firewall {interface-policy | interface-policy6}
DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering, as well as on the source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so that legitimate users can no longer use it. You can also use the interface-policy command to invoke an IPS sensor as part of a DoS policy.
The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.
config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all      Log all sessions accepted or denied by this policy.
                utm      Log traffic that has a security profile applied to it.
                disable  Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4  IPv4.
                ipv6  IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable  Do not scan for connections to botnet servers.
                block    Block connections to botnet servers.
                monitor  Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
Additional information
The following section is for those options that require additional explanation.
application-list
Enter the name of the application block/allowlist the FortiGate unit uses when examining network traffic.
This option is available only when application-list-status is set to enable.
av-profile
This is available when av-profile-status is enabled.
dlp-sensor
Enter the DLP sensor to apply. This is available when dlp-sensor-status is enabled.
ips-sensor
This option is available only when ips-sensor-status is set to enable.
service
Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or multiple services separated by spaces.
spamfilter-profile
Enter the spamfilter profile to apply. This is available when spamfilter-profile-status is enabled.
webfilter-profile
This is available when webfilter-profile-status is enabled.
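The syntax block and the notes above together define a set of constraints an entry must satisfy: the policyid range, the size[n] limits, the fixed option lists, and the rule that each profile keyword is only available once its matching *-status keyword is set to enable. The following Python script is an added example, not Fortinet code, that encodes those constraints as a pre-check and renders a consistent entry as CLI text. Policy values and object names in it (port1, dmz-web-servers, protect_http_server) are constructed; sub-tables are rendered in the config/edit/next form shown in the syntax block and closed with end, as the CLI expects when the sub-table is entered interactively.

```python
"""Check and render a FortiOS 'firewall interface-policy' entry.

Added example, not Fortinet's code. It encodes the constraints printed in the
CLI reference (policyid range, size[n] limits, option lists) and the
"available only when *-status is enable" dependencies from the Additional
information section, then renders the CLI text for a consistent entry.
All policy values and object names below are constructed for illustration.
"""

POLICYID_RANGE = (0, 4294967295)                      # range[0-4294967295]
SIZE_LIMITS = {                                       # size[n] annotations
    "comments": 1023, "label": 63, "interface": 35, "application-list": 35,
    "ips-sensor": 35, "av-profile": 35, "webfilter-profile": 35,
    "spamfilter-profile": 35, "dlp-sensor": 35,
}
NAME_LIMIT = 64                      # srcaddr / dstaddr / service entry names
LOGTRAFFIC_OPTIONS = ("all", "utm", "disable")
BOTNET_OPTIONS = ("disable", "block", "monitor")
# A profile keyword is available only when its *-status keyword is enable.
PROFILE_STATUS = {
    "application-list": "application-list-status",
    "ips-sensor": "ips-sensor-status",
    "av-profile": "av-profile-status",
    "webfilter-profile": "webfilter-profile-status",
    "spamfilter-profile": "spamfilter-profile-status",
    "dlp-sensor": "dlp-sensor-status",
}
TABLES = ("srcaddr", "dstaddr", "service")           # IPv6 tables carry a "6" suffix


def validate_policy(p):
    """Return the list of problems found; an empty list means the entry is consistent."""
    errors = []
    pid = p.get("policyid")
    if not isinstance(pid, int) or not POLICYID_RANGE[0] <= pid <= POLICYID_RANGE[1]:
        errors.append("policyid must be an integer in range[0-4294967295]")
    if not p.get("interface"):
        errors.append("interface is required")
    for key, limit in SIZE_LIMITS.items():
        if key in p and len(p[key]) > limit:
            errors.append(f"{key} exceeds size[{limit}]")
    if p.get("logtraffic", "utm") not in LOGTRAFFIC_OPTIONS:
        errors.append("logtraffic must be one of all | utm | disable")
    if p.get("scan-botnet-connections", "disable") not in BOTNET_OPTIONS:
        errors.append("scan-botnet-connections must be one of disable | block | monitor")
    for table in TABLES:
        for name in p.get(table, ()):
            if len(name) > NAME_LIMIT:
                errors.append(f"{table} entry {name!r} exceeds size[{NAME_LIMIT}]")
    # Catch both halves of a status/profile mismatch: a profile named while its
    # status is disabled does nothing, and an enabled status without a profile
    # has nothing to apply.
    for profile, status in PROFILE_STATUS.items():
        enabled = p.get(status, "disable") == "enable"
        if profile in p and not enabled:
            errors.append(f"{profile} is set but {status} is not enable")
        if enabled and profile not in p:
            errors.append(f"{status} is enable but no {profile} is named")
    return errors


def render_policy(p, ipv6=False):
    """Render one validated entry as CLI text; raise ValueError on an inconsistent entry."""
    problems = validate_policy(p)
    if problems:
        raise ValueError("; ".join(problems))
    suffix = "6" if ipv6 else ""                      # interface-policy6 / srcaddr6 / ...
    lines = [f"config firewall interface-policy{suffix}", f"    edit {p['policyid']}"]
    lines.append(f"        set status {p.get('status', 'enable')}")
    for key in ("comments", "label"):
        if key in p:
            lines.append(f'        set {key} "{p[key]}"')
    lines.append(f"        set logtraffic {p.get('logtraffic', 'utm')}")
    lines.append(f'        set interface "{p["interface"]}"')
    for table in TABLES:                              # sub-tables, each closed with end
        lines.append(f"        config {table}{suffix}")
        for name in p.get(table, ()):
            lines.append(f'            edit "{name}"')
            lines.append("            next")
        lines.append("        end")
    for profile, status in PROFILE_STATUS.items():    # only enabled profiles are emitted
        if p.get(status) == "enable":
            lines.append(f"        set {status} enable")
            lines.append(f'        set {profile} "{p[profile]}"')
    lines.append(f"        set scan-botnet-connections {p.get('scan-botnet-connections', 'disable')}")
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample: IPS inspection of web traffic entering port1 toward a DMZ address group.
SAMPLE_POLICY = {
    "policyid": 10,
    "status": "enable",
    "comments": "IPS on inbound web traffic (constructed example)",
    "logtraffic": "all",
    "interface": "port1",
    "srcaddr": ["all"],
    "dstaddr": ["dmz-web-servers"],
    "service": ["HTTP", "HTTPS"],
    "ips-sensor-status": "enable",
    "ips-sensor": "protect_http_server",
    "scan-botnet-connections": "monitor",
}

# Same entry with the sensor named but ips-sensor-status left disabled: the
# reference says ips-sensor is available only when the status is enable, so the
# checker reports it instead of rendering an entry that applies no inspection.
MISCONFIGURED_POLICY = {**SAMPLE_POLICY, "ips-sensor-status": "disable"}

if __name__ == "__main__":
    print(render_policy(SAMPLE_POLICY))
    print(validate_policy(MISCONFIGURED_POLICY))
```

Running the script prints the rendered IPv4 entry followed by the single problem found in the misconfigured copy; passing ipv6=True renders the same entry under interface-policy6 with srcaddr6, dstaddr6 and service6 sub-tables.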