firewall : interface-policy
 
interface-policy
DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering, as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service (DoS) attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system; the large number of sessions slows down or disables the target system so that legitimate users can no longer use it. You can also use the interface-policy command to invoke an IPS sensor as part of a DoS policy.
The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.
Syntax
config firewall interface-policy
    edit <policy_id>
        set application-list-status {enable | disable}
        set application-list <app_list_str>
        set av-profile-status {enable | disable}
        set av-profile <avprofile_name>
        set dlp-profile-status {enable | disable}
        set dlp-profile <dlp_profile_name>
        set dstaddr <dstaddr_ipv4>
        set interface <int_str>
        set ips-sensor-status {enable | disable}
        set ips-sensor <sensor_str>
        set logtraffic {all | utm | disable}
        set service <service_str>
        set spamfilter-profile <spfilter_profile_name>
        set spamfilter-profile-status {enable | disable}
        set srcaddr <srcaddr_ipv4>
        set status {enable | disable}
        set webfilter-profile-status {enable | disable}
        set webfilter-profile <webfilter_profile_name>
    end
Variables (description and default for each)

application-list-status {enable | disable}
    Enable to have the FortiGate unit apply an application black/white list to matching network traffic.
    Default: disable

application-list <app_list_str>
    Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.
    This option is available only when application-list-status is set to enable.
    No default.

av-profile-status {enable | disable}
    Enable to apply an antivirus profile to traffic on this interface.
    Default: disable

av-profile <avprofile_name>
    Enter the antivirus profile to apply. This option is available only when av-profile-status is set to enable.
    No default.

dlp-profile-status {enable | disable}
    Enable to apply a Data Leak Prevention (DLP) profile to traffic on this interface.
    Default: disable

dlp-profile <dlp_profile_name>
    Enter the Data Leak Prevention (DLP) profile to apply. This option is available only when dlp-profile-status is set to enable.
    No default.

dstaddr <dstaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent to the specified address or range.
    No default.

interface <int_str>
    The interface or zone to be monitored.
    No default.

ips-sensor-status {enable | disable}
    Enable to have the FortiGate unit examine network traffic for attacks and vulnerabilities.
    Default: disable

ips-sensor <sensor_str>
    Enter the name of the IPS sensor the FortiGate unit uses when examining network traffic.
    This option is available only when ips-sensor-status is set to enable.
    No default.

logtraffic {all | utm | disable}
    Choose which traffic logs are recorded:
        all - all traffic logs
        utm - only UTM-related logs
        disable - no logging
    Default: utm

service <service_str>
    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.
    No default.

spamfilter-profile <spfilter_profile_name>
    Enter the spamfilter profile to apply. This option is available only when spamfilter-profile-status is set to enable.
    No default.

spamfilter-profile-status {enable | disable}
    Enable to apply a spamfilter profile to traffic on this interface.
    Default: disable

srcaddr <srcaddr_ipv4>
    Enter an address or address range to limit traffic monitoring to network traffic sent from the specified address or range.
    No default.

status {enable | disable}
    Enable or disable the DoS policy. A disabled DoS policy has no effect on network traffic.
    Default: enable

webfilter-profile-status {enable | disable}
    Enable to apply a webfilter profile to traffic on this interface.
    Default: disable

webfilter-profile <webfilter_profile_name>
    Enter the webfilter profile to apply. This option is available only when webfilter-profile-status is set to enable.
    No default.
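The following is an added worked example, not configuration taken from this reference or from Fortinet, showing how the options above fit together: a DoS (interface) policy that applies an already-defined IPS sensor to HTTP and HTTPS traffic entering port1 and destined for a single server. The interface name "port1", the IPS sensor name "dos-web-sensor", the address object "dmz-web-server" and the address 192.0.2.10 are assumptions chosen for the example; the sensor itself is assumed to exist under config ips sensor, and "all" is the built-in any-address object.

```fortios
# Added example, not from the original page. All names are assumptions.

# 1. The destination address object must exist before the policy can reference it.
config firewall address
    edit "dmz-web-server"
        set subnet 192.0.2.10 255.255.255.255
    next
end

# 2. The DoS (interface) policy. Each *-status flag gates its profile setting:
#    an ips-sensor value is only applied when ips-sensor-status is enable.
#    Unused profile types are left at their default (disable) so the policy
#    stays narrow, and srcaddr/dstaddr/service limit what is inspected.
config firewall interface-policy
    edit 1
        set status enable
        set interface "port1"
        set srcaddr "all"
        set dstaddr "dmz-web-server"
        set service "HTTP" "HTTPS"
        set ips-sensor-status enable
        set ips-sensor "dos-web-sensor"
        set logtraffic utm
    next
end

# 3. Display the committed policy to confirm every setting took effect.
show firewall interface-policy
```

Two points worth checking on a new policy: leave status at its default of enable (or set it explicitly, as here) because a disabled policy has no effect on traffic, and keep logtraffic at utm or all so that sensor matches are actually recorded; logtraffic disable means the policy can block or flag traffic with no record of having done so.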