FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 8 - Firewall > Firewall Policies > IPv4 Policy

IPv4 Policy

To configure a IPv4 policy in the GUI

  1. Goto Policy & Objects > IPv4 Policy

The right side window will display a table of the existing IPv4 Policies.

  • To edit an existing policy, double click on the policy you wish to edit
  • To create a new policy, select the Create New icon in the top left side of the right window.
  1. Make sure the policy has a name in the Name field
note icon By default, a policy is required to have a name, but it is possible to toggle this requirement on or off in the CLI, or in the GUI if you have first enabled the GUI option in the CLI.
  1. Set the Incoming Interface parameter by selecting the field with the "+" next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option. Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones
  2. Set the Outgoing Interface parameter by selecting the field with the "+" next to the field label. (Same rules apply as with the above step.)
  3. Set the Source parameter by selecting the field with the "+" next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indcating Address, User or Device options are there to help categorize the options along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object before hand. The "+" icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Destination Address parameter by selecting the field with the "+" next to the field label. This field is similar to the Source field but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  5. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The "+" icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Firewall schedules
  6. Set the Service parameter by selecting the field with the "+" next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option.For more information on services, check the Firewall Objects section called Services and TCP ports
  7. Set the Action parameter. Select one of the following options for the action:
  • ACCEPT - lets the traffic through to the next phase of analysis
  • DENY - drops the session
  • LEARN - collects information about the traffic for future analysis
  • IPsec - for using with IPsec tunnels

Because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Set the NAT parameter by toggling the slider button.(gray means it is disabled)

The NAT setting section is affected by whether or not Central NAT is enabled.

If Central NAT is enabled, the only option in Firewall / Network options will be whether to enable or disable NAT. The rest of the NAT parameters will be set in the Central SNAT page.

If Central NAT is disabled, there are two additional settings in the Policy configuration page.

  1. Set the Fixed Port parameter by toggling the slider button.(gray means it is disabled)
  2. Set the IP Pool Configuration by selection one of the options of:
  • Use Outgoing Interface Address
  • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the + icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the "+" icon next to the Search field is a shortcut for creating a new IP Pool.

Security Profiles

  1. Disable or enable the various Security Profiles. Once a Profile has been toggled into the enabled mode a drop down menu will appear for the purpose of chosing a specific profile. Only one profile can be chosen for each profile type. The "+" icon next to the Search field in the drop down menu is a shortcut for creating a new profile.

The list of Security Profiles available to set includes:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • CASI
  • IPS
  • Anti-Spam
  • DLP Sensor
  • VoIP
  • ICAP
  • Web Application Firewall
  • Proxy Options
  • SSL/SSH Inspection

Logging Options

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.

Settings if the DENY action is selected

    Enable the Log Violation Traffic setting by toggling the slider button.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.

Settings if the LEARN action is selected

To get more information on the LEARN option, read the Learning mode for Firewall policies topic in What's new for the Firewall in 5.4

Firewall / Network Options

  1. Set the NAT parameter by toggling the slider button.(gray means it is disabled). Unlike the ACCEPT option, whether or not Central NAT is enabled or disabled does not affect this settings options.
  2. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  3. Toggle whether or not to Enable this policy.The default is enabled.
  4. Select the OK button to save the policy.

Settings if the IPsec action is selected

VPN Tunnel

  1. For the VPN Tunnel field, use the drop down menu to select the VPN tunnel that you want the policy associated with.
  2. Toggle the sliding button to enable or disable the option to Allow traffic to be initiated from the remote site

Security Profiles

  1. Disable or enable the various Security Profiles. Once a Profile has been toggled into the enabled mode a drop down menu will appear for the purpose of chosing a specific profile. Only one profile can be chosen for each profile type. The "+" icon next to the Search field in the drop down menu is a shortcut for creating a new profile.

The list of Security Profiles available to set includes:

  • AntiVirus
  • Web Filter
  • DNS Filter
  • Application Control
  • CASI
  • IPS
  • Anti-Spam
  • DLP Sensor
  • VoIP
  • ICAP
  • Web Application Firewall
  • Proxy Options
  • SSL/SSH Inspection

Logging Options

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.