Fortinet Document Library
CLI Reference

6.2.1

Configure IPv6 policies.

  config firewall policy6
      Description: Configure IPv6 policies.
      edit <policyid>
          set name {string}
          set uuid {uuid}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set action [accept|deny|...]
          set firewall-session-dirty [check-all|check-new]
          set status [enable|disable]
          set vlan-cos-fwd {integer}
          set vlan-cos-rev {integer}
          set schedule {string}
          set service <name1>, <name2>, ...
          set tos {user}
          set tos-mask {user}
          set tos-negate [enable|disable]
          set tcp-session-without-syn [all|data-only|...]
          set anti-replay [enable|disable]
          set utm-status [enable|disable]
          set inspection-mode [proxy|flow]
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set http-policy-redirect [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-profile {string}
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set webproxy-forward-server {string}
          set traffic-shaper {string}
          set traffic-shaper-reverse {string}
          set per-ip-shaper {string}
          set application <id1>, <id2>, ...
          set app-category <id1>, <id2>, ...
          set url-category <id1>, <id2>, ...
          set app-group <name1>, <name2>, ...
          set nat [enable|disable]
          set fixedport [enable|disable]
          set ippool [enable|disable]
          set poolname <name1>, <name2>, ...
          set session-ttl {integer}
          set inbound [enable|disable]
          set outbound [enable|disable]
          set natinbound [enable|disable]
          set natoutbound [enable|disable]
          set send-deny-packet [enable|disable]
          set vpntunnel {string}
          set diffserv-forward [enable|disable]
          set diffserv-reverse [enable|disable]
          set diffservcode-forward {user}
          set diffservcode-rev {user}
          set tcp-mss-sender {integer}
          set tcp-mss-receiver {integer}
          set comments {var-string}
          set label {string}
          set global-label {string}
          set rsso [enable|disable]
          set custom-log-fields <field-id1>, <field-id2>, ...
          set replacemsg-override-group {string}
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set devices <name1>, <name2>, ...
          set timeout-send-rst [enable|disable]
          set ssl-mirror [enable|disable]
          set ssl-mirror-intf <name1>, <name2>, ...
          set dsri [enable|disable]
          set vlan-filter {user}
      next
  end

config firewall policy6

Parameters (name, description, type and size):

name
    Policy name.
    Type: string. Size: maximum length 35.
uuid
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Type: uuid. Size: not specified.
srcintf <name>
    Incoming (ingress) interface.
    <name>: Interface name.
    Type: string. Size: maximum length 79.
dstintf <name>
    Outgoing (egress) interface.
    <name>: Interface name.
    Type: string. Size: maximum length 79.
srcaddr <name>
    Source address and address group names.
    <name>: Address name.
    Type: string. Size: maximum length 79.
dstaddr <name>
    Destination address and address group names.
    <name>: Address name.
    Type: string. Size: maximum length 79.
action
    Policy action (accept/deny/ipsec).
    accept: Allows sessions that match the firewall policy.
    deny: Blocks sessions that match the firewall policy.
    ipsec: Firewall policy becomes a policy-based IPsec VPN policy.
    Type: option.
firewall-session-dirty
    How to handle existing sessions if the configuration of this firewall policy changes.
    check-all: Flush all current sessions accepted by this policy. These sessions must be restarted and re-matched against policies.
    check-new: Continue to allow sessions already accepted by this policy.
    Type: option.
status
    Enable or disable this policy.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
vlan-cos-fwd
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    Type: integer. Size: minimum value 0, maximum value 7.
vlan-cos-rev
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    Type: integer. Size: minimum value 0, maximum value 7.
schedule
    Schedule name.
    Type: string. Size: maximum length 35.
service <name>
    Service and service group names.
    <name>: Service name.
    Type: string. Size: maximum length 79.
tos
    ToS (Type of Service) value used for comparison.
    Type: user. Size: not specified.
tos-mask
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    Type: user. Size: not specified.
tos-negate
    Enable negated TOS match.
    enable: Enable TOS match negate.
    disable: Disable TOS match negate.
    Type: option.
tcp-session-without-syn
    Enable/disable creation of TCP sessions without a SYN flag.
    all: Enable TCP session without SYN.
    data-only: Enable TCP session data only.
    disable: Disable TCP session without SYN.
    Type: option.
anti-replay
    Enable/disable anti-replay check.
    enable: Enable anti-replay check.
    disable: Disable anti-replay check.
    Type: option.
utm-status
    Enable AV/web/IPS protection profile.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
inspection-mode
    Policy inspection mode (flow/proxy). Default is flow mode.
    proxy: Proxy-based inspection.
    flow: Flow-based inspection.
    Type: option.
webcache
    Enable/disable web cache.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
webcache-https
    Enable/disable web cache for HTTPS.
    disable: Disable web cache for HTTPS.
    enable: Enable web cache for HTTPS.
    Type: option.
http-policy-redirect
    Redirect HTTP(S) traffic to the matching transparent web proxy policy.
    enable: Enable HTTP(S) policy redirect.
    disable: Disable HTTP(S) policy redirect.
    Type: option.
ssh-policy-redirect
    Redirect SSH traffic to the matching transparent proxy policy.
    enable: Enable SSH policy redirect.
    disable: Disable SSH policy redirect.
    Type: option.
webproxy-profile
    Web proxy profile name.
    Type: string. Size: maximum length 63.
profile-type
    Determine whether the firewall policy allows security profile groups or single profiles only.
    single: Do not allow security profile groups.
    group: Allow security profile groups.
    Type: option.
profile-group
    Name of profile group.
    Type: string. Size: maximum length 35.
profile-protocol-options
    Name of an existing Protocol options profile.
    Type: string. Size: maximum length 35.
ssl-ssh-profile
    Name of an existing SSL/SSH profile.
    Type: string. Size: maximum length 35.
av-profile
    Name of an existing Antivirus profile.
    Type: string. Size: maximum length 35.
webfilter-profile
    Name of an existing Web filter profile.
    Type: string. Size: maximum length 35.
dnsfilter-profile
    Name of an existing DNS filter profile.
    Type: string. Size: maximum length 35.
emailfilter-profile
    Name of an existing email filter profile.
    Type: string. Size: maximum length 35.
dlp-sensor
    Name of an existing DLP sensor.
    Type: string. Size: maximum length 35.
ips-sensor
    Name of an existing IPS sensor.
    Type: string. Size: maximum length 35.
application-list
    Name of an existing Application list.
    Type: string. Size: maximum length 35.
voip-profile
    Name of an existing VoIP profile.
    Type: string. Size: maximum length 35.
icap-profile
    Name of an existing ICAP profile.
    Type: string. Size: maximum length 35.
cifs-profile
    Name of an existing CIFS profile.
    Type: string. Size: maximum length 35.
waf-profile
    Name of an existing Web application firewall profile.
    Type: string. Size: maximum length 35.
ssh-filter-profile
    Name of an existing SSH filter profile.
    Type: string. Size: maximum length 35.
logtraffic
    Enable or disable logging. Log all sessions or only security profile sessions.
    all: Log all sessions accepted or denied by this policy.
    utm: Log traffic that has a security profile applied to it.
    disable: Disable all logging for this policy.
    Type: option.
logtraffic-start
    Record logs when a session starts.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
webproxy-forward-server
    Web proxy forward server name.
    Type: string. Size: maximum length 63.
traffic-shaper
    Traffic shaper.
    Type: string. Size: maximum length 35.
traffic-shaper-reverse
    Reverse traffic shaper.
    Type: string. Size: maximum length 35.
per-ip-shaper
    Per-IP traffic shaper.
    Type: string. Size: maximum length 35.
application <id>
    Application ID list.
    <id>: Application ID.
    Type: integer. Size: minimum value 0, maximum value 4294967295.
app-category <id>
    Application category ID list.
    <id>: Category ID.
    Type: integer. Size: minimum value 0, maximum value 4294967295.
url-category <id>
    URL category ID list.
    <id>: URL category ID.
    Type: integer. Size: minimum value 0, maximum value 4294967295.
app-group <name>
    Application group names.
    <name>: Application group name.
    Type: string. Size: maximum length 79.
nat
    Enable/disable source NAT.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
fixedport
    Enable to prevent source NAT from changing a session's source port.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
ippool
    Enable to use IP pools for source NAT.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
poolname <name>
    IP pool names.
    <name>: IP pool name.
    Type: string. Size: maximum length 79.
session-ttl
    Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.
    Type: integer. Size: minimum value 300, maximum value 2764800.
inbound
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
outbound
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
natinbound
    Policy-based IPsec VPN: apply destination NAT to inbound traffic.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
natoutbound
    Policy-based IPsec VPN: apply source NAT to outbound traffic.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
send-deny-packet
    Enable/disable return of a deny packet.
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
vpntunnel
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    Type: string. Size: maximum length 35.
diffserv-forward
    Enable to change the packet's DiffServ value to the specified diffservcode-forward value.
    enable: Enable forward (original) traffic DiffServ.
    disable: Disable forward (original) traffic DiffServ.
    Type: option.
diffserv-reverse
    Enable to change the packet's reverse (reply) DiffServ value to the specified diffservcode-rev value.
    enable: Enable reverse (reply) traffic DiffServ.
    disable: Disable reverse (reply) traffic DiffServ.
    Type: option.
diffservcode-forward
    Change the packet's DiffServ to this value.
    Type: user. Size: not specified.
diffservcode-rev
    Change the packet's reverse (reply) DiffServ to this value.
    Type: user. Size: not specified.
tcp-mss-sender
    Sender TCP maximum segment size (MSS).
    Type: integer. Size: minimum value 0, maximum value 65535.
tcp-mss-receiver
    Receiver TCP maximum segment size (MSS).
    Type: integer. Size: minimum value 0, maximum value 65535.
comments
    Comment.
    Type: var-string. Size: maximum length 1023.
label
    Label for the policy that appears when the GUI is in Section View mode.
    Type: string. Size: maximum length 63.
global-label
    Label for the policy that appears when the GUI is in Global View mode.
    Type: string. Size: maximum length 63.
rsso
    Enable/disable RADIUS single sign-on (RSSO).
    enable: Enable setting.
    disable: Disable setting.
    Type: option.
custom-log-fields <field-id>
    Log field index numbers to append custom log fields to log messages for this policy.
    <field-id>: Custom log field.
    Type: string. Size: maximum length 35.
replacemsg-override-group
    Override the default replacement message group for this policy.
    Type: string. Size: maximum length 35.
srcaddr-negate
    When enabled, srcaddr specifies what the source address must NOT be.
    enable: Enable source address negate.
    disable: Disable source address negate.
    Type: option.
dstaddr-negate
    When enabled, dstaddr specifies what the destination address must NOT be.
    enable: Enable destination address negate.
    disable: Disable destination address negate.
    Type: option.
service-negate
    When enabled, service specifies what the service must NOT be.
    enable: Enable negated service match.
    disable: Disable negated service match.
    Type: option.
groups <name>
    Names of user groups that can authenticate with this policy.
    <name>: Group name.
    Type: string. Size: maximum length 79.
users <name>
    Names of individual users that can authenticate with this policy.
    <name>: User name.
    Type: string. Size: maximum length 79.
devices <name>
    Names of devices or device groups that can be matched by the policy.
    <name>: Device or group name.
    Type: string. Size: maximum length 35.
timeout-send-rst
    Enable/disable sending RST packets when TCP sessions expire.
    enable: Send RST when session times out.
    disable: Do not send RST when session times out.
    Type: option.
ssl-mirror
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
    enable: Enable SSL mirror.
    disable: Disable SSL mirror.
    Type: option.
ssl-mirror-intf <name>
    SSL mirror interface name.
    <name>: Interface name.
    Type: string. Size: maximum length 79.
dsri
    Enable DSRI to ignore HTTP server responses.
    enable: Enable DSRI.
    disable: Disable DSRI.
    Type: option.
vlan-filter
    Set VLAN filters.
    Type: user. Size: not specified.
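As an added example (not Fortinet's code), the following Python script parses the `config firewall policy6` syntax shown above and audits each policy for the settings a reviewer would check first: `logtraffic disable`, a negated address or service match (which matches everything except the listed names), an accept policy matching any source, destination and service, `utm-status` left off, and `firewall-session-dirty check-new`. The sample configuration and its policy and object names are constructed for the example.

```python
import re

# Constructed sample in the page's `config firewall policy6` syntax (not a real config).
SAMPLE_CONFIG = """\
config firewall policy6
    edit 1
        set name "lan-to-wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set logtraffic disable
        set utm-status disable
    next
    edit 2
        set name "dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-v6" "api-v6"
        set dstaddr-negate enable
        set action accept
        set service "HTTPS"
        set logtraffic all
        set utm-status enable
        set ips-sensor "default"
    next
    edit 3
        set name "deny-rest"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "ALL"
        set logtraffic all
    next
end
"""

SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

def parse_policy6(text):
    """Return {policyid: {param: [values]}} from one `config firewall policy6` block."""
    policies, current, pid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            pid, current = line[5:].strip(), {}
        elif line == "next" and current is not None:
            policies[pid], current = current, None
        elif current is not None and (m := SET_RE.match(line)):
            # Multi-valued parameters (srcaddr, dstaddr, service, ...) are quoted names.
            current[m.group(1)] = [q or bare for q, bare in TOKEN_RE.findall(m.group(2))]
    return policies

def audit_policy(p):
    """Findings for one parsed policy (empty list = nothing flagged)."""
    first = lambda k: p.get(k, [""])[0]
    findings = []
    if first("logtraffic") == "disable":
        findings.append("logtraffic disable: sessions matched by this policy leave no log")
    for k in ("srcaddr", "dstaddr", "service"):
        if first(k + "-negate") == "enable":
            findings.append(f"{k}-negate enable: matches everything EXCEPT {p.get(k)}; confirm intent")
    if first("action") != "accept":
        return findings  # deny/ipsec policies: only the checks above apply
    if all(set(p.get(k, [])) == {v} for k, v in (("srcaddr", "all"), ("dstaddr", "all"), ("service", "ALL"))):
        findings.append("accept policy matching any source, any destination and any service")
    if first("utm-status") != "enable":
        findings.append("utm-status not enabled: no AV/web/IPS profile inspects this traffic")
    if first("firewall-session-dirty") == "check-new":
        findings.append("firewall-session-dirty check-new: sessions accepted before an edit keep flowing")
    return findings

def audit_config(text):
    """Map each policy ID to its findings."""
    return {pid: audit_policy(p) for pid, p in parse_policy6(text).items()}

if __name__ == "__main__":
    for pid, found in audit_config(SAMPLE_CONFIG).items():
        print(pid, found or "ok")
```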
