache: Enable or disable web cache (IPv4 only). Default: disable.

webcache-https: Enable or disable web cache for HTTPS (IPv4 only). Default: disable.

wsso: Enable or disable WiFi Single Sign-On (IPv4 only). Default: enable.

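Several of the advanced options above weaken what a policy enforces (tcp-session-without-syn, permit-any-host, dsri), silence it (logtraffic disable), or make it match nothing at all (a negate flag on an "all" selection). The following Python is an added example, not FortiManager or FortiOS code: it parses a FortiOS-style `config firewall policy` block, as it would appear in a policy package installed to a FortiGate, and reports those settings along with a session-ttl outside the documented range. The option names checked are the CLI keywords from the table plus the standard policy keys (srcintf, dstintf, srcaddr, dstaddr, service, action, logtraffic); the configuration text is constructed for this example.

```python
"""Audit FortiOS-style firewall policy text for risky advanced options (added
example, not FortiManager code). The sample configuration is constructed."""
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "Guest-outbound"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set tcp-session-without-syn all
        set permit-any-host enable
        set nat enable
    next
    edit 2
        set name "Web-to-DMZ"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set srcaddr-negate enable
        set dstaddr "DMZ-web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic utm
        set dsri enable
        set session-ttl 120
    next
end
"""

MESSAGES = {
    "ANY_ANY_ACCEPT": "accepts all sources to all destinations on all services",
    "NO_LOG": "logtraffic disable: accepted sessions leave no log record",
    "NO_SYN": "tcp-session-without-syn allows sessions that never completed a handshake",
    "PERMIT_ANY_HOST": "permit-any-host: UDP session accepts packets from any host",
    "DSRI": "dsri enable: HTTP server responses are not inspected",
    "NEGATED_ALL": "negating an all/ALL selection leaves nothing the policy can match",
    "BAD_SESSION_TTL": "session-ttl must be 0 or between 300 and 604800 seconds",
}


def parse_policies(text):
    """Parse `edit N ... set key values ... next` blocks into dicts of value lists."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = {"id": line.split(None, 1)[1].strip('"')}
        elif line.startswith("set ") and current is not None:
            key, *values = shlex.split(line[4:])   # shlex handles quoted names
            current[key] = values
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def audit(text):
    """Return (policy id, name, code) for every finding, in configuration order."""
    findings = []
    for p in parse_policies(text):
        found = []
        accept = p.get("action", ["deny"])[0] == "accept"   # FortiOS default action is deny
        if accept and (p.get("srcaddr"), p.get("dstaddr"), p.get("service")) == (["all"], ["all"], ["ALL"]):
            found.append("ANY_ANY_ACCEPT")
        if accept and p.get("logtraffic") == ["disable"]:
            found.append("NO_LOG")
        if p.get("tcp-session-without-syn", ["disable"]) != ["disable"]:   # all or data-only
            found.append("NO_SYN")
        if p.get("permit-any-host") == ["enable"]:
            found.append("PERMIT_ANY_HOST")
        if p.get("dsri") == ["enable"]:
            found.append("DSRI")
        if any(p.get(f + "-negate") == ["enable"] and p.get(f) == [v]
               for f, v in (("srcaddr", "all"), ("dstaddr", "all"), ("service", "ALL"))):
            found.append("NEGATED_ALL")
        ttl = int(p.get("session-ttl", ["0"])[0])   # seconds; 0 = no per-policy limit
        if ttl and not 300 <= ttl <= 604800:
            found.append("BAD_SESSION_TTL")
        findings += [(p["id"], p.get("name", [""])[0], code) for code in found]
    return findings


if __name__ == "__main__":
    for pid, name, code in audit(SAMPLE_CONFIG):
        print(f"policy {pid} ({name}): {MESSAGES[code]}")
```

The NO_LOG rule fires only on an explicit `logtraffic disable`; a policy that omits the keyword is left to the FortiOS default and is not reported, which keeps the audit free of assumptions about defaults that vary between releases.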