Create a new firewall policy
This section describes how to create a new firewall policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it is processed, if it is processed, and even whether or not it is allowed to pass through the FortiGate.
See Firewall policy in the FortiOS Administration Guide for more information.
The firewall policy option is visible only if the NGFW Mode is selected as Profile-based in the policy package.
To create a new Firewall policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
- Click Create New.
- Enter the following information:
Option
Description
ID
Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to 9 digits long.
Once a policy ID has been configured it cannot be changed.
Name
Enter a unique name for the policy; no two policies may share a name.
Incoming Interface
Click the field then select interfaces.
Click the remove icon to remove interfaces.
New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.
Outgoing Interface
Select outgoing interfaces in the same manner as Incoming Interface.
Source
Select the source addresses, address groups, virtual IPs, virtual IP groups, users, user groups, and FSSO groups.
IP/MAC Based Access Control
Use ZTNA tags to allow access based on the IP/MAC address of a device.
Destination
Select the destination addresses, address groups, virtual IPs, virtual IP groups, and Internet Services.
Service
Select services and service groups.
This option is only available when Destination Internet Service is off.
Schedule
Select a one-time schedule, recurring schedule, or schedule group.
Action
Select an action for the policy to take: DENY, ACCEPT, or IPSEC.
Deny options
Block Notification
Turn block notification display on or off.
Customize Messages
Select or create a message to be displayed when traffic is blocked by this policy.
This option is only available when Block Notification is on.
Log Violation Traffic
Turn violation logging on or off.
Select whether to generate logs when the session starts.
Accept options
Inspection Mode
Select Flow-based or Proxy-based inspection.
Proxy HTTP(S) Traffic
Select whether to redirect HTTP(S) traffic to a matching transparent web proxy policy.
This option is only available when the inspection mode is set to Proxy-based.
NAT
Select to enable NAT.
If enabled, select NAT, NAT46, or NAT64.
IP Pool Configuration
If NAT is selected, select Use Outgoing Interface Address or Use Dynamic IP Pool.
IPv4 Pool Name
If NAT64 is selected or NAT and Use Dynamic IP Pool are selected, select or create an IPv4 pool.
IPv6 Pool Name
If NAT46 is selected or NAT and Use Dynamic IP Pool are selected, select or create an IPv6 pool.
Preserve Source Port
If NAT is on, select whether to preserve the source port.
Protocol Options
Select a protocol options profile.
Display Disclaimer
Turn the disclaimer display on or off.
Customize Messages
Select or create a disclaimer message to be displayed when traffic is allowed by this policy.
This option is only available when Display Disclaimer is on.
Security Profiles
Select whether to apply security profiles to this policy, then select the security profiles.
SSL/SSH Inspection
Select one of the following options for SSL/SSH Inspection:
- certificate-inspection
- custom-deep-inspection
- deep-inspection
- no-inspection
Shared Shaper
Select shared traffic shapers.
Reverse Shaper
Select reverse traffic shapers.
Per-IP Shaper
Select per IP traffic shapers.
Log Allowed Traffic
Select one of the following options:
- No Log
- Log Security Events
- Log All Sessions
If logging is on, select whether to capture packets.
Select whether to generate logs when the session starts.
IPSEC options
Protocol Options
Select a protocol options profile.
VPN Tunnel
Select or create a VPN tunnel dynamic object.
Select whether to allow traffic to be initiated from the remote site.
Security Profiles
Select whether to apply security profiles to this policy, then select the security profiles.
SSL/SSH Inspection
Select one of the following options for SSL/SSH Inspection:
- certificate-inspection
- custom-deep-inspection
- deep-inspection
- no-inspection
Shared Shaper
Select shared traffic shapers.
Reverse Shaper
Select reverse traffic shapers.
Per-IP Shaper
Select per IP traffic shapers.
Log Allowed Traffic
Select one of the following options:
- No Log
- Log Security Events
- Log All Sessions
If logging is on, select whether to capture packets.
Select whether to generate logs when the session starts.
Advanced
WCCP
Turn Web Cache Communication Protocol (WCCP) web caching on or off.
Exempt from Captive Portal
Select whether this traffic is exempt from any captive portals.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced options, see the FortiOS CLI Reference.
Revisions
Change Note
Add a description of the changes being made to the policy. This field is required.
- Click OK to create the policy.
You can enable or disable the policy from its right-click menu. When disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
Advanced options
| Option | Description | Default |
|---|---|---|
| anti-replay | Enable or disable anti-replay checking. | enable |
| auth-cert | Select the HTTPS server certificate for policy authentication. | none |
| auth-path | Enable or disable authentication-based routing. | disable |
| auth-redirect-addr | Select the HTTP-to-HTTPS redirect address for firewall authentication. | none |
| auto-asic-offload | Enable or disable policy traffic ASIC offloading. | enable |
| block-notification | Enable or disable block notification. | disable |
| cgn-eif | Enable or disable CGN endpoint independent filtering. | disable |
| cgn-eim | Enable or disable CGN endpoint independent mapping. | disable |
| cgn-log-server-grp | Select the NP log server group. | none |
| cgn-resource-quota | Set the allowed number of blocks assigned to a source IP address. | 16 |
| cgn-session-quota | Set the allowed concurrent sessions available for a source IP address. | 16777215 |
| custom-log-fields | Select custom fields to append to log messages for this policy. | none |
| delay-tcp-npu-session | Enable or disable TCP NPU session delay to guarantee the packet order of the 3-way handshake. | disable |
| diffserv-copy | Enable or disable copying of the DSCP values from the original direction to the reply direction. | disable |
| diffserv-forward | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. | disable |
| diffserv-reverse | Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. | disable |
| diffservcode-forward | Enter the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000 |
| diffservcode-rev | Enter the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000 |
| dlp-profile | Select an existing data leak prevention (DLP) profile. | none |
| dsri | Enable to skip inspection of HTTP server responses (disable server response inspection). | disable |
| dstaddr-negate | Enable to negate the destination IP address, so the policy matches all destinations except those selected. | disable |
| dstaddr6-negate | Enable to negate the destination IPv6 address. | disable |
| dynamic-shaping | Enable or disable dynamic RADIUS-defined traffic shaping. | disable |
| email-collect | Enable or disable email collection. | disable |
| fec | Enable or disable forward error correction (FEC) on traffic matching this policy on a FEC device. | disable |
| firewall-session-dirty | Select how to handle existing sessions if the configuration of this firewall policy changes. | check-all |
| fsso-agent-for-ntlm | Select the FSSO agent for NTLM authentication. | none |
| geoip-anycast | Enable or disable recognition of anycast IP addresses using the geography IP database. | disable |
| geoip-match | Select whether to match the address based on the physical or registered location. | physical-location |
| identity-based-route | Select the identity-based routing rule. | none |
| internet-service-negate | Enable to negate the internet service set in the policy. | disable |
| internet-service-src-negate | Enable to negate the source internet service set in this policy. | disable |
| internet-service6 | Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used. | disable |
| internet-service6-custom | Select a custom IPv6 internet service. | none |
| internet-service6-custom-group | Select a custom IPv6 internet service group. | none |
| internet-service6-group | Select an IPv6 internet service group. | none |
| internet-service6-name | Select an IPv6 internet service. | none |
| internet-service6-negate | Enable to negate the IPv6 internet service set in this policy. | disable |
| internet-service6-src | Enable or disable use of IPv6 internet services as the source for this policy. If enabled, the source address is not used. | disable |
| internet-service6-src-custom | Select the custom IPv6 internet service source. | none |
| internet-service6-src-custom-group | Select the custom IPv6 internet service source group. | none |
| internet-service6-src-group | Select the IPv6 internet service source group. | none |
| internet-service6-src-name | Select the IPv6 internet service source. | none |
| internet-service6-src-negate | Enable to negate the value set in internet-service6-src. | disable |
| match-vip | Enable or disable matching of packets that have had their destination address changed by a VIP. | disable |
| match-vip-only | Enable or disable matching only those packets that have had their destination address changed by a VIP. | disable |
| natinbound | Enable or disable applying destination NAT to inbound traffic (policy-based IPsec VPN). | disable |
| natip | Set the source NAT IP address for outbound traffic (policy-based IPsec VPN). | 0.0.0.0/0.0.0.0 |
| natoutbound | Enable or disable applying source NAT to outbound traffic (policy-based IPsec VPN). | disable |
| network-service-dynamic | Select a dynamic network service. | none |
| network-service-src-dynamic | Select a dynamic network service source. | none |
| np-acceleration | Enable or disable UTM network processor acceleration. | disable |
| ntlm | Enable or disable NTLM authentication. | disable |
| ntlm-enabled-browsers | Set the HTTP User-Agent values of supported browsers. | none |
| ntlm-guest | Enable or disable NTLM guest user access. | disable |
| outbound | Enable or disable allowing traffic from the internal network to initiate the VPN (policy-based IPsec VPN). | disable |
| passive-wan-health-measurement | Enable or disable passive WAN health measurement. When enabled, | disable |
| permit-any-host | Enable or disable accepting UDP packets from any host. | disable |
| permit-stun-host | Enable or disable accepting UDP packets from any Session Traversal Utilities for NAT (STUN) host. | disable |
| policy-expiry | Enable or disable policy expiry. | disable |
| policy-expiry-date | If policy-expiry is enabled, set the policy expiry date. | 0000-00-00,00:00:00 |
| policy-offload | Enable or disable hardware session setup for CGNAT. | disable |
| radius-mac-auth-bypass | Enable or disable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. | disable |
| redirect-url | Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating. | none |
| reputation-direction | Set the direction of the initial traffic for reputation to take effect. | destination |
| reputation-direction6 | Set the direction of the initial traffic for IPv6 reputation to take effect. | destination |
| reputation-minimum | Set the minimum reputation to take action. | 0 |
| reputation-minimum6 | Set the minimum IPv6 reputation to take action. | 0 |
| rtp-addr | If this is an RTP NAT policy, set the address names. | none |
| rtp-nat | Enable or disable Real-time Transport Protocol (RTP) NAT. | disable |
| schedule-timeout | Enable or disable ending current sessions when the schedule object times out. When disabled, sessions are left to end from inactivity. | disable |
| sctp-filter-profile | Select an existing SCTP filter profile. | none |
| send-deny-packet | Enable or disable sending a reply when a session is denied or blocked by a firewall policy. | disable |
| service-negate | Enable or disable negation of the service set in the policy. | disable |
| session-ttl | Enter the session time-to-live (TTL) in seconds, from 300 to 604800, or 0 to use the global default session TTL. | 0 |
| sgt | Enter security group tags (SGT). | none |
| sgt-check | Enable or disable SGT check. | disable |
| src-vendor-mac | Select the vendor MAC source. | none |
| srcaddr-negate | Enable or disable negation of the source address. | disable |
| srcaddr6-negate | Enable or disable negation of the source IPv6 address. | disable |
| ssh-filter-profile | Select an SSH filter profile from the drop-down list. | none |
| ssh-policy-redirect | Enable or disable SSH policy redirect. | disable |
| tcp-mss-receiver | Enter the receiver's TCP maximum segment size (MSS). | 0 |
| tcp-mss-sender | Enter the sender's TCP MSS. | 0 |
| tcp-session-without-syn | Enable or disable creation of a TCP session without the SYN flag. | disable |
| tcp-timeout-pid | Select the TCP timeout profile. | none |
| timeout-send-rst | Enable or disable sending RST packets when TCP sessions expire. | disable |
| tos | Enter the type of service (TOS) value used for comparison. | 0 |
| tos-mask | Enter the bit mask for TOS. Non-zero bit positions are used for comparison while zero bit positions are ignored. | 0 |
| tos-negate | Enable or disable negation of the TOS match. | disable |
| udp-timeout-pid | Select the UDP timeout profile. | none |
| uuid | Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. | 00000000-0000-0000-0000-000000000000 |
| vlan-cos-fwd | Select the VLAN forward direction user priority. The available values are: | 255 |
| vlan-cos-rev | Select the VLAN reverse direction user priority. The available values are: | 255 |
| vlan-filter | Set VLAN filters. | none |
| wanopt | Enable or disable WAN optimization (IPv4 only). | disable |
| wanopt-detection | Select the WAN optimization detection mode: active, passive, or off. | active |
| wanopt-passive-opt | Select WAN optimization passive mode options. This option decides which IP address is used to connect to the server (IPv4 only). | default |
| wanopt-peer | Select a WAN optimization peer (IPv4 only). | none |
| wanopt-profile | Select a WAN optimization profile (IPv4 only). | none |
| webcache | Enable or disable web cache (IPv4 only). | disable |
| webcache-https | Enable or disable the web cache for HTTPS (IPv4 only). | none |
| webproxy-forward-server | Select the webproxy forward server (IPv4 only). | none |
| webproxy-profile | Select the webproxy profile (IPv4 only). | none |