firewall : policy46, policy64
 
policy46, policy64
Use this command to configure IPv6 <-> IPv4 policies.
Use config firewall policy46 for IPv4-to-IPv6 policies.
Use config firewall policy64 for IPv6-to-IPv4 policies.
Each policy has a Universally Unique IDentifier (UUID) that is automatically assigned. To view it, use the command get firewall policy46 or get firewall policy64 and look for the uuid field.
Syntax
config firewall policy46 or config firewall policy64
    edit <index_int>
        set action {accept | deny}
        set comments <comment_str>
        set dstaddr <name_str>
        set dstintf <name_str>
        set fixedport {enable | disable}
        set ippool {enable | disable}
        set logtraffic {enable | disable}
        set per-ip-shaper <shaper_name>
        set permit-any-host {enable | disable}
        set poolname <name_str>
        set schedule <name_str>
        set service <name_str>
        set srcaddr <name_str>
        set srcintf <name_str>
        set status {enable | disable}
        set tags <tags_str>
        set traffic-shaper <name_str>
        set traffic-shaper-reverse <name_str>
    end
 
Variable / Description / Default

<index_int>
    Enter the unique ID number of this policy.
    Default: No default.

action {accept | deny}
    Select the action that the FortiGate unit performs on traffic matching this firewall policy.
    accept: Allow packets that match the firewall policy. With accept, also set ippool to choose whether the source address is taken from a pool of IP addresses added to the destination interface, and enable fixedport if the policy must not translate the packet source port.
    deny: Deny packets that match the firewall policy.
    Default: deny

comments <comment_str>
    Enter a description or other information about the policy. (Optional)
    comment_str is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.
    Default: No default.

dstaddr <name_str>
    Enter one or more destination firewall addresses. Separate multiple firewall addresses with a space.
    Default: No default.

dstintf <name_str>
    Enter the destination interface for the policy. The interface can be a physical interface, a VLAN subinterface, or a zone.
    Note: If an interface or VLAN subinterface has been added to a zone, that interface or VLAN subinterface cannot be used for dstintf.
    Default: No default.

fixedport {enable | disable}
    Enable to preserve the packets’ source port number. Some applications do not function correctly if the source port number is changed, and may require this option.
    If fixedport is enabled, you should usually also enable ippool; if no IP pool is configured for the policy, only one connection at a time can use this port.
    Default: disable

ippool {enable | disable}
    Enable translating the source address to an address randomly selected from the first IP pool added to the destination interface of the policy.
    Default: disable

logtraffic {enable | disable}
    Enable or disable recording traffic log messages for this policy.
    Default: disable

per-ip-shaper <shaper_name>
    Enter the name of the per-IP traffic shaper to apply. For information about per-IP traffic shapers, see firewall shaper per-ip-shaper.
    Default: No default.

permit-any-host {enable | disable}
    Enable to permit “hairpinning” between hosts located in the same network behind one external IP address.
    Default: disable

poolname <name_str>
    Enter the name of the IP pool.
    This variable appears only if ippool is set to enable.
    Default: No default.

schedule <name_str>
    Enter the name of the one-time or recurring schedule, or schedule group, to use for the policy.
    Default: No default.

service <name_str>
    Enter the name of one or more services, or a service group, to match with the firewall policy. Separate multiple services with a space.
    Default: No default.

srcaddr <name_str>
    Enter one or more source firewall addresses for the policy. Separate multiple firewall addresses with a space.
    Default: No default.

srcintf <name_str>
    Enter the source interface for the policy.
    If the interface or VLAN subinterface has been added to a zone, that interface or VLAN subinterface cannot be used for srcintf.
    Default: No default.

status {enable | disable}
    Enable or disable the policy.
    Default: enable

tags <tags_str>
    Enter object tags applied to this policy. Separate tag names with spaces.
    Default: null

traffic-shaper <name_str>
    Select a traffic shaper for the policy. A traffic shaper controls the bandwidth available to, and sets the priority of, the traffic processed by the policy.
    Default: No default.

traffic-shaper-reverse <name_str>
    Select a reverse traffic shaper. For example, if the policy controls traffic from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.
    Default: No default.

uuid <uuid_str>
    The Universally Unique IDentifier (UUID) for this policy. This value cannot be set; it is assigned automatically and is used in logs.
    Default: auto-assigned
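As an added example (not FortiOS code and not part of this reference), a small Python linter that parses a pasted policy46/policy64 CLI block and flags the pitfalls the variable descriptions above call out: fixedport without ippool, ippool without poolname, an accept policy with logtraffic disabled, a comment over 63 characters, and a zone member used directly as srcintf or dstintf. The sample block, the zone membership and the function names are constructed for the example.

```python
"""Lint a 'config firewall policy46' / 'policy64' CLI block for the pitfalls
this reference documents. Hypothetical checker (added example), not FortiOS code."""
# Constructed sample: a policy64 entry that trips two of the documented rules.
SAMPLE = """config firewall policy64
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set fixedport enable
        set ippool disable
        set logtraffic disable
        set comments 'Outbound 6to4 for lab'
    next
end
"""

def parse_policies(text):
    """Return {index: {keyword: value}} for each 'edit N' block in the text."""
    policies, current = {}, None
    for line in text.splitlines():
        t = line.strip()
        if t.startswith("edit "):
            current = {}
            policies[int(t.split()[1])] = current
        elif t.startswith("set ") and current is not None:
            kw, _, val = t[4:].partition(" ")
            current[kw] = val.strip("'\"")   # drop the quotes around comments
    return policies

def lint_policy(p, zone_members=()):
    """Flag the conditions the reference warns about; returns a list of messages.
    zone_members: interfaces already added to a zone (assumed known to the caller)."""
    issues = []
    if p.get("fixedport") == "enable" and p.get("ippool") != "enable":
        issues.append("fixedport without ippool: one connection per port")
    if p.get("ippool") == "enable" and not p.get("poolname"):
        issues.append("ippool enabled but poolname not set")
    if p.get("action", "deny") == "accept" and p.get("logtraffic", "disable") != "enable":
        issues.append("accept policy with logtraffic disabled: no audit trail")
    if len(p.get("comments", "")) > 63:
        issues.append("comments exceeds 63-character limit")
    for key in ("srcintf", "dstintf"):
        if p.get(key) in zone_members:
            issues.append(f"{key} {p[key]} is a zone member; use the zone")
    return issues

def lint_text(text, zone_members=()):
    """Lint every policy in a CLI block; returns {index: [messages]}."""
    return {i: lint_policy(p, zone_members) for i, p in parse_policies(text).items()}
```

Running lint_text(SAMPLE) on the sample reports the fixedport/ippool and logtraffic findings for policy 1; pass the interfaces that belong to zones as zone_members to catch the dstintf/srcintf restriction as well.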