config firewall policy
Configure firewall policies.
config firewall policy
Description: Configure firewall policies.
edit <policyid>
set type [explicit-web|transparent|...]
set force-proxy [enable|disable]
set dynamic-bypass [enable|disable]
set name {string}
set explicit-web-proxy {string}
config srcintf
Description: Incoming (ingress) interface.
edit <name>
next
end
config dstintf
Description: Outgoing (egress) interface.
edit <name>
next
end
config srcaddr
Description: Source address and address group names.
edit <name>
next
end
config srcaddr6
Description: IPv6 source address (web proxy only).
edit <name>
next
end
set transparent [enable|disable]
config poolname
Description: Name of IP pool object.
edit <name>
next
end
config dstaddr
Description: Destination address and address group names.
edit <name>
next
end
config dstaddr6
Description: IPv6 destination address (web proxy only).
edit <name>
next
end
set internet-service [enable|disable]
config internet-service-id
Description: Internet Service ID.
edit <id>
next
end
config internet-service-custom
Description: Custom Internet Service Name.
edit <name>
next
end
set action [accept|deny|...]
set status [enable|disable]
set schedule {string}
config service
Description: Service and service group names.
edit <name>
next
end
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set log-http-transaction [enable|disable]
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-profile {string}
set wanopt-peer {string}
set webcache [enable|disable]
set webcache-https [disable|enable]
set reverse-cache [disable|enable]
set webproxy-profile {string}
set http-tunnel-auth [enable|disable]
set ssh-policy-redirect [enable|disable]
set webproxy-forward-server {string}
set isolator-server {string}
config groups
Description: Names of user groups that can authenticate with this policy.
edit <name>
next
end
config users
Description: Names of individual users that can authenticate with this policy.
edit <name>
next
end
set disclaimer [disable|domain|...]
set comments {var-string}
set redirect-url {var-string}
config custom-log-fields
Description: Custom fields to append to log messages for this policy.
edit <field-id>
next
end
config tags
Description: Names of object-tags applied to this policy.
edit <name>
next
end
set replacemsg-override-group {string}
set srcaddr-negate [enable|disable]
set dstaddr-negate [enable|disable]
set service-negate [enable|disable]
set internet-service-negate [enable|disable]
set decrypted-traffic-mirror {string}
set scan-botnet-connections [disable|block]
set utm-status [enable|disable]
set profile-type [single|group]
set profile-group {string}
set av-profile {string}
set ia-profile {string}
set webfilter-profile {string}
set dnsfilter-profile {string}
set spamfilter-profile {string}
set dlp-sensor {string}
set ips-sensor {string}
set application-list {string}
set icap-profile {string}
set cifs-profile {string}
set ssh-filter-profile {string}
set profile-protocol-options {string}
set ssl-ssh-profile {string}
set max-session-per-user {integer}
next
end
config firewall policy
|
Parameter |
Description |
Type |
Size |
|||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
policyid |
Policy ID. |
integer |
Minimum value: 0 Maximum value: 4294967294 |
|||||||||||||||
|
type |
Type of policy (explicit-web, transparent, ...). |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
force-proxy |
Force proxy. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
dynamic-bypass |
Dynamic bypass. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
name |
Policy name. |
string |
Maximum length: 35 |
|||||||||||||||
|
explicit-web-proxy |
Name of the explicit web proxy this policy applies to. |
string |
Maximum length: 35 |
|||||||||||||||
|
transparent |
Enable to have the web proxy use the original client address as the source of its outgoing connections. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
internet-service |
Enable/disable use of Internet Services for this policy. If enabled, the dstaddr and service settings are not used; matching is based only on the selected internet-service-id and internet-service-custom entries. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
action |
Policy action (accept/deny). |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
status |
Enable or disable this policy. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
schedule |
Name of the schedule that controls when this policy is active. |
string |
Maximum length: 35 |
|||||||||||||||
|
logtraffic |
Enable or disable logging: all logs every session matched by the policy, utm logs only sessions handled by a security profile. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
logtraffic-start |
Enable to record a log message when a session starts as well as when it ends. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
log-http-transaction |
Enable/disable HTTP transaction logging. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
wanopt |
Enable/disable WAN optimization. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
wanopt-detection |
WAN optimization auto-detection mode. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
wanopt-passive-opt |
WAN optimization passive mode options. This option decides which IP address is used to connect to the server. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
wanopt-profile |
WAN optimization profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
wanopt-peer |
WAN optimization peer. |
string |
Maximum length: 35 |
|||||||||||||||
|
webcache |
Enable/disable web cache. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
webcache-https |
Enable/disable web cache for HTTPS. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
reverse-cache |
Enable/disable reverse cache servers. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
webproxy-profile |
Web proxy profile to apply when no other policy matches. |
string |
Maximum length: 63 |
|||||||||||||||
|
http-tunnel-auth |
Enable/disable HTTP tunnel authentication. When disabled, HTTP tunnel requests through this policy are not authenticated. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
ssh-policy-redirect |
Redirect SSH traffic so that it is matched against the SSH policy. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
webproxy-forward-server |
Web proxy forward server name. |
string |
Maximum length: 63 |
|||||||||||||||
|
isolator-server |
Isolator server name. |
string |
Maximum length: 63 |
|||||||||||||||
|
disclaimer |
Web proxy disclaimer setting: by domain, policy, or user. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
comments |
Comment. |
var-string |
Maximum length: 1023 |
|||||||||||||||
|
redirect-url |
Redirect URL for further web proxy processing. |
var-string |
Maximum length: 1023 |
|||||||||||||||
|
replacemsg-override-group |
Override the default replacement message group for this policy. |
string |
Maximum length: 35 |
|||||||||||||||
|
srcaddr-negate |
When enabled, srcaddr specifies what the source address must NOT be; the policy then matches every other source, so review the resulting scope carefully. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
dstaddr-negate |
When enabled, dstaddr specifies what the destination address must NOT be; the policy then matches every other destination, so review the resulting scope carefully. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
service-negate |
When enabled, service specifies what the service must NOT be; the policy then matches every other service, so review the resulting scope carefully. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
internet-service-negate |
When enabled, the selected Internet Services specify what the destination must NOT be; the policy then matches every other destination, so review the resulting scope carefully. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
decrypted-traffic-mirror |
Name of the decrypted-traffic-mirror object to apply. Mirrored traffic is decrypted plaintext, so the receiving destination must be protected accordingly. |
string |
Maximum length: 35 |
|||||||||||||||
|
scan-botnet-connections |
Block connections to Botnet servers, or disable Botnet scanning (options: disable, block). |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
utm-status |
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. The profile settings below (av-profile, ips-sensor, etc.) are applied only while this is enabled. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
profile-type |
Determine whether the firewall policy allows security profile groups or single profiles only. |
option |
- |
|||||||||||||||
|
|
|
|||||||||||||||||
|
profile-group |
Name of an existing profile group (used when profile-type is group). |
string |
Maximum length: 35 |
|||||||||||||||
|
av-profile |
Name of an existing Antivirus profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
ia-profile |
Name of an existing image analyzer profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
webfilter-profile |
Name of an existing Web filter profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
dnsfilter-profile |
Name of an existing DNS filter profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
spamfilter-profile |
Name of an existing Spam filter profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
dlp-sensor |
Name of an existing DLP sensor. |
string |
Maximum length: 35 |
|||||||||||||||
|
ips-sensor |
Name of an existing IPS sensor. |
string |
Maximum length: 35 |
|||||||||||||||
|
application-list |
Name of an existing Application list. |
string |
Maximum length: 35 |
|||||||||||||||
|
icap-profile |
Name of an existing ICAP profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
cifs-profile |
Name of an existing CIFS profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
ssh-filter-profile |
Name of an existing SSH filter profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
profile-protocol-options |
Name of an existing Protocol options profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
ssl-ssh-profile |
Name of an existing SSL SSH profile. |
string |
Maximum length: 35 |
|||||||||||||||
|
max-session-per-user |
Max UTM sessions per user. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||||||||
config srcintf
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Interface name. |
string |
Maximum length: 64 |
config dstintf
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Interface name. |
string |
Maximum length: 64 |
config srcaddr
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Address name. |
string |
Maximum length: 64 |
config srcaddr6
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Address name. |
string |
Maximum length: 64 |
config poolname
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
IP pool name. |
string |
Maximum length: 64 |
config dstaddr
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Address name. |
string |
Maximum length: 64 |
config dstaddr6
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Address name. |
string |
Maximum length: 64 |
config internet-service-id
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
id |
Internet Service ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
config internet-service-custom
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Custom Internet Service name. |
string |
Maximum length: 64 |
config service
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Service and service group names. |
string |
Maximum length: 64 |
config groups
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Group name. |
string |
Maximum length: 64 |
config users
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Names of individual users that can authenticate with this policy. |
string |
Maximum length: 64 |
config custom-log-fields
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
field-id |
Custom log field. |
string |
Maximum length: 35 |
config tags
|
Parameter |
Description |
Type |
Size |
|---|---|---|---|
|
name |
Tag name. |
string |
Maximum length: 64 |