Administration Guide

Virtual wire pair policy

This section describes how to create virtual wire pair policies. Before you can create a policy, you must create a virtual wire pair. See Configuring virtual wire pairs.

You must display the option before you can set it. On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the IPv4 Virtual Wire Pair Policy checkbox to display this option.

To create a virtual wire pair policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Virtual Wire Pair Policy.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Policy pane opens.
  5. Enter the following information, then click OK to create the policy:

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Virtual Wire Pair Interface

    Select an interface. You can type the name of the interface to search for it in the list.

    Virtual Wire Pair

    Select an arrow to indicate the flow of traffic between ports.

    Source Internet Service

    Turn source internet service on or off, then select services from the Object Selector frame, or drag and drop them from the object pane.

    Source Address

    Select source addresses.

    This option is only available when Source Internet Service is off.

    Source User

    Select source users.

    This option is only available when Source Internet Service is off.

    Source User Group

    Select source user groups.

    This option is only available when Source Internet Service is off.

    Source Device

    Select source devices, device groups, and device categories.

    This option is only available when Source Internet Service is off.

    Internet Service

    Toggle ON to enable Internet service. Toggle OFF to disable Internet service.

    Destination Internet Service

    Turn destination internet service on or off, then select services.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is available when Destination Internet Service is OFF.

    Service

    Select services and service groups.

    This option is available when Destination Internet Service is OFF.

    Schedule

    Select schedules, one time or recurring, and schedule groups.

    Action

    Select an action for the policy to take: Deny or Accept.

    Log Traffic

    When the Action is DENY, select Log Violation Traffic to log violation traffic.

    When the Action is ACCEPT, select one of the following options:

    • No Log
    • Log Security Events
    • Log All Sessions

    Generate Logs when Session Starts

    Select to generate logs when the session starts.

    Capture Packets

    Select to capture packets.

    This option is available when the Action is ACCEPT and Log Security Events or Log All Sessions is selected.

    Security Profiles

    Select to add security profiles or profile groups.

    This option is available when Action is Accept.

    The following profile types can be added:

    • Antivirus Profile
    • Web Filter Profile
    • Application Control
    • IPS Profile
    • Email Filter Profile
    • DLP Sensor
    • VoIP Profile
    • ICAP Profile
    • SSL/SSH Inspection
    • Web Application Firewall
    • DNS Filter
    • Proxy Options
    • Profile Group (available when Use Security Profile Group is selected)

    Shared Shaper

    Select traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC.

    Reverse Shaper

    Select traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC and at least one forward traffic shaper is selected.

    Per-IP Shaper

    Select per-IP traffic shapers.

    This option is available if the Action is ACCEPT or IPSEC.

    Description

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options. See Advanced options.

    For more information on advanced options, see the FortiOS CLI Reference.
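
The field dependencies listed above, written as a check that can be run over policy definitions before they are entered. This is an added example, not FortiManager code: the dictionary keys and the sample policies are constructed for illustration, and the "forward traffic shaper" is assumed to be the Shared Shaper field.

```python
# Keys are hypothetical names for the GUI fields; they are not FortiManager API fields.
SRC_ONLY = ("source_address", "source_user", "source_user_group", "source_device")
DST_ONLY = ("destination_address", "service")
LOGGED = ("Log Security Events", "Log All Sessions")
SHAPED = ("ACCEPT", "IPSEC")

def check_policy(p):
    """Return findings for one policy dict, per the field dependencies in the guide."""
    out = []
    action = p.get("action", "").upper()
    log = p.get("log_traffic", "No Log")
    if p.get("source_internet_service"):
        out += [f"{k}: needs Source Internet Service off" for k in SRC_ONLY if p.get(k)]
    if p.get("destination_internet_service"):
        out += [f"{k}: needs Destination Internet Service off" for k in DST_ONLY if p.get(k)]
    if p.get("capture_packets") and not (action == "ACCEPT" and log in LOGGED):
        out.append("capture_packets: needs ACCEPT with security-event or all-session logging")
    if p.get("security_profiles") and action != "ACCEPT":
        out.append("security_profiles: needs action ACCEPT")
    out += [f"{k}: needs action ACCEPT or IPSEC"
            for k in ("shared_shaper", "per_ip_shaper") if p.get(k) and action not in SHAPED]
    # Assumption: the "forward traffic shaper" in the guide is the Shared Shaper field.
    if p.get("reverse_shaper") and not (action in SHAPED and p.get("shared_shaper")):
        out.append("reverse_shaper: needs ACCEPT or IPSEC and a forward shaper")
    # Review hint added here, not a rule from the guide: accepted traffic leaves no log.
    if action == "ACCEPT" and log == "No Log":
        out.append("review: ACCEPT with No Log")
    return out

def check_package(policies):
    """Map policy name -> findings, including the unique-name requirement."""
    report, seen = {}, set()
    for p in policies:
        findings = check_policy(p)
        if p["name"] in seen:
            findings.append("name: duplicate within package")
        seen.add(p["name"])
        report.setdefault(p["name"], []).extend(findings)
    return report

# Constructed sample package.
SAMPLE = [
    {"name": "vwp-in", "action": "Accept", "log_traffic": "No Log",
     "source_internet_service": True, "source_address": ["all"], "capture_packets": True},
    {"name": "vwp-out", "action": "Deny", "log_traffic": "Log Violation Traffic",
     "security_profiles": ["av-default"], "reverse_shaper": "shaper1"},
    {"name": "vwp-in", "action": "Accept", "log_traffic": "Log All Sessions",
     "destination_address": ["srv1"], "service": ["HTTPS"], "capture_packets": True},
]
REPORT = check_package(SAMPLE)
```

`REPORT` maps each policy name to its findings; an empty list means the policy is consistent with the dependencies above.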
