firewall {interface-policy | interface-policy6}
DoS policies, called interface policies in the CLI, are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is entering or leaving, as well as on its source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is a denial of service (DoS) attack, in which an attacking system opens an abnormally large number of sessions with a target system; the volume of sessions slows down or disables the target so that legitimate users can no longer use it. An interface policy can also invoke an IPS sensor as part of a DoS policy, and the options listed below additionally let it apply an application control list, antivirus, web filter, antispam and DLP profiles, and botnet-connection scanning to the matched traffic.
The interface-policy command is used for DoS policies applied to IPv4 addresses. For IPv6 addresses, use interface-policy6 instead.
config firewall interface-policy
    edit {policyid}
    # Configure IPv4 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all   Log all sessions accepted or denied by this policy.
                utm   Log traffic that has a security profile applied to it.
                disable   Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4   IPv4.
                ipv6   IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable   Do not scan for connections to botnet servers.
                block   Block connections to botnet servers.
                monitor   Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
config firewall interface-policy6
    edit {policyid}
    # Configure IPv6 interface policies.
        set policyid {integer}   Policy ID. range[0-4294967295]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comments. size[1023]
        set logtraffic {all | utm | disable}   Logging type to be used in this policy (Options: all | utm | disable, Default: utm).
                all   Log all sessions accepted or denied by this policy.
                utm   Log traffic that has a security profile applied to it.
                disable   Disable all logging for this policy.
        set address-type {ipv4 | ipv6}   Policy address type (IPv4 or IPv6).
                ipv4   IPv4.
                ipv6   IPv6.
        set interface {string}   Monitored interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent from the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr6
            edit {name}
            # IPv6 address object to limit traffic monitoring to network traffic sent to the specified address or range.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service6
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set application-list-status {enable | disable}   Enable/disable application control.
        set application-list {string}   Application list name. size[35] - datasource(s): application.list.name
        set ips-sensor-status {enable | disable}   Enable/disable IPS.
        set ips-sensor {string}   IPS sensor name. size[35] - datasource(s): ips.sensor.name
        set dsri {enable | disable}   Enable/disable DSRI.
        set av-profile-status {enable | disable}   Enable/disable antivirus.
        set av-profile {string}   Antivirus profile. size[35] - datasource(s): antivirus.profile.name
        set webfilter-profile-status {enable | disable}   Enable/disable web filtering.
        set webfilter-profile {string}   Web filter profile. size[35] - datasource(s): webfilter.profile.name
        set spamfilter-profile-status {enable | disable}   Enable/disable antispam.
        set spamfilter-profile {string}   Antispam profile. size[35] - datasource(s): spamfilter.profile.name
        set dlp-sensor-status {enable | disable}   Enable/disable DLP.
        set dlp-sensor {string}   DLP sensor name. size[35] - datasource(s): dlp.sensor.name
        set scan-botnet-connections {disable | block | monitor}   Enable/disable scanning for connections to Botnet servers.
                disable   Do not scan for connections to botnet servers.
                block   Block connections to botnet servers.
                monitor   Log connections to botnet servers.
        set label {string}   Label. size[63]
    next
end
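A complete configuration built from the syntax above, for the IPv4 and the IPv6 command together. It is added here as an illustration and is not taken from the FortiOS reference; the interface name wan1, the IPS sensor name ips-dmz-web (assumed to already exist), the address objects created below, their addresses, and policy ID 10 are all assumptions. The goal is to inspect HTTP and HTTPS sessions seen on wan1 toward a DMZ web server with an IPS sensor and to log every matched session, not only the ones the sensor acts on.

```fortios
# Added example, not part of the FortiOS CLI reference.
# Assumes: interface "wan1" exists, IPS sensor "ips-dmz-web" exists,
# policy ID 10 is unused in both interface-policy and interface-policy6.

# Address objects the policies will reference (datasource firewall.address.name
# and firewall.address6.name). Addresses are constructed for this example.
config firewall address
    edit "dmz-web-srv"
        set subnet 10.1.1.10 255.255.255.255
    next
end
config firewall address6
    edit "dmz-web-srv6"
        set ip6 2001:db8:1::10/128
    next
end

# IPv4 interface policy: traffic on wan1 from anywhere to the DMZ web
# server on HTTP/HTTPS is passed through the IPS sensor. logtraffic is
# set to "all" because the default "utm" only records sessions on which
# a security profile acted, which hides the baseline from the analyst.
config firewall interface-policy
    edit 10
        set status enable
        set comments "IPS on wan1 traffic to DMZ web server"
        set interface "wan1"
        set logtraffic all
        config srcaddr
            edit "all"
            next
        end
        config dstaddr
            edit "dmz-web-srv"
            next
        end
        config service
            edit "HTTP"
            next
            edit "HTTPS"
            next
        end
        set ips-sensor-status enable
        set ips-sensor "ips-dmz-web"
    next
end

# IPv6 counterpart: same intent, but the sub-tables are srcaddr6,
# dstaddr6 and service6, and the address object must be a firewall address6.
config firewall interface-policy6
    edit 10
        set status enable
        set comments "IPS on wan1 IPv6 traffic to DMZ web server"
        set interface "wan1"
        set logtraffic all
        config srcaddr6
            edit "all"
            next
        end
        config dstaddr6
            edit "dmz-web-srv6"
            next
        end
        config service6
            edit "HTTP"
            next
            edit "HTTPS"
            next
        end
        set ips-sensor-status enable
        set ips-sensor "ips-dmz-web"
    next
end
```

After applying the policies, confirm with `show firewall interface-policy 10` and `show firewall interface-policy6 10` that `status` is `enable` and the sensor name was accepted; because `ips-sensor` is a datasource, a misspelled sensor name is rejected at `set` time rather than silently leaving the policy without inspection. Note that `set interface` takes a single interface or zone, so traffic to the same server arriving on a different interface needs its own interface policy.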
Additional information
The following section is for those options that require additional explanation.
application-list
Enter the name of the application block/allowlist the FortiGate unit uses when examining network traffic. This option is available only when application-list-status is set to enable.
av-profile
Enter the antivirus profile to apply. This option is available only when av-profile-status is set to enable.
dlp-sensor
Enter the DLP sensor to apply. This option is available only when dlp-sensor-status is set to enable.
ips-sensor
Enter the IPS sensor to apply. This option is available only when ips-sensor-status is set to enable.
service
Enter a service to limit traffic monitoring to only the selected type. You may also specify a service group, or limit monitoring to several services by adding one entry per service under config service (config service6 for IPv6 policies).
spamfilter-profile
Enter the antispam profile to apply. This option is available only when spamfilter-profile-status is set to enable.
webfilter-profile
Enter the web filter profile to apply. This option is available only when webfilter-profile-status is set to enable.