Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    6.0.0
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.16
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.17
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    firewall {interface-policy | interface-policy6}

    firewall {interface-policy | interface-policy6}

    DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. You can also use the Interface-policy command to invoke an IPS sensor as part of a DoS policy.

    The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.

    config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

    config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service name.
                set name {string}   Address name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

    Additional information

    The following section is for those options that require additional explanation.

    application_list

    Enter the name of the application block/allowlist the FortiGate unit uses when examining network traffic.

    This option is available only when application-list-status is set to enable.

    av-profile

    This is available when av-profile-status is enabled.

    dlp-profile

    This is available when dlp-profile-status is enabled.

    ips-sensor

    This option is available only when ips-sensor-status is set to enable.

    service

    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

    spamfilter-profile

    Enter the spamfilter profile to apply. This is available when spamfilter-profile-status is enabled.

    webfilter-profile

    This is available when webfilter-profile-status is enabled.

    Previous
    Next

    firewall {interface-policy | interface-policy6}

    firewall {interface-policy | interface-policy6}

    DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. You can also use the Interface-policy command to invoke an IPS sensor as part of a DoS policy.

    The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.

    config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

    config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service name.
                set name {string}   Address name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

    Additional information

    The following section is for those options that require additional explanation.

    application_list

    Enter the name of the application block/allowlist the FortiGate unit uses when examining network traffic.

    This option is available only when application-list-status is set to enable.

    av-profile

    This is available when av-profile-status is enabled.

    dlp-profile

    This is available when dlp-profile-status is enabled.

    ips-sensor

    This option is available only when ips-sensor-status is set to enable.

    service

    Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

    spamfilter-profile

    Enter the spamfilter profile to apply. This is available when spamfilter-profile-status is enabled.

    webfilter-profile

    This is available when webfilter-profile-status is enabled.

    Previous
    Next