Fortinet white logo
Fortinet white logo

CLI Reference

config firewall policy

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set status [enable|disable]
        set name {string}
        set uuid {uuid}
        set force-proxy [enable|disable]
        set dynamic-bypass [enable|disable]
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set srcaddr <name1>, <name2>, ...
        set dstaddr <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set schedule {string}
        set service <name1>, <name2>, ...
        set explicit-web-proxy {string}
        set transparent [enable|disable]
        set access-proxy <name1>, <name2>, ...
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
        set device-ownership [enable|disable]
        set internet-service [enable|disable]
        set pass-through [enable|disable]
        set internet-service-name <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set utm-status [enable|disable]
        set webproxy-profile {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [disable|enable]
        set extended-log [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set http-tunnel-auth [enable|disable]
        set ssh-policy-check [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        set poolname <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set decrypted-traffic-mirror {string}
        set max-session-per-user {integer}
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-sensor {string}
        set file-filter-profile {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set videofilter-profile {string}
        set isolator-profile {string}
        set ssh-filter-profile {string}
    next
end

config firewall policy

Parameter

Description

Type

Size

Default

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

0

type

Type of policy.

option

-

transparent

Option

Description

explicit-web

Explicit Web Proxy policy

transparent

Transparent firewall policy

explicit-ftp

Explicit FTP Proxy policy

ssh-tunnel

SSH Tunnel policy

ssh

SSH policy

access-proxy

Access Proxy

wanopt

WANopt Tunnel

status

Enable or disable this policy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

force-proxy

Force proxy.

option

-

disable

Option

Description

enable

Force all TCP transparent traffic to proxy.

disable

Do not force TCP transparent traffic to proxy.

dynamic-bypass

Dynamic bypass.

option

-

disable

Option

Description

enable

Enable dynamic bypass to all HTTP traffic in this policy.

disable

Disable dynamic bypass to all HTTP traffic in this policy.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

IPv6 source address (web proxy only).

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address (web proxy only).

Address name.

string

Maximum length: 79

action

Policy action (allow/deny).

option

-

deny

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

redirect

Redirect sessions that match the firewall policy to a url.

isolate

Isolate sessions that match the firewall policy with isolator.

schedule

Schedule name.

string

Maximum length: 35

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

explicit-web-proxy

Explicit web proxy.

string

Maximum length: 35

transparent

set webproxy to use original client address.

option

-

disable

Option

Description

enable

Enable using original client address for webproxy.

disable

Disable using original client address for webproxy.

access-proxy <name>

Access Proxy.

Access Proxy name.

string

Maximum length: 79

ztna-ems-tag <name>

Source ztna-ems-tag names.

Address name.

string

Maximum length: 79

ztna-tags-match-logic

ZTNA tag matching logic.

option

-

or

Option

Description

or

Match ZTNA tags using a logical OR operator.

and

Match ZTNA tags using a logical AND operator.

device-ownership

When enabled, the ownership enforcement will be done at policy level.

option

-

disable

Option

Description

enable

Enable device ownership.

disable

Disable device ownership.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

pass-through

Enable/disable policy matching pass through

option

-

disable

Option

Description

enable

Enable policy matching pass through.

disable

Disable policy matching pass through.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service Name.

Custom Internet Service name.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

webproxy-profile

Web proxy profile using when none matched policy.

string

Maximum length: 63

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts and ends.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

log-http-transaction

Enable/disable http transaction log.

option

-

disable

Option

Description

disable

Disable HTTP transaction log.

enable

Enable HTTP transaction log.

extended-log

Enable/disable extended log for http transaction.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt

Enable/disable WAN optimization.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

-

active

Option

Description

active

Active WAN optimization peer auto-detection.

passive

Passive WAN optimization peer auto-detection.

off

Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

option

-

default

Option

Description

default

Allow client side WAN opt peer to decide.

transparent

Use address of client to connect to server.

non-transparent

Use local FortiProxy address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

-

disable

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

reverse-cache

Enable/disable reverse cache servers.

option

-

disable

Option

Description

disable

Disable reverse cache.

enable

Enable reverse cache servers.

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-check

Enable/disable SSH policy check.

option

-

disable

Option

Description

enable

Enable SSH policy check.

disable

Disable SSH policy check.

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

isolator-server

isolator server name.

string

Maximum length: 63

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

disable

Option

Description

disable

Disable disclaimer.

domain

Display disclaimer for domain

policy

Display disclaimer for policy

user

Display disclaimer for current user

comments

Comment.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further web proxy processing.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

max-session-per-user

Max UTM sessions per user.

integer

Minimum value: 0 Maximum value: 4294967295

0

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

ia-profile

Image analyzer profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

isolator-profile

Name of an existing isolator profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

config firewall policy

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set status [enable|disable]
        set name {string}
        set uuid {uuid}
        set force-proxy [enable|disable]
        set dynamic-bypass [enable|disable]
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set srcaddr <name1>, <name2>, ...
        set dstaddr <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set schedule {string}
        set service <name1>, <name2>, ...
        set explicit-web-proxy {string}
        set transparent [enable|disable]
        set access-proxy <name1>, <name2>, ...
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
        set device-ownership [enable|disable]
        set internet-service [enable|disable]
        set pass-through [enable|disable]
        set internet-service-name <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set utm-status [enable|disable]
        set webproxy-profile {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [disable|enable]
        set extended-log [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set http-tunnel-auth [enable|disable]
        set ssh-policy-check [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        set poolname <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set decrypted-traffic-mirror {string}
        set max-session-per-user {integer}
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-sensor {string}
        set file-filter-profile {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set videofilter-profile {string}
        set isolator-profile {string}
        set ssh-filter-profile {string}
    next
end

config firewall policy

Parameter

Description

Type

Size

Default

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

0

type

Type of policy.

option

-

transparent

Option

Description

explicit-web

Explicit Web Proxy policy

transparent

Transparent firewall policy

explicit-ftp

Explicit FTP Proxy policy

ssh-tunnel

SSH Tunnel policy

ssh

SSH policy

access-proxy

Access Proxy

wanopt

WANopt Tunnel

status

Enable or disable this policy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

force-proxy

Force proxy.

option

-

disable

Option

Description

enable

Force all TCP transparent traffic to proxy.

disable

Do not force TCP transparent traffic to proxy.

dynamic-bypass

Dynamic bypass.

option

-

disable

Option

Description

enable

Enable dynamic bypass to all HTTP traffic in this policy.

disable

Disable dynamic bypass to all HTTP traffic in this policy.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

IPv6 source address (web proxy only).

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address (web proxy only).

Address name.

string

Maximum length: 79

action

Policy action (allow/deny).

option

-

deny

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

redirect

Redirect sessions that match the firewall policy to a url.

isolate

Isolate sessions that match the firewall policy with isolator.

schedule

Schedule name.

string

Maximum length: 35

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

explicit-web-proxy

Explicit web proxy.

string

Maximum length: 35

transparent

set webproxy to use original client address.

option

-

disable

Option

Description

enable

Enable using original client address for webproxy.

disable

Disable using original client address for webproxy.

access-proxy <name>

Access Proxy.

Access Proxy name.

string

Maximum length: 79

ztna-ems-tag <name>

Source ztna-ems-tag names.

Address name.

string

Maximum length: 79

ztna-tags-match-logic

ZTNA tag matching logic.

option

-

or

Option

Description

or

Match ZTNA tags using a logical OR operator.

and

Match ZTNA tags using a logical AND operator.

device-ownership

When enabled, the ownership enforcement will be done at policy level.

option

-

disable

Option

Description

enable

Enable device ownership.

disable

Disable device ownership.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

pass-through

Enable/disable policy matching pass through

option

-

disable

Option

Description

enable

Enable policy matching pass through.

disable

Disable policy matching pass through.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service Name.

Custom Internet Service name.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

webproxy-profile

Web proxy profile using when none matched policy.

string

Maximum length: 63

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts and ends.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

log-http-transaction

Enable/disable http transaction log.

option

-

disable

Option

Description

disable

Disable HTTP transaction log.

enable

Enable HTTP transaction log.

extended-log

Enable/disable extended log for http transaction.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt

Enable/disable WAN optimization.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

-

active

Option

Description

active

Active WAN optimization peer auto-detection.

passive

Passive WAN optimization peer auto-detection.

off

Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

option

-

default

Option

Description

default

Allow client side WAN opt peer to decide.

transparent

Use address of client to connect to server.

non-transparent

Use local FortiProxy address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

-

disable

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

reverse-cache

Enable/disable reverse cache servers.

option

-

disable

Option

Description

disable

Disable reverse cache.

enable

Enable reverse cache servers.

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-check

Enable/disable SSH policy check.

option

-

disable

Option

Description

enable

Enable SSH policy check.

disable

Disable SSH policy check.

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

isolator-server

isolator server name.

string

Maximum length: 63

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

disable

Option

Description

disable

Disable disclaimer.

domain

Display disclaimer for domain

policy

Display disclaimer for policy

user

Display disclaimer for current user

comments

Comment.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further web proxy processing.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

max-session-per-user

Max UTM sessions per user.

integer

Minimum value: 0 Maximum value: 4294967295

0

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

ia-profile

Image analyzer profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

isolator-profile

Name of an existing isolator profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35