Configuring a firewall policy

Firewall policies are sets of instructions that control the traffic flow going through a firewall device. These instructions control where the traffic goes, how it is processed, if it is processed, and even whether or not it is allowed to pass through the firewall.

To create or edit a firewall policy:

Go to Policy.
With the appropriate device selected, select Firewall Policy in the Policy type dropdown list.
Click Create or select a policy and click Edit.

In the form, enter the following information:

Settings	Guidelines
Name	Enter a name for the policy.
Incoming Interface	Select the incoming interfaces.
Outgoing Interface	Select the outgoing interfaces.
Source Internet Service	Enable or disable the source internet service, then select services.
IPv4 Source Address	Select the IPv4 source addresses. This option is only available when Source Internet Service is disabled.
IPv6 Source Address	Select the IPv6 source addresses. This option is only available when Source Internet Service is disabled.
Source User	Select source users.
Source User Group	Select source user groups.
FSSO Groups	Select the FSSO groups added via Fortinet Single Sign-On.
Destination Internet Service	Enable or disable the destination internet service, then select services.
IPv4 Destination Address	Select to add one or more address objects. This option is only available when Destination Internet Service is disabled.
IPv6 Destination Address	Select to add one or more address objects. This option is only available when Destination Internet Service is disabled.
Service	Select services and service groups. This option is only available when Destination Internet Service is disabled.
Schedule	Select one entry from the dropdown.
Action	Select whether to Deny or Accept matching traffic.
Accept Options
Inspection Mode	Select the appropriate traffic inspection mode.
Firewall/Network Options	Enable or disable NAT and select the appropriate protocol options.
Security Profiles Options	Enable or disable security profiles and select the appropriate profiles. Select the SSL/SSH inspection profile to use for this policy.
Traffic Shaping Options	Select traffic shaping options for Shared Shaper, Reverse Shaper, and Per-IP Shaper.
Disclaimer Options
Display Disclaimer	Enable or disable disclaimer for this type of traffic.
Customize Message	From the dropdown, select a customized message. This option is only available if Display Disclaimer is enabled.
Logging Options
Log Violation Traffic	Enable to create a log for each denied packet.
Generate Logs when Session Starts	Enable to generate logs when the session starts.
Advanced
WCCP	Enable Web Cache Communication Protocol (WCCP).
Exempt from Captive Portal	Select to exempt from the captive portal.
Comments	Optionally, enter a comment for the policy.

Click Save.

Settings

Guidelines

Name

Enter a name for the policy.

Incoming Interface

Select the incoming interfaces.

Outgoing Interface

Select the outgoing interfaces.

Source Internet Service

Enable or disable the source internet service, then select services.

IPv4 Source Address

Select the IPv4 source addresses.

This option is only available when Source Internet Service is disabled.

IPv6 Source Address

Select the IPv6 source addresses.

This option is only available when Source Internet Service is disabled.

Source User

Select source users.

Source User Group

Select source user groups.

FSSO Groups

Select the FSSO groups added via Fortinet Single Sign-On.

Destination Internet Service

Enable or disable the destination internet service, then select services.

IPv4 Destination Address

Select to add one or more address objects.

This option is only available when Destination Internet Service is disabled.

IPv6 Destination Address

Select to add one or more address objects.

This option is only available when Destination Internet Service is disabled.

Service

Select services and service groups.

This option is only available when Destination Internet Service is disabled.

Schedule

Select one entry from the dropdown.

Action

Select whether to Deny or Accept matching traffic.

Accept Options

Inspection Mode

Select the appropriate traffic inspection mode.

Firewall/Network Options

Enable or disable NAT and select the appropriate protocol options.

Security Profiles Options

Enable or disable security profiles and select the appropriate profiles.
Select the SSL/SSH inspection profile to use for this policy.

Traffic Shaping Options

Select traffic shaping options for Shared Shaper, Reverse Shaper, and Per-IP Shaper.

Disclaimer Options

Display Disclaimer

Enable or disable disclaimer for this type of traffic.

Customize Message

From the dropdown, select a customized message.

This option is only available if Display Disclaimer is enabled.

Logging Options

Log Violation Traffic

Enable to create a log for each denied packet.

Generate Logs when Session Starts

Enable to generate logs when the session starts.

Advanced

WCCP

Enable Web Cache Communication Protocol (WCCP).

Exempt from Captive Portal

Select to exempt from the captive portal.

Comments

Optionally, enter a comment for the policy.

User Guide

Configuring a firewall policy

Configuring a firewall policy

To create or edit a firewall policy:

Configuring a firewall policy

To create or edit a firewall policy: