Figure 197: Create new policy
Policy Subtype | Select the firewall policy subtype. One of: Address, User Identity, Device Identity. The information to be added to create the policy will change according to your selection. | |
Incoming Interface | Select source zones from the drop-down list. Multiple zones can be selected. | |
Source Address | Select to add source addresses or address groups. Addresses and address groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. | |
Outgoing Interface | Select destination zones from the drop-down list. Multiple zones can be selected. | |
Destination Address | Select to add destination addresses or address groups. Addresses, address group, virtual IP, and virtual IP groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is Address. | |
Schedule | Select a schedule or schedules for the policy. Schedules (one time, recurring, and schedule group) can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is Address. | |
Service | Select services or service groups for the policy. Services and service groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is Address. | |
Action | Select an action for the policy to take, whether ACCEPT or DENY. Note: This option is only available if the selected subtype is Address. | |
Log Violation Traffic | Select to log violation traffic. Note: This option is only available if the selected subtype is Address and the Action is set to Deny. | |
NAT | Select to enable NAT. If enabled, select Use Destination Interface Address (with or without Fixed Port) or Dynamic IP Pool (select the pool from the list, or a new pool can be created). | |
Logging Options | Select one of the following: No Log, Log Security Events, and Log All Sessions. You can also select to generate logs when session starts and capture packets. Note: This option is only available if the selected subtype is Address. | |
Enable Web Cache | Select to enable web cache. Note: This option is only available if the selected subtype is Address or User Identity. | |
Enable WAN Optimization | Select to enable WAN optimization. If enabled, select active or passive from the drop down list, and select a profile to use for the optimization. Note: This option is only available if the selected subtype is Address or User Identity. | |
Enable Disclaimer | Select to enable the disclaimer, and enter the redirect URL. | |
Resolve User Name Using FSSO Agent | Select to resolve user names using the FSSO agent. Note: This option is only available if Policy Subtype is Address and the Action is ACCEPT. | |
Security Profiles | This option is only available if Policy Subtype is Address and the Action is ACCEPT. | |
Enable AntiVirus | Select to enable antivirus and select the profile from the drop-down list. | |
Enable Web Filter | Select to enable Web Filter and select the profile from the drop-down list. | |
Enable Application Control | Select to enable Application Control and select the profile from the drop-down list. | |
Enable IPS | Select to enable IPS and select the profile from the drop-down list. | |
Enable Email Filter | Select to enable Email Filter and select the profile from the drop-down list. | |
Enable DLP Sensor | Select to enable DLP Sensor and select the profile from the drop-down list. | |
Enable VoIP | Select to enable VoIP and select the profile from the drop-down list. | |
Enable ICAP | Select to enable ICAP and select the profile from the drop-down list. | |
Enable SSL/SSH Inspection | Select to enable SSL/SSH Inspection and select the profile from the drop-down list. | |
Proxy Options | Select to enable Proxy Options and select the profile from the drop-down list. | |
Traffic Shaping | Select to enable traffic shaping and select the traffic shaper object from the drop-down list. Note: This option is only available if Policy Subtype is Address and the Action is ACCEPT. | |
Reverse Direction Traffic Shaping | Select to enable reverse direction traffic shaping and select the traffic shaper object from the drop-down list. Note: This option is only available if Policy Subtype is Address and the Action is ACCEPT. | |
Per-IP Traffic Shaping | Select to enable per-IP traffic shaping and select the traffic shaper object from the drop-down list. Note: This option is only available if Policy Subtype is Address and the Action is ACCEPT. | |
Identity Policy | Select Add to add an identity policy to the policy. See “To create a new identity policy:” for more information. A certificate and customized authentication message can also be selected. Note: This option is only available if the selected subtype is User Identity. | |
Identity Policy | Select Add to add an identity policy to the policy. See “To create a new identity policy:” for more information. A customized authentication message and device policy options can also be selected. Device policy options include: Attempt to detect all unknown device types before implicit deny, Redirect all non-compliant/unregistered FortiClient compatible devices to a captive portal (select Windows PCs, Mac OSX, iPhone/iPad, or Android), and Prompt E-mail Collection Portal for all devices. Note: This option is only available if the selected subtype is Device Identity. | |
Tags | View the tags currently applied to the policy and add new tags. | |
Comments | Enter a comment. | |
Advanced Options | For more information on advanced option, see the FortiOS 5.0 CLI Reference. | |
auth-path | Select to apply authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. | |
auth-redirect-addr | Authentication redirect address, enter the address in the text field. | |
auto-asic-offload | Enable or disable session offload to NP or SP processors. Note: This is available on models that have network processors. | |
custom-log-fields | Select the custom log fields from the drop-down list. | |
diffserv-forward | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. | |
diffserv-reverse | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. | |
diffservcode-forward | Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-forward is enable. For details and DSCP configuration examples, see the Knowledge Base article Differentiated Services Code Point (DSCP) behavior. | |
diffservcode-rev | Enter the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-rev is enable For details and DSCP configuration examples, see the Knowledge Base article Differentiated Services Code Point (DSCP) behavior. | |
fall-through-unauthenticated | Enable to allow an unauthenticated user to skip authentication rules and possibly match another policy. | |
fsso-agent-for-ntlm | Select the FSSO agent for NTLM from the drop-down list. | |
log-unmatched-traffic | Enable or disabling logging dropped traffic for policies with identity-based enabled. | |
match-vip | If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to ANY) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped. In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list. To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged. | |
natip | Enter the NAT IP address in the text field. | |
ntlm-enabled-browsers | Enter a value in the text field. | |
ntlm-guest | Select to enable or disable NTLM guest. | |
permit-any-host | Enable to accept UDP packets from any host. This can help support the FaceTime application on NAT’d iPhones. | |
permit-stun-host | Enable to accept UDP packets from any STUN host. This can help support the FaceTime application on NAT’d iPhones. | |
profile-type | Select the profile type from the drop-down list. | |
rtp-addr | Select the RTP address from the drop-down list. Note: This field is only available when rtp-nat is enabled. | |
rtp-nat | Enable to apply source NAT to RTP packets received by the firewall policy. This field is used for redundant SIP configurations. If rtp-nat is enabled you must add one or more firewall addresses to the rtp-addr field. | |
schedule-timeout | Enable to force session to end when policy schedule end time is reached. | |
send-deny-packet | Enable to send a packet in reply to denied TCP, UDP or ICMP traffic. When deny‑tcp‑with‑icmp is enabled in system settings, a Communication Prohibited ICMP packet is sent. Otherwise, denied TCP traffic is sent a TCP reset. | |
session-ttl | Enter a value for the session time-to-live (TTL). Enter a value between 300 to 604800 or enter 0 for no limitation. | |
tcp-mss-receiver | Enter a value for the receiver’s TCP MSS. | |
tcp-mss-sender | Enter a value for the sender’s TCP MSS. | |
timeout-send-rst | Enable sending a TCP reset when an application session times out. | |
transaction-based | Select to enable or disable this feature. | |
wccp | Select to enable or disable Web Cache Communication Protocol (WCCP). | |
web-auth-cookie | Enable to reduce the number of authentication requests to the authentication server when session-based authentication is applied using explicit web proxy. This is only available when session based authentication is enabled. | |
Policy Subtype | Select the VPN policy subtype, either IPSEC or SSL VPN. The information to be added to create the policy will change according to your selection. |
Incoming Interface | Select source zones from the drop-down list. Multiple zones can be selected. Note: This option is only available if the selected subtype is SSL VPN. |
Remote Address | Select to add remote addresses or address groups. Addresses and address groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is SSL VPN. |
Local Interface | Select source zones from the drop-down list. Multiple zones can be selected. |
Local Protected Subnet | Select to add addresses or address groups. Addresses and address groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. |
Outgoing VPN Interface | Select destination zones from the drop-down list. Multiple zones can be selected. Note: This option is only available if the selected subtype is IPSEC. |
Remote Protected Subnet | Select to add addresses or address groups. Addresses and address groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is IPSEC. |
Schedule | Select a schedule or schedules for the policy. Schedules can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is IPSEC. |
Service | Select services or service groups for the policy. Services and service groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. Note: This option is only available if the selected subtype is IPSEC. |
Logging Options | Select the policy logging options: No Log, Log Security Events, or Log All Sessions. If the last option is selected, Generate Logs when Session Starts and Capture Packets can also be selected. Note: This option is only available if the selected subtype is IPSEC. |
SSL VPN Users | Select Add to add SSL VPN users to the policy. Note: This option is only available if the selected subtype is SSL VPN. |
SSL Client Certificate Restrictive | Select to make the SSL client certificate restrictive. If enabled, select the cipher strength: Any, High >= 164, or Medium >= 128. Note: This option is only available if the selected subtype is SSL VPN. |
VPN Tunnel | Select a VPN tunnel from the drop-down list. Allow traffic to be initiated from the remote site can also be enabled. Note: This option is only available if the selected subtype is IPSEC. |
Security Profiles | Enable security profiles, then select the specific profiles and their respective profile object. Profiles include: Antivirus, Web Filter, Application Control, IPS, Email Filter, DLP Sensor, VoIP, ICAP, SSL/SSH Inspection, and Proxy Options. Note: This option is only available if the selected subtype is IPSEC. For more information see “Security Profiles”. |
Traffic Shaping | Select to enable traffic shaping, then select a shaping option from the drop down list. If enabled, you can also select Reverse Direction Traffic Shaping and a shaping option from the drop down list. Note: This option is only available if the selected subtype is IPSEC. |
Per-IP Traffic Shaping | Select to enable per-IP traffic shaping, then select a shaping option from the drop down list. Note: This option is only available if the selected subtype is IPSEC. |
Tags | View the tags currently applied to the policy and add new tags. |
Comments | Enter a comment. |
Advanced Options | Select advanced policy related options. For a list of these options, see “Advanced Options”. |
Name | Edit the schedule name as required. |
Color | Select the icon to select an custom icon to display next to the schedule name. |
Day | Select the days of the week for the custom schedule. |
Start | Select the schedule start time. |
End | Select the schedule end time. |
Destination Address | Select to add destination addresses or address groups. Addresses and address groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. |
Group(s) | Select to add a group or groups to the policy. |
User(s) | Select to add a user or users to the policy. |
Schedule | Select a schedule or schedules for the policy. Schedules can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. |
Service | Select services or service groups for the policy. Services and service groups can also be created by selecting Create New in the dialog box. See “Create a new object” for more information. |
Action | Select an action for the policy to take, whether ACCEPT or DENY. |
Logging Options | Select the policy logging options: No Log, Log Security Events, or Log All Sessions. If the last option is selected, Generate Logs when Session Starts and Capture Packets can also be selected. |
Security Profiles | Enable security profiles, then select the specific profiles and their respective profile object. Profiles include: Antivirus, Web Filter, Application Control, IPS, Email Filter, DLP Sensor, VoIP, ICAP, SSL/SSH Inspection, and Proxy Options. For more information see “Security Profiles”. |
Traffic Shaping | Select to enable traffic shaping, then select a shaping option from the drop down list. If enabled, you can also select Reverse Direction Traffic Shaping and a shaping option from the drop down list. |
Per-IP Traffic Shaping | Select to enable per-IP traffic shaping, then select a shaping option from the drop down list. |
Name | Edit the schedule name as required. |
Color | Select the icon to select an custom icon to display next to the schedule name. |
Day | Select the days of the week for the custom schedule. |
Start | Select the schedule start time. |
End | Select the schedule end time. |
Name | Edit the service name as required. | |
Comments | Enter an optional comment. | |
Color | Select the icon to select an custom icon to display next to the service name. | |
Protocol | Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP. | |
IP/FQDN | Enter the IP or FQDN. Note: This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port and destination port in the table. | |
Type | Enter the type in the text field. Note: This menu item is available when Protocol is set to ICMP and ICMP6. | |
Code | Enter the code in the text field. Note: This menu item is available when Protocol is set to ICMP and ICMP6. | |
Protocol Number | Enter the protocol number in the text field. Note: This menu item is available when Protocol is set to IP. | |
Advanced Options | For more information on advanced option, see the FortiOS 5.0 CLI Reference. | |
check-reset-range | Configure ICMP error message verification. • disable — The FortiGate unit does not validate ICMP error messages. • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiOS can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If is enabled the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets. • default — Use the global setting defined in system global. Note: This field is available when protocol is TCP/UDP/SCTP. Note: This field is not available if explicit-proxy is enabled. | |
session-ttl | Enter the default session timeout in seconds. The valid range is from 300 - 604 800 seconds. Enter 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-halfclose-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-halfopen-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-timewait-timer | Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster which means more new sessions can be opened before the session limit is reached. The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
udp-idle-timer | Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
