Select Display Options in the Policy & Objects tab, and toggle the Interface Policy switch to display this option in the Policy Package tab bar. |
Source Interface | Select the source zone from the drop-down list. |
Source Address | Select the source address from the drop-down list. You can create a new address or address group in the Add Source Address dialog box. |
Destination Address | Select the destination address from the drop-down list. You can create a new address or address group in the Add Destination Address dialog box. |
Service | Select the service from the drop-down list. You can create a new service or service group in the Add Service dialog box. |
Enable AntiVirus | Select to enable antivirus and select the profile from the drop-down list. |
Enable Web Filter | Select to enable Web Filter and select the profile from the drop-down list. |
Enable Application Control | Select to enable Application Control and select the profile from the drop-down list. |
Enable IPS | Select to enable IPS and select the profile from the drop-down list. |
Enable Email Filter | Select to enable Email Filter and select the profile from the drop-down list. |
Enable DLP Sensor | Select to enable DLP Sensor and select the profile from the drop-down list. |
Name | Edit the service name as required. | |
Comments | Enter an optional comment. | |
Color | Click the icon to select a custom icon to display next to the service name. | |
Protocol | Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP. | |
IP/FQDN | Enter the IP address or FQDN. Note: This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port, and destination port in the table. | |
Type | Enter the ICMP type in the text field. Note: This menu item is available when Protocol is set to ICMP or ICMP6. | |
Code | Enter the ICMP code in the text field. Note: This menu item is available when Protocol is set to ICMP or ICMP6. | |
Protocol Number | Enter the protocol number in the text field. Note: This menu item is available when Protocol is set to IP. | |
Advanced Options | For more information on the advanced options, see the FortiOS 5.0 CLI Reference. | |
check-reset-range | Configure ICMP error message verification. • disable — The FortiGate unit does not validate ICMP error messages. • strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header (source address A, destination address B, source port C, destination port D), and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded for that session. If the sequence number is not in range, the ICMP packet is dropped; if logging is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets. • default — Use the global setting defined in system global. Note: This field is available when protocol is TCP/UDP/SCTP. Note: This field is not available if explicit-proxy is enabled. | |
session-ttl | Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds. Enter 0 to use either the per-policy session-ttl or the per-VDOM session-ttl, as applicable. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-halfclose-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-halfopen-timer | Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet (SYN) but the other has not responded. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
tcp-timewait-timer | Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”. Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, so more new sessions can be opened before the session limit is reached. The valid range is 1 to 300 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
udp-idle-timer | Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds. Enter 0 to use the global setting defined in system global. Note: This is available when protocol is TCP/UDP/SCTP. | |
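The check-reset-range row above describes the strict check in one sentence; the following Python model, added here as an illustration and not FortiOS or FortiManager code, walks through it on constructed packets: an ICMP error quoting an IP(A,B) | TCP(C,D) header is parsed, the A:C->B:D session is looked up in a constructed session table, and in strict mode the packet is dropped when the embedded sequence number falls outside the recorded range. The session table, addresses, ports, sequence windows and the `resolve_mode` helper (which models the `default` setting falling back to system global) are assumptions for the example; how a real FortiGate treats ICMP errors that quote no TCP header or no known session is not stated on this page, so the model simply leaves those packets to normal policy processing.

```python
"""Model of FortiOS check-reset-range (strict) ICMP error verification.

Added illustration, not FortiOS code. A FortiGate that receives an ICMP error
(destination unreachable, time exceeded, ...) quoting an IP(A,B) | TCP(C,D)
header locates the A:C->B:D session and, in strict mode, drops the ICMP packet
if the quoted TCP sequence number is outside the range recorded for that session.
All packet bytes and the session table below are constructed for the example.
"""
import socket
import struct
from dataclasses import dataclass

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # RFC 792 error messages that quote the offending datagram
SEQ_MOD = 1 << 32


@dataclass
class Session:
    """Minimal session-table entry: the sequence window the firewall has recorded (assumed shape)."""
    seq_lo: int   # first acceptable sequence number
    window: int   # number of acceptable sequence numbers starting at seq_lo


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    # Version 4, IHL 5, no options; checksum left zero because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport: int, dport: int, seq: int) -> bytes:
    # 20-byte TCP header; only ports and sequence number matter to the check.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)


def icmp_error(inner: bytes, icmp_type: int = 3, code: int = 3) -> bytes:
    """Build an ICMP error (default: destination unreachable / port unreachable) quoting `inner`."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner


def parse_embedded_tcp(icmp: bytes):
    """Return (A, C, B, D, seq) from the datagram quoted in an ICMP error, or None."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6:                       # quoted datagram is not TCP: nothing to range-check
        return None
    tcp = inner[ihl:]
    if len(tcp) < 8:                        # RFC 792 only guarantees 8 bytes of the quoted transport header
        return None
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (socket.inet_ntoa(inner[12:16]), sport, socket.inet_ntoa(inner[16:20]), dport, seq)


def seq_in_window(seq: int, sess: Session) -> bool:
    # Modulo-2^32 comparison so a window that wraps past 0xFFFFFFFF is handled correctly.
    return (seq - sess.seq_lo) % SEQ_MOD < sess.window


def resolve_mode(service_setting: str, global_setting: str) -> str:
    """'default' on the service object means: use the check-reset-range value from system global."""
    return global_setting if service_setting == "default" else service_setting


def check_reset_range(icmp: bytes, sessions: dict, mode: str):
    """Return (accept, reason) for an ICMP error under 'disable' or 'strict' checking."""
    if mode == "disable":
        return True, "not validated"
    if mode != "strict":
        raise ValueError(f"unknown check-reset-range mode: {mode}")
    parsed = parse_embedded_tcp(icmp)
    if parsed is None:
        return True, "no embedded IP/TCP header to check (assumed: left to normal policy)"
    a, c, b, d, seq = parsed
    sess = sessions.get((a, c, b, d))
    if sess is None:
        return True, "no A:C->B:D session located; range check not applied"
    if seq_in_window(seq, sess):
        return True, "sequence number within recorded range"
    return False, "dropped: embedded TCP sequence number outside session range"


# Constructed session table: 10.0.0.5:40000 -> 198.51.100.10:443 with window [1000, 66535).
SESSIONS = {("10.0.0.5", 40000, "198.51.100.10", 443): Session(seq_lo=1000, window=65535)}


def icmp_quoting(src: str, sport: int, dst: str, dport: int, seq: int) -> bytes:
    """Constructed ICMP port-unreachable quoting a TCP segment src:sport -> dst:dport."""
    tcp = tcp_header(sport, dport, seq)
    return icmp_error(ipv4_header(src, dst, 6, 20 + len(tcp)) + tcp)


if __name__ == "__main__":
    mode = resolve_mode("default", "strict")     # service says default, system global says strict
    for seq in (1500, 999_999):
        pkt = icmp_quoting("10.0.0.5", 40000, "198.51.100.10", 443, seq)
        print(seq, check_reset_range(pkt, SESSIONS, mode))
```

The model makes the security value of strict checking concrete: an off-path sender who guesses the 4-tuple but not the sequence range cannot use a forged ICMP error to tear down or disturb the session, because the quoted sequence number is compared against what the firewall recorded. It also shows why the comparison must be modulo 2^32 rather than a plain `seq_lo <= seq < seq_hi`, since a live session's window routinely wraps.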