Fortinet white logo
Fortinet white logo

CLI Reference

config firewall policy6

config firewall policy6

Configure IPv6 policies.

config firewall policy6
    Description: Configure IPv6 policies.
    edit <policyid>
        set action [accept|deny|...]
        set anti-replay [enable|disable]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set auto-asic-offload [enable|disable]
        set av-profile {string}
        set cifs-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set diffserv-forward [enable|disable]
        set diffserv-reverse [enable|disable]
        set diffservcode-forward {user}
        set diffservcode-rev {user}
        set dlp-sensor {string}
        set dnsfilter-profile {string}
        set dsri [enable|disable]
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set firewall-session-dirty [check-all|check-new]
        set fixedport [enable|disable]
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set http-policy-redirect [enable|disable]
        set icap-profile {string}
        set inbound [enable|disable]
        set inspection-mode [proxy|flow]
        set ippool [enable|disable]
        set ips-sensor {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set mms-profile {string}
        set name {string}
        set nat [enable|disable]
        set natinbound [enable|disable]
        set natoutbound [enable|disable]
        set np-acceleration [enable|disable]
        set outbound [enable|disable]
        set per-ip-shaper {string}
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set replacemsg-override-group {string}
        set rsso [enable|disable]
        set schedule {string}
        set send-deny-packet [enable|disable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {user}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-mirror [enable|disable]
        set ssl-mirror-intf <name1>, <name2>, ...
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set tcp-mss-receiver {integer}
        set tcp-mss-sender {integer}
        set tcp-session-without-syn [all|data-only|...]
        set timeout-send-rst [enable|disable]
        set tos {user}
        set tos-mask {user}
        set tos-negate [enable|disable]
        set traffic-shaper {string}
        set traffic-shaper-reverse {string}
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set vlan-cos-fwd {integer}
        set vlan-cos-rev {integer}
        set vlan-filter {user}
        set voip-profile {string}
        set vpntunnel {string}
        set waf-profile {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
    next
end

config firewall policy6

Parameter

Description

Type

Size

action

Policy action (allow/deny/ipsec).

option

-

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

anti-replay

Enable/disable anti-replay check.

option

-

Option

Description

enable

Enable anti-replay check.

disable

Disable anti-replay check.

app-category <id>

Application category ID list.

Category IDs.

integer

Minimum value: 0 Maximum value: 4294967295

app-group <name>

Application group names.

Application group names.

string

Maximum length: 79

application <id>

Application ID list.

Application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

application-list

Name of an existing Application list.

string

Maximum length: 35

auto-asic-offload *

Enable/disable policy traffic ASIC offloading.

option

-

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

comments

Comment.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Log field index numbers to append custom log fields to log messages for this policy.

Custom log field.

string

Maximum length: 35

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

Option

Description

enable

Enable forward (original) traffic DiffServ.

disable

Disable forward (original) traffic DiffServ.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

Option

Description

enable

Enable reverse (reply) traffic DiffServ.

disable

Disable reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.

option

-

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.

option

-

Option

Description

check-all

Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.

check-new

Continue to allow sessions already accepted by this policy.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

ippool

Enable to use IP Pools for source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

mms-profile *

Name of an existing MMS profile.

string

Maximum length: 35

name

Policy name.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

np-acceleration *

Enable/disable UTM Network Processor acceleration.

option

-

Option

Description

enable

Enable UTM Network Processor acceleration.

disable

Disable UTM Network Processor acceleration.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

poolname <name>

IP Pool names.

IP pool name.

string

Maximum length: 79

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

rsso

Enable/disable RADIUS single sign-on (RSSO).

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Schedule name.

string

Maximum length: 35

send-deny-packet

Enable/disable return of deny-packet.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

service <name>

Service and service group names.

Address name.

string

Maximum length: 79

service-negate

When enabled service specifies what the service must NOT be.

option

-

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

session-ttl

Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.

user

Not Specified

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

ssl-mirror

Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).

option

-

Option

Description

enable

Enable SSL mirror.

disable

Disable SSL mirror.

ssl-mirror-intf <name>

SSL mirror interface name.

Interface name.

string

Maximum length: 79

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

status

Enable or disable this policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-session-without-syn

Enable/disable creation of TCP session without SYN flag.

option

-

Option

Description

all

Enable TCP session without SYN.

data-only

Enable TCP session data only.

disable

Disable TCP session without SYN.

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.

option

-

Option

Description

enable

Send RST when session times out.

disable

Donot send RST when session times out.

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.

option

-

Option

Description

enable

Enable TOS match negate.

disable

Disable TOS match negate.

traffic-shaper

Reverse traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

url-category <id>

URL category ID list.

URL category ID.

integer

Minimum value: 0 Maximum value: 4294967295

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

utm-status

Enable AV/web/ips protection profile.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest

integer

Minimum value: 0 Maximum value: 7

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest

integer

Minimum value: 0 Maximum value: 7

vlan-filter

Set VLAN filters.

user

Not Specified

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

webcache *

Enable/disable web cache.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https *

Enable/disable web cache for HTTPS.

option

-

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

* This parameter may not exist in some models.

config firewall policy6

config firewall policy6

Configure IPv6 policies.

config firewall policy6
    Description: Configure IPv6 policies.
    edit <policyid>
        set action [accept|deny|...]
        set anti-replay [enable|disable]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set auto-asic-offload [enable|disable]
        set av-profile {string}
        set cifs-profile {string}
        set comments {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set diffserv-forward [enable|disable]
        set diffserv-reverse [enable|disable]
        set diffservcode-forward {user}
        set diffservcode-rev {user}
        set dlp-sensor {string}
        set dnsfilter-profile {string}
        set dsri [enable|disable]
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set firewall-session-dirty [check-all|check-new]
        set fixedport [enable|disable]
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set http-policy-redirect [enable|disable]
        set icap-profile {string}
        set inbound [enable|disable]
        set inspection-mode [proxy|flow]
        set ippool [enable|disable]
        set ips-sensor {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set mms-profile {string}
        set name {string}
        set nat [enable|disable]
        set natinbound [enable|disable]
        set natoutbound [enable|disable]
        set np-acceleration [enable|disable]
        set outbound [enable|disable]
        set per-ip-shaper {string}
        set poolname <name1>, <name2>, ...
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set replacemsg-override-group {string}
        set rsso [enable|disable]
        set schedule {string}
        set send-deny-packet [enable|disable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set session-ttl {user}
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssh-policy-redirect [enable|disable]
        set ssl-mirror [enable|disable]
        set ssl-mirror-intf <name1>, <name2>, ...
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set tcp-mss-receiver {integer}
        set tcp-mss-sender {integer}
        set tcp-session-without-syn [all|data-only|...]
        set timeout-send-rst [enable|disable]
        set tos {user}
        set tos-mask {user}
        set tos-negate [enable|disable]
        set traffic-shaper {string}
        set traffic-shaper-reverse {string}
        set url-category <id1>, <id2>, ...
        set users <name1>, <name2>, ...
        set utm-status [enable|disable]
        set uuid {uuid}
        set vlan-cos-fwd {integer}
        set vlan-cos-rev {integer}
        set vlan-filter {user}
        set voip-profile {string}
        set vpntunnel {string}
        set waf-profile {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set webfilter-profile {string}
        set webproxy-forward-server {string}
        set webproxy-profile {string}
    next
end

config firewall policy6

Parameter

Description

Type

Size

action

Policy action (allow/deny/ipsec).

option

-

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

anti-replay

Enable/disable anti-replay check.

option

-

Option

Description

enable

Enable anti-replay check.

disable

Disable anti-replay check.

app-category <id>

Application category ID list.

Category IDs.

integer

Minimum value: 0 Maximum value: 4294967295

app-group <name>

Application group names.

Application group names.

string

Maximum length: 79

application <id>

Application ID list.

Application IDs.

integer

Minimum value: 0 Maximum value: 4294967295

application-list

Name of an existing Application list.

string

Maximum length: 35

auto-asic-offload *

Enable/disable policy traffic ASIC offloading.

option

-

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

comments

Comment.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Log field index numbers to append custom log fields to log messages for this policy.

Custom log field.

string

Maximum length: 35

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

Option

Description

enable

Enable forward (original) traffic DiffServ.

disable

Disable forward (original) traffic DiffServ.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

Option

Description

enable

Enable reverse (reply) traffic DiffServ.

disable

Disable reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.

option

-

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.

option

-

Option

Description

check-all

Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.

check-new

Continue to allow sessions already accepted by this policy.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

ippool

Enable to use IP Pools for source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

mms-profile *

Name of an existing MMS profile.

string

Maximum length: 35

name

Policy name.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

np-acceleration *

Enable/disable UTM Network Processor acceleration.

option

-

Option

Description

enable

Enable UTM Network Processor acceleration.

disable

Disable UTM Network Processor acceleration.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

poolname <name>

IP Pool names.

IP pool name.

string

Maximum length: 79

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

rsso

Enable/disable RADIUS single sign-on (RSSO).

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

schedule

Schedule name.

string

Maximum length: 35

send-deny-packet

Enable/disable return of deny-packet.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

service <name>

Service and service group names.

Address name.

string

Maximum length: 79

service-negate

When enabled service specifies what the service must NOT be.

option

-

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

session-ttl

Session TTL in seconds for sessions accepted by this policy. 0 means use the system default session TTL.

user

Not Specified

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

Option

Description

enable

Enable source address negate.

disable

Disable destination address negate.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

ssl-mirror

Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).

option

-

Option

Description

enable

Enable SSL mirror.

disable

Disable SSL mirror.

ssl-mirror-intf <name>

SSL mirror interface name.

Interface name.

string

Maximum length: 79

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

status

Enable or disable this policy.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-session-without-syn

Enable/disable creation of TCP session without SYN flag.

option

-

Option

Description

all

Enable TCP session without SYN.

data-only

Enable TCP session data only.

disable

Disable TCP session without SYN.

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.

option

-

Option

Description

enable

Send RST when session times out.

disable

Donot send RST when session times out.

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.

option

-

Option

Description

enable

Enable TOS match negate.

disable

Disable TOS match negate.

traffic-shaper

Reverse traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

url-category <id>

URL category ID list.

URL category ID.

integer

Minimum value: 0 Maximum value: 4294967295

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

utm-status

Enable AV/web/ips protection profile.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest

integer

Minimum value: 0 Maximum value: 7

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest

integer

Minimum value: 0 Maximum value: 7

vlan-filter

Set VLAN filters.

user

Not Specified

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

webcache *

Enable/disable web cache.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https *

Enable/disable web cache for HTTPS.

option

-

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

webproxy-forward-server

Web proxy forward server name.

string

Maximum length: 63

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

* This parameter may not exist in some models.