Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.0
Download PDF
Copy Link

firewall {interface-policy | interface-policy6}

DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. You can also use the Interface-policy command to invoke an IPS sensor as part of a DoS policy.

The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.

config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service name.
                set name {string}   Address name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

application_list

Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.

This option is available only when application-list-status is set to enable.

av-profile

This is available when av-profile-status is enabled.

dlp-profile

This is available when dlp-profile-status is enabled.

ips-sensor

This option is available only when ips-sensor-status is set to enable.

service

Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

spamfilter-profile

Enter the spamfilter profile to apply. This is available when spamfilter-profile-status is enabled.

webfilter-profile

This is available when webfilter-profile-status is enabled.

 

 

 

 

 

firewall {interface-policy | interface-policy6}

DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. You can also use the Interface-policy command to invoke an IPS sensor as part of a DoS policy.

The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.

config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service name.
                set name {string}   Address name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

application_list

Enter the name of the application black/white list the FortiGate unit uses when examining network traffic.

This option is available only when application-list-status is set to enable.

av-profile

This is available when av-profile-status is enabled.

dlp-profile

This is available when dlp-profile-status is enabled.

ips-sensor

This option is available only when ips-sensor-status is set to enable.

service

Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.

spamfilter-profile

Enter the spamfilter profile to apply. This is available when spamfilter-profile-status is enabled.

webfilter-profile

This is available when webfilter-profile-status is enabled.