CLI Reference

firewall consolidated policy

Configure consolidated IPv4/IPv6 policies.

  config firewall consolidated policy
      Description: Configure consolidated IPv4/IPv6 policies.
      edit <policyid>
          set status [enable|disable]
          set name {string}
          set uuid {uuid}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr4 <name1>, <name2>, ...
          set dstaddr4 <name1>, <name2>, ...
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set internet-service [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set internet-service-src [enable|disable]
          set internet-service-src-id <id1>, <id2>, ...
          set internet-service-src-group <name1>, <name2>, ...
          set internet-service-src-custom <name1>, <name2>, ...
          set internet-service-src-custom-group <name1>, <name2>, ...
          set internet-service-negate [enable|disable]
          set internet-service-src-negate [enable|disable]
          set action [accept|deny|...]
          set schedule {string}
          set service <name1>, <name2>, ...
          set utm-status [enable|disable]
          set inspection-mode [proxy|flow]
          set http-policy-redirect [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-profile {string}
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set auto-asic-offload [enable|disable]
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set diffserv-forward [enable|disable]
          set diffserv-reverse [enable|disable]
          set diffservcode-forward {user}
          set diffservcode-rev {user}
          set tcp-mss-sender {integer}
          set tcp-mss-receiver {integer}
          set webproxy-forward-server {string}
          set wanopt [enable|disable]
          set wanopt-detection [active|passive|...]
          set wanopt-passive-opt [default|transparent|...]
          set wanopt-profile {string}
          set wanopt-peer {string}
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set traffic-shaper {string}
          set traffic-shaper-reverse {string}
          set per-ip-shaper {string}
          set nat [enable|disable]
          set fixedport [enable|disable]
          set ippool [enable|disable]
          set poolname4 <name1>, <name2>, ...
          set poolname6 <name1>, <name2>, ...
          set session-ttl {integer}
          set comments {var-string}
          set vpntunnel {string}
          set inbound [enable|disable]
          set outbound [enable|disable]
          set captive-portal-exempt [enable|disable]
      next
  end

config firewall consolidated policy

Parameter Name Description Type Size
status Enable or disable this policy.
enable: Enable setting.
disable: Disable setting.
option -
name Policy name. string Maximum length: 35
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
srcintf <name> Incoming (ingress) interface.
Interface name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interface.
Interface name.
string Maximum length: 79
srcaddr4 <name> Source IPv4 address name and address group names.
Address name.
string Maximum length: 79
dstaddr4 <name> Destination IPv4 address name and address group names.
Address name.
string Maximum length: 79
srcaddr6 <name> Source IPv6 address name and address group names.
Address name.
string Maximum length: 79
dstaddr6 <name> Destination IPv6 address name and address group names.
Address name.
string Maximum length: 79
srcaddr-negate When enabled, srcaddr specifies what the source address must NOT be.
enable: Enable source address negate.
disable: Disable source address negate.
option -
dstaddr-negate When enabled, dstaddr specifies what the destination address must NOT be.
enable: Enable destination address negate.
disable: Disable destination address negate.
option -
service-negate When enabled, service specifies what the service must NOT be.
enable: Enable negated service match.
disable: Disable negated service match.
option -
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom Internet Service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
internet-service-src Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
enable: Enable use of Internet Services source in policy.
disable: Disable use of Internet Services source in policy.
option -
internet-service-src-id <id> Internet Service source ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-src-group <name> Internet Service source group name.
Internet Service group name.
string Maximum length: 79
internet-service-src-custom <name> Custom Internet Service source name.
Custom Internet Service name.
string Maximum length: 79
internet-service-src-custom-group <name> Custom Internet Service source group name.
Custom Internet Service group name.
string Maximum length: 79
internet-service-negate When enabled, internet-service specifies what the service must NOT be.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-src-negate When enabled, internet-service-src specifies what the service must NOT be.
enable: Enable negated Internet Service source match.
disable: Disable negated Internet Service source match.
option -
action Policy action (accept/deny/ipsec).
accept: Allows sessions that match the firewall policy.
deny: Blocks sessions that match the firewall policy.
ipsec: Firewall policy becomes a policy-based IPsec VPN policy.
option -
schedule Schedule name. string Maximum length: 35
service <name> Service and service group names.
Service name.
string Maximum length: 79
utm-status Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
enable: Enable setting.
disable: Disable setting.
option -
inspection-mode Policy inspection mode (flow/proxy). Default is flow mode.
proxy: Proxy based inspection.
flow: Flow based inspection.
option -
http-policy-redirect Redirect HTTP(S) traffic to matching transparent web proxy policy.
enable: Enable HTTP(S) policy redirect.
disable: Disable HTTP(S) policy redirect.
option -
ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.
option -
webproxy-profile Webproxy profile name. string Maximum length: 63
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
dnsfilter-profile Name of an existing DNS filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
voip-profile Name of an existing VoIP profile. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
logtraffic Enable or disable logging. Log all sessions or security profile sessions.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.
option -
logtraffic-start Record logs when a session starts.
enable: Enable setting.
disable: Disable setting.
option -
auto-asic-offload Enable/disable policy traffic ASIC offloading.
enable: Enable auto ASIC offloading.
disable: Disable ASIC offloading.
option -
groups <name> Names of user groups that can authenticate with this policy.
Group name.
string Maximum length: 79
users <name> Names of individual users that can authenticate with this policy.
User name.
string Maximum length: 79
diffserv-forward Enable to change packet's DiffServ values to the specified diffservcode-forward value.
enable: Enable forward (original) traffic DiffServ.
disable: Disable forward (original) traffic DiffServ.
option -
diffserv-reverse Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
enable: Enable reverse (reply) traffic DiffServ.
disable: Disable reverse (reply) traffic DiffServ.
option -
diffservcode-forward Change packet's DiffServ to this value. user Not Specified
diffservcode-rev Change packet's reverse (reply) DiffServ to this value. user Not Specified
tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
tcp-mss-receiver Receiver TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
webproxy-forward-server Webproxy forward server name. string Maximum length: 63
wanopt Enable/disable WAN optimization.
enable: Enable setting.
disable: Disable setting.
option -
wanopt-detection WAN optimization auto-detection mode.
active: Active WAN optimization peer auto-detection.
passive: Passive WAN optimization peer auto-detection.
off: Turn off WAN optimization peer auto-detection.
option -
wanopt-passive-opt WAN optimization passive mode options. This option decides which IP address is used to connect to the server.
default: Allow the client-side WAN opt peer to decide.
transparent: Use the client's address to connect to the server.
non-transparent: Use the local FortiGate address to connect to the server.
option -
wanopt-profile WAN optimization profile. string Maximum length: 35
wanopt-peer WAN optimization peer. string Maximum length: 35
webcache Enable/disable web cache.
enable: Enable setting.
disable: Disable setting.
option -
webcache-https Enable/disable web cache for HTTPS.
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.
option -
traffic-shaper Traffic shaper. string Maximum length: 35
traffic-shaper-reverse Reverse traffic shaper. string Maximum length: 35
per-ip-shaper Per-IP traffic shaper. string Maximum length: 35
nat Enable/disable source NAT.
enable: Enable setting.
disable: Disable setting.
option -
fixedport Enable to prevent source NAT from changing a session's source port.
enable: Enable setting.
disable: Disable setting.
option -
ippool Enable to use IP Pools for source NAT.
enable: Enable setting.
disable: Disable setting.
option -
poolname4 <name> IPv4 pool names.
IPv4 pool name.
string Maximum length: 79
poolname6 <name> IPv6 pool names.
IPv6 pool name.
string Maximum length: 79
session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). integer Minimum value: 300 Maximum value: 2764800
comments Comment. var-string Maximum length: 1023
vpntunnel Policy-based IPsec VPN: name of the IPsec VPN Phase 1. string Maximum length: 35
inbound Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
outbound Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
captive-portal-exempt Enable exemption of some users from the captive portal.
enable: Enable exemption of captive portal.
disable: Disable exemption of captive portal.
option -
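
The table above states the semantics that matter when reviewing a policy (internet-service overriding dstaddr/service, the -negate switches inverting a match, logtraffic disable silencing a policy, utm-status gating security profiles). The following is an added example, not Fortinet's own code: a small parser and linter for a `config firewall consolidated policy` block that flags those conditions. The config text, interface and address names, and policy IDs are constructed for illustration.

```python
import re

# Constructed sample config (not from the reference page): policy 1 is the
# permissive form, policy 2 is the tighter form a reviewer would expect.
SAMPLE_CONFIG = """\
config firewall consolidated policy
    edit 1
        set name "any-out"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set srcaddr-negate enable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic disable
    next
    edit 2
        set name "web-out"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "lan-clients"
        set dstaddr4 "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
_VALUE_RE = re.compile(r'"[^"]*"|\S+')


def parse_policies(text):
    """Return {policyid: {param: [values]}} for each 'edit ... next' entry."""
    policies, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = policies.setdefault(stripped.split(None, 1)[1].strip('"'), {})
        elif stripped == "next":
            current = None
        elif current is not None:
            m = _SET_RE.match(line)
            if m:
                # Multi-value parameters (srcaddr4, service, ...) are space-separated quoted names.
                current[m.group(1)] = [v.strip('"') for v in _VALUE_RE.findall(m.group(2))]
    return policies


def _first(p, key, default=None):
    """Single-valued parameter lookup; default when the parameter was never set."""
    return p[key][0] if p.get(key) else default


def lint_policy(pid, p):
    """Findings for one policy, based on the semantics given in the parameter table."""
    findings = []
    if _first(p, "status", "enable") == "disable":
        return findings  # inactive policy: nothing to flag
    if _first(p, "action") == "accept" and _first(p, "utm-status") != "enable":
        findings.append(f"policy {pid}: accept without security profiles (utm-status not enabled)")
    if _first(p, "logtraffic") == "disable":
        findings.append(f"policy {pid}: logtraffic disable turns off all logging for this policy")
    for side in ("srcaddr", "dstaddr"):
        if _first(p, f"{side}-negate") == "enable":
            listed = p.get(f"{side}4", []) + p.get(f"{side}6", [])
            findings.append(f"policy {pid}: {side}-negate enable: {listed} are excluded, everything else matches")
    # internet-service replaces dstaddr/service; internet-service-src replaces srcaddr.
    if _first(p, "internet-service") == "enable" and any(p.get(k) for k in ("dstaddr4", "dstaddr6", "service")):
        findings.append(f"policy {pid}: internet-service enable: dstaddr/service entries are ignored")
    if _first(p, "internet-service-src") == "enable" and any(p.get(k) for k in ("srcaddr4", "srcaddr6")):
        findings.append(f"policy {pid}: internet-service-src enable: srcaddr entries are ignored")
    return findings


def lint_config(text):
    """Lint every policy in a config block; returns {policyid: [findings]}."""
    return {pid: lint_policy(pid, p) for pid, p in parse_policies(text).items()}
```

Run `lint_config(SAMPLE_CONFIG)` against a `show firewall consolidated policy` dump to get the same per-policy findings for a live configuration.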