config firewall policy
Use this command to configure firewall policy rules for IPv4 addresses.
A firewall policy allows or denies traffic forwarded through the system based on a matching tuple: source address, destination address, and service.
The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.
By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.
Before you begin:
• You must have a good understanding of firewalls.
• You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
• You must have read-write permission for firewall settings.
Syntax
config firewall policy
  set default-action {deny | accept}
  set stateful {enable | disable}
  config rule
    edit <name>
      set action {deny | accept}
      set destination-address <datasource>
      set in-interface <datasource>
      set out-interface <datasource>
      set service <datasource>
      set source-address <datasource>
    next
  end
end
| Parameter | Description |
| --- | --- |
| default-action | Action when no rule matches or no rules are configured. deny: drop the traffic. accept: allow the traffic to pass the firewall. |
| stateful | Enable or disable the stateful firewall. Enabled by default. |
| config rule | Rule table; one `edit <name>` entry per rule. |
| action | deny: drop the traffic. accept: allow the traffic to pass the firewall. |
| destination-address | Destination address object to use to form the matching tuple. |
| in-interface | Interface that receives the traffic. |
| out-interface | Interface that forwards the traffic. |
| service | Service object to use to form the matching tuple. |
| source-address | Source address object to use to form the matching tuple. |
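The evaluation order described above (first matching rule in table order decides, default-action applies when nothing matches) is easy to get wrong when rules overlap, so the following added example, which is not FortiADC code, parses the CLI syntax from this page into a rule table and evaluates constructed packets against it. The address objects (`fw-source-addr1`, `fw-dest-addr1`, `fw-blocked-host`), the `fw-http` service definition and the packets are all constructed for the illustration; the page does not define how an empty rule field is treated, so the example assumes an unset field matches anything.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed stand-ins for the address and service configuration objects
# that rules reference by name (assumption: these definitions are illustrative).
ADDRESSES = {
    "fw-source-addr1": ipaddress.ip_network("10.0.0.0/24"),
    "fw-dest-addr1": ipaddress.ip_network("192.0.2.10/32"),
    "fw-blocked-host": ipaddress.ip_network("10.0.0.99/32"),
}
SERVICES = {"fw-http": ("tcp", 80)}  # (protocol, destination port)
RULE_KEYS = {"action", "in-interface", "out-interface",
             "source-address", "destination-address", "service"}


@dataclass
class Rule:
    name: str
    action: str = "deny"
    in_interface: str = ""
    out_interface: str = ""
    source_address: str = ""
    destination_address: str = ""
    service: str = ""


@dataclass
class Policy:
    default_action: str = "deny"
    stateful: bool = True
    rules: list = field(default_factory=list)  # kept in table order


Packet = namedtuple("Packet", "src dst proto dport in_if out_if")


def parse_policy(config_text: str) -> Policy:
    """Parse the 'config firewall policy' CLI syntax into a Policy."""
    policy = Policy()
    current = None
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("config", "end"):
            continue
        if parts[0] == "edit":
            current = Rule(name=parts[1])
        elif parts[0] == "next":
            policy.rules.append(current)
            current = None
        elif parts[0] == "set" and len(parts) >= 3:
            key, value = parts[1], parts[2]
            if current is None:  # policy-level settings
                if key == "default-action":
                    policy.default_action = value
                elif key == "stateful":
                    policy.stateful = (value == "enable")
            elif key in RULE_KEYS:  # rule-level settings
                setattr(current, key.replace("-", "_"), value)
    return policy


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field that is set on the rule agrees with the packet.
    Assumption: an unset (empty) field matches anything."""
    if rule.in_interface and rule.in_interface != pkt.in_if:
        return False
    if rule.out_interface and rule.out_interface != pkt.out_if:
        return False
    if rule.source_address and ipaddress.ip_address(pkt.src) not in ADDRESSES[rule.source_address]:
        return False
    if rule.destination_address and ipaddress.ip_address(pkt.dst) not in ADDRESSES[rule.destination_address]:
        return False
    if rule.service and (pkt.proto, pkt.dport) != SERVICES[rule.service]:
        return False
    return True


def evaluate(policy: Policy, pkt: Packet):
    """First-match evaluation: the first rule in table order that matches
    decides; if no rule matches, default-action applies."""
    for rule in policy.rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return policy.default_action, None


# Constructed policy: a narrow deny placed before the page's fw-allow-http
# rule, so table order decides for a host inside fw-source-addr1.
SAMPLE_CONFIG = """
config firewall policy
  set default-action deny
  set stateful enable
  config rule
    edit fw-deny-blocked-host
      set action deny
      set source-address fw-blocked-host
      set service fw-http
    next
    edit fw-allow-http
      set action accept
      set in-interface port4
      set out-interface port5
      set source-address fw-source-addr1
      set destination-address fw-dest-addr1
      set service fw-http
    next
  end
end
"""
POLICY = parse_policy(SAMPLE_CONFIG)
```

With this table, HTTP from 10.0.0.5 on port4 to port5 is accepted by `fw-allow-http`, the same traffic from 10.0.0.99 is dropped by the earlier `fw-deny-blocked-host` rule even though `fw-allow-http` would also match it, and anything that matches no rule (a different port, a different ingress interface) falls through to the `default-action` of deny. Swapping the two rules would let the broad accept shadow the specific deny, which is the ordering mistake to check for when reviewing a rule table.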
Example
FortiADC-VM # config firewall policy
FortiADC-VM (policy) # set default-action deny
FortiADC-VM (policy) # config rule
FortiADC-VM (rule) # edit fw-allow-http
Add new entry 'fw-allow-http' for node 1871
FortiADC-VM (fw-allow-http) # get
in-interface :
out-interface :
source-address :
destination-address :
service :
action :
FortiADC-VM (fw-allow-http) # set action accept
FortiADC-VM (fw-allow-http) # set in-interface port4
FortiADC-VM (fw-allow-http) # set out-interface port5
FortiADC-VM (fw-allow-http) # set source-address fw-source-addr1
FortiADC-VM (fw-allow-http) # set destination-address fw-dest-addr1
FortiADC-VM (fw-allow-http) # set service fw-http
FortiADC-VM (fw-allow-http) # get
in-interface : port4
out-interface : port5
source-address : fw-source-addr1
destination-address : fw-dest-addr1
service : fw-http
action : accept
FortiADC-VM (fw-allow-http) # end