CLI Reference

config firewall policy

Use this command to configure firewall policy rules for IPv4 addresses.

A firewall policy is a filter that allows or denies traffic to be forwarded to the system based on a matching tuple: source address, destination address, and service. By default, firewall policy rules are stateful: if client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.

The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.

By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.

Note: You do not need to create firewall rules for routine management traffic associated with the management port or HA ports. The interface “allow access” option enables permitted protocols. The system automatically permits from-self traffic, such as health check traffic, and expected responses.

Before you begin:
  • You must have a good understanding of firewalls.
  • You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
  • You must have read-write permission for firewall settings.

Syntax

config firewall policy
  set default-action {deny | accept}
  set stateful {enable | disable}
  config rule
    edit <name>
      set action {deny | accept}
      set deny-log {disable | enable}
      set destination-type {address | addrgrp | external-resource}
      set destination-address <datasource>
      set destination-addrgrp <datasource>
      set destination-external-resource-address <datasource>
      set in-interface <datasource>
      set out-interface <datasource>
      set service <datasource>
      set source-type {address | addrgrp | external-resource}
      set source-address <datasource>
      set source-addrgrp <datasource>
      set source-external-resource-address <datasource>
      set status {enable | disable}
    next
  end
end

default-action

Action when no rule matches or no rules are configured:

  • deny—Drop the traffic.
  • accept—Allow the traffic to pass the firewall.

stateful

Enable/disable stateful firewall. When enabled, server response traffic is permitted automatically when the client-to-server rule allows the connection to be established. When disabled, you must create separate rules for client-to-server and server-to-client traffic. Enabled by default.
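The evaluation order described above (rules checked from the first, first match wins, default-action applied when nothing matches, and reply traffic of an accepted session admitted automatically in stateful mode) as an executable model. This is an added example, not FortiADC code; it assumes address objects are CIDR strings, service objects are (protocol, port) pairs, and the 10.0.0.0/24 and 192.0.2.0/24 networks and the fw-deny-telnet rule are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """One 'config rule' entry. Address objects are modelled as CIDR strings and
    the service object as a (protocol, destination port) pair (assumptions)."""
    name: str
    action: str              # "accept" or "deny"
    source: str              # source-address object, e.g. "10.0.0.0/24"
    destination: str         # destination-address object
    service: tuple           # e.g. ("tcp", 80)
    deny_log: bool = False   # deny-log; only meaningful when action is deny
    status: bool = True      # status enable/disable

@dataclass
class Policy:
    default_action: str = "deny"                  # used when no rule matches
    stateful: bool = True
    rules: list = field(default_factory=list)
    sessions: set = field(default_factory=set)    # state table of accepted sessions
    denied: list = field(default_factory=list)    # what deny-log would record

    def evaluate(self, proto, src, sport, dst, dport):
        """Return "accept" or "deny" for one packet; the first matching rule wins."""
        key = (proto, src, sport, dst, dport)
        # Stateful mode: the server-to-client reply of a session that an accept
        # rule already admitted is permitted without consulting the rule table.
        if self.stateful and (proto, dst, dport, src, sport) in self.sessions:
            return "accept"
        for rule in self.rules:
            if not rule.status:
                continue                          # disabled rules are skipped
            if (ip_address(src) in ip_network(rule.source)
                    and ip_address(dst) in ip_network(rule.destination)
                    and rule.service == (proto, dport)):
                if rule.action == "accept":
                    self.sessions.add(key)        # remember the client-to-server session
                elif rule.deny_log:
                    self.denied.append((rule.name, key))
                return rule.action
        return self.default_action                # no rule matched

def example_policy(stateful=True):
    """The fw-allow-http rule from the page's Example plus a constructed, logged deny rule."""
    return Policy(default_action="deny", stateful=stateful, rules=[
        Rule("fw-allow-http", "accept", "10.0.0.0/24", "192.0.2.0/24", ("tcp", 80)),
        Rule("fw-deny-telnet", "deny", "10.0.0.0/24", "192.0.2.0/24", ("tcp", 23), deny_log=True),
    ])
```

Running the same client request and server reply through `example_policy(stateful=True)` and `example_policy(stateful=False)` shows why a stateless policy needs a second, server-to-client rule before the reply can pass.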

config rule

action

  • deny—Drop the traffic.
  • accept—Allow the traffic to pass the firewall.

deny-log

Enable/disable logging of denied traffic. When enabled, each session that this rule drops is logged together with the relevant traffic details. The deny-log option is only available when action is set to deny. Disabled by default.

destination-type

Select the destination type to use to form the matching tuple.

  • address
  • addrgrp
  • external-resource

destination-address

The destination-address option is available if the destination-type is address.

Specify the Address object to use as the destination.

destination-addrgrp

The destination-addrgrp option is available if the destination-type is addrgrp.

Specify the Address Group object to use as the destination.

destination-external-resource-address

The destination-external-resource-address option is available if the destination-type is external-resource.

Specify the external IP address list imported through the IP Address connector to use as the destination. For details, see config system external-resource.

in-interface

Interface that receives traffic.

out-interface

Interface that forwards traffic.

service

Service object to use to form the matching tuple.

source-type

Select the source type to use to form the matching tuple.

  • address
  • addrgrp
  • external-resource

source-address

The source-address option is available if the source-type is address.

Specify the Address object to use as the source.

source-addrgrp

The source-addrgrp option is available if the source-type is addrgrp.

Specify the Address Group object to use as the source.

source-external-resource-address

The source-external-resource-address option is available if the source-type is external-resource.

Specify the external IP address list imported through the IP Address connector to use as the source. For details, see config system external-resource.

status

Enable or disable the firewall policy rule.

Example

FortiADC-VM # config firewall policy
FortiADC-VM (policy) # set default-action deny
FortiADC-VM (policy) # config rule
FortiADC-VM (rule) # edit fw-allow-http
Add new entry 'fw-allow-http' for node 1871
FortiADC-VM (fw-allow-http) # get
  in-interface :
  out-interface :
  source-address :
  destination-address :
  service :
  status : enable
  action :
FortiADC-VM (fw-allow-http) # set action accept
FortiADC-VM (fw-allow-http) # set in-interface port4
FortiADC-VM (fw-allow-http) # set out-interface port5
FortiADC-VM (fw-allow-http) # set source-address fw-source-addr1
FortiADC-VM (fw-allow-http) # set destination-address fw-dest-addr1
FortiADC-VM (fw-allow-http) # set service fw-http
FortiADC-VM (fw-allow-http) # get
  in-interface : port4
  out-interface : port5
  source-address : fw-source-addr1
  destination-address : fw-dest-addr1
  service : fw-http
  status : enable
  action : accept
FortiADC-VM (fw-allow-http) # end
