CLI Reference

firewall {policy | policy6}

Used to change firewall policies or their individual configurations. In addition to editing an existing policy, policies can be added, deleted, moved or cloned. It is also possible to purge all of the policy content from the table that holds them.

  • Use config firewall policy for IPv4 policies
  • Use config firewall policy6 for IPv6 policies

Firewall policies control all traffic passing through the FortiGate unit. Firewall policies are instructions used by the FortiGate unit to decide what to do with a connection request. The policy directs the firewall to allow the connection, deny the connection, require authentication before the connection is allowed, or apply IPsec processing. The commands config firewall policy and config firewall policy6 enter the correct context of the configuration file for making changes to firewall policies. From there, a specific policy is chosen to be acted upon.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command                                     Description

config application group
    New configuration method to apply application groups for policies in NGFW policy-based mode, in which applications and/or categories can be set as members.

set devices {amazon-device | ...}
    New Amazon device type category.

set ssh-filter-profile <name>
    Assign SSH profiles to IPv6 firewall policies, as part of supporting SSH traffic through IPv6.

set internet-service {enable | disable}
set internet-service-id <service-id>
set internet-service-custom <service-name>
set internet-service-src {enable | disable}
set internet-service-src-id <source-id>
set internet-service-src-custom <source-name>
    The Internet Service Database (ISDB) and IP Reputation Database (IRDB) enhance the traffic shaping criteria for firewall policies. To use Internet services in a policy, you must set the source and destination to one of the Internet services.
    For all related commands to be available, both internet-service and internet-service-src must be set to enable.

config firewall policy
    edit {policyid}
    # Configure IPv4 policies.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set name {string}   Policy name. size[35]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config srcintf
            edit {name}
            # Incoming (ingress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config dstintf
            edit {name}
            # Outgoing (egress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.vip.name,firewall.vipgrp.name
            next
        set internet-service {enable | disable}   Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. 
        config internet-service-id
            edit {id}
            # Internet Service ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-custom
            edit {name}
            # Custom Internet Service name.
                set name {string}   Custom Internet Service name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        set internet-service-src {enable | disable}   Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. 
        config internet-service-src-id
            edit {id}
            # Internet Service source ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-src-custom
            edit {name}
            # Custom Internet Service source name.
                set name {string}   Custom Internet Service name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        set rtp-nat {disable | enable}   Enable Real Time Protocol (RTP) NAT.
        config rtp-addr
            edit {name}
            # Address names if this is an RTP NAT policy.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set learning-mode {enable | disable}   Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
        set action {accept | deny | ipsec}   Policy action (allow/deny/ipsec).
                accept  Allows sessions that match the firewall policy.
                deny    Blocks sessions that match the firewall policy.
                ipsec   Firewall policy becomes a policy-based IPsec VPN policy.
        set send-deny-packet {disable | enable}   Enable to send a reply when a session is denied or blocked by a firewall policy.
        set firewall-session-dirty {check-all | check-new}   How to handle sessions if the configuration of this firewall policy changes.
                check-all  Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched with policies.
                check-new  Continue to allow sessions already accepted by this policy.
        set status {enable | disable}   Enable or disable this policy.
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set schedule-timeout {enable | disable}   Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
        config service
            edit {name}
            # Service and service group names.
                set name {string}   Service and service group names. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set dscp-match {enable | disable}   Enable DSCP check.
        set dscp-negate {enable | disable}   Enable negated DSCP match.
        set dscp-value {string}   DSCP value.
        set tcp-session-without-syn {all | data-only | disable}   Enable/disable creation of TCP session without SYN flag.
                all        Enable TCP session without SYN.
                data-only  Enable TCP session data only.
                disable    Disable TCP session without SYN.
        set utm-status {enable | disable}   Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set dnsfilter-profile {string}   Name of an existing DNS filter profile. size[35] - datasource(s): dnsfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set voip-profile {string}   Name of an existing VoIP profile. size[35] - datasource(s): voip.profile.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set waf-profile {string}   Name of an existing Web application firewall profile. size[35] - datasource(s): waf.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set logtraffic {all | utm | disable}   Enable or disable logging. Log all sessions or security profile sessions.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set logtraffic-start {enable | disable}   Record logs when a session starts and ends.
        set capture-packet {enable | disable}   Enable/disable capture packets.
        set auto-asic-offload {enable | disable}   Enable/disable offloading security profile processing to CP processors.
        set np-acceleration {enable | disable}   Enable/disable UTM Network Processor acceleration.
        set wanopt {enable | disable}   Enable/disable WAN optimization.
        set wanopt-detection {active | passive | off}   WAN optimization auto-detection mode.
                active   Active WAN optimization peer auto-detection.
                passive  Passive WAN optimization peer auto-detection.
                off      Turn off WAN optimization peer auto-detection.
        set wanopt-passive-opt {default | transparent | non-transparent}   WAN optimization passive mode options. This option decides what IP address will be used to connect server.
                default          Allow client side WAN opt peer to decide.
                transparent      Use address of client to connect to server.
                non-transparent  Use local FortiGate address to connect to server.
        set wanopt-profile {string}   WAN optimization profile. size[35] - datasource(s): wanopt.profile.name
        set wanopt-peer {string}   WAN optimization peer. size[35] - datasource(s): wanopt.peer.peer-host-id
        set webcache {enable | disable}   Enable/disable web cache.
        set webcache-https {disable | enable}   Enable/disable web cache for HTTPS.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        config application
            edit {id}
            # Application ID list.
                set id {integer}   Application IDs. range[0-4294967295]
            next
        config app-category
            edit {id}
            # Application category ID list.
                set id {integer}   Category IDs. range[0-4294967295]
            next
        config url-category
            edit {id}
            # URL category ID list.
                set id {integer}   URL category ID. range[0-4294967295]
            next
        config app-group
            edit {name}
            # Application group names.
                set name {string}   Application group names. size[64] - datasource(s): application.group.name
            next
        set nat {enable | disable}   Enable/disable source NAT.
        set permit-any-host {enable | disable}   Accept UDP packets from any host.
        set permit-stun-host {enable | disable}   Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
        set fixedport {enable | disable}   Enable to prevent source NAT from changing a session's source port.
        set ippool {enable | disable}   Enable to use IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        set session-ttl {integer}   TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). range[300-604800]
        set vlan-cos-fwd {integer}   VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set vlan-cos-rev {integer}   VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set inbound {enable | disable}   Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
        set outbound {enable | disable}   Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
        set natinbound {enable | disable}   Policy-based IPsec VPN: apply destination NAT to inbound traffic.
        set natoutbound {enable | disable}   Policy-based IPsec VPN: apply source NAT to outbound traffic.
        set wccp {enable | disable}   Enable/disable forwarding traffic matching this policy to a configured WCCP server.
        set ntlm {enable | disable}   Enable/disable NTLM authentication.
        set ntlm-guest {enable | disable}   Enable/disable NTLM guest user access.
        config ntlm-enabled-browsers
            edit {user-agent-string}
            # HTTP-User-Agent value of supported browsers.
                set user-agent-string {string}   User agent string. size[64]
            next
        set fsso {enable | disable}   Enable/disable Fortinet Single Sign-On.
        set wsso {enable | disable}   Enable/disable WiFi Single Sign On (WSSO).
        set rsso {enable | disable}   Enable/disable RADIUS single sign-on (RSSO).
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        config groups
            edit {name}
            # Names of user groups that can authenticate with this policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of individual users that can authenticate with this policy.
                set name {string}   Names of individual users that can authenticate with this policy. size[64] - datasource(s): user.local.name
            next
        config devices
            edit {name}
            # Names of devices or device groups that can be matched by the policy.
                set name {string}   Device or group name. size[35] - datasource(s): user.device.alias,user.device-group.name,user.device-category.name
            next
        set auth-path {enable | disable}   Enable/disable authentication-based routing.
        set disclaimer {enable | disable}   Enable/disable user authentication disclaimer.
        set vpntunnel {string}   Policy-based IPsec VPN: name of the IPsec VPN Phase 1. size[35] - datasource(s): vpn.ipsec.phase1.name,vpn.ipsec.manualkey.name
        set natip {ipv4 classnet}   Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
        set match-vip {enable | disable}   Enable to match packets that have had their destination addresses changed by a VIP.
        set diffserv-forward {enable | disable}   Enable to change packet's DiffServ values to the specified diffservcode-forward value.
        set diffserv-reverse {enable | disable}   Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
        set diffservcode-forward {string}   Change packet's DiffServ to this value.
        set diffservcode-rev {string}   Change packet's reverse (reply) DiffServ to this value.
        set tcp-mss-sender {integer}   Sender TCP maximum segment size (MSS). range[0-65535]
        set tcp-mss-receiver {integer}   Receiver TCP maximum segment size (MSS). range[0-65535]
        set comments {string}   Comment. size[1023]
        set label {string}   Label for the policy that appears when the GUI is in Section View mode. size[63]
        set global-label {string}   Label for the policy that appears when the GUI is in Global View mode. size[63]
        set auth-cert {string}   HTTPS server certificate for policy authentication. size[35] - datasource(s): vpn.certificate.local.name
        set auth-redirect-addr {string}   HTTP-to-HTTPS redirect address for firewall authentication. size[63]
        set redirect-url {string}   URL users are directed to after seeing and accepting the disclaimer or authenticating. size[255]
        set identity-based-route {string}   Name of identity-based routing rule. size[35] - datasource(s): firewall.identity-based-route.name
        set block-notification {enable | disable}   Enable/disable block notification.
        config custom-log-fields
            edit {field-id}
            # Custom fields to append to log messages for this policy.
                set field-id {string}   Custom log field. size[35] - datasource(s): log.custom-field.id
            next
        set replacemsg-override-group {string}   Override the default replacement message group for this policy. size[35] - datasource(s): system.replacemsg-group.name
        set srcaddr-negate {enable | disable}   When enabled srcaddr specifies what the source address must NOT be.
        set dstaddr-negate {enable | disable}   When enabled dstaddr specifies what the destination address must NOT be.
        set service-negate {enable | disable}   When enabled service specifies what the service must NOT be.
        set internet-service-negate {enable | disable}   When enabled internet-service specifies what the service must NOT be.
        set internet-service-src-negate {enable | disable}   When enabled internet-service-src specifies what the service must NOT be.
        set timeout-send-rst {enable | disable}   Enable/disable sending RST packets when TCP sessions expire.
        set captive-portal-exempt {enable | disable}   Enable to exempt some users from the captive portal.
        set ssl-mirror {enable | disable}   Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
        config ssl-mirror-intf
            edit {name}
            # SSL mirror interface name.
                set name {string}   Mirror Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        set scan-botnet-connections {disable | block | monitor}   Block or monitor connections to Botnet servers or disable Botnet scanning.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set dsri {enable | disable}   Enable DSRI to ignore HTTP server responses.
        set radius-mac-auth-bypass {enable | disable}   Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
        set delay-tcp-npu-session {enable | disable}   Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
        set vlan-filter {string}   Set VLAN filters.
    next
end
config firewall policy6
    edit {policyid}
    # Configure IPv6 policies.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set name {string}   Policy name. size[35]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config srcintf
            edit {name}
            # Incoming (ingress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.zone.name,system.interface.name
            next
        config dstintf
            edit {name}
            # Outgoing (egress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,firewall.vip6.name,firewall.vipgrp6.name
            next
        set action {accept | deny | ipsec}   Policy action (allow/deny/ipsec).
                accept  Allows sessions that match the firewall policy.
                deny    Blocks sessions that match the firewall policy.
                ipsec   Firewall policy becomes a policy-based IPsec VPN policy.
        set firewall-session-dirty {check-all | check-new}   How to handle sessions if the configuration of this firewall policy changes.
                check-all  Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched with policies.
                check-new  Continue to allow sessions already accepted by this policy.
        set status {enable | disable}   Enable or disable this policy.
        set vlan-cos-fwd {integer}   VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set vlan-cos-rev {integer}   VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        config service
            edit {name}
            # Service and service group names.
                set name {string}   Service and service group names. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set dscp-match {enable | disable}   Enable DSCP check.
        set dscp-negate {enable | disable}   Enable negated DSCP match.
        set dscp-value {string}   DSCP value.
        set tcp-session-without-syn {all | data-only | disable}   Enable/disable creation of TCP session without SYN flag.
                all        Enable TCP session without SYN.
                data-only  Enable TCP session data only.
                disable    Disable TCP session without SYN.
        set utm-status {enable | disable}   Enable AV/web/ips protection profile.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set voip-profile {string}   Name of an existing VoIP profile. size[35] - datasource(s): voip.profile.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set logtraffic {all | utm | disable}   Enable or disable logging. Log all sessions or security profile sessions.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set logtraffic-start {enable | disable}   Record logs when a session starts and ends.
        set auto-asic-offload {enable | disable}   Enable/disable policy traffic ASIC offloading.
        set np-acceleration {enable | disable}   Enable/disable UTM Network Processor acceleration.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        config application
            edit {id}
            # Application ID list.
                set id {integer}   Application IDs. range[0-4294967295]
            next
        config app-category
            edit {id}
            # Application category ID list.
                set id {integer}   Category IDs. range[0-4294967295]
            next
        config url-category
            edit {id}
            # URL category ID list.
                set id {integer}   URL category ID. range[0-4294967295]
            next
        config app-group
            edit {name}
            # Application group names.
                set name {string}   Application group names. size[64] - datasource(s): application.group.name
            next
        set nat {enable | disable}   Enable/disable source NAT.
        set fixedport {enable | disable}   Enable to prevent source NAT from changing a session's source port.
        set ippool {enable | disable}   Enable to use IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool6.name
            next
        set session-ttl {integer}   Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL. range[300-604800]
        set inbound {enable | disable}   Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
        set outbound {enable | disable}   Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
        set natinbound {enable | disable}   Policy-based IPsec VPN: apply destination NAT to inbound traffic.
        set natoutbound {enable | disable}   Policy-based IPsec VPN: apply source NAT to outbound traffic.
        set send-deny-packet {enable | disable}   Enable/disable return of deny-packet.
        set vpntunnel {string}   Policy-based IPsec VPN: name of the IPsec VPN Phase 1. size[35] - datasource(s): vpn.ipsec.phase1.name,vpn.ipsec.manualkey.name
        set diffserv-forward {enable | disable}   Enable to change packet's DiffServ values to the specified diffservcode-forward value.
        set diffserv-reverse {enable | disable}   Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
        set diffservcode-forward {string}   Change packet's DiffServ to this value.
        set diffservcode-rev {string}   Change packet's reverse (reply) DiffServ to this value.
        set tcp-mss-sender {integer}   Sender TCP maximum segment size (MSS). range[0-65535]
        set tcp-mss-receiver {integer}   Receiver TCP maximum segment size (MSS). range[0-65535]
        set comments {string}   Comment. size[1023]
        set label {string}   Label for the policy that appears when the GUI is in Section View mode. size[63]
        set global-label {string}   Label for the policy that appears when the GUI is in Global View mode. size[63]
        set rsso {enable | disable}   Enable/disable RADIUS single sign-on (RSSO).
        config custom-log-fields
            edit {field-id}
            # Log field index numbers to append custom log fields to log messages for this policy.
                set field-id {string}   Custom log field. size[35] - datasource(s): log.custom-field.id
            next
        set replacemsg-override-group {string}   Override the default replacement message group for this policy. size[35] - datasource(s): system.replacemsg-group.name
        set srcaddr-negate {enable | disable}   When enabled srcaddr specifies what the source address must NOT be.
        set dstaddr-negate {enable | disable}   When enabled dstaddr specifies what the destination address must NOT be.
        set service-negate {enable | disable}   When enabled service specifies what the service must NOT be.
        config groups
            edit {name}
            # Names of user groups that can authenticate with this policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of individual users that can authenticate with this policy.
                set name {string}   Names of individual users that can authenticate with this policy. size[64] - datasource(s): user.local.name
            next
        config devices
            edit {name}
            # Names of devices or device groups that can be matched by the policy.
                set name {string}   Device or group name. size[35] - datasource(s): user.device.alias,user.device-group.name,user.device-category.name
            next
        set timeout-send-rst {enable | disable}   Enable/disable sending RST packets when TCP sessions expire.
        set ssl-mirror {enable | disable}   Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
        config ssl-mirror-intf
            edit {name}
            # SSL mirror interface name.
                set name {string}   Interface name. size[64] - datasource(s): system.zone.name,system.interface.name
            next
        set dsri {enable | disable}   Enable DSRI to ignore HTTP server responses.
        set vlan-filter {string}   Set VLAN filters.
    next
end
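The config / edit / set / next / end layout above is what a reviewer most often has to read in bulk. The following is an added example, not code from the FortiOS reference or from Fortinet: it parses that layout, looks up the first matching policy in top-down order (honouring the *-negate flags documented above), and flags a few hygiene problems. SAMPLE_CONFIG is constructed for the example, matching is by object name only, and "all"/"any" is treated as the wildcard, which is a simplification of the real address and service objects.

```python
"""Parser and audit for the `config firewall policy` layout documented above.

Added example, not code from the FortiOS reference or from Fortinet. It parses
the config / edit / set / next / end layout, finds the first matching policy
in top-down order, and flags a few hygiene problems. SAMPLE_CONFIG is
constructed; matching is by object name, with "all"/"any" as the wildcard.
"""
import shlex

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
    next
    edit 2
        set name "legacy any-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
    next
end
"""

# Attributes the reference shows as config sub-tables, i.e. multi-valued.
LIST_KEYS = {"srcintf", "dstintf", "srcaddr", "dstaddr", "service", "poolname"}
WILDCARDS = {"all", "any"}


def parse_policies(text):
    """Return one dict per `edit ... next` block; LIST_KEYS become lists."""
    policies, current = [], None
    for line in text.splitlines():
        words = shlex.split(line)  # honours the quoting the CLI uses
        if not words:
            continue
        if words[0] == "edit" and len(words) == 2:
            current = {"policyid": int(words[1])}
        elif words[0] == "set" and current is not None and len(words) >= 3:
            key, values = words[1], words[2:]
            current[key] = values if key in LIST_KEYS else " ".join(values)
        elif words[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def _is_wildcard(members):
    return any(m.lower() in WILDCARDS for m in members)


def _attr_matches(policy, key, value):
    """One selector; `<key>-negate enable` inverts the result, as documented."""
    members = policy.get(key, [])
    hit = _is_wildcard(members) or value in members
    return (not hit) if policy.get(key + "-negate") == "enable" else hit


def first_match(policies, srcintf, dstintf, srcaddr, dstaddr, service):
    """Top-down evaluation: the first enabled policy whose selectors all match
    wins, which is why `move ... {after | before}` changes behaviour."""
    probe = {"srcintf": srcintf, "dstintf": dstintf, "srcaddr": srcaddr,
             "dstaddr": dstaddr, "service": service}
    for policy in policies:
        if policy.get("status", "enable") != "enable":  # status defaults to enable
            continue
        if all(_attr_matches(policy, k, v) for k, v in probe.items()):
            return policy
    return None  # no policy matched: implicit deny


def audit(policies):
    """Hygiene findings on accept policies, as (policyid, message) tuples."""
    findings = []
    for policy in policies:
        if policy.get("action") != "accept":
            continue
        pid = policy["policyid"]
        if policy.get("logtraffic") == "disable":
            findings.append((pid, "accept policy with logtraffic disable"))
        if policy.get("utm-status") != "enable":
            findings.append((pid, "accept policy without utm-status enable"))
        if all(_is_wildcard(policy.get(k, [])) for k in ("srcaddr", "dstaddr", "service")):
            findings.append((pid, "accept policy matching any source, destination and service"))
    return findings
```

Running audit(parse_policies(SAMPLE_CONFIG)) reports only policy 2, the unlogged, uninspected any-any rule; a real review would feed it the output of `show firewall policy` instead of the constructed sample.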

Additional information

The following section is for those options that require additional explanation.

Managing policy objects

The configuration of specific policy options or settings is the most common activity when using the firewall policy command, but some commands affect the policy objects as a whole.

edit

Used to select which individual policy to configure or edit values.

Syntax:
edit <policyid>
  • Choosing 0 as the <policyid> adds a new policy using the next available number as its <policyid>. While the policy is first being edited, the context at the command prompt will show the <policyid> as 0, but subsequent editing requires using the new <policyid>.

delete

Used to delete an existing firewall policy.

Syntax:
delete <policyid>
  • The <policyid> can be an integer value between 0 and 4294967294.

purge

Used to delete all of the existing firewall policies. It deletes all of the values within the table that holds the information about firewall policies within the VDOM.

Syntax:
purge
  • There are no options, parameters or qualifiers. Just press the Enter key after entering the command.
  • This command has a serious impact. Use cautiously.

move

Used to move the position of a policy, relative to another policy, in the sequence order of how policies are applied.

Syntax:
move <policyid> {after | before} <policyid>

clone

Used to copy all of the attributes of an existing policy to another policy.

Syntax:
clone <policyid> to <policyid>

Options and settings within a policy

name

A unique name given to the policy. By default, this is a required field but the requirement can be disabled.

Syntax:
set name <string>
Examples:
config firewall policy
	edit 0
	set name example
	or ...
	set name "example policy name"
end

uuid

Each policy has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128 bit value written in hexadecimal. It can be edited.

Syntax:
set uuid <uuid_value>

Default value: autogenerated

Example:
config firewall policy
	edit 0
	set uuid a3c9ccb8-a84a-51e6-d72c-6a5189cadb83
end

srcintf

Sets the source interface of the traffic that the policy will manage. The value is a <string> that should be the name of one of the existing interfaces configured on the device. Separate multiple interfaces with a space.

Syntax:
{set|append} srcintf <name_of_interface> [<name_of_interface> ...]
Example:
config firewall policy
	edit 0
	set srcintf port1 
	or ...
	set srcintf port2 port3 
	or ...
	append srcintf port4
end

dstintf

Sets the destination interface of the traffic that the policy will manage. The value is a <string> that should be the name of one of the existing interfaces configured on the device. Separate multiple interfaces with a space.

Syntax:
{set|append} dstintf <name_of_interface> [<name_of_interface> ...]
Example:
config firewall policy
	edit 0
	set dstintf port11 
	or ...
	set dstintf port12 port13 
	or ...
	append dstintf port14
end

srcaddr

Sets the source address object(s) whose traffic will be managed by this policy. More than one object can be assigned to this option. Separate multiple addresses with a space.

Syntax:
{set|append} srcaddr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0 
	set srcaddr example_address1 
	or ...
	set srcaddr "example address2" "example_address3" 
	or ...
	append srcaddr example_address4
end

dstaddr

Sets the destination address object(s) whose traffic will be managed by this policy. More than one object can be assigned to this option. Separate multiple addresses with a space.

Syntax:
{set|append} dstaddr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0
	set dstaddr example_address1
	or ... 
	set dstaddr "example address2" "example_address3"
	or ...
	append dstaddr example_address4 
end

rtp-nat

Enables or disables the application of source NAT to RTP packets received by the firewall policy. This field is used for redundant SIP configurations. If rtp-nat is enabled you must add one or more firewall addresses to the rtp-addr field.

Syntax:
set rtp-nat {enable|disable}

Default value: disable

rtp-addr

Used to enter one or more RTP firewall addresses for the policy. This field is only available when rtp-nat is enabled. Separate multiple addresses with a space.

Syntax:
{set|append} rtp-addr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0
	set rtp-addr example_address1
	or ...
	set rtp-addr "example address 2" "example_address3"
	or ...
	append rtp-addr example_address4
end

learning-mode

Enables or disables a specialized action option that monitors and logs traffic based on hard coded security profiles.

Syntax:
set learning-mode {enable|disable}

Default value: disable

action

Sets the action that the FortiGate unit will perform on traffic matching this firewall policy.

  • accept — Allow packets that match the firewall policy. Optionally, also enable nat to make this a NAT policy (NAT mode only).
  • deny — Deny packets that match the firewall policy.
  • ipsec — Allow and apply IPSec VPN. You must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.

Limitations:

  • If learning-mode is enabled the action setting will not be available
  • For IPv6 policies, only accept and deny options are available.
Syntax:
set action [accept|deny|ipsec]

Default value: deny

Examples:
config firewall policy
	edit 0
	set action accept
end

send-deny-packet

Enables or disables the ability to send a packet in reply to denied TCP, UDP or ICMP traffic. When deny‑tcp‑with‑icmp is enabled in system settings, a Communication Prohibited ICMP packet is sent. Otherwise, denied TCP traffic is sent a TCP reset.

Syntax:
set send-deny-packet {enable|disable}

Default value: disable

firewall-session-dirty

Used to determine whether changes to a firewall policy affect all sessions or just new ones.

  • check‑all — flushes all current sessions so that they are re-evaluated against the changed policy
  • check‑new — keeps existing sessions and applies the policy change only to new sessions

This field is available if firewall-session-dirty in config system settings is set to check‑policy‑option.

Syntax:
set firewall-session-dirty [check-all|check-new]

Default value: check-all

Examples:
config firewall policy
	edit 0
	set firewall-session-dirty check-new
end

status

Enables or disables a policy.

Syntax:
set status {enable|disable}

Default value: enable

schedule

Sets the schedule used by the policy. The variable is the name of the existing one-time or reoccurring schedule, or schedule group.

Syntax:
set schedule <schedule_object>
Examples:
config firewall policy
	edit 0
	set schedule work_week
end

schedule-timeout

When enabled, sessions are forced to end when the schedule's end time is reached. If disabled, sessions can go past the schedule's end time, but no new sessions can start.

Syntax:
set schedule-timeout {enable|disable}

Default value: disable

service

Used to set the services matched by the policy. The variable can be one or more services or service groups. Separate multiple services with a space.

Syntax:
{set|append} service <service_object> [<service_object> ...]
Examples:
config firewall policy
	edit 0
	set service http
	or ...
	set service http "Email Access"
	or ...
	append service ftp
end

utm-status

Enables or disables adding security profiles on the firewall policy. If enabled, at least one profile must be added to the policy. This setting is not available until the source, destination, and action (accept) parameters of the policy have been configured.

Syntax:
set utm-status {enable|disable}

Default value: disable

profile-type

Sets whether or not to use individual UTM profiles or a UTM profile group to the firewall policy.

Syntax:
set profile-type {single | group}

Default value: single

Examples:
config firewall policy
	edit 0
	set profile-type group
end

profile-group

Determines the name of a UTM profile group in the firewall policy. This option is available if profile-type is set to group.

Syntax:
set profile-group <string>
Examples:
config firewall policy
	edit 0
	set profile-group example_profile_group
end

av-profile

Sets the name of the antivirus profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set av-profile <string>
Examples:
config firewall policy
	edit 0
	set av-profile default_av_profile
end

webfilter-profile

Sets the name of the webfilter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set webfilter-profile <string>
Example:
config firewall policy
	edit 0
	set webfilter-profile "example web profile"
end

dnsfilter-profile

Sets the name of the DNS filter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set dnsfilter-profile <string>
Examples:
config firewall policy
	edit 0
	set dnsfilter-profile dns_for_developers
end

spamfilter-profile

Sets the name of the spam filter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set spamfilter-profile <string>
Examples:
config firewall policy
	edit 0
	set spamfilter-profile spam-filter1
end

dlp-sensor

Sets the name of the DLP sensor profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set dlp-sensor <string>
Examples:
config firewall policy
	edit 0
	set dlp-sensor dlp-classified
end

ips-sensor

Sets the name of the IPS profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set ips-sensor <string>
Examples:
config firewall policy
	edit 0
	set ips-sensor production_ips
end

application-list

Sets the name of the pre-packaged list of applications associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set application-list <string>
Examples:
config firewall policy
	edit 0
	set application-list allowed-apps
end

casi-profile

Sets the name of the CASI profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set casi-profile <string>
Examples:
config firewall policy
	edit 0
	set casi-profile casi-default
end

voip-profile

Sets the name of the VoIP profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set voip-profile <string>
Examples:
config firewall policy
	edit 0
	set voip-profile voip-example
end

icap-profile

Sets the name of the ICAP profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set icap-profile <string>
Examples:
config firewall policy
	edit 0
	set icap-profile icap-test
end

waf-profile

Sets the name of the WAF profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set waf-profile <string>
Examples:
config firewall policy
	edit 0
	set waf-profile waf-profile1
end

profile-protocol-options

Sets the name of the protocol options profile associated with the firewall policy.

Syntax:
set profile-protocol-options <string>
Examples:
config firewall policy
	edit 0
	set profile-protocol-options company_default
end

ssl-ssh-profile

Sets the name of the SSL/SSH profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set ssl-ssh-profile <string>
Examples:
config firewall policy
	edit 0
	set ssl-ssh-profile default-profile
end

logtraffic

Used to set how traffic logs are recorded for this policy.

  • all - record logs for all traffic accepted by this policy
  • utm - log only traffic that has a security profile applied to it
  • disable - disable logging for this policy
Syntax:
set logtraffic {all | utm | disable}

Default value: utm

Example:
config firewall policy
	edit 0
	set logtraffic utm
end

logtraffic-start

Enables or disables the ability to log session starts and stops.

Syntax:
set logtraffic-start {enable|disable}

Default value: disable

capture-packet

Enables or disables the packet capture feature. This is available if the logtraffic setting is all or utm.

Default value: disable

Syntax:
set capture-packet {enable|disable}

auto-asic-offload

Enables or disables offloading policy traffic to CPx processors. Disabling auto-asic-offload also disables offloading traffic to NPx processors.

Syntax:
set auto-asic-offload {enable|disable}

Default value: enable

wanopt

Enables or disables the use of the WAN optimization feature on this policy. This feature is only available if the action setting is accept.

Syntax:
set wanopt {enable|disable}

Default value: disable

wanopt-detection

Used to select the wanopt peer auto-detection mode.

Syntax:
set wanopt-detection {active | passive | off}

Default value: off

Example:
config firewall policy
	edit 0
	set wanopt-detection active
end

wanopt-passive-opt

Used to set passive WAN Optimization policy address translation behavior.

  • default - Use the transparent setting in the WAN Optimization profile added to the active policy (client-side configuration).
  • transparent - Impose transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate keep their original source addresses.
  • non-transparent - Impose non-transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate have their source address changed to the address of the server-side FortiGate unit interface that sends the packets to the servers.
Syntax:
set wanopt-passive-opt {default | transparent | non-transparent}

Default value: default

Example:
config firewall policy
	edit 0
	set wanopt-passive-opt transparent
end

wanopt-profile

Sets the name of the WAN optimization profile associated with the firewall policy.

Syntax:
set wanopt-profile <string>
Example:
config firewall policy
	edit 0
	set wanopt-profile "Company default WANopt"
end

wanopt-peer

Used to set the WAN optimization peer.

Syntax:
set wanopt-peer <string>

webcache

Enables or disables the WAN optimization web caching for HTTP traffic accepted by the firewall policy. This option is available only on FortiGate units that support WAN Optimization and web caching.

Syntax:
set webcache {enable|disable}

Default value: disable

webcache-https

Sets the level of webcaching for HTTPS traffic.

  • disable — no caching of HTTPS traffic
  • enable — caching of HTTPS traffic

This field is available only if webcache is enabled. This field is not available if srcintf is ftp-proxy or wanopt.

Syntax:
set webcache-https {disable| enable}

Default value: disable

Example:
config firewall policy
	edit 0
	set webcache enable
	set webcache-https enable
end

traffic-shaper

Select a traffic shaper for the policy. A traffic shaper controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.

Syntax:
set traffic-shaper <string>

traffic-shaper-reverse

Select a reverse traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Syntax:
set traffic-shaper-reverse <string>

per-ip-shaper

Enter the name of the per-IP traffic shaper to associate with this policy. For information about per-IP traffic shapers, see firewall shaper per-ip-shaper.

Syntax:
set per-ip-shaper <string>

nat

Enables or disables the use of Network Address Translation (NAT).

Syntax:
set nat {enable|disable}

Default value: disable

permit-any-host

Enables or disables the ability to accept UDP packets from any host. This can help support the FaceTime application on NAT’d iPhones.

Syntax:
set permit-any-host {enable|disable}

Default value: disable

permit-stun-host

Enables or disables the ability to accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. This can help support the FaceTime application on NAT’d iPhones.

Syntax:
set permit-stun-host {enable|disable}

Default value: disable

fixedport

Enables or disables the ability to preserve packets’ source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option. If fixedport is enabled, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port.

Syntax:
set fixedport {enable|disable}

Default value: disable

ippool

Enables or disables the use of ippools for NAT. When the action is set to accept and NAT is enabled, the ippool function allows a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy.

Syntax:
set ippool {enable|disable}

Default value: disable

poolname

The name of the IP pool to be used for NAT. To use this option requires that ippool be enabled. Separate multiple pool names with a space.

Syntax:
{set|append} poolname <ippool> [<ippool> ...]
Example:
config firewall policy
	edit 0
	set poolname testpool1
	or ...
	append poolname "testpool 1" "testpool2"
	or ...
	clear poolname
end

session-ttl

Used to set a timeout value in the policy that overrides the global timeout setting defined using config system session-ttl. When left at the default value, the policy setting has no effect and the global timeout applies. The value is in seconds.

Syntax:
set session-ttl <integer>

Default value: 0

Example:
config firewall policy
	edit 0
	set session-ttl 3600
end

vlan-cos-fwd

Used to set the VLAN forward direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.

Syntax:
set vlan-cos-fwd <integer>

Default value: 255

Example:
config firewall policy
	edit 0
	set vlan-cos-fwd 7
end

vlan-cos-rev

Used to set the VLAN reverse direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.

Syntax:
set vlan-cos-rev <integer>

Default value: 255

Example:
config firewall policy
	edit 0
	set vlan-cos-rev 3
end

inbound

When action is set to ipsec, this setting enables or disables traffic from computers on the remote private network to initiate an IPSec VPN tunnel.

Syntax:
set inbound {enable | disable}

Default value: disable

outbound

When action is set to ipsec, this setting enables or disables traffic from computers on the local private network to initiate an IPSec VPN tunnel.

Syntax:
set outbound {enable | disable}

Default value: disable

natinbound

Enables or disables the function of translating the source addresses of IP packets emerging from an IPsec tunnel into the IP address of the FortiGate unit’s network interface to the local private network. This option appears only if action is ipsec.

Syntax:
set natinbound {enable | disable}

Default value: disable

natoutbound

Enables or disables the function of translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit’s outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel. This option appears only if action is ipsec.

Syntax:
set natoutbound {enable | disable}

Default value: disable

wccp

Enables or disables Web Cache Coordination Protocol (WCCP). If enabled, the traffic accepted by this policy is sent to a configured WCCP server as configured by the config system wccp command.

Syntax:
set wccp {enable|disable}

Default value: disable

ntlm

Enables or disables Directory Service authentication via NTLM. If you enable this option, you must also define the user groups. This field is available only if the groups or users fields are specified.

Syntax:
set ntlm {enable|disable}

Default value: disable

ntlm-guest

Enables or disables NTLM guest user access.

Syntax:
set ntlm-guest {enable|disable}

Default value: disable

ntlm-enabled-browsers

Sets the value for the HTTP-User-Agent of supported browsers. Enclose each string in quotes and separate strings with a space. Browsers with non-matching strings get guest access.

Syntax:
{set|append|clear} ntlm-enabled-browsers <user_agent_string>

fsso

Enables or disables Fortinet Single Sign On. This field is available when groups is populated.

Syntax:
set fsso {enable|disable}

Default value: enable

wsso

Enables or disables WiFi Single Sign On.

Syntax:
set wsso {enable|disable}

Default value: disable

rsso

Enables or disables RADIUS-based single sign-on (SSO) for this policy.

Syntax:
set rsso {enable|disable}

Default value: disable

fsso-agent-for-ntlm

Specify FSSO agent for NTLM authentication.

Syntax:
set fsso-agent-for-ntlm <string>

groups

A listing of the names of the user groups allowed to use this policy. Separate multiple groups with a space.

Syntax:
{set|append} groups <user-group_object> [<user-group_object> ...]
Examples:
config firewall policy
	edit 0
	set groups group1
	or ...
	set groups group2 "Group 3"
	or ...
	append groups group4
end

users

A listing of the names of the users allowed to use this policy. Separate multiple users with a space.

Syntax:
{set|append} users <user_object> [<user_object> ...]
Examples:
config firewall policy
	edit 0
	set users adam
	or ...
	set users burt "Charlie C"
	or ...
	append users david
end

devices

A listing of the names of devices or device categories that apply to this policy. Separate multiple devices with a space.

Syntax:
{set|append} devices <device_object> [<device_object> ...]
Examples:
config firewall policy
	edit 0
	set devices "adams pc"
	or ...
	set devices bob-pc linux-pc
	or ...
	append devices windows-pc
end

auth-path

Enables or disables authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see router auth-path. This field is available only when the FortiGate unit is operating in NAT mode and the groups or users fields are specified.

Syntax:
set auth-path {enable|disable}

Default value: disable

disclaimer

Enables or disables the display of the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination.

Syntax:
set disclaimer {enable|disable}

Default value: disable

vpntunnel

Sets the name of a Phase 1 IPSec VPN configuration to apply to the IPsec tunnel. This field is available only if action is ipsec.

Syntax:
set vpntunnel <string>
Example:
config firewall policy
	edit 0
	set vpntunnel "TunnelA Phase 1"
end

natip

Used to specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel. If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit’s external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7. This field is available only if action is ipsec and natoutbound is enabled.

Syntax:
set natip <IP_address> <IPv4mask>
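The subnetwork-to-subnetwork mapping described above, modelled in Python as an added example (this is not Fortinet code and not how FortiOS implements it internally). It reproduces the example from the text, 192.168.1.0/24 with natip 172.16.2.0/24 mapping 192.168.1.7 to 172.16.2.7, and generalizes it to any source subnet and natip value. Taking the host bits from the natip mask, and refusing a natip subnet smaller than the policy's source subnet (which would map two hosts onto one translated address), are assumptions of this model, not statements from the reference.

```python
"""Static subnet-to-subnet source translation as the natip section describes.

Added example, not Fortinet code. The rule modelled here is the one given in
the text; the use of the natip mask to select host bits is an assumption.
"""
import ipaddress


def natip_translate(src_ip, policy_srcaddr, natip, natmask):
    """Return the translated source address for one packet entering the tunnel.

    src_ip          packet source address (must fall inside the policy's srcaddr)
    policy_srcaddr  the policy's source subnet, e.g. "192.168.1.0/24"
    natip, natmask  the values given to `set natip <IP_address> <IPv4mask>`
    """
    src = ipaddress.IPv4Address(src_ip)
    src_net = ipaddress.IPv4Network(policy_srcaddr, strict=False)
    nat_net = ipaddress.IPv4Network(f"{natip}/{natmask}", strict=False)
    if src not in src_net:
        raise ValueError(f"{src} is outside the policy source subnet {src_net}")
    # Assumption: a natip subnet smaller than the source subnet would map two
    # different hosts onto one translated address, so treat it as a misconfiguration.
    if nat_net.prefixlen > src_net.prefixlen:
        raise ValueError(f"natip subnet {nat_net} is smaller than source subnet {src_net}")
    # Keep the host portion of the original address and place it in the natip subnet.
    host_bits = int(src) & (0xFFFFFFFF ^ int(nat_net.netmask))
    return str(ipaddress.IPv4Address(int(nat_net.network_address) | host_bits))


def natip_mapping(policy_srcaddr, natip, natmask):
    """Full static mapping {original: translated} for every host in the policy subnet."""
    src_net = ipaddress.IPv4Network(policy_srcaddr, strict=False)
    return {str(h): natip_translate(str(h), policy_srcaddr, natip, natmask)
            for h in src_net.hosts()}


if __name__ == "__main__":
    # The example from the reference text.
    print(natip_translate("192.168.1.7", "192.168.1.0/24", "172.16.2.0", "255.255.255.0"))
```

Because the mapping is static, the same translated address always belongs to the same original host, which is what makes the translated addresses usable for logging and for policies on the remote side of the tunnel.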

match-vip

Enables or disables the function of matching DNATed packets. If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to all) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped. In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list. To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.

Syntax:
set match-vip {enable|disable}

Default value: disable
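Since the options in this reference are mostly flags whose safe combinations are spelled out in prose (logtraffic, utm-status requiring a profile, fixedport with ippool, and the bottom-of-list deny policy with match-vip described just above), a practitioner will usually want to check a policy table for them rather than read it by eye. The following Python script is an added example, not Fortinet code: it parses a `config firewall policy` block in the format this page uses, in table order as produced by the edit/move commands from the Managing policy objects section, and reports the conditions named in those sections. The sample configuration, its policy ids, names and address objects are constructed for the example.

```python
"""Audit a FortiOS `config firewall policy` block for settings this reference warns about.

Added example, not Fortinet code. SAMPLE_CONFIG is a constructed sample.
"""
import shlex

# Constructed sample: two accept policies and a bottom-of-list catch-all deny.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcaddr all
        set dstaddr all
        set action accept
        set service ALL
        set nat enable
        set fixedport enable
        set logtraffic disable
    next
    edit 2
        set name "dmz-web"
        set srcaddr all
        set dstaddr "web vip"
        set action accept
        set service HTTPS
        set utm-status enable
        set logtraffic utm
    next
    edit 3
        set name "catch-all-deny"
        set srcaddr all
        set dstaddr all
        set action deny
        set service ALL
        set logtraffic all
        set match-vip enable
    next
end
"""

# Security-profile options; utm-status enable requires at least one of them.
PROFILE_KEYS = ("av-profile", "webfilter-profile", "dnsfilter-profile",
                "spamfilter-profile", "dlp-sensor", "ips-sensor",
                "application-list", "casi-profile", "voip-profile",
                "icap-profile", "waf-profile", "ssl-ssh-profile")


def parse_policies(text):
    """Return policies in table order as a list of (policyid, {option: [values]}).

    `set` replaces an option's values, `append` extends them; shlex handles
    quoted names such as "web vip". Absent options keep their FortiOS defaults.
    """
    policies, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2 and current is None:
            current = (int(tokens[1]), {})
        elif tokens[0] in ("set", "append") and current is not None:
            key, values = tokens[1], tokens[2:]
            if tokens[0] == "set":
                current[1][key] = values
            else:
                current[1].setdefault(key, []).extend(values)
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def first(opts, key, default=""):
    """First value of a single-valued option, or the given default when unset."""
    return (opts.get(key) or [default])[0]


def audit(policies):
    """Return (policyid, finding) pairs for the conditions described in this reference."""
    findings = []
    for pid, opts in policies:
        accept = first(opts, "action", "deny") == "accept"
        # logtraffic defaults to utm; an accept policy with logging off loses visibility.
        if accept and first(opts, "logtraffic", "utm") == "disable":
            findings.append((pid, "accept policy with logtraffic disable"))
        # utm-status enable requires at least one security profile on the policy.
        if first(opts, "utm-status", "disable") == "enable" \
                and not any(k in opts for k in PROFILE_KEYS):
            findings.append((pid, "utm-status enable but no security profile set"))
        # fixedport without an IP pool allows only one connection at a time per port.
        if first(opts, "fixedport") == "enable" and first(opts, "ippool") != "enable":
            findings.append((pid, "fixedport enable without ippool"))
        if accept and opts.get("srcaddr") == ["all"] and opts.get("dstaddr") == ["all"] \
                and opts.get("service") == ["ALL"]:
            findings.append((pid, "accept policy matching all addresses and services"))
    # match-vip section: only a logged deny-all with match-vip at the bottom of the
    # list catches DNATed packets that no VIP policy accepted.
    if policies:
        pid, opts = policies[-1]
        catch_all = (first(opts, "action", "deny") == "deny"
                     and opts.get("srcaddr") == ["all"] and opts.get("dstaddr") == ["all"]
                     and first(opts, "match-vip") == "enable"
                     and first(opts, "logtraffic", "utm") == "all")
        if not catch_all:
            findings.append((pid, "last policy is not a logged catch-all deny with match-vip"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

Run against the sample, the script reports policy 1 three times (logging disabled, fixedport without a pool, and an any-to-any accept) and policy 2 once (utm-status enabled without a profile); the final deny policy passes the bottom-of-list check. The same parser can be pointed at the output of `show firewall policy` from a real unit, since that output uses the same edit/set/next/end layout.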

diffserv-forward

Enables or disables application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, diffservcode-forward also needs to be configured.

Syntax:
set diffserv-forward {enable|disable}

Default value: disable

diffserv-reverse

Enables or disables application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, diffservcode-rev also needs to be configured.

Syntax:
set diffserv-reverse {enable | disable}

Default value: disable

diffservcode-forward

Used to set the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-forward is enabled.

Syntax:
set diffservcode-forward <binary>

Default value: 000000

Example:
config firewall policy
	edit 0
	set diffservcode-forward 001001
end

diffservcode-rev

Used to set the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-reverse is enabled.

Syntax:
set diffservcode-rev <binary>

Default value: 000000

tcp-mss-sender

Used to set the TCP Maximum Segment Size (MSS) number for the sender. When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because a PPPoE frame takes an extra 8 bytes off the standard Ethernet MTU of 1500. When the server sends the large packet with DF bit set to 1, the ADSL provider’s router either does not send an “ICMP fragmentation needed” packet or the packet is dropped along the path to the web server. In either case, the web server never knows fragmentation is required to reach the client.

Syntax:
set tcp-mss-sender <integer>

tcp-mss-receiver

Used to set the TCP MSS number for the receiver.

Syntax:
set tcp-mss-receiver <integer>

Default value: 0

comments

Field to store descriptive information about the policy such as its intended purpose and targets. The field is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

Syntax:
set comments <string>

Default value: 0

Example:
config firewall policy
	edit 0
	set comments "Default outgoing traffic policy for corporate users"
end

label

Used to set a label for this policy. The label is visible in the GUI in Section View.

Syntax:
set label <string>

global-label

Puts the policy in the named subsection in the web-based manager. The subsection is created if it does not already exist.

Syntax:
set global-label <string>

auth-cert

Used to select an HTTPS server certificate for policy authentication. self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead. This field is available only if the groups or users fields are specified.

Syntax:
set auth-cert <string>

auth-redirect-addr

Used to set the IP address or domain name to redirect user HTTP requests after accepting the authentication disclaimer. The redirect URL could be to a web page with extra information (for example, terms of usage). To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN). This field is available only if the groups or users fields are specified.

Syntax:
set auth-redirect-addr <string>

redirect-url

Set the URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer. This field is available only if disclaimer is set to enable.

Syntax:
set redirect-url <string>

identity-based-route

Used to specify an identity-based route to be associated with the policy. Identity-based routes are defined in firewall identity-based-route.

Syntax:
set identity-based-route <string>

block-notification

Enables or disables the feature that displays the Fortinet Bar in the browser when a site is blocked and provides a block page via HTTP/HTTPS.

Syntax:
set block-notification {enable|disable}

Default value: disable

custom-log-fields

Used to enter log field index numbers to append one or more custom log fields to the log message for this policy. This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. Separate multiple values with a space.

Syntax:
{set|append|clear} custom-log-fields <string> [<string> ...]

replacemsg-override-group

Used to select a replacement message override group from the available configured groups. This will override the default replacement message for this policy.

Syntax:
set replacemsg-override-group <string>

srcaddr-negate

Enables or disables the negate source address match function. When enabled, this causes the srcaddr field to specify what the source address must not be.

Syntax:
set srcaddr-negate {enable|disable}

Default value: disable

dstaddr-negate

Enables or disables the negate destination address match function. When enabled, this causes the dstaddr field to specify what the destination address must not be.

Syntax:
set dstaddr-negate {enable|disable}

Default value: disable

service-negate

Enables or disables the negate service match function. When enabled, this causes the service field to specify what the service traffic must not be.

Syntax:
set service-negate {enable|disable}

Default value: disable

timeout-send-rst

Enables or disables the sending of RST packet upon TCP session expiration.

Syntax:
set timeout-send-rst {enable|disable}

Default value: disable

captive-portal-exempt

Enables or disables the exemption of users of this policy from the captive portal interface.

Syntax:
set captive-portal-exempt {enable|disable}

Default value: disable

ssl-mirror

Enables or disables the SSL mirror function. This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving and analysis. This feature is only available if the inspection mode is set to flow-based.

Syntax:
set ssl-mirror {enable|disable}

Default value: disable

ssl-mirror-intf

Used to set the name of the SSL interface mirror. The value must be one of the existing interface names.

Syntax:
{set|append|clear} ssl-mirror-intf <string> [<string> ...]
Example:
config firewall policy
	edit 0
	set ssl-mirror-intf port11
	or ...
	set ssl-mirror-intf port12 port13
	or ...
	append ssl-mirror-intf port14
end

scan-botnet-connections

Sets the scanning level for traffic connecting to Botnet servers.

Syntax:
set scan-botnet-connections {disable | block | monitor}

Default value: disable

dsri

Enables or disables Disable Server Response Inspection (DSRI), which improves performance when only URL filtering is in use, since it allows the system to ignore the HTTP server responses.

Syntax:
set dsri {enable|disable}

Default value: disable

delay-tcp-npu-session

Enables or disables the TCP NPU session delay, which guarantees the packet order of the TCP 3-way handshake.

Syntax:
set delay-tcp-npu-session {enable|disable}

Default value: disable


Note on the Internet Service options: for all related commands to be available, both internet-service and internet-service-src must be set to enable. The full IPv4 and IPv6 policy command trees follow.

config firewall policy
    edit {policyid}
    # Configure IPv4 policies.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set name {string}   Policy name. size[35]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config srcintf
            edit {name}
            # Incoming (ingress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config dstintf
            edit {name}
            # Outgoing (egress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name,firewall.vip.name,firewall.vipgrp.name
            next
        set internet-service {enable | disable}   Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. 
        config internet-service-id
            edit {id}
            # Internet Service ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-custom
            edit {name}
            # Custom Internet Service name.
                set name {string}   Custom Internet Service name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        set internet-service-src {enable | disable}   Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. 
        config internet-service-src-id
            edit {id}
            # Internet Service source ID.
                set id {integer}   Internet Service ID. range[0-4294967295] - datasource(s): firewall.internet-service.id
            next
        config internet-service-src-custom
            edit {name}
            # Custom Internet Service source name.
                set name {string}   Custom Internet Service name. size[64] - datasource(s): firewall.internet-service-custom.name
            next
        set rtp-nat {disable | enable}   Enable Real Time Protocol (RTP) NAT.
        config rtp-addr
            edit {name}
            # Address names if this is an RTP NAT policy.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        set learning-mode {enable | disable}   Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
        set action {accept | deny | ipsec}   Policy action (allow/deny/ipsec).
                accept  Allows sessions that match the firewall policy.
                deny    Blocks sessions that match the firewall policy.
                ipsec   Firewall policy becomes a policy-based IPsec VPN policy.
        set send-deny-packet {disable | enable}   Enable to send a reply when a session is denied or blocked by a firewall policy.
        set firewall-session-dirty {check-all | check-new}   How to handle sessions if the configuration of this firewall policy changes.
                check-all  Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched with policies.
                check-new  Continue to allow sessions already accepted by this policy.
        set status {enable | disable}   Enable or disable this policy.
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        set schedule-timeout {enable | disable}   Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
        config service
            edit {name}
            # Service and service group names.
                set name {string}   Service and service group names. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set dscp-match {enable | disable}   Enable DSCP check.
        set dscp-negate {enable | disable}   Enable negated DSCP match.
        set dscp-value {string}   DSCP value.
        set tcp-session-without-syn {all | data-only | disable}   Enable/disable creation of TCP session without SYN flag.
                all        Enable TCP session without SYN.
                data-only  Enable TCP session data only.
                disable    Disable TCP session without SYN.
        set utm-status {enable | disable}   Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set dnsfilter-profile {string}   Name of an existing DNS filter profile. size[35] - datasource(s): dnsfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set voip-profile {string}   Name of an existing VoIP profile. size[35] - datasource(s): voip.profile.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set waf-profile {string}   Name of an existing Web application firewall profile. size[35] - datasource(s): waf.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set logtraffic {all | utm | disable}   Enable or disable logging. Log all sessions or security profile sessions.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set logtraffic-start {enable | disable}   Record logs when a session starts and ends.
        set capture-packet {enable | disable}   Enable/disable capture packets.
        set auto-asic-offload {enable | disable}   Enable/disable offloading security profile processing to CP processors.
        set np-acceleration {enable | disable}   Enable/disable UTM Network Processor acceleration.
        set wanopt {enable | disable}   Enable/disable WAN optimization.
        set wanopt-detection {active | passive | off}   WAN optimization auto-detection mode.
                active   Active WAN optimization peer auto-detection.
                passive  Passive WAN optimization peer auto-detection.
                off      Turn off WAN optimization peer auto-detection.
        set wanopt-passive-opt {default | transparent | non-transparent}   WAN optimization passive mode options. This option decides what IP address will be used to connect to the server.
                default          Allow client side WAN opt peer to decide.
                transparent      Use address of client to connect to server.
                non-transparent  Use local FortiGate address to connect to server.
        set wanopt-profile {string}   WAN optimization profile. size[35] - datasource(s): wanopt.profile.name
        set wanopt-peer {string}   WAN optimization peer. size[35] - datasource(s): wanopt.peer.peer-host-id
        set webcache {enable | disable}   Enable/disable web cache.
        set webcache-https {disable | enable}   Enable/disable web cache for HTTPS.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        config application
            edit {id}
            # Application ID list.
                set id {integer}   Application IDs. range[0-4294967295]
            next
        config app-category
            edit {id}
            # Application category ID list.
                set id {integer}   Category IDs. range[0-4294967295]
            next
        config url-category
            edit {id}
            # URL category ID list.
                set id {integer}   URL category ID. range[0-4294967295]
            next
        config app-group
            edit {name}
            # Application group names.
                set name {string}   Application group names. size[64] - datasource(s): application.group.name
            next
        set nat {enable | disable}   Enable/disable source NAT.
        set permit-any-host {enable | disable}   Accept UDP packets from any host.
        set permit-stun-host {enable | disable}   Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
        set fixedport {enable | disable}   Enable to prevent source NAT from changing a session's source port.
        set ippool {enable | disable}   Enable to use IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool.name
            next
        set session-ttl {integer}   TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). range[300-604800]
        set vlan-cos-fwd {integer}   VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set vlan-cos-rev {integer}   VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set inbound {enable | disable}   Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
        set outbound {enable | disable}   Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
        set natinbound {enable | disable}   Policy-based IPsec VPN: apply destination NAT to inbound traffic.
        set natoutbound {enable | disable}   Policy-based IPsec VPN: apply source NAT to outbound traffic.
        set wccp {enable | disable}   Enable/disable forwarding traffic matching this policy to a configured WCCP server.
        set ntlm {enable | disable}   Enable/disable NTLM authentication.
        set ntlm-guest {enable | disable}   Enable/disable NTLM guest user access.
        config ntlm-enabled-browsers
            edit {user-agent-string}
            # HTTP-User-Agent value of supported browsers.
                set user-agent-string {string}   User agent string. size[64]
            next
        set fsso {enable | disable}   Enable/disable Fortinet Single Sign-On.
        set wsso {enable | disable}   Enable/disable WiFi Single Sign On (WSSO).
        set rsso {enable | disable}   Enable/disable RADIUS single sign-on (RSSO).
        set fsso-agent-for-ntlm {string}   FSSO agent to use for NTLM authentication. size[35] - datasource(s): user.fsso.name
        config groups
            edit {name}
            # Names of user groups that can authenticate with this policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of individual users that can authenticate with this policy.
                set name {string}   Names of individual users that can authenticate with this policy. size[64] - datasource(s): user.local.name
            next
        config devices
            edit {name}
            # Names of devices or device groups that can be matched by the policy.
                set name {string}   Device or group name. size[35] - datasource(s): user.device.alias,user.device-group.name,user.device-category.name
            next
        set auth-path {enable | disable}   Enable/disable authentication-based routing.
        set disclaimer {enable | disable}   Enable/disable user authentication disclaimer.
        set vpntunnel {string}   Policy-based IPsec VPN: name of the IPsec VPN Phase 1. size[35] - datasource(s): vpn.ipsec.phase1.name,vpn.ipsec.manualkey.name
        set natip {ipv4 classnet}   Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
        set match-vip {enable | disable}   Enable to match packets that have had their destination addresses changed by a VIP.
        set diffserv-forward {enable | disable}   Enable to change packet's DiffServ values to the specified diffservcode-forward value.
        set diffserv-reverse {enable | disable}   Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
        set diffservcode-forward {string}   Change packet's DiffServ to this value.
        set diffservcode-rev {string}   Change packet's reverse (reply) DiffServ to this value.
        set tcp-mss-sender {integer}   Sender TCP maximum segment size (MSS). range[0-65535]
        set tcp-mss-receiver {integer}   Receiver TCP maximum segment size (MSS). range[0-65535]
        set comments {string}   Comment. size[1023]
        set label {string}   Label for the policy that appears when the GUI is in Section View mode. size[63]
        set global-label {string}   Label for the policy that appears when the GUI is in Global View mode. size[63]
        set auth-cert {string}   HTTPS server certificate for policy authentication. size[35] - datasource(s): vpn.certificate.local.name
        set auth-redirect-addr {string}   HTTP-to-HTTPS redirect address for firewall authentication. size[63]
        set redirect-url {string}   URL users are directed to after seeing and accepting the disclaimer or authenticating. size[255]
        set identity-based-route {string}   Name of identity-based routing rule. size[35] - datasource(s): firewall.identity-based-route.name
        set block-notification {enable | disable}   Enable/disable block notification.
        config custom-log-fields
            edit {field-id}
            # Custom fields to append to log messages for this policy.
                set field-id {string}   Custom log field. size[35] - datasource(s): log.custom-field.id
            next
        set replacemsg-override-group {string}   Override the default replacement message group for this policy. size[35] - datasource(s): system.replacemsg-group.name
        set srcaddr-negate {enable | disable}   When enabled srcaddr specifies what the source address must NOT be.
        set dstaddr-negate {enable | disable}   When enabled dstaddr specifies what the destination address must NOT be.
        set service-negate {enable | disable}   When enabled service specifies what the service must NOT be.
        set internet-service-negate {enable | disable}   When enabled internet-service specifies what the service must NOT be.
        set internet-service-src-negate {enable | disable}   When enabled internet-service-src specifies what the service must NOT be.
        set timeout-send-rst {enable | disable}   Enable/disable sending RST packets when TCP sessions expire.
        set captive-portal-exempt {enable | disable}   Enable to exempt some users from the captive portal.
        set ssl-mirror {enable | disable}   Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
        config ssl-mirror-intf
            edit {name}
            # SSL mirror interface name.
                set name {string}   Mirror Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        set scan-botnet-connections {disable | block | monitor}   Block or monitor connections to Botnet servers or disable Botnet scanning.
                disable  Do not scan connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set dsri {enable | disable}   Enable DSRI to ignore HTTP server responses.
        set radius-mac-auth-bypass {enable | disable}   Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
        set delay-tcp-npu-session {enable | disable}   Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
        set vlan-filter {string}   Set VLAN filters.
    next
end
config firewall policy6
    edit {policyid}
    # Configure IPv6 policies.
        set policyid {integer}   Policy ID. range[0-4294967294]
        set name {string}   Policy name. size[35]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        config srcintf
            edit {name}
            # Incoming (ingress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.zone.name,system.interface.name
            next
        config dstintf
            edit {name}
            # Outgoing (egress) interface.
                set name {string}   Interface name. size[64] - datasource(s): system.interface.name,system.zone.name
            next
        config srcaddr
            edit {name}
            # Source address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address and address group names.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name,firewall.vip6.name,firewall.vipgrp6.name
            next
        set action {accept | deny | ipsec}   Policy action (allow/deny/ipsec).
                accept  Allows sessions that match the firewall policy.
                deny    Blocks sessions that match the firewall policy.
                ipsec   Firewall policy becomes a policy-based IPsec VPN policy.
        set firewall-session-dirty {check-all | check-new}   How to handle sessions if the configuration of this firewall policy changes.
                check-all  Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched with policies.
                check-new  Continue to allow sessions already accepted by this policy.
        set status {enable | disable}   Enable or disable this policy.
        set vlan-cos-fwd {integer}   VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set vlan-cos-rev {integer}   VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. range[0-7]
        set schedule {string}   Schedule name. size[35] - datasource(s): firewall.schedule.onetime.name,firewall.schedule.recurring.name,firewall.schedule.group.name
        config service
            edit {name}
            # Service and service group names.
                set name {string}   Service and service group names. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set dscp-match {enable | disable}   Enable DSCP check.
        set dscp-negate {enable | disable}   Enable negated DSCP match.
        set dscp-value {string}   DSCP value.
        set tcp-session-without-syn {all | data-only | disable}   Enable/disable creation of TCP session without SYN flag.
                all        Enable TCP session without SYN.
                data-only  Enable TCP session data only.
                disable    Disable TCP session without SYN.
        set utm-status {enable | disable}   Enable AV/web/ips protection profile.
        set profile-type {single | group}   Determine whether the firewall policy allows security profile groups or single profiles only.
                single  Do not allow security profile groups.
                group   Allow security profile groups.
        set profile-group {string}   Name of profile group. size[35] - datasource(s): firewall.profile-group.name
        set av-profile {string}   Name of an existing Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile {string}   Name of an existing Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile {string}   Name of an existing Spam filter profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor {string}   Name of an existing DLP sensor. size[35] - datasource(s): dlp.sensor.name
        set ips-sensor {string}   Name of an existing IPS sensor. size[35] - datasource(s): ips.sensor.name
        set application-list {string}   Name of an existing Application list. size[35] - datasource(s): application.list.name
        set voip-profile {string}   Name of an existing VoIP profile. size[35] - datasource(s): voip.profile.name
        set icap-profile {string}   Name of an existing ICAP profile. size[35] - datasource(s): icap.profile.name
        set ssh-filter-profile {string}   Name of an existing SSH filter profile. size[35] - datasource(s): ssh-filter.profile.name
        set profile-protocol-options {string}   Name of an existing Protocol options profile. size[35] - datasource(s): firewall.profile-protocol-options.name
        set ssl-ssh-profile {string}   Name of an existing SSL SSH profile. size[35] - datasource(s): firewall.ssl-ssh-profile.name
        set logtraffic {all | utm | disable}   Enable or disable logging. Log all sessions or security profile sessions.
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set logtraffic-start {enable | disable}   Record logs when a session starts and ends.
        set auto-asic-offload {enable | disable}   Enable/disable policy traffic ASIC offloading.
        set np-acceleration {enable | disable}   Enable/disable UTM Network Processor acceleration.
        set traffic-shaper {string}   Traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set traffic-shaper-reverse {string}   Reverse traffic shaper. size[35] - datasource(s): firewall.shaper.traffic-shaper.name
        set per-ip-shaper {string}   Per-IP traffic shaper. size[35] - datasource(s): firewall.shaper.per-ip-shaper.name
        config application
            edit {id}
            # Application ID list.
                set id {integer}   Application IDs. range[0-4294967295]
            next
        config app-category
            edit {id}
            # Application category ID list.
                set id {integer}   Category IDs. range[0-4294967295]
            next
        config url-category
            edit {id}
            # URL category ID list.
                set id {integer}   URL category ID. range[0-4294967295]
            next
        config app-group
            edit {name}
            # Application group names.
                set name {string}   Application group names. size[64] - datasource(s): application.group.name
            next
        set nat {enable | disable}   Enable/disable source NAT.
        set fixedport {enable | disable}   Enable to prevent source NAT from changing a session's source port.
        set ippool {enable | disable}   Enable to use IP Pools for source NAT.
        config poolname
            edit {name}
            # IP Pool names.
                set name {string}   IP pool name. size[64] - datasource(s): firewall.ippool6.name
            next
        set session-ttl {integer}   Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL. range[300-604800]
        set inbound {enable | disable}   Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
        set outbound {enable | disable}   Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
        set natinbound {enable | disable}   Policy-based IPsec VPN: apply destination NAT to inbound traffic.
        set natoutbound {enable | disable}   Policy-based IPsec VPN: apply source NAT to outbound traffic.
        set send-deny-packet {enable | disable}   Enable/disable return of deny-packet.
        set vpntunnel {string}   Policy-based IPsec VPN: name of the IPsec VPN Phase 1. size[35] - datasource(s): vpn.ipsec.phase1.name,vpn.ipsec.manualkey.name
        set diffserv-forward {enable | disable}   Enable to change packet's DiffServ values to the specified diffservcode-forward value.
        set diffserv-reverse {enable | disable}   Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
        set diffservcode-forward {string}   Change packet's DiffServ to this value.
        set diffservcode-rev {string}   Change packet's reverse (reply) DiffServ to this value.
        set tcp-mss-sender {integer}   Sender TCP maximum segment size (MSS). range[0-65535]
        set tcp-mss-receiver {integer}   Receiver TCP maximum segment size (MSS). range[0-65535]
        set comments {string}   Comment. size[1023]
        set label {string}   Label for the policy that appears when the GUI is in Section View mode. size[63]
        set global-label {string}   Label for the policy that appears when the GUI is in Global View mode. size[63]
        set rsso {enable | disable}   Enable/disable RADIUS single sign-on (RSSO).
        config custom-log-fields
            edit {field-id}
            # Log field index numbers to append custom log fields to log messages for this policy.
                set field-id {string}   Custom log field. size[35] - datasource(s): log.custom-field.id
            next
        set replacemsg-override-group {string}   Override the default replacement message group for this policy. size[35] - datasource(s): system.replacemsg-group.name
        set srcaddr-negate {enable | disable}   When enabled srcaddr specifies what the source address must NOT be.
        set dstaddr-negate {enable | disable}   When enabled dstaddr specifies what the destination address must NOT be.
        set service-negate {enable | disable}   When enabled service specifies what the service must NOT be.
        config groups
            edit {name}
            # Names of user groups that can authenticate with this policy.
                set name {string}   Group name. size[64] - datasource(s): user.group.name
            next
        config users
            edit {name}
            # Names of individual users that can authenticate with this policy.
                set name {string}   Names of individual users that can authenticate with this policy. size[64] - datasource(s): user.local.name
            next
        config devices
            edit {name}
            # Names of devices or device groups that can be matched by the policy.
                set name {string}   Device or group name. size[35] - datasource(s): user.device.alias,user.device-group.name,user.device-category.name
            next
        set timeout-send-rst {enable | disable}   Enable/disable sending RST packets when TCP sessions expire.
        set ssl-mirror {enable | disable}   Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
        config ssl-mirror-intf
            edit {name}
            # SSL mirror interface name.
                set name {string}   Interface name. size[64] - datasource(s): system.zone.name,system.interface.name
            next
        set dsri {enable | disable}   Enable DSRI to ignore HTTP server responses.
        set vlan-filter {string}   Set VLAN filters.
    next
end
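
As an added example (not Fortinet's code), the following Python parses a policy dump written in the config/edit/set/next/end syntax shown in the tree above, handling quoted and multi-value set lines, and then runs a defender's review over it that flags the settings described in the option sections above (wide-open accept policies, disabled logging, service-negate, dsri, ssl-mirror and its interfaces, scan-botnet-connections). SAMPLE_DUMP and the review rules are constructed for illustration; the rules are review heuristics, not FortiOS behaviour.

```python
"""Parse a FortiOS 'config firewall policy' dump and flag settings worth review.

Added example, not Fortinet code. SAMPLE_DUMP is constructed from the option
syntax in this reference; the review rules are illustrative heuristics.
"""
import shlex

# Constructed sample in the config/edit/set/next/end syntax used by the CLI.
SAMPLE_DUMP = """\
config firewall policy
    edit 1
        set name "allow-web-out"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "mirror-decrypted"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set service-negate enable
        set logtraffic disable
        set dsri enable
        set ssl-mirror enable
        set ssl-mirror-intf "port11" "port12"
        set scan-botnet-connections disable
    next
end
"""


def parse_config(text):
    """Return nested dicts: {table: {entry_id: {key: [values] or nested table}}}.

    'config' opens a table, 'edit' opens an entry, 'set' stores a list of
    values (quoted strings and multi-value lines are split by shlex), and
    'next'/'end' close the current level.
    """
    root = {}
    stack = [root]  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def review_policy(policy):
    """Return review findings for one parsed policy entry (heuristics only)."""
    def first(key, default=""):
        values = policy.get(key)
        return values[0] if values else default

    findings = []
    if (first("action") == "accept" and "all" in policy.get("srcaddr", [])
            and "all" in policy.get("dstaddr", [])):
        findings.append("accept policy with srcaddr=all and dstaddr=all")
    if first("logtraffic") == "disable":
        findings.append("logging disabled for this policy (logtraffic disable)")
    if first("service-negate") == "enable":
        findings.append("service-negate enabled: service list is an exclusion list")
    if first("dsri") == "enable":
        findings.append("dsri enabled: HTTP server responses are not inspected")
    if first("ssl-mirror") == "enable":
        intfs = ", ".join(policy.get("ssl-mirror-intf", [])) or "no interface"
        findings.append(f"decrypted SSL traffic mirrored to {intfs}")
    # Default per this reference is 'disable', so an absent key counts as off.
    if first("scan-botnet-connections", "disable") == "disable":
        findings.append("botnet connection scanning disabled")
    return findings


def review_dump(text):
    """Map each policy id in the dump to its list of findings."""
    policies = parse_config(text).get("firewall policy", {})
    return {pid: review_policy(entry) for pid, entry in policies.items()}


if __name__ == "__main__":
    for pid, findings in review_dump(SAMPLE_DUMP).items():
        print(f"policy {pid}:")
        for finding in findings:
            print(f"  - {finding}")
```

Feed it the output of `show firewall policy` to review a real configuration; nested config blocks inside an entry are parsed into sub-tables.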

Additional information

The following section is for those options that require additional explanation.

Managing policy objects

The configuration of specific policy options or settings is the most common activity when using the firewall policy command but some commands affect the policy objects as a whole.

edit

Used to select which individual policy to configure or edit values.

Syntax:
edit <policyid>
  • Choosing 0 as the <policyid> will add a new policy using the next available number as the <policyid>. While first editing the policy, the context at the command prompt will indicate that the <policyid> is 0, but subsequent editing will require going to the new <policyid>.

delete

Used to delete an existing firewall policy.

Syntax:
delete <policyid>
  • The <policyid> can be an integer value between 0 and 4294967294

purge

Used to delete all of the existing firewall policies. It deletes all of the values within the table that holds the information about firewall policies within the VDOM.

Syntax:
purge
  • There are no options, parameters or qualifiers. Just use the enter key after entering the command
  • This command has a serious impact. Use cautiously.

move

Used to move the position of a policy, relative to another policy, in the sequence order of how policies are applied.

Syntax:
move <policyid> {after | before} <policyid>

clone

Used to copy all of the attributes of an existing policy to another policy.

Syntax:
clone <policyid> to <policyid>

Options and settings within a policy

name

A unique name given to the policy. By default, this is a required field but the requirement can be disabled.

Syntax:
set name <string>
Examples:
config firewall policy
	edit 0
	set name example
	or ...
	set name "example policy name"
end

uuid

Each policy has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128-bit value written in hexadecimal. It can be edited.

Syntax:
set uuid <uuid_value>

Default value: autogenerated

Example:
config firewall policy
	edit 0
	set uuid a3c9ccb8-a84a-51e6-d72c-6a5189cadb83
end

srcintf

Sets the source interface of the traffic that the policy will manage. The value is a <string> that should be the name of one of the existing interfaces configured on the device. Separate multiple interfaces with a space.

Syntax:
{set|append} srcintf <name_of_interface> [<name_of_interface> ...]
Example:
config firewall policy
	edit 0
	set srcintf port1 
	or ...
	set srcintf port2 port3 
	or ...
	append srcintf port4
end

dstintf

Sets the destination interface of the traffic that the policy will manage. The value is a <string> that should be the name of one of the existing interfaces configured on the device. Separate multiple interfaces with a space.

Syntax:
{set|append} dstintf <name_of_interface> [<name_of_interface> ...]
Example:
config firewall policy
	edit 0
	set dstintf port11 
	or ...
	set dstintf port12 port13 
	or ...
	append dstintf port14
end

srcaddr

Sets the source address object(s) whose traffic will be managed by this policy. More than one object can be assigned to this option. Separate multiple addresses with a space.

Syntax:
{set|append} srcaddr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0 
	set srcaddr example_address1 
	or ...
	set srcaddr "example address2" "example_address3"
	or ...
	append srcaddr example_address4
end

dstaddr

Sets the destination address object(s) whose traffic will be managed by this policy. More than one object can be assigned to this option. Separate multiple addresses with a space.

Syntax:
{set|append} dstaddr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0
	set dstaddr example_address1
	or ... 
	set dstaddr "example address2" "example_address3"
	or ...
	append dstaddr example_address4 
end

rtp-nat

Enables or disables the application of source NAT to RTP packets received by the firewall policy. This field is used for redundant SIP configurations. If rtp-nat is enabled you must add one or more firewall addresses to the rtp-addr field.

Syntax:
set rtp-nat {enable|disable}

Default value: disable

rtp-addr

Used to enter one or more RTP firewall addresses for the policy. This field is only available when rtp-nat is enabled. Separate multiple addresses with a space.

Syntax:
{set|append} rtp-addr <address_object> [<address_object> ...]
Examples:
config firewall policy
	edit 0
	set rtp-addr example_address1
	or ...
	set rtp-addr "example address 2" "example_address3"
	or ...
	append rtp-addr example_address4
end

learning-mode

Enables or disables a specialized action option that monitors and logs traffic based on hard coded security profiles.

Syntax:
set learning-mode {enable|disable}

Default value: disable

action

Sets the action that the FortiGate unit will perform on traffic matching this firewall policy.

  • accept — Allow packets that match the firewall policy. Optionally, also enable nat to make this a NAT policy (NAT mode only).
  • deny — Deny packets that match the firewall policy.
  • ipsec — Allow and apply IPSec VPN. You must specify the vpntunnel attribute. You may also enable or disable the inbound, outbound, natoutbound, and natinbound attributes and/or specify a natip value.

Limitations:

  • If learning-mode is enabled the action setting will not be available.
  • For IPv6 policies, only the accept and deny options are available.
Syntax:
set action {accept|deny|ipsec}

Default value: deny

Examples:
config firewall policy
	edit 0
	set action accept
end

send-deny-packet

Enables or disables the ability to send a packet in reply to denied TCP, UDP or ICMP traffic. When deny‑tcp‑with‑icmp is enabled in system settings, a Communication Prohibited ICMP packet is sent. Otherwise, denied TCP traffic is sent a TCP reset.

Syntax:
set send-deny-packet {enable|disable}

Default value: disable

firewall-session-dirty

Used to determine whether changes to a firewall policy affect all sessions or just new ones.

  • check‑all — flushes all current sessions in order to re-evaluate them
  • check‑new — keeps existing sessions and applies policy change only to new sessions

This field is available if firewall-session-dirty in config system settings is set to check‑policy‑option.

Syntax:
set firewall-session-dirty {check-all|check-new}

Default value: check-all

Examples:
config firewall policy
	edit 0
	set firewall-session-dirty check-new
end

status

Enables or disables a policy.

Syntax:
set status {enable|disable}

Default value: enable

schedule

Sets the schedule used by the policy. The variable is the name of an existing one-time or recurring schedule, or of a schedule group.

Syntax:
set schedule <schedule_object>
Examples:
config firewall policy
	edit 0
	set schedule work_week
end

schedule-timeout

When enabled, sessions are forced to end when the schedule's end time is reached. If disabled, sessions can go past the schedule's end time, but no new sessions can start.

Syntax:
set schedule-timeout {enable|disable}

Default value: disable

service

Used to set the services matched by the policy. The variable can be one or more services or service groups. Separate multiple services with a space.

Syntax:
{set|append} service <service_object> [<service_object> ...]
Examples:
config firewall policy
	edit 0
	set service http
	or ...
	set service http "Email Access"
	or ...
	append service ftp
end

utm-status

Enables or disables adding security profiles on the firewall policy. If enabled, at least one profile must be added to the policy. This setting is not available until the source, destination, and action (accept) parameters of the policy have been configured.

Syntax:
set utm-status {enable|disable}

Default value: disable

profile-type

Sets whether individual UTM profiles or a UTM profile group are applied to the firewall policy.

Syntax:
set profile-type {single | group}

Default value: single

Examples:
config firewall policy
	edit 0
	set profile-type group
end

profile-group

Sets the name of the UTM profile group used by the firewall policy. This option is available only if profile-type is set to group.

Syntax:
set profile-group <string>
Examples:
config firewall policy
	edit 0
	set profile-group example_profile_group
end

av-profile

Sets the name of the antivirus profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set av-profile <string>
Examples:
config firewall policy
	edit 0
	set av-profile default_av_profile
end

webfilter-profile

Sets the name of the webfilter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set webfilter-profile <string>
Example:
config firewall policy
	edit 0
	set webfilter-profile "example web profile"
end

dnsfilter-profile

Sets the name of the DNS filter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set dnsfilter-profile <string>
Examples:
config firewall policy
	edit 0
	set dnsfilter-profile dns_for_developers
end

spamfilter-profile

Sets the name of the spam filter profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set spamfilter-profile <string>
Examples:
config firewall policy
	edit 0
	set spamfilter-profile spam-filter1
end

dlp-sensor

Sets the name of the DLP sensor profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set dlp-sensor <string>
Examples:
config firewall policy
	edit 0
	set dlp-sensor dlp-classified
end

ips-sensor

Sets the name of the IPS profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set ips-sensor <string>
Examples:
config firewall policy
	edit 0
	set ips-sensor production_ips
end

application-list

Sets the name of the pre-packaged list of applications associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set application-list <string>
Examples:
config firewall policy
	edit 0
	set application-list allowed-apps
end

casi-profile

Sets the name of the CASI profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set casi-profile <string>
Examples:
config firewall policy
	edit 0
	set casi-profile casi-default
end

voip-profile

Sets the name of the VoIP profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set voip-profile <string>
Examples:
config firewall policy
	edit 0
	set voip-profile voip-example
end

icap-profile

Sets the name of the ICAP profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set icap-profile <string>
Examples:
config firewall policy
	edit 0
	set icap-profile icap-test
end

waf-profile

Sets the name of the WAF profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set waf-profile <string>
Examples:
config firewall policy
	edit 0
	set waf-profile waf-profile1
end

profile-protocol-options

Sets the name of the protocol options profile associated with the firewall policy.

Syntax:
set profile-protocol-options <string>
Examples:
config firewall policy
	edit 0
	set profile-protocol-options company_default
end

ssl-ssh-profile

Sets the name of the SSL/SSH profile associated with the firewall policy. This field is available only if utm-status is enabled.

Syntax:
set ssl-ssh-profile <string>
Examples:
config firewall policy
	edit 0
	set ssl-ssh-profile default-profile
end

logtraffic

Used to set how traffic logs are recorded for this policy.

  • all - record logs for all traffic accepted by this policy
  • utm - record logs only for traffic that has a security profile applied to it
  • disable - disable logging for this policy
Syntax:
set logtraffic {all | utm | disable}

Default value: utm

Example:
config firewall policy
	edit 0
	set logtraffic utm
end

logtraffic-start

Enables or disables the ability to log session starts and stops.

Syntax:
set logtraffic-start {enable|disable}

Default value: disable
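
What the logtraffic and logtraffic-start settings produce can be checked from the log stream itself. The following is an added Python example, not Fortinet code: a small parser for FortiGate-style key=value traffic log lines, run over a few constructed sample records (the lines, policy ids and addresses are made up for the example, not captured from a unit). It counts the actions logged per policyid and lists which policies emit session-start records, which is the visible effect of logtraffic-start being enabled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the FortiGate key=value traffic-log style; they are
# illustrative, not captured from a real unit. Policy 2 stands for a policy with
# logtraffic all and logtraffic-start enabled, policy 1 for a deny policy, and
# policyid 0 for the implicit deny at the bottom of the policy list.
SAMPLE_LOG = """\
date=2018-05-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.1.2.3 srcport=51000 dstip=93.184.216.34 dstport=443 proto=6 policyid=2 action="accept" utmaction="allow" sentbyte=1200 rcvdbyte=5400
date=2018-05-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.1.2.3 srcport=51001 dstip=93.184.216.34 dstport=443 proto=6 policyid=2 action="start"
date=2018-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=172.16.0.5 srcport=40000 dstip=10.1.2.9 dstport=22 proto=6 policyid=1 action="deny" sentbyte=0 rcvdbyte=0
date=2018-05-01 time=10:00:07 type="traffic" subtype="forward" srcip=10.1.2.4 srcport=51002 dstip=10.1.2.9 dstport=22 proto=6 policyid=0 action="deny" msg="Denied by forward policy check"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_log(text):
    """Parse every non-empty line of a log excerpt."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(text):
    """Count logged actions per policy: {policyid: Counter({action: n})}.
    A policy with logtraffic disable simply never shows up here."""
    per_policy = defaultdict(Counter)
    for rec in parse_log(text):
        if rec.get("type") == "traffic":
            per_policy[rec.get("policyid", "?")][rec.get("action", "?")] += 1
    return dict(per_policy)


def session_start_policies(text):
    """Policies that emit session-start records, i.e. have logtraffic-start enabled."""
    return {rec["policyid"] for rec in parse_log(text) if rec.get("action") == "start"}


if __name__ == "__main__":
    for policyid, actions in sorted(summarize(SAMPLE_LOG).items()):
        print(policyid, dict(actions))
    print("start records from policies:", session_start_policies(SAMPLE_LOG))
```

The quoted-value handling matters in practice: fields such as msg contain spaces, so splitting on whitespace would corrupt the record. Records with policyid 0 are the ones that fell through to the implicit deny, which is where match-vip (described later on this page) becomes relevant.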

capture-packet

Enables or disables the packet capture feature. This option is available only if the logtraffic setting is all or utm.

Syntax:
set capture-packet {enable|disable}

Default value: disable

auto-asic-offload

Enables or disables offloading policy traffic to CPx processors. Disabling auto-asic-offload also disables offloading traffic to NPx processors.

Syntax:
set auto-asic-offload {enable|disable}

Default value: enable

wanopt

Enables or disables the use of the WAN optimization feature on this policy. This feature is available only if the action setting is accept.

Syntax:
set wanopt {enable|disable}

Default value: disable

wanopt-detection

Used to select the wanopt peer auto-detection mode.

Syntax:
set wanopt-detection {active | passive | off}

Default value: off

Example:
config firewall policy
	edit 0
	set wanopt-detection active
end

wanopt-passive-opt

Used to set passive WAN Optimization policy address translation behavior.

  • default - Use the transparent setting in the WAN Optimization profile added to the active policy (client-side configuration).
  • transparent - Impose transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate keep their original source addresses.
  • non-transparent - Impose non-transparent mode (override the active policy transparent mode setting). Packets exiting the FortiGate have their source address changed to the address of the server-side FortiGate unit interface that sends the packets to the servers.
Syntax:
set wanopt-passive-opt {default | transparent | non-transparent}

Default value: default

Example:
config firewall policy
	edit 0
	set wanopt-passive-opt transparent
end

wanopt-profile

Sets the name of the WAN optimization profile associated with the firewall policy.

Syntax:
set wanopt-profile <string>
Example:
config firewall policy
	edit 0
	set wanopt-profile "Company default WANopt"
end

wanopt-peer

Used to set the WAN optimization peer.

Syntax:
set wanopt-peer <string>

webcache

Enables or disables the WAN optimization web caching for HTTP traffic accepted by the firewall policy. This option is available only on FortiGate units that support WAN Optimization and web caching.

Syntax:
set webcache {enable|disable}

Default value: disable

webcache-https

Sets the level of webcaching for HTTPS traffic.

  • disable — no caching of HTTPS traffic
  • enable — caching of HTTPS traffic

This field is available only if webcache is enabled. This field is not available if srcintf is ftp-proxy or wanopt.

Syntax:
set webcache-https {disable | enable}

Default value: disable

Example:
config firewall policy
	edit 0
	set webcache enable
	set webcache-https enable
end

traffic-shaper

Select a traffic shaper for the policy. A traffic shaper controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.

Syntax:
set traffic-shaper <string>

traffic-shaper-reverse

Select a reverse traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Syntax:
set traffic-shaper-reverse <string>

per-ip-shaper

Enter the name of the per-IP traffic shaper to associate with this policy. For information about per-IP traffic shapers, see firewall shaper per-ip-shaper.

Syntax:
set per-ip-shaper <string>

nat

Enables or disables the use of Network Address Translation (NAT)

Syntax:
set nat {enable|disable}

Default value: disable

permit-any-host

Enables or disables the ability to accept UDP packets from any host. This can help support the FaceTime application on NAT’d iPhones.

Syntax:
set permit-any-host {enable|disable}

Default value: disable

permit-stun-host

Enables or disables the ability to accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. This can help support the FaceTime application on NAT’d iPhones.

Syntax:
set permit-stun-host {enable|disable}

Default value: disable

fixedport

Enables or disables the ability to preserve packets’ source port number, which may otherwise be changed by a NAT policy. Some applications do not function correctly if the source port number is changed, and may require this option. If fixedport is enabled, you should usually also enable IP pools; if you do not configure an IP pool for the policy, only one connection can occur at a time for this port.

Syntax:
set fixedport {enable|disable}

Default value: disable

ippool

Enables or disables the use of ippools for NAT. When the action is set to accept and NAT is enabled, the ippool function allows a NAT policy to translate the source address to an address randomly selected from the first IP pool added to the destination interface of the policy.

Syntax:
set ippool {enable|disable}

Default value: disable

poolname

The name of the IP pool to be used for NAT. To use this option requires that ippool be enabled. Separate multiple addresses with a space.

Syntax:
{set|append} poolname <ippool> [<ippool> ...]
Example:
config firewall policy
	edit 0
	set poolname testpool1
	or ...
	append poolname "testpool 1" "testpool2"
	or ...
	clear poolname
end
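
The interaction between fixedport, ippool and poolname described above (one connection per preserved source port unless a pool supplies more NAT addresses) is easiest to see in a small model. The following is an added Python example, a toy source-NAT allocator written for this page; it is not FortiOS code and does not reproduce how the unit selects pool addresses (the page says the address is chosen randomly from the pool, while this model takes the first free one so that its results are predictable). The class and function names and the 203.0.113.x pool addresses are this example's own.

```python
import itertools


class SourceNat:
    """Toy source-NAT allocator (constructed model, not FortiOS code).

    pool_ips  - NAT addresses available: one interface address, or an IP pool
    fixedport - True keeps the original source port (FortiOS fixedport enable)
    ephemeral - ports the allocator may rewrite to when fixedport is disabled
    """

    def __init__(self, pool_ips, fixedport=False, ephemeral=range(1024, 65536)):
        self.pool_ips = list(pool_ips)
        self.fixedport = fixedport
        self.ephemeral = ephemeral
        self.in_use = set()   # (nat_ip, nat_port) tuples already handed out
        self.table = {}       # (src_ip, src_port) -> (nat_ip, nat_port)

    def translate(self, src_ip, src_port):
        """Return the (nat_ip, nat_port) for a flow, or None if no tuple is free."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]
        # With fixedport the only candidate port is the original one; otherwise
        # the original port is tried first and an ephemeral port is used on conflict.
        ports = [src_port] if self.fixedport else itertools.chain([src_port], self.ephemeral)
        for port in ports:
            for nat_ip in self.pool_ips:
                if (nat_ip, port) not in self.in_use:
                    self.in_use.add((nat_ip, port))
                    self.table[key] = (nat_ip, port)
                    return nat_ip, port
        return None


def demo():
    """Two inside hosts both use source port 5060 (as SIP phones typically do)."""
    single = SourceNat(["203.0.113.1"], fixedport=True)            # fixedport, no ippool
    pooled = SourceNat(["203.0.113.10", "203.0.113.11"], fixedport=True)  # fixedport + ippool
    pat = SourceNat(["203.0.113.1"], fixedport=False)              # ordinary port translation
    return {
        "single_first": single.translate("10.1.2.3", 5060),   # ('203.0.113.1', 5060)
        "single_second": single.translate("10.1.2.4", 5060),  # None: port 5060 already taken
        "pooled_first": pooled.translate("10.1.2.3", 5060),   # ('203.0.113.10', 5060)
        "pooled_second": pooled.translate("10.1.2.4", 5060),  # ('203.0.113.11', 5060)
        "pat_first": pat.translate("10.1.2.3", 5060),         # ('203.0.113.1', 5060)
        "pat_second": pat.translate("10.1.2.4", 5060),        # ('203.0.113.1', 1024): port rewritten
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The single/fixedport case is the failure mode the text warns about: the second phone cannot get a session at all until the first one's session expires, which shows up as intermittent application failures rather than an obvious error. Adding a pool (poolname) gives the allocator more addresses to pair with the preserved port.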

session-ttl

Used to set a timeout value in the policy that overrides the global timeout defined with config system session-ttl. At the default value of 0 the override is not applied. The value is in seconds.

Syntax:
set session-ttl <integer>

Default value: 0

Example:
config firewall policy
	edit 0
	set session-ttl 3600
end

vlan-cos-fwd

Used to set the VLAN forward direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.

Syntax:
set vlan-cos-fwd <integer>

Default value: 255

Example:
config firewall policy
	edit 0
	set vlan-cos-fwd 7
end

vlan-cos-rev

Used to set the VLAN reverse direction user priority, CoS. Range 0 (lowest) to 7 (highest), 255 for passthrough.

Syntax:
set vlan-cos-rev <integer>

Default value: 255

Example:
config firewall policy
	edit 0
	set vlan-cos-rev 3
end

inbound

When action is set to ipsec, this setting enables or disables traffic from computers on the remote private network to initiate an IPSec VPN tunnel.

Syntax:
set inbound {enable | disable}

Default value: disable

outbound

When action is set to ipsec, this setting enables or disables traffic from computers on the local private network to initiate an IPSec VPN tunnel.

Syntax:
set outbound {enable | disable}

Default value: disable

natinbound

Enables or disables translating the source addresses of IP packets emerging from an IPsec tunnel into the IP address of the FortiGate unit’s network interface to the local private network. This option appears only if action is ipsec.

Syntax:
set natinbound {enable | disable}

Default value: disable

natoutbound

Enables or disables translating the source addresses of outbound encrypted packets into the IP address of the FortiGate unit’s outbound interface. Enable this attribute in combination with the natip attribute to change the source addresses of IP packets before they go into the tunnel. This option appears only if action is ipsec.

Syntax:
set natoutbound {enable | disable}

Default value: disable

wccp

Enables or disables Web Cache Coordination Protocol (WCCP). If enabled, the traffic accepted by this policy is sent to a configured WCCP server as configured by the config system wccp command.

Syntax:
set wccp {enable|disable}

Default value: disable

ntlm

Enables or disables Directory Service authentication via NTLM. If you enable this option, you must also define the user groups. This field is available only if the groups or users fields are specified.

Syntax:
set ntlm {enable|disable}

Default value: disable

ntlm-guest

Enables or disables NTLM guest user access.

Syntax:
set ntlm-guest {enable|disable}

Default value: disable

ntlm-enabled-browsers

Sets the value for the HTTP-User-Agent of supported browsers. Enclose each string in quotes and separate strings with a space. Browsers with non-matching strings get guest access.

Syntax:
{set|append|clear} ntlm-enabled-browsers <user_agent_string>

fsso

Enables or disables Fortinet Single Sign On. This field is available when groups is populated.

Syntax:
set fsso {enable|disable}

Default value: enable

wsso

Enables or disables WiFi Single Sign On.

Syntax:
set wsso {enable|disable}

Default value: disable

rsso

Enables or disables RADIUS-based single sign-on (SSO) for this policy.

Syntax:
set rsso {enable|disable}

Default value: disable

fsso-agent-for-ntlm

Specify FSSO agent for NTLM authentication.

Syntax:
set fsso-agent-for-ntlm <string>

groups

A listing of the names of the user groups allowed to use this policy. Separate multiple groups with a space.

Syntax:
{set|append} groups <user-group_object> [<user-group_object> ...]
Examples:
config firewall policy
	edit 0
	set groups group1
	or ...
	set groups group2 "Group 3"
	or ...
	append groups group4
end

users

A listing of the names of the users allowed to use this policy. Separate multiple users with a space.

Syntax:
{set|append} users <user_object> [<user_object> ...]
Examples:
config firewall policy
	edit 0
	set users adam
	or ...
	set users burt "Charlie C"
	or ...
	append users david
end

devices

A listing of the names of devices or device categories that apply to this policy. Separate multiple devices with a space.

Syntax:
{set|append} devices <device_object> [<device_object> ...]
Examples:
config firewall policy
	edit 0
	set devices "adams pc"
	or ...
	set devices bob-pc linux-pc
	or ...
	append devices windows-pc
end

auth-path

Enables or disables authentication-based routing. You must also specify a RADIUS server, and the RADIUS server must be configured to supply the name of an object specified in config router auth-path. For details on configuring authentication-based routes, see router auth-path. This field is available only when the FortiGate unit is operating in NAT mode and the groups or users fields are specified.

Syntax:
set auth-path {enable|disable}

Default value: disable

disclaimer

Enables or disables the display of the authentication disclaimer page, which is configured with other replacement messages. The user must accept the disclaimer to connect to the destination.

Syntax:
set disclaimer {enable|disable}

Default value: disable

vpntunnel

Sets the name of a Phase 1 IPSec VPN configuration to apply to the IPsec tunnel. This field is available only if action is ipsec.

Syntax:
set vpntunnel <string>
Example:
config firewall policy
	edit 0
	set vpntunnel "TunnelA Phase 1"
end

natip

Used to specify the source IP address and subnet mask to apply to outbound clear text packets before they are sent through the tunnel. If you do not specify a natip value when natoutbound is enabled, the source addresses of outbound encrypted packets are translated into the IP address of the FortiGate unit’s external interface. When a natip value is specified, the FortiGate unit uses a static subnetwork-to-subnetwork mapping scheme to translate the source addresses of outbound IP packets into corresponding IP addresses on the subnetwork that you specify. For example, if the source address in the firewall encryption policy is 192.168.1.0/24 and the natip value is 172.16.2.0/24, a source address of 192.168.1.7 will be translated to 172.16.2.7. This field is available only if action is ipsec and natoutbound is enabled.

Syntax:
set natip <IP_address> <IPv4mask>
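
The subnetwork-to-subnetwork mapping described above, as an added Python example (not Fortinet code, and not a description of how FortiOS implements it internally): the host part of the source address is kept and the network part is replaced by the natip network, which is exactly why 192.168.1.7 becomes 172.16.2.7. The function names and the acceptance of both the "a.b.c.d/len" form and the CLI's "a.b.c.d m.m.m.m" form are this example's own; it also checks the two preconditions a static mapping needs (the address must lie in the policy's srcaddr subnet, and both subnets must have the same mask).

```python
import ipaddress


def _as_network(spec):
    """Accept "172.16.2.0/24" or the CLI form "172.16.2.0 255.255.255.0"."""
    return ipaddress.IPv4Network("/".join(spec.split()), strict=False)


def natip_translate(src_ip, policy_srcaddr, natip):
    """Static subnet-to-subnet translation: keep the host bits of src_ip,
    replace its network bits with those of the natip subnet."""
    host = ipaddress.IPv4Address(src_ip)
    src_net = _as_network(policy_srcaddr)
    nat_net = _as_network(natip)
    if host not in src_net:
        raise ValueError(f"{host} is not covered by policy srcaddr {src_net}")
    if src_net.prefixlen != nat_net.prefixlen:
        raise ValueError(f"srcaddr {src_net} and natip {nat_net} must use the same mask")
    host_bits = int(host) & int(src_net.hostmask)
    return str(ipaddress.IPv4Address(int(nat_net.network_address) | host_bits))


if __name__ == "__main__":
    # The page's own example: 192.168.1.0/24 mapped onto 172.16.2.0/24
    print(natip_translate("192.168.1.7", "192.168.1.0/24", "172.16.2.0 255.255.255.0"))
```

Because the mapping is bit-for-bit on the host part, it generalises to any prefix length: with a /16 srcaddr of 10.1.0.0 and a natip of 172.16.0.0/16, host 10.1.2.3 becomes 172.16.2.3.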

match-vip

Enables or disables the function of matching DNATed packets. If you want to explicitly drop a packet that is not matched with a firewall policy and write a log message when this happens, you can add a general policy (source and destination address set to all) to the bottom of a policy list and configure the firewall policy to DENY packets and record a log message when a packet is dropped. In some cases, when a virtual IP performs destination NAT (DNAT) on a packet, the translated packet may not be accepted by a firewall policy. If this happens, the packet is silently dropped and therefore not matched with the general policy at the bottom of the policy list. To catch these packets, enable match-vip in the general policy. Then the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.

Syntax:
set match-vip {enable|disable}

Default value: disable

diffserv-forward

Enables or disables application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, diffservcode-forward also needs to be configured.

Syntax:
set diffserv-forward {enable|disable}

Default value: disable

diffserv-reverse

Enables or disables application of the differentiated services code point (DSCP) value to the DSCP field of reverse (reply) traffic. If enabled, diffservcode-rev also needs to be configured.

Syntax:
set diffserv-reverse {enable | disable}

Default value: disable

diffservcode-forward

Used to set the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-forward is enabled.

Syntax:
set diffservcode-forward <binary>

Default value: 000000

Example:
config firewall policy
	edit 0
	set diffservcode-forward 001001
end

diffservcode-rev

Used to set the differentiated services code point (DSCP) value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. This option appears only if diffserv-reverse is enabled.

Syntax:
set diffservcode-rev <binary>

Default value: 000000

tcp-mss-sender

Used to set the TCP Maximum Segment Size (MSS) number for the sender. When a FortiGate unit is configured to use PPPoE to connect to an ISP, certain web sites may not be accessible to users. This occurs because a PPPoE frame takes an extra 8 bytes off the standard Ethernet MTU of 1500. When the server sends a large packet with the DF bit set to 1, the ADSL provider’s router either does not send an “ICMP fragmentation needed” packet or the packet is dropped along the path to the web server. In either case, the web server never knows fragmentation is required to reach the client.

Syntax:
set tcp-mss-sender <integer>

tcp-mss-receiver

Used to set the TCP MSS number for the receiver.

Syntax:
set tcp-mss-receiver <integer>

Default value: 0
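
The tcp-mss-sender and tcp-mss-receiver settings work by rewriting the MSS option in TCP SYN segments so that the peer never sends a segment larger than the path can carry. The following is an added Python example, not Fortinet code: it computes the MSS that fits the PPPoE case described above (1500 - 8 PPPoE - 20 IP - 20 TCP = 1452) and walks a TCP options field, lowering the MSS option when it exceeds the clamp value while leaving NOP, window-scale and SACK-permitted options untouched. The option bytes are constructed for the example; function names are this example's own.

```python
# TCP option kinds (RFC 793 / RFC 9293)
EOL_KIND, NOP_KIND, MSS_KIND = 0, 1, 2

# Constructed SYN option field: MSS 1460, NOP, window scale 7, SACK permitted
SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402")


def pppoe_mss(mtu=1500, pppoe_overhead=8, ip_header=20, tcp_header=20):
    """Largest TCP payload that fits one frame on a PPPoE link: 1452 for the defaults."""
    return mtu - pppoe_overhead - ip_header - tcp_header


def clamp_mss(options, max_mss):
    """Return (new_options, original_mss). The MSS option is lowered to max_mss
    if it is larger; original_mss is None when the field carries no MSS option.
    Malformed option lengths raise ValueError rather than being skipped."""
    out = bytearray(options)
    i = 0
    original = None
    while i < len(out):
        kind = out[i]
        if kind == EOL_KIND:            # end of option list
            break
        if kind == NOP_KIND:            # single-byte padding
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option: missing length byte")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError(f"malformed TCP option kind {kind} with length {length}")
        if kind == MSS_KIND and length == 4:
            original = int.from_bytes(out[i + 2:i + 4], "big")
            if original > max_mss:
                out[i + 2:i + 4] = max_mss.to_bytes(2, "big")
        i += length
    return bytes(out), original


if __name__ == "__main__":
    clamped, seen = clamp_mss(SYN_OPTIONS, pppoe_mss())
    print(f"MSS {seen} -> {int.from_bytes(clamped[2:4], 'big')}: {clamped.hex()}")
```

The clamp only ever lowers the value; a SYN already advertising a smaller MSS is passed through unchanged, which is the behaviour to expect from the FortiGate setting as well.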

comments

Field to store descriptive information about the policy such as its intended purpose and targets. The field is limited to 63 characters. Enclose the string in single quotes to enter special characters or spaces.

Syntax:
set comments <string>

Default value: 0

Example:
config firewall policy
	edit 0
	set comments "Default outgoing traffic policy for corporate users"
end

label

Used to set a label for this policy. The label is visible in the GUI in Section View.

Syntax:
set label <string>

global-label

Puts policy in the named subsection in the web-based manager. Subsection is created if it does not already exist.

Syntax:
set global-label <string>

auth-cert

Used to select an HTTPS server certificate for policy authentication. self-sign is the built-in, self-signed certificate; if you have added other certificates, you may select them instead. This field is available only if the groups or users fields are specified.

Syntax:
set auth-cert <string>

auth-redirect-addr

Used to set the IP address or domain name to redirect user HTTP requests after accepting the authentication disclaimer. The redirect URL could be to a web page with extra information (for example, terms of usage). To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN). This field is available only if the groups or users fields are specified.

Syntax:
set auth-redirect-addr <string>

redirect-url

Set the URL, if any, that the user is redirected to after authenticating and/or accepting the user authentication disclaimer. This field is available only if disclaimer is set to enable.

Syntax:
set redirect-url <string>

identity-based-route

Used to specify an identity-based route to be associated with the policy. Identity-based routes are defined in firewall identity-based-route.

Syntax:
set identity-based-route <string>

block-notification

Enables or disables the feature that displays the Fortinet Bar in the browser when a site is blocked and provides a block page via HTTP/HTTPS.

Syntax:
set block-notification {enable|disable}

Default value: disable

custom-log-fields

Used to enter log field index numbers to append one or more custom log fields to the log message for this policy. This option takes effect only if logging is enabled for the policy, and requires that you first define custom log fields. Separate multiple values with a space.

Syntax:
{set|append|clear} custom-log-fields <string> [<string> ...]

replacemsg-override-group

Used to select a replacement message override group from the available configured groups. This will override the default replacement message for this policy.

Syntax:
set replacemsg-override-group <string>

srcaddr-negate

Enables or disables the negate source address match function. When enabled, this causes the srcaddr field to specify what the source address must not be.

Syntax:
set srcaddr-negate {enable|disable}

Default value: disable

dstaddr-negate

Enables or disables the negate destination address match function. When enabled, this causes the dstaddr field to specify what the destination address must not be.

Syntax:
set dstaddr-negate {enable|disable}

Default value: disable

service-negate

Enables or disables the negate service match function. When enabled, this causes the service field to specify what the service traffic must not be.

Syntax:
set service-negate {enable|disable}

Default value: disable
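
The three negate options above invert a single field's match, and a policy only takes effect if it is reached in sequence order, which is what the move command (described at the top of this page) controls. The following is an added Python example, not Fortinet code: a minimal first-match policy evaluator with srcaddr-negate, dstaddr-negate and service-negate, plus a model of move <policyid> {before|after} <policyid> so that the shadowing effect of reordering can be seen. The policy set, address objects and ids are constructed for the example; the real FortiGate matcher also considers interfaces, schedules, users and more, which are left out here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    policyid: int
    srcaddr: list           # address objects as CIDR strings, or "all"
    dstaddr: list
    service: list           # (proto, port) tuples, or "ALL"
    action: str             # "accept" or "deny"
    srcaddr_negate: bool = False
    dstaddr_negate: bool = False
    service_negate: bool = False


def _addr_match(addrs, ip):
    if "all" in addrs:
        return True
    host = ipaddress.ip_address(ip)
    return any(host in ipaddress.ip_network(a, strict=False) for a in addrs)


def _service_match(services, proto, port):
    return "ALL" in services or (proto, port) in services


def policy_matches(p, proto, src, dst, dport):
    # A negate flag inverts that one field's match result (boolean XOR via !=).
    return (_addr_match(p.srcaddr, src) != p.srcaddr_negate
            and _addr_match(p.dstaddr, dst) != p.dstaddr_negate
            and _service_match(p.service, proto, dport) != p.service_negate)


def lookup(policies, proto, src, dst, dport):
    """First matching policy in sequence order wins; no match means the implicit deny (policyid 0)."""
    for p in policies:
        if policy_matches(p, proto, src, dst, dport):
            return p.policyid, p.action
    return 0, "deny"


def move(policies, policyid, where, ref_id):
    """Model of `move <policyid> {before|after} <policyid>`; returns a reordered copy."""
    if where not in ("before", "after") or policyid == ref_id:
        raise ValueError("move needs before/after and two distinct policy ids")
    target = next(p for p in policies if p.policyid == policyid)
    rest = [p for p in policies if p.policyid != policyid]
    idx = next(i for i, p in enumerate(rest) if p.policyid == ref_id)
    rest.insert(idx if where == "before" else idx + 1, target)
    return rest


# Constructed policy table, in sequence order:
#  1: srcaddr-negate -> denies anything whose source is NOT inside 10.0.0.0/8
#  2: web access from 10.0.0.0/8
#  3: service-negate -> allows everything from 10.0.0.0/8 EXCEPT SMTP
POLICIES = [
    Policy(1, ["10.0.0.0/8"], ["all"], ["ALL"], "deny", srcaddr_negate=True),
    Policy(2, ["10.0.0.0/8"], ["all"], [("tcp", 80), ("tcp", 443)], "accept"),
    Policy(3, ["10.0.0.0/8"], ["all"], [("tcp", 25)], "accept", service_negate=True),
]


if __name__ == "__main__":
    print(lookup(POLICIES, "tcp", "10.1.2.3", "93.184.216.34", 443))   # (2, 'accept')
    print(lookup(POLICIES, "tcp", "10.1.2.3", "93.184.216.34", 25))    # (0, 'deny')
    print(lookup(POLICIES, "tcp", "172.16.0.5", "93.184.216.34", 443)) # (1, 'deny')
    reordered = move(POLICIES, 3, "before", 2)
    print([p.policyid for p in reordered])                             # [1, 3, 2]
```

Two points the model makes visible: a negated field widens a policy considerably (policy 3 matches every non-SMTP service, not just a list), and once policy 3 is moved before policy 2, web traffic is accepted by 3 and policy 2 is never reached, so any security profiles attached only to policy 2 silently stop applying.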

timeout-send-rst

Enables or disables the sending of RST packet upon TCP session expiration.

Syntax:
set timeout-send-rst {enable|disable}

Default value: disable

captive-portal-exempt

Enables or disables the exemption of users of this policy from the captive portal interface.

Syntax:
set captive-portal-exempt {enable|disable}

Default value: disable

ssl-mirror

Enables or disables the SSL mirror function. This feature sends a copy of traffic decrypted by SSL inspection to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving and analysis. This feature is only available if the inspection mode is set to flow-based.

Syntax:
set ssl-mirror {enable|disable}

Default value: disable

ssl-mirror-intf

Used to set the name of the SSL interface mirror. The value must be one of the existing interface names.

Syntax:
{set|append|clear} ssl-mirror-intf <string> [<string> ...]
Example:
config firewall policy
	edit 0
	set ssl-mirror-intf port11
	or ...
	set ssl-mirror-intf port12 port13
	or ...
	append ssl-mirror-intf port14
end

scan-botnet-connections

Sets the scanning level for traffic to botnet servers.

Syntax:
set scan-botnet-connections {disable | block | monitor}

Default value: disable

dsri

Enables or disables Disable Server Response Inspection (DSRI), which improves performance when only URL filtering is in use because it allows the system to ignore HTTP server responses.

Syntax:
set dsri {enable|disable}

Default value: disable

delay-tcp-npu-sessoin

Enables or disables the TCP NPU session delay in order to guarantee packet order of 3-way handshake.

Syntax:
set delay-tcp-npu-sessoin {enable|disable}

Default value: disable