CLI Reference

firewall security-policy

Configure NGFW IPv4/IPv6 application policies.

  config firewall security-policy
      Description: Configure NGFW IPv4/IPv6 application policies.
      edit <policyid>
          set uuid {uuid}
          set name {string}
          set comments {var-string}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr4 <name1>, <name2>, ...
          set dstaddr4 <name1>, <name2>, ...
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-negate [enable|disable]
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set internet-service-src [enable|disable]
          set internet-service-src-id <id1>, <id2>, ...
          set internet-service-src-negate [enable|disable]
          set internet-service-src-group <name1>, <name2>, ...
          set internet-service-src-custom <name1>, <name2>, ...
          set internet-service-src-custom-group <name1>, <name2>, ...
          set enforce-default-app-port [enable|disable]
          set service <name1>, <name2>, ...
          set service-negate [enable|disable]
          set action [accept|deny]
          set send-deny-packet [disable|enable]
          set schedule {string}
          set status [enable|disable]
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set ssh-filter-profile {string}
          set application <id1>, <id2>, ...
          set app-category <id1>, <id2>, ...
          set url-category <id1>, <id2>, ...
          set app-group <name1>, <name2>, ...
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set fsso-groups <name1>, <name2>, ...
      next
  end

config firewall security-policy

Parameter Name Description Type Size
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
name Policy name. string Maximum length: 35
comments Comment. var-string Maximum length: 1023
srcintf <name> Incoming (ingress) interface.
Interface name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interface.
Interface name.
string Maximum length: 79
srcaddr4 <name> Source IPv4 address name and address group names.
Address name.
string Maximum length: 79
dstaddr4 <name> Destination IPv4 address name and address group names.
Address name.
string Maximum length: 79
srcaddr6 <name> Source IPv6 address name and address group names.
Address name.
string Maximum length: 79
dstaddr6 <name> Destination IPv6 address name and address group names.
Address name.
string Maximum length: 79
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-negate When enabled, internet-service specifies what the service must NOT be.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom Internet Service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
internet-service-src Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
enable: Enable use of Internet Services source in policy.
disable: Disable use of Internet Services source in policy.
option -
internet-service-src-id <id> Internet Service source ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-src-negate When enabled, internet-service-src specifies what the service must NOT be.
enable: Enable negated Internet Service source match.
disable: Disable negated Internet Service source match.
option -
internet-service-src-group <name> Internet Service source group name.
Internet Service group name.
string Maximum length: 79
internet-service-src-custom <name> Custom Internet Service source name.
Custom Internet Service name.
string Maximum length: 79
internet-service-src-custom-group <name> Custom Internet Service source group name.
Custom Internet Service group name.
string Maximum length: 79
enforce-default-app-port Enable/disable default application port enforcement for allowed applications.
enable: Enable setting.
disable: Disable setting.
option -
service <name> Service and service group names.
Service name.
string Maximum length: 79
service-negate When enabled, service specifies what the service must NOT be.
enable: Enable negated service match.
disable: Disable negated service match.
option -
action Policy action (accept/deny).
accept: Allows sessions that match the firewall policy.
deny: Blocks sessions that match the firewall policy.
option -
send-deny-packet Enable to send a reply when a session is denied or blocked by a firewall policy.
disable: Disable deny-packet sending.
enable: Enable deny-packet sending.
option -
schedule Schedule name. string Maximum length: 35
status Enable or disable this policy.
enable: Enable setting.
disable: Disable setting.
option -
logtraffic Enable or disable logging. Log all sessions or security profile sessions.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.
option -
logtraffic-start Record logs when a session starts.
enable: Enable setting.
disable: Disable setting.
option -
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
dnsfilter-profile Name of an existing DNS filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
voip-profile Name of an existing VoIP profile. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
application <id> Application ID list.
Application IDs.
integer Minimum value: 0 Maximum value: 4294967295
app-category <id> Application category ID list.
Category IDs.
integer Minimum value: 0 Maximum value: 4294967295
url-category <id> URL category ID list.
URL category ID.
integer Minimum value: 0 Maximum value: 4294967295
app-group <name> Application group names.
Application group names.
string Maximum length: 79
groups <name> Names of user groups that can authenticate with this policy.
User group name.
string Maximum length: 79
users <name> Names of individual users that can authenticate with this policy.
User name.
string Maximum length: 79
fsso-groups <name> Names of FSSO groups.
Names of FSSO groups.
string Maximum length: 511
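The following is an added example and is not Fortinet code or part of this reference. It parses the `config` / `edit` / `set` / `next` / `end` syntax shown above into a dictionary per policy, then audits each policy against semantics stated on this page: `internet-service enable` makes `dstaddr4`, `dstaddr6` and `service` unused; `internet-service-src enable` makes the source addresses unused; `logtraffic utm` logs only traffic that has a security profile applied; `profile-type group` expects a `profile-group`; and `name`, `comments` and `schedule` have maximum lengths. The sample configuration, its interface, address, profile names and the Internet Service ID are all constructed for illustration and are not real objects from any device. Values are accepted either space-separated (as the CLI prints them) or comma-separated (as this page's syntax summary writes them).

```python
import shlex

# Constructed sample: three policies in the syntax documented above.
# Names and the Internet Service ID are placeholders, not real objects.
SAMPLE_CONFIG = """\
config firewall security-policy
    edit 1
        set name "allow-web-from-lan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "lan-net"
        set dstaddr4 "all"
        set service "HTTP" "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
        set ips-sensor "default"
        set application-list "default"
        set enforce-default-app-port enable
    next
    edit 2
        set name "saas-via-isdb"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "lan-net"
        set dstaddr4 "all"
        set internet-service enable
        set internet-service-id 65536
        set action accept
        set schedule "always"
        set logtraffic disable
    next
    edit 3
        set name "deny-rest"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set service "ALL"
        set action deny
        set schedule "always"
        set logtraffic all
        set send-deny-packet enable
    next
end
"""

# Security-profile parameters listed in the reference table above.
PROFILE_PARAMS = (
    "profile-group", "av-profile", "webfilter-profile", "dnsfilter-profile",
    "emailfilter-profile", "dlp-sensor", "ips-sensor", "application-list",
    "voip-profile", "icap-profile", "cifs-profile", "ssh-filter-profile",
)
# Destination and source Internet Service selectors.
ISDB_DST = ("internet-service-id", "internet-service-group",
            "internet-service-custom", "internet-service-custom-group")
ISDB_SRC = tuple(p.replace("internet-service", "internet-service-src") for p in ISDB_DST)
# Size limits taken from the table above.
MAX_LEN = {"name": 35, "comments": 1023, "schedule": 35}


def parse_security_policies(text):
    """Return {policyid: {parameter: [values]}} for one security-policy block."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)          # handles quoted names with spaces
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            current = policies.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) >= 2:
            current[tokens[1]] = [t.rstrip(",") for t in tokens[2:]]
        elif tokens[0] == "next":
            current = None
    return policies


def first(policy, param):
    values = policy.get(param)
    return values[0] if values else None


def audit_policy(policy):
    """Return a list of findings for one parsed policy (empty list if clean)."""
    findings = []
    action, logging = first(policy, "action"), first(policy, "logtraffic")
    has_profile = any(policy.get(p) for p in PROFILE_PARAMS)

    if first(policy, "internet-service") == "enable":
        if not any(policy.get(p) for p in ISDB_DST):
            findings.append("internet-service enabled but no Internet Service selected")
        for shadowed in ("dstaddr4", "dstaddr6", "service"):
            if policy.get(shadowed):   # set, but not used once internet-service is enabled
                findings.append(f"{shadowed} is ignored while internet-service is enabled")
    if first(policy, "internet-service-src") == "enable":
        if not any(policy.get(p) for p in ISDB_SRC):
            findings.append("internet-service-src enabled but no Internet Service source selected")
        for shadowed in ("srcaddr4", "srcaddr6"):
            if policy.get(shadowed):
                findings.append(f"{shadowed} is ignored while internet-service-src is enabled")

    if action == "accept":
        if not has_profile:
            findings.append("accept policy with no security profile attached")
        if logging == "disable":
            findings.append("accept policy with logging disabled")
        elif logging is None:
            findings.append("accept policy with logtraffic not set (verify the default)")
        elif logging == "utm" and not has_profile:
            findings.append("logtraffic utm logs nothing because no security profile is applied")
    if first(policy, "profile-type") == "group" and not policy.get("profile-group"):
        findings.append("profile-type group without a profile-group")
    for param, limit in MAX_LEN.items():
        value = first(policy, param)
        if value is not None and len(value) > limit:
            findings.append(f"{param} exceeds maximum length {limit}")
    return findings


def audit_config(text):
    """Map policy ID to its findings, keeping only policies that have any."""
    report = {}
    for policyid, policy in parse_security_policies(text).items():
        findings = audit_policy(policy)
        if findings:
            report[policyid] = findings
    return report


if __name__ == "__main__":
    for policyid, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"policy {policyid}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample, only policy 2 is reported: its `dstaddr4 "all"` is set but unused because `internet-service` is enabled, it accepts traffic with no security profile, and it logs nothing. Policies 1 and 3 come back clean. The check for a missing `logtraffic` is deliberately phrased as "verify the default" because this page does not state the default value.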