 
Interface Policy
The Interface Policy tab allows you to create, edit, delete, and clone interface policies. The following information is displayed for these policies: Seq.#, Interface (source interface), Source (source address), Destination (destination address), Service, IPS Sensor (profile), Application Sensor (profile), AntiVirus (profile), Web Filter (profile), DLP Sensor (profile), Email Filter (profile), and Install On (installation targets).
 
Select Display Options in the Policy & Objects tab, and toggle the Interface Policy switch to display this option in the Policy Package tab bar.
To create a new interface policy:
1. Select the ADOM from the drop-down list in the toolbar.
2. Select the policy package where you are creating the new interface policy from the tree menu.
3. Select Interface Policy in the policy toolbar.
4. Right-click the sequence number of an existing policy, or an empty area of the content pane, and select Create New from the pop-up menu.
The Create New Policy dialog box opens.
Figure 204: Interface Policy
5. Configure the following settings:
Source Interface
Select the source zone from the drop-down list.
Source Address
Select the source address from the drop-down list. You can create a new address or address group in the Add Source Address dialog box.
Destination Address
Select the destination address from the drop-down list. You can create a new address or address group in the Add Destination Address dialog box.
Service
Select the service from the drop-down list. You can create a new service or service group in the Add Service dialog box.
Enable AntiVirus
Select to enable antivirus and select the profile from the drop-down list.
Enable Web Filter
Select to enable Web Filter and select the profile from the drop-down list.
Enable Application Control
Select to enable Application Control and select the profile from the drop-down list.
Enable IPS
Select to enable IPS and select the profile from the drop-down list.
Enable Email Filter
Select to enable Email Filter and select the profile from the drop-down list.
Enable DLP Sensor
Select to enable DLP Sensor and select the profile from the drop-down list.
6. Select OK to save the setting. You can select to enable or disable the policy in the right-click menu.
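The object that the steps above produce, once the policy package is installed, is a FortiOS firewall interface-policy entry. The following is an added example, not text or configuration from the original page; the CLI keywords are those of the FortiOS 5.0 `config firewall interface-policy` table as recalled here and should be checked against the CLI Reference for the target firmware, and the interface name "wan1", the address object "DMZ_servers" and the profile names are assumptions to be replaced with objects that exist in the ADOM. Each "Enable ..." checkbox in the dialog maps to a `*-status` switch paired with a profile name.

```fortios
# Added example (not from the original page): the FortiOS object an
# interface policy created in the GUI corresponds to. "wan1", "DMZ_servers"
# and the profile names are assumed; the keywords are FortiOS 5.0 as recalled
# and should be verified against the CLI Reference.
config firewall interface-policy
    edit 1
        # Source Interface: traffic entering this port is inspected
        set interface "wan1"
        # Source Address / Destination Address / Service narrow the scope
        set srcaddr "all"
        set dstaddr "DMZ_servers"
        set service "HTTP" "HTTPS"
        # One status switch plus one profile name per "Enable ..." checkbox;
        # a disabled status needs no profile name
        set ips-sensor-status enable
        set ips-sensor "protect_http_server"
        set av-profile-status enable
        set av-profile "default"
        set application-list-status disable
        set webfilter-profile-status disable
        set spamfilter-profile-status disable
        set dlp-sensor-status disable
        # Log profile hits so IPS/AV detections reach FortiAnalyzer
        set logtraffic utm
        # Equivalent to enabling the policy from the right-click menu
        set status enable
    next
end
```

Keeping srcaddr, dstaddr and service tight matters here: an interface policy runs on traffic entering the interface, so an "all"/"all"/"ALL" policy with IPS and AV enabled inspects every flow on that port, which is rarely what the sensor was tuned for.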
To edit the policy service:
1. Select Interface Policy in the policy toolbar.
2. Select the policy in the table and right-click the Service column and select Edit in the menu.
The Edit Service dialog box is displayed.
Figure 205: Edit Service
3. Configure the following settings:
Name
Edit the service name as required.
Comments
Enter an optional comment.
Color
Select the icon to choose a custom color for the icon displayed next to the service name.
Protocol
Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP.
IP/FQDN
Enter the IP or FQDN.
Note: This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port and destination port in the table.
Type
Enter the type in the text field.
Note: This menu item is available when Protocol is set to ICMP or ICMP6.
Code
Enter the code in the text field.
Note: This menu item is available when Protocol is set to ICMP or ICMP6.
Protocol Number
Enter the protocol number in the text field.
Note: This menu item is available when Protocol is set to IP.
Advanced Options
For more information on the advanced options, see the FortiOS 5.0 CLI Reference. A value of 0 (or default) in any of these fields means the service inherits the corresponding setting from system global; a non-zero value overrides it for sessions matched by this service only.
 
check-reset-range
Configure ICMP error message verification. Strict checking stops a spoofed ICMP error packet (sent by a third party that knows or guesses the addresses and ports of a session) from being accepted against an established session.
disable — The FortiGate unit does not validate ICMP error messages.
strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded in the session. If the sequence number is not in range, the ICMP packet is dropped. If logging is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
default — Use the global setting defined in system global.
Note: This field is available when protocol is TCP/UDP/SCTP.
Note: This field is not available if explicit-proxy is enabled.
 
session-ttl
Enter the default session timeout in seconds. The valid range is from 300 to 604,800 seconds. Enter 0 to use either the per-policy session-ttl or the per-VDOM session-ttl, as applicable.
Note: This is available when protocol is TCP/UDP/SCTP
 
tcp-halfclose-timer
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
 
tcp-halfopen-timer
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
 
tcp-timewait-timer
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the "TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request".
Reducing the time of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, so more new sessions can be opened before the session limit is reached. The trade-off is that a very short TIME-WAIT gives less protection against delayed segments from the old connection being matched to a new session on the same addresses and ports.
The valid range is 0 to 300 seconds. Enter 0 to use the global setting defined in system global; note that in system global itself a value of 0 sets the TCP TIME-WAIT to 0 seconds.
Note: This is available when protocol is TCP/UDP/SCTP.
 
udp-idle-timer
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
4. Select OK to save the service. The custom service will be added to Objects > Firewall Objects > Service.
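The service dialog above, including its advanced options, writes a `config firewall service custom` entry in FortiOS. The following is an added example, not configuration from the original page: it places a service that leaves every advanced option at its inherited value beside a variant that sets them explicitly, and also shows the ICMP and IP protocol forms with their Type/Code and Protocol Number fields. Service names, the port 8443, and the timer values are assumptions chosen for illustration; the keywords are those of the FortiOS 5.0 CLI as recalled here and should be checked against the CLI Reference.

```fortios
# Added example (not from the original page). Names, port and timer values
# are assumed; keywords are FortiOS 5.0 as recalled and should be verified.
config firewall service custom
    # Baseline: every advanced option at 0 / default, so the values from
    # system global (or the per-policy/per-VDOM session-ttl) apply.
    edit "TCP_8443_default"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443
        set check-reset-range default
        set session-ttl 0
        set tcp-halfclose-timer 0
        set tcp-halfopen-timer 0
        set tcp-timewait-timer 0
        set udp-idle-timer 0
    next
    # Same port with the advanced options set for a long-lived management
    # service that should resist spoofed ICMP errors and half-open floods.
    edit "TCP_8443_strict"
        set comment "strict ICMP-error check, tightened timers"
        set protocol TCP/UDP/SCTP
        set tcp-portrange 8443
        # Drop ICMP errors whose embedded TCP sequence number is outside
        # the range recorded for the session (spoofed-reset protection)
        set check-reset-range strict
        # Keep an idle session for one hour (valid range 300-604800)
        set session-ttl 3600
        # Unanswered SYNs hold a session entry for 10 s instead of the
        # global value; a FIN with no reply closes after 60 s
        set tcp-halfopen-timer 10
        set tcp-halfclose-timer 60
        # 0 = inherit TIME-WAIT and UDP idle timers from system global
        set tcp-timewait-timer 0
        set udp-idle-timer 0
    next
    # ICMP form: Type and Code fields instead of ports (echo request)
    edit "ICMP_echo_request"
        set protocol ICMP
        set icmptype 8
        set icmpcode 0
    next
    # IP form: only the Protocol Number field applies (47 = GRE)
    edit "IP_GRE"
        set protocol IP
        set protocol-number 47
    next
end
```

The timer overrides are per-service, so they only take effect for sessions created by policies that reference this service; the check-reset-range field is not offered when explicit-proxy is enabled, as the note above states.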
To edit the installation target:
1. Select Interface Policy in the policy toolbar.
2. Select the policy in the table and right-click the Install On column and select Add Object(s) in the menu.
The Add Install On dialog box is displayed.
Figure 206: Add Install On
3. Select the installation targets from the list and select OK. To edit the installation targets, select the Installation tab in the Policy Package tab bar and select Edit Targets in the toolbar.