firewall : policy, policy6
 
policy, policy6
Use these commands to add, edit, or delete firewall policies.
• Use config firewall policy for IPv4 policies
• Use config firewall policy6 for IPv6 policies
Firewall policies control all traffic passing through the FortiGate unit. A firewall policy is an instruction the FortiGate unit uses to decide what to do with a connection request: allow the connection, deny it, require authentication before allowing it, or apply IPSec processing. Policies are evaluated in list order and the first policy whose interfaces, addresses, service and schedule all match is applied; traffic that matches no policy is dropped by the implicit deny at the end of the list, which by default is not logged.
Each policy has a Universally Unique IDentifier (UUID) that is automatically assigned. To view it, use the command get firewall policy and look for the uuid field.
 
If you are creating a policy that involves IPv6 addresses, some of the IPv4 options, such as NAT and VPN settings, are not applicable.
Commands with an asterisk (*) apply to IPv4 policies only.
Syntax
config firewall policy
edit <index_int>
set action {accept | deny | ipsec}
set application-list {block-p2p | default | monitor-p2p-and-media | sniffer-profile}
set auth-cert <certificate_str> *
set auth-path {enable | disable} *
set auth-redirect-addr <domainname_str> *
set av-profile <name_str>
set block-notification {enable | disable} *
set captive-portal-exempt {enable | disable} *
set capture-packet {enable | disable} *
set central-nat {enable | disable} *
set comments <comment_str>
set custom-log-fields <fieldid_int> *
set devices <device_list>
set diffserv-forward {enable | disable}
set diffserv-reverse {enable | disable}
set diffservcode-forward <dscp_bin>
set diffservcode-rev <dscp_bin>
set disclaimer {enable | disable} *
set dlp-sensor <name_str>
set dstaddr <name_str>
set dstaddr-negate {enable | disable}
set dstintf <name_str>
set endpoint-compliance {enable | disable} *
set firewall-session-dirty {check-all | check-new}
set fixedport {enable | disable}
set fsso {enable | disable} *
set fsso-server-for-ntlm <server_str> *
set global-label <label_str>
set groups <group_name>
set icap-profile <icap_pr_name>
set identity-based-route <idroute_name> *
set inbound {enable | disable}
set ippool {enable | disable}
set ips-sensor <name_str>
set label <label_string>
set logtraffic {all | utm | disable}
set logtraffic-start {enable | disable} *
set match-vip {enable | disable} *
set nat {enable | disable}
set natinbound {enable | disable}
set natip <address_ipv4mask> *
set natoutbound {enable | disable}
set ntlm {enable | disable} *
set ntlm-enabled-browsers <user-agent_string> *
set ntlm-guest {enable | disable} *
set outbound {enable | disable}
set per-ip-shaper <shaper_name>
set permit-any-host {enable | disable} *
set permit-stun-host {enable | disable} *
set poolname <name_str>
set profile-group <name_str>
set profile-protocol-options <name_str>
set profile-type {group | single}
set redirect-url <name_str> *
set replacemsg-override-group <group_string>
set rsso {enable | disable}
set rtp-addr <name_str> *
set rtp-nat {disable | enable} *
set schedule <name_str>
set schedule-timeout {enable | disable} *
set send-deny-packet {enable | disable}
set service <name_str>
set service-negate {enable | disable}
set session-ttl <session_time_int> *
set spamfilter-profile <name_str>
set srcaddr <name_str>
set srcaddr-negate {enable | disable}
set srcintf <name_str>
set ssl-ssh-profile <profile_name>
set status {enable | disable}
set tags <tags_str>
set tcp-mss-receiver <maximumsize_int>
set tcp-mss-sender <maximumsize_int>
set timeout-send-rst {enable | disable}
set traffic-shaper <name_str>
set traffic-shaper-reverse <name_str>
set users <user_name_list>
set utm-status {disable | enable}
set uuid <uuid_str>
set vlan-cos-fwd <prio_int>
set vlan-cos-rev <prio_int>
set voip-profile <name_str>
set vpntunnel <name_str>
set wanopt {enable | disable} *
set wanopt-detection {active | passive | off} *
set wanopt-passive-opt {default | transparent | non-transparent} *
set wanopt-peer <peer_name> *
set wanopt-profile <name_str> *
set wccp {enable | disable} *
set webcache {disable | enable} *
set webcache-https {disable | any | ssl-server} *
set webfilter-profile <name_str>
set wsso {enable | disable} *
end
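The following Python script is an added example, not part of the FortiOS CLI reference or Fortinet's code. It parses a policy list in the syntax shown above (as exported by show firewall policy), fills in this page's documented defaults for fields a policy does not set, and flags the conditions a reviewer checks first: an accept policy with srcaddr all, dstaddr all and service ALL; fixedport without an IP pool; ippool without poolname; utm-status without profile-protocol-options; logtraffic other than all; and a policy list that does not end in a logged deny with match-vip enable. The sample configuration embedded in it is constructed, and the interface, address and profile names in it are assumptions.

```python
"""Audit the policy list in a FortiOS configuration export (added example,
not Fortinet code). Parses the `config firewall policy` syntax listed above
and applies this page's defaults (action deny, status enable, logtraffic utm,
nat/ippool/fixedport/match-vip disable) to fields a policy leaves unset.
The sample export is constructed; object names in it are assumptions."""
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set fixedport enable
        set comments 'outbound internet'
    next
    edit 2
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web_vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set logtraffic all
    next
    edit 3
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic disable
    next
end
"""

# Documented defaults, applied when a policy omits the field.
DEFAULTS = {"action": "deny", "status": "enable", "logtraffic": "utm", "nat": "disable",
            "ippool": "disable", "fixedport": "disable", "match-vip": "disable",
            "utm-status": "disable"}
# Fields that take a space-separated list of object names.
LIST_FIELDS = {"srcintf", "dstintf", "srcaddr", "dstaddr", "service", "groups", "users"}


def parse_policies(text):
    """Return the policies in list order as dicts keyed by their set names."""
    policies, current, in_section = [], None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # removes the "..." and '...' quoting
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_section = True
        elif not in_section:
            continue
        elif tokens[0] == "edit":
            current = dict(DEFAULTS, id=int(tokens[1]))
        elif tokens[0] == "set" and current is not None:
            name, values = tokens[1], tokens[2:]
            current[name] = values if name in LIST_FIELDS else " ".join(values)
        elif tokens[0] == "next":
            policies.append(current)
            current = None
        elif tokens[0] == "end":
            break
    return policies


def audit(policies):
    """Return (policy id, finding) pairs for the checks a reviewer runs first."""
    findings = []
    for p in policies:
        if p["status"] != "enable":
            continue  # a disabled policy never matches traffic
        pid = p["id"]
        if p["action"] == "accept":
            if (p.get("srcaddr") == ["all"] and p.get("dstaddr") == ["all"]
                    and p.get("service") == ["ALL"]):
                findings.append((pid, "accept with srcaddr all, dstaddr all and service ALL"))
            if p["nat"] == "enable" and p["fixedport"] == "enable" and p["ippool"] != "enable":
                findings.append((pid, "fixedport without an IP pool: one session per source port"))
            if p["ippool"] == "enable" and not p.get("poolname"):
                findings.append((pid, "ippool enable but no poolname"))
            if p["utm-status"] == "enable" and not p.get("profile-protocol-options"):
                findings.append((pid, "utm-status enable without profile-protocol-options"))
        if p["logtraffic"] != "all":
            findings.append((pid, f"logtraffic {p['logtraffic']}: sessions without UTM events leave no log"))
    # Unmatched traffic hits the unlogged implicit deny, and DNATed packets that
    # no VIP policy accepts are dropped silently unless a final deny policy with
    # match-vip enable catches and logs them (see match-vip below).
    last = policies[-1] if policies else None
    if not (last and last["action"] == "deny" and last["match-vip"] == "enable"
            and last["logtraffic"] == "all"):
        findings.append((last["id"] if last else None,
                         "last policy is not a logged deny with match-vip enable"))
    return findings
```

To audit a real unit, save the output of show firewall policy to a file and pass its contents to parse_policies in place of SAMPLE_CONFIG; shlex handles the CLI's quoting, so object names containing spaces survive. The script deliberately reports the documented default utm for logtraffic as a finding, because a policy that applies no UTM profiles then writes no traffic log at all.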
 
Variable
Description
Default
<index_int>
Enter the unique ID number of this policy.
No default.
action {accept | deny | ipsec}
Select the action that the FortiGate unit will perform on traffic matching this firewall policy.
accept Allow packets that match the firewall policy. Optionally, also enable nat to make this a NAT policy (NAT/Route mode only).
deny Deny packets that match the firewall policy.
ipsec Allow and apply IPSec VPN. You must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.
For IPv6 policies, only accept and deny options are available.
deny
application-list {block-p2p | default | monitor-p2p-and-media | sniffer-profile}
Select a pre-packaged list of applications which the firewall policy will apply to.
(null)
auth-cert <certificate_str>
Select an HTTPS server certificate for policy authentication.
self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead.
This field is available only if the groups or users fields are specified.
No default.
auth-path {enable | disable}
Select to apply authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see router auth-path.
This field is available only when the FortiGate unit is operating in NAT mode and the groups or users fields are specified.
For details on NAT and transparent mode, see “opmode {nat | transparent}”.
disable
auth-redirect-addr <domainname_str>
Enter the IP address or domain name to redirect user HTTP requests after accepting the authentication disclaimer. The redirect URL could be to a web page with extra information (for example, terms of usage).
To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN).
This field is available only if the groups or users fields are specified.
No default.
av-profile <name_str>
Enter the name of the antivirus profile to add to the firewall policy.
This field is available only if utm-status is enable. The profile must already exist under config antivirus profile, and profile-protocol-options must also be set in the policy.
(null)
block-notification {enable | disable}
Enable to display Fortinet Bar in browser when a site is blocked and provide a block page via HTTP/HTTPS. Fortinet Bar must be enabled in firewall profile-protocol-options.
enable (disable in 5.2.3)
captive-portal-exempt {enable | disable}
Enable to exempt users of this policy from the interface captive portal.
disable
capture-packet {enable | disable}
Enable or disable packet capture. This is available when logtraffic is all or utm.
disable
central-nat {enable | disable}
Enable or disable use of the central NAT table in this policy.
This is available only when nat is enabled.
disable
comments <comment_str>
Enter a description or other information about the policy. (Optional)
comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.
No default.
custom-log-fields <fieldid_int>
Enter custom log field index numbers to append one or more custom log fields to the log message for this policy. Separate multiple log custom log field indices with a space. (Optional.)
This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. For details, see log custom-field.
No default.
 
deep-inspection-options <profile_name>
Superseded name, not in the syntax above: in this release the deep inspection (SSL/SSH) options profile is applied with ssl-ssh-profile. See firewall ssl-ssh-profile.
No default.
devices <device_list>
Enter the device categories to which this policy applies.
No default.
diffserv-forward {enable | disable}
Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward.
disable
diffserv-reverse
{enable | disable}
Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.
disable
diffservcode-forward <dscp_bin>
Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.
This option appears only if diffserv-forward is enable.
For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
000000
diffservcode-rev <dscp_bin>
Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.
This option appears only if diffserv-rev is enable
For details and DSCP configuration examples, see the Knowledge Center article Differentiated Services Code Point (DSCP) behavior.
000000
disclaimer {enable | disable}
Enable to display the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination.
disable
dlp-sensor <name_str>
Enter the name of the DLP sensor to add to the firewall policy.
This option appears only if utm-status is enable.
(null)
dponly {enable | disable}
For FortiOS Carrier, enable to configure the firewall policy to only accept sessions with source addresses that are in the dynamic profile user context list. Sessions with source addresses that are not in the user context list do not match the policy. For sessions that don’t match the policy, the FortiOS Carrier unit continues searching down the policy list for a match.
disable
dstaddr <name_str>
Enter one or more destination firewall addresses, or a virtual IP if creating a NAT policy. Separate multiple firewall addresses with a space.
If action is set to ipsec, enter the name of the address to which IP packets may be delivered at the remote end of the IPSec VPN tunnel.
For details on configuring virtual IPs, see “vip”.
No default.
dstaddr-negate {enable | disable}
Enable to negate dstaddr match. This causes dstaddr to specify what the destination address must not be.
disable
dstintf <name_str>
Enter the destination interface(s) for the policy. Separate interface names with spaces.
The interface can be a physical interface, a VLAN subinterface, or a zone.
If action is set to ipsec, enter the name of the interface to the external (public) network.
Note: If an interface or VLAN subinterface has been added to a zone, the interface or VLAN subinterface cannot be used for dstintf; use the zone instead.
No default.
endpoint-check {enable | disable}
Not in the syntax above; in this release endpoint control is enabled on the policy with endpoint-compliance. Enable to perform an endpoint NAC compliance check, which denies access to this firewall policy for hosts that do not have up-to-date FortiClient Endpoint Security software running. You must also configure an endpoint profile.
Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance check is not performed.
For more information, see “endpoint-control”.
disable
endpoint-compliance {enable | disable}
Enable or disable endpoint control (FortiClient compliance checking) for hosts matching this policy.
disable
firewall-session-dirty {check-all | check-new}
Select how to manage changes to a firewall policy:
check-all - flush all current sessions and re-evaluate them
check-new - keep existing sessions and apply policy change to new sessions only
This field is available if firewall-session-dirty in config system settings is set to check-policy-option.
check-all
fixedport
{enable | disable}
Enable to preserve packets’ source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option.
If fixedport is enable, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port.
disable
fsso {enable | disable}
Enable or disable Fortinet Single Sign On. This field is available when groups is populated.
disable
fsso-server-for-ntlm <server_str>
Restrict NTLM authentication to one particular server only for this policy. Enter the name of a server defined in user fsso.
No default.
global-label <label_str>
Put policy in the named subsection in the web-based manager. Subsection is created if it does not already exist.
No default.
groups <group_name>
Enter the names of the user groups allowed to use this policy.
No default.
icap-profile <icap_pr_name>
Optionally, enter the name of an Internet Content Adaptation Protocol (ICAP) profile. This is available if utm-status is enable.
(null)
identity-based-route <idroute_name>
Optionally, specify an identity-based route to include. Identity-based routes are defined in firewall identity-based-route.
No default.
inbound
{enable | disable}
When action is set to ipsec, enable or disable traffic from computers on the remote private network to initiate an IPSec VPN tunnel.
disable
ippool
{enable | disable}
When action is accept and nat is enable, translate the source address to an address from the IP pool named in poolname instead of to the address of the destination interface. Set poolname after enabling this option.
disable
ips-sensor <name_str>
Enter the name of the IPS sensor to add to the firewall policy.
This option appears only if utm-status is enable.
(null)
label <label_string>
Optionally, enter a label for this policy. The label is visible in the web-based manager in Section View.
No default.
logtraffic {all | utm | disable}
Choose which traffic logs are recorded for sessions matching this policy:
all - log every session, whether allowed or denied
utm - log only sessions in which a UTM profile generated an event; ordinary allowed or denied traffic leaves no record
disable - no logging
For incident response, and for any deny policy, all is the setting that produces a usable record; the default, utm, records nothing for a policy that applies no UTM profiles.
utm
logtraffic-start {enable | disable}
Enable to write a traffic log when the session starts, in addition to the log written when it ends.
disable
match-vip
{enable | disable}
If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped.
In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list.
To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.
disable
nat {enable | disable}
Enable or disable source network address translation (NAT). When enabled, the source address and source port of packets accepted by the policy are translated, by default to the address of the destination interface. When nat is enable, ippool and fixedport can also be enabled or disabled.
This option appears only if action is accept.
disable
natinbound
{enable | disable}
Enable or disable translating the source addresses of IP packets emerging from the tunnel into the IP address of the FortiGate unit’s network interface to the local private network.
This option appears only if action is ipsec.
disable
natip <address_ipv4mask>
When action is set to ipsec and natoutbound is enabled, specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel.
If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit’s external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7.
0.0.0.0 0.0.0.0
natoutbound
{enable | disable}
When action is set to ipsec, enable or disable translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit’s outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel.
disable
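The natoutbound and natip entries above describe a static subnetwork-to-subnetwork mapping. The Python function below is an added example, not Fortinet code, that predicts the translated source address for a given host: it parses the CLI's <address_ipv4mask> form, keeps the host bits of the source address and replaces the network bits with the natip network, and returns None when natip is left at its default 0.0.0.0 0.0.0.0 (the FortiGate then uses its external interface address). The policy's source subnet is passed in as a string because the policy references it through an address object name; the equal-mask check is this example's own guard, not a documented FortiGate behaviour.

```python
"""Predict the natoutbound/natip translation of an IPsec policy (added example,
not Fortinet code). It reproduces the static subnetwork-to-subnetwork mapping
described for natip: the host part of the source address is kept and the
network part is replaced by the natip network. The policy's source subnet is
passed in as a string because the CLI references it by address-object name."""
import ipaddress

DEFAULT_NATIP = "0.0.0.0 0.0.0.0"  # documented default: no static mapping


def parse_ipv4mask(text):
    """Parse the CLI's <address_ipv4mask> form, e.g. '172.16.2.0 255.255.255.0'."""
    address, mask = text.split()
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def translate_source(src_ip, policy_srcaddr, natip=DEFAULT_NATIP):
    """Return the address src_ip carries into the tunnel when natoutbound is on.

    None means natip is at its default, so the FortiGate substitutes its own
    external interface address instead of a mapped one. The equal-mask check is
    this example's own guard: with different mask lengths several hosts would
    map onto the same translated address, which is not a one-to-one mapping.
    """
    src = ipaddress.IPv4Address(src_ip)
    src_net = parse_ipv4mask(policy_srcaddr)
    nat_net = parse_ipv4mask(natip)
    if nat_net.prefixlen == 0:
        return None
    if src not in src_net:
        raise ValueError(f"{src} is outside the policy srcaddr {src_net}")
    if src_net.prefixlen != nat_net.prefixlen:
        raise ValueError(f"srcaddr {src_net} and natip {nat_net} masks differ")
    host_part = int(src) & int(src_net.hostmask)  # keep the host bits
    return ipaddress.IPv4Address(int(nat_net.network_address) | host_part)
```

With the page's own figures, translate_source("192.168.1.7", "192.168.1.0 255.255.255.0", "172.16.2.0 255.255.255.0") yields 172.16.2.7; the function also works for larger subnets, where the host part spans more than one octet.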
ntlm {enable | disable}
Enable or disable Directory Service authentication via NTLM.
If you enable this option, you must also define the user groups.
This field is available only if the groups or users fields are specified.
disable
ntlm-enabled-browsers <user-agent_string>
Enter the HTTP-User-Agent strings of supported browsers. Enclose each string in quotes and separate strings with a space.
Browsers with non-matching strings get guest access.
No default.
ntlm-guest {enable | disable}
Enable or disable NTLM guest user access.
disable
outbound
{enable | disable}
When action is set to ipsec, enable or disable traffic from computers on the local private network to initiate an IPSec VPN tunnel.
disable
per-ip-shaper <shaper_name>
Enter the name of the per-IP traffic shaper to apply. For information about per-IP traffic shapers, see firewall shaper per-ip-shaper.
No default.
permit-any-host {enable | disable}
Enable to accept UDP packets from any host. This can help support the FaceTime application on NAT’d iPhones.
disable
permit-stun-host {enable | disable}
Enable to accept UDP packets from any STUN host. This can help support the FaceTime application on NAT’d iPhones.
disable
poolname <name_str>
Enter the name of the IP pool.
This variable appears only if nat and ippool are enable.
No default.
profile-group <name_str>
Enter the name of a UTM profile group to add to the firewall policy. This option is available if profile-type is set to group.
(null)
profile-protocol-options <name_str>
Enter the name of the protocol options profile to add to the firewall policy. The profile defines the ports and protocol handling used by the UTM profiles in this policy.
This option is available only if utm-status is enable.
(null)
profile-type {group | single}
Select whether to add individual UTM profiles or a UTM profile group to the firewall policy.
single
redirect-url <name_str>
Enter a URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer.
This field is available only if disclaimer is enable.
No default.
replacemsg-override-group <group_string>
Select a replacement message override group from the available configured groups. This will override the default replacement message for this policy.
 
rsso {enable | disable}
Enable or disable RADIUS-based single sign-on (SSO) for this policy.
disable
rtp-addr <name_str>
Enter one or more RTP firewall addresses for the policy. Separate multiple firewall addresses with a space.
This field is only available when rtp-nat is enabled.
 
rtp-nat {disable | enable}
Enable to apply source NAT to RTP packets received by the firewall policy. This field is used for redundant SIP configurations. If rtp-nat is enabled you must add one or more firewall addresses to the rtp-addr field.
disable
schedule <name_str>
Enter the name of the one-time or recurring schedule or schedule group to use for the policy.
No default.
schedule-timeout {enable | disable}
Enable to force session to end when policy schedule end time is reached.
disable
send-deny-packet {enable | disable}
Enable to send a reply to denied TCP, UDP or ICMP traffic instead of dropping it silently. When deny-tcp-with-icmp is enabled in config system settings, an ICMP Communication Prohibited message is sent; otherwise denied TCP traffic is answered with a TCP reset. A reply lets legitimate clients fail fast, but it also confirms to a scanner that a filtering device is present; the default silent drop gives nothing away.
disable
service <name_str>
Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
No default.
service-negate {enable | disable}
Enable to negate service match. This causes service to specify what the service must not be.
disable
session-ttl <session_time_int>
Set a session timeout, in seconds, for sessions matching this policy, overriding the global value configured with config system session-ttl. The default, 0, means the policy does not override the global setting.
0
spamfilter-profile <name_str>
Enter the name of the email filter profile to add to the firewall policy.
This field is available only if utm-status is enable. The profile must already exist under config spamfilter profile, and profile-protocol-options must also be set in the policy.
(null)
srcaddr <name_str>
Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
If action is set to ipsec, enter the private IP address of the host, server, or network behind the FortiGate unit.
No default.
srcaddr-negate {enable | disable}
Enable to negate srcaddr match. This causes srcaddr to specify what the source address must not be.
disable
srcintf <name_str>
Enter the source interface(s) for the policy. Separate interface names with spaces.
The interface can be a physical interface, a VLAN subinterface, a zone, ftp-proxy, or web-proxy.
An interface or VLAN subinterface that has been added to a zone cannot be used for srcintf; use the zone instead.
If action is set to ipsec, enter the name of the interface to the local (private) network.
No default.
ssl-ssh-profile <profile_name>
Enter the SSL-SSH profile to apply. See firewall ssl-ssh-profile.
No default.
status {enable | disable}
Enable or disable the policy.
enable
tags <tags_str>
Enter object tags applied to this policy. Separate tag names with spaces.
(null)
tcp-mss-receiver <maximumsize_int>
Enter the TCP maximum segment size (MSS) to advertise toward the receiver. The FortiGate unit lowers the MSS option in matching TCP SYN packets to this value when the advertised MSS is larger; 0 leaves the MSS unchanged.
0
tcp-mss-sender <maximumsize_int>
Enter the TCP maximum segment size (MSS) to advertise toward the sender; 0 leaves the MSS unchanged.
When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because the PPPoE encapsulation takes 8 bytes from the standard Ethernet MTU of 1500, leaving 1492 bytes for the IP packet.
When the server sends a large packet with the DF bit set, the ADSL provider’s router either does not send an ICMP “fragmentation needed” message or that message is dropped on the way back to the web server. In either case the web server never learns that a smaller packet is required to reach the client.
In this case, configure tcp-mss-sender (for example 1452, the 1492-byte PPPoE MTU less 40 bytes of IPv4 and TCP headers) so that the server never sends segments that would need fragmentation. For more information, see the article Cannot view some web sites when using PPPoE on the Fortinet Knowledge Center.
0
timeout-send-rst {enable | disable}
Enable sending a TCP reset when an application session times out.
disable
traffic-shaper <name_str>
Select a traffic shaper for the policy. A traffic shaper controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.
No default.
traffic-shaper-reverse <name_str>
Select a traffic shaper for the reverse direction. For example, if the policy controls traffic from port1 to port2, this shaper is applied to the reply traffic of those sessions, flowing from port2 to port1.
No default.
users <user_name_list>
Enter the users to whom this policy applies. Separate names with spaces.
No default.
utm-status {disable | enable}
Enable or disable UTM for the firewall policy. If you enable UTM you must add one or more UTM profiles and sensors (or a group profile) to the firewall policy.
disable
uuid <uuid_str>
The Universally Unique IDentifier (UUID) for this policy. It is assigned automatically when the policy is created and is written to the poluuid field of traffic logs, so a log entry can be tied to the policy even if the policy’s index or position in the list changes. You do not normally set it by hand.
auto-assigned
vlan-cos-fwd <prio_int>
Set the VLAN forward direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.
255
vlan-cos-rev <prio_int>
Set the VLAN reverse direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.
255
voip-profile <name_str>
Enter the name of the VoIP profile to add to the firewall policy.
This field is available only if utm-status is enable.
(null)
vpntunnel <name_str>
Enter the name of a Phase 1 IPSec VPN configuration to apply to the tunnel.
This field is available only if action is ipsec.
No default.
wanopt {enable | disable}
Enable or disable WAN optimization on this policy. WANopt is available only if action is accept.
disable
wanopt-detection {active | passive | off}
Select WANopt peer auto-detection mode.
off
wanopt-passive-opt {default | transparent | non-transparent}
Set passive WAN Optimization policy address translation behavior:
default - Use the transparent setting in the WAN Optimization profile added to the active policy (client-side configuration).
transparent - Impose transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate keep their original source addresses.
non-transparent - Impose non-transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate have their source address changed to the address of the server-side FortiGate unit interface that sends the packets to the servers.
default
wanopt-peer <peer_name>
Enter the WAN Optimization peer.
No default.
wanopt-profile <name_str>
Enter the WANopt profile to use in this policy.
No default.
wccp {enable | disable}
Enable or disable WCCP (Web Cache Communication Protocol) redirection on the policy. If enabled, the FortiGate unit checks the web cache information it has learned and may redirect the traffic to the web cache server.
disable
webcache {disable | enable}
Enable or disable WAN optimization web caching for HTTP traffic accepted by the firewall policy. This option is available only on FortiGate units that support WAN Optimization and web caching.
disable
webcache-https {disable | any | ssl-server}
Set the level of web caching for HTTPS traffic:
disable - no caching of HTTPS traffic
any - use SSL offload for traffic of a matched SSL server; other HTTPS traffic is intercepted in the same way as HTTPS deep scan
ssl-server - cache only traffic of a matched SSL server whose port matches the HTTPS port in the protocol options profile, or 443 if no protocol options profile is defined
This field is not available if srcintf is ftp-proxy or wanopt.
disable
webfilter-profile <name_str>
Enter the name of the web filtering profile to add to the firewall policy.
This field is available only if utm-status is enable. The profile must already exist under config webfilter profile, and profile-protocol-options must also be set in the policy.
(null)
wsso {enable | disable}
Enable or disable WiFi Single Sign On.
disable