Fortinet black logo

CLI Reference

firewall policy

Configure IPv4 policies.

  config firewall policy
      Description: Configure IPv4 policies.
      edit <policyid>
          set name {string}
          set uuid {uuid}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set internet-service-src [enable|disable]
          set internet-service-src-id <id1>, <id2>, ...
          set internet-service-src-group <name1>, <name2>, ...
          set internet-service-src-custom <name1>, <name2>, ...
          set internet-service-src-custom-group <name1>, <name2>, ...
          set reputation-minimum {integer}
          set reputation-direction [source|destination]
          set rtp-nat [disable|enable]
          set rtp-addr <name1>, <name2>, ...
          set action [accept|deny|...]
          set send-deny-packet [disable|enable]
          set firewall-session-dirty [check-all|check-new]
          set status [enable|disable]
          set schedule {string}
          set schedule-timeout [enable|disable]
          set service <name1>, <name2>, ...
          set tos {user}
          set tos-mask {user}
          set tos-negate [enable|disable]
          set anti-replay [enable|disable]
          set tcp-session-without-syn [all|data-only|...]
          set geoip-anycast [enable|disable]
          set utm-status [enable|disable]
          set inspection-mode [proxy|flow]
          set http-policy-redirect [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-profile {string}
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set capture-packet [enable|disable]
          set auto-asic-offload [enable|disable]
          set np-acceleration [enable|disable]
          set wanopt [enable|disable]
          set wanopt-detection [active|passive|...]
          set wanopt-passive-opt [default|transparent|...]
          set wanopt-profile {string}
          set wanopt-peer {string}
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set webproxy-forward-server {string}
          set traffic-shaper {string}
          set traffic-shaper-reverse {string}
          set per-ip-shaper {string}
          set application <id1>, <id2>, ...
          set app-category <id1>, <id2>, ...
          set url-category <id1>, <id2>, ...
          set app-group <name1>, <name2>, ...
          set nat [enable|disable]
          set permit-any-host [enable|disable]
          set permit-stun-host [enable|disable]
          set fixedport [enable|disable]
          set ippool [enable|disable]
          set poolname <name1>, <name2>, ...
          set session-ttl {user}
          set vlan-cos-fwd {integer}
          set vlan-cos-rev {integer}
          set inbound [enable|disable]
          set outbound [enable|disable]
          set natinbound [enable|disable]
          set natoutbound [enable|disable]
          set wccp [enable|disable]
          set ntlm [enable|disable]
          set ntlm-guest [enable|disable]
          set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
          set fsso [enable|disable]
          set wsso [enable|disable]
          set rsso [enable|disable]
          set fsso-agent-for-ntlm {string}
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set fsso-groups <name1>, <name2>, ...
          set auth-path [enable|disable]
          set disclaimer [enable|disable]
          set email-collect [enable|disable]
          set vpntunnel {string}
          set natip {ipv4-classnet}
          set match-vip [enable|disable]
          set match-vip-only [enable|disable]
          set diffserv-forward [enable|disable]
          set diffserv-reverse [enable|disable]
          set diffservcode-forward {user}
          set diffservcode-rev {user}
          set tcp-mss-sender {integer}
          set tcp-mss-receiver {integer}
          set comments {var-string}
          set auth-cert {string}
          set auth-redirect-addr {string}
          set redirect-url {string}
          set identity-based-route {string}
          set block-notification [enable|disable]
          set custom-log-fields <field-id1>, <field-id2>, ...
          set replacemsg-override-group {string}
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-src-negate [enable|disable]
          set timeout-send-rst [enable|disable]
          set captive-portal-exempt [enable|disable]
          set ssl-mirror [enable|disable]
          set ssl-mirror-intf <name1>, <name2>, ...
          set dsri [enable|disable]
          set radius-mac-auth-bypass [enable|disable]
          set delay-tcp-npu-session [enable|disable]
          set vlan-filter {user}
      next
  end

config firewall policy

Parameter Name Description Type Size
name Policy name. string Maximum length: 35
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
srcintf <name> Incoming (ingress) interface.
Interface name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interface.
Interface name.
string Maximum length: 79
srcaddr <name> Source address and address group names.
Address name.
string Maximum length: 79
dstaddr <name> Destination address and address group names.
Address name.
string Maximum length: 79
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom Internet Service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
internet-service-src Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
enable: Enable use of Internet Services source in policy.
disable: Disable use of Internet Services source in policy.
option -
internet-service-src-id <id> Internet Service source ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-src-group <name> Internet Service source group name.
Internet Service group name.
string Maximum length: 79
internet-service-src-custom <name> Custom Internet Service source name.
Custom Internet Service name.
string Maximum length: 79
internet-service-src-custom-group <name> Custom Internet Service source group name.
Custom Internet Service group name.
string Maximum length: 79
reputation-minimum Minimum Reputation to take action. integer Minimum value: 0 Maximum value: 4294967295
reputation-direction Direction of the initial traffic for reputation to take effect.
source: Check reputation for source address.
destination: Check reputation for destination address.
option -
rtp-nat Enable Real Time Protocol (RTP) NAT.
disable: Disable setting.
enable: Enable setting.
option -
rtp-addr <name> Address names if this is an RTP NAT policy.
Address name.
string Maximum length: 79
action Policy action (allow/deny/ipsec).
accept: Allows session that match the firewall policy.
deny: Blocks sessions that match the firewall policy.
ipsec: Firewall policy becomes a policy-based IPsec VPN policy.
option -
send-deny-packet Enable to send a reply when a session is denied or blocked by a firewall policy.
disable: Disable deny-packet sending.
enable: Enable deny-packet sending.
option -
firewall-session-dirty How to handle sessions if the configuration of this firewall policy changes.
check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.
check-new: Continue to allow sessions already accepted by this policy.
option -
status Enable or disable this policy.
enable: Enable setting.
disable: Disable setting.
option -
schedule Schedule name. string Maximum length: 35
schedule-timeout Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
enable: Enable schedule timeout.
disable: Disable schedule timeout.
option -
service <name> Service and service group names.
Service and service group names.
string Maximum length: 79
tos ToS (Type of Service) value used for comparison. user Not Specified
tos-mask Non-zero bit positions are used for comparison while zero bit positions are ignored. user Not Specified
tos-negate Enable negated TOS match.
enable: Enable TOS match negate.
disable: Disable TOS match negate.
option -
anti-replay Enable/disable anti-replay check.
enable: Enable anti-replay check.
disable: Disable anti-replay check.
option -
tcp-session-without-syn Enable/disable creation of TCP session without SYN flag.
all: Enable TCP session without SYN.
data-only: Enable TCP session data only.
disable: Disable TCP session without SYN.
option -
geoip-anycast Enable/disable recognition of anycast IP addresses using the geography IP database.
enable: Enable recognition of anycast IP addresses using the geography IP database.
disable: Disable recognition of anycast IP addresses using the geography IP database.
option -
utm-status Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
enable: Enable setting.
disable: Disable setting.
option -
inspection-mode Policy inspection mode (Flow/proxy). Default is Flow mode.
proxy: Proxy based inspection.
flow: Flow based inspection.
option -
http-policy-redirect Redirect HTTP(S) traffic to matching transparent web proxy policy.
enable: Enable HTTP(S) policy redirect.
disable: Disable HTTP(S) policy redirect.
option -
ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.
option -
webproxy-profile Webproxy profile name. string Maximum length: 63
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
dnsfilter-profile Name of an existing DNS filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
voip-profile Name of an existing VoIP profile. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
logtraffic Enable or disable logging. Log all sessions or security profile sessions.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.
option -
logtraffic-start Record logs when a session starts.
enable: Enable setting.
disable: Disable setting.
option -
capture-packet Enable/disable capture packets.
enable: Enable capture packets.
disable: Disable capture packets.
option -
auto-asic-offload Enable/disable policy traffic ASIC offloading.
enable: Enable auto ASIC offloading.
disable: Disable ASIC offloading.
option -
np-acceleration Enable/disable UTM Network Processor acceleration.
enable: Enable UTM Network Processor acceleration.
disable: Disable UTM Network Processor acceleration.
option -
wanopt Enable/disable WAN optimization.
enable: Enable setting.
disable: Disable setting.
option -
wanopt-detection WAN optimization auto-detection mode.
active: Active WAN optimization peer auto-detection.
passive: Passive WAN optimization peer auto-detection.
off: Turn off WAN optimization peer auto-detection.
option -
wanopt-passive-opt WAN optimization passive mode options. This option decides what IP address will be used to connect server.
default: Allow client side WAN opt peer to decide.
transparent: Use address of client to connect to server.
non-transparent: Use local FortiGate address to connect to server.
option -
wanopt-profile WAN optimization profile. string Maximum length: 35
wanopt-peer WAN optimization peer. string Maximum length: 35
webcache Enable/disable web cache.
enable: Enable setting.
disable: Disable setting.
option -
webcache-https Enable/disable web cache for HTTPS.
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.
option -
webproxy-forward-server Webproxy forward server name. string Maximum length: 63
traffic-shaper Traffic shaper. string Maximum length: 35
traffic-shaper-reverse Reverse traffic shaper. string Maximum length: 35
per-ip-shaper Per-IP traffic shaper. string Maximum length: 35
application <id> Application ID list.
Application IDs.
integer Minimum value: 0 Maximum value: 4294967295
app-category <id> Application category ID list.
Category IDs.
integer Minimum value: 0 Maximum value: 4294967295
url-category <id> URL category ID list.
URL category ID.
integer Minimum value: 0 Maximum value: 4294967295
app-group <name> Application group names.
Application group names.
string Maximum length: 79
nat Enable/disable source NAT.
enable: Enable setting.
disable: Disable setting.
option -
permit-any-host Accept UDP packets from any host.
enable: Enable setting.
disable: Disable setting.
option -
permit-stun-host Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
enable: Enable setting.
disable: Disable setting.
option -
fixedport Enable to prevent source NAT from changing a session's source port.
enable: Enable setting.
disable: Disable setting.
option -
ippool Enable to use IP Pools for source NAT.
enable: Enable setting.
disable: Disable setting.
option -
poolname <name> IP Pool names.
IP pool name.
string Maximum length: 79
session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). user Not Specified
vlan-cos-fwd VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. integer Minimum value: 0 Maximum value: 7
vlan-cos-rev VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. integer Minimum value: 0 Maximum value: 7
inbound Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
outbound Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
natinbound Policy-based IPsec VPN: apply destination NAT to inbound traffic.
enable: Enable setting.
disable: Disable setting.
option -
natoutbound Policy-based IPsec VPN: apply source NAT to outbound traffic.
enable: Enable setting.
disable: Disable setting.
option -
wccp Enable/disable forwarding traffic matching this policy to a configured WCCP server.
enable: Enable WCCP setting.
disable: Disable WCCP setting.
option -
ntlm Enable/disable NTLM authentication.
enable: Enable setting.
disable: Disable setting.
option -
ntlm-guest Enable/disable NTLM guest user access.
enable: Enable setting.
disable: Disable setting.
option -
ntlm-enabled-browsers <user-agent-string> HTTP-User-Agent value of supported browsers.
User agent string.
string Maximum length: 79
fsso Enable/disable Fortinet Single Sign-On.
enable: Enable setting.
disable: Disable setting.
option -
wsso Enable/disable WiFi Single Sign On (WSSO).
enable: Enable setting.
disable: Disable setting.
option -
rsso Enable/disable RADIUS single sign-on (RSSO).
enable: Enable setting.
disable: Disable setting.
option -
fsso-agent-for-ntlm FSSO agent to use for NTLM authentication. string Maximum length: 35
groups <name> Names of user groups that can authenticate with this policy.
Group name.
string Maximum length: 79
users <name> Names of individual users that can authenticate with this policy.
Names of individual users that can authenticate with this policy.
string Maximum length: 79
fsso-groups <name> Names of FSSO groups.
Names of FSSO groups.
string Maximum length: 511
auth-path Enable/disable authentication-based routing.
enable: Enable authentication-based routing.
disable: Disable authentication-based routing.
option -
disclaimer Enable/disable user authentication disclaimer.
enable: Enable user authentication disclaimer.
disable: Disable user authentication disclaimer.
option -
email-collect Enable/disable email collection.
enable: Enable email collection.
disable: Disable email collection.
option -
vpntunnel Policy-based IPsec VPN: name of the IPsec VPN Phase 1. string Maximum length: 35
natip Policy-based IPsec VPN: source NAT IP address for outgoing traffic. ipv4-classnet Not Specified
match-vip Enable to match packets that have had their destination addresses changed by a VIP.
enable: Match DNATed packet.
disable: Do not match DNATed packet.
option -
match-vip-only Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
enable: Enable matching of only those packets that have had their destination addresses changed by a VIP.
disable: Disable matching of only those packets that have had their destination addresses changed by a VIP.
option -
diffserv-forward Enable to change packet's DiffServ values to the specified diffservcode-forward value.
enable: Enable setting forward (original) traffic Diffserv.
disable: Disable setting forward (original) traffic Diffserv.
option -
diffserv-reverse Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
enable: Enable setting reverse (reply) traffic DiffServ.
disable: Disable setting reverse (reply) traffic DiffServ.
option -
diffservcode-forward Change packet's DiffServ to this value. user Not Specified
diffservcode-rev Change packet's reverse (reply) DiffServ to this value. user Not Specified
tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
tcp-mss-receiver Receiver TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
comments Comment. var-string Maximum length: 1023
auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. string Maximum length: 63
redirect-url URL users are directed to after seeing and accepting the disclaimer or authenticating. string Maximum length: 255
identity-based-route Name of identity-based routing rule. string Maximum length: 35
block-notification Enable/disable block notification.
enable: Enable setting.
disable: Disable setting.
option -
custom-log-fields <field-id> Custom fields to append to log messages for this policy.
Custom log field.
string Maximum length: 35
replacemsg-override-group Override the default replacement message group for this policy. string Maximum length: 35
srcaddr-negate When enabled srcaddr specifies what the source address must NOT be.
enable: Enable source address negate.
disable: Disable source address negate.
option -
dstaddr-negate When enabled dstaddr specifies what the destination address must NOT be.
enable: Enable destination address negate.
disable: Disable destination address negate.
option -
service-negate When enabled service specifies what the service must NOT be.
enable: Enable negated service match.
disable: Disable negated service match.
option -
internet-service-negate When enabled internet-service specifies what the service must NOT be.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-src-negate When enabled internet-service-src specifies what the service must NOT be.
enable: Enable negated Internet Service source match.
disable: Disable negated Internet Service source match.
option -
timeout-send-rst Enable/disable sending RST packets when TCP sessions expire.
enable: Enable sending of RST packet upon TCP session expiration.
disable: Disable sending of RST packet upon TCP session expiration.
option -
captive-portal-exempt Enable to exempt some users from the captive portal.
enable: Enable exemption of captive portal.
disable: Disable exemption of captive portal.
option -
ssl-mirror Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
enable: Enable SSL mirror.
disable: Disable SSL mirror.
option -
ssl-mirror-intf <name> SSL mirror interface name.
Mirror Interface name.
string Maximum length: 79
dsri Enable DSRI to ignore HTTP server responses.
enable: Enable DSRI.
disable: Disable DSRI.
option -
radius-mac-auth-bypass Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
enable: Enable MAC authentication bypass.
disable: Disable MAC authentication bypass.
option -
delay-tcp-npu-session Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
option -
vlan-filter Set VLAN filters. user Not Specified

Configure IPv4 policies.

  config firewall policy
      Description: Configure IPv4 policies.
      edit <policyid>
          set name {string}
          set uuid {uuid}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-id <id1>, <id2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set internet-service-src [enable|disable]
          set internet-service-src-id <id1>, <id2>, ...
          set internet-service-src-group <name1>, <name2>, ...
          set internet-service-src-custom <name1>, <name2>, ...
          set internet-service-src-custom-group <name1>, <name2>, ...
          set reputation-minimum {integer}
          set reputation-direction [source|destination]
          set rtp-nat [disable|enable]
          set rtp-addr <name1>, <name2>, ...
          set action [accept|deny|...]
          set send-deny-packet [disable|enable]
          set firewall-session-dirty [check-all|check-new]
          set status [enable|disable]
          set schedule {string}
          set schedule-timeout [enable|disable]
          set service <name1>, <name2>, ...
          set tos {user}
          set tos-mask {user}
          set tos-negate [enable|disable]
          set anti-replay [enable|disable]
          set tcp-session-without-syn [all|data-only|...]
          set geoip-anycast [enable|disable]
          set utm-status [enable|disable]
          set inspection-mode [proxy|flow]
          set http-policy-redirect [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-profile {string}
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set capture-packet [enable|disable]
          set auto-asic-offload [enable|disable]
          set np-acceleration [enable|disable]
          set wanopt [enable|disable]
          set wanopt-detection [active|passive|...]
          set wanopt-passive-opt [default|transparent|...]
          set wanopt-profile {string}
          set wanopt-peer {string}
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set webproxy-forward-server {string}
          set traffic-shaper {string}
          set traffic-shaper-reverse {string}
          set per-ip-shaper {string}
          set application <id1>, <id2>, ...
          set app-category <id1>, <id2>, ...
          set url-category <id1>, <id2>, ...
          set app-group <name1>, <name2>, ...
          set nat [enable|disable]
          set permit-any-host [enable|disable]
          set permit-stun-host [enable|disable]
          set fixedport [enable|disable]
          set ippool [enable|disable]
          set poolname <name1>, <name2>, ...
          set session-ttl {user}
          set vlan-cos-fwd {integer}
          set vlan-cos-rev {integer}
          set inbound [enable|disable]
          set outbound [enable|disable]
          set natinbound [enable|disable]
          set natoutbound [enable|disable]
          set wccp [enable|disable]
          set ntlm [enable|disable]
          set ntlm-guest [enable|disable]
          set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
          set fsso [enable|disable]
          set wsso [enable|disable]
          set rsso [enable|disable]
          set fsso-agent-for-ntlm {string}
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set fsso-groups <name1>, <name2>, ...
          set auth-path [enable|disable]
          set disclaimer [enable|disable]
          set email-collect [enable|disable]
          set vpntunnel {string}
          set natip {ipv4-classnet}
          set match-vip [enable|disable]
          set match-vip-only [enable|disable]
          set diffserv-forward [enable|disable]
          set diffserv-reverse [enable|disable]
          set diffservcode-forward {user}
          set diffservcode-rev {user}
          set tcp-mss-sender {integer}
          set tcp-mss-receiver {integer}
          set comments {var-string}
          set auth-cert {string}
          set auth-redirect-addr {string}
          set redirect-url {string}
          set identity-based-route {string}
          set block-notification [enable|disable]
          set custom-log-fields <field-id1>, <field-id2>, ...
          set replacemsg-override-group {string}
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-src-negate [enable|disable]
          set timeout-send-rst [enable|disable]
          set captive-portal-exempt [enable|disable]
          set ssl-mirror [enable|disable]
          set ssl-mirror-intf <name1>, <name2>, ...
          set dsri [enable|disable]
          set radius-mac-auth-bypass [enable|disable]
          set delay-tcp-npu-session [enable|disable]
          set vlan-filter {user}
      next
  end

config firewall policy

Parameter Name Description Type Size
name Policy name. string Maximum length: 35
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
srcintf <name> Incoming (ingress) interface.
Interface name.
string Maximum length: 79
dstintf <name> Outgoing (egress) interface.
Interface name.
string Maximum length: 79
srcaddr <name> Source address and address group names.
Address name.
string Maximum length: 79
dstaddr <name> Destination address and address group names.
Address name.
string Maximum length: 79
internet-service Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.
option -
internet-service-id <id> Internet Service ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-group <name> Internet Service group name.
Internet Service group name.
string Maximum length: 79
internet-service-custom <name> Custom Internet Service name.
Custom Internet Service name.
string Maximum length: 79
internet-service-custom-group <name> Custom Internet Service group name.
Custom Internet Service group name.
string Maximum length: 79
internet-service-src Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
enable: Enable use of Internet Services source in policy.
disable: Disable use of Internet Services source in policy.
option -
internet-service-src-id <id> Internet Service source ID.
Internet Service ID.
integer Minimum value: 0 Maximum value: 4294967295
internet-service-src-group <name> Internet Service source group name.
Internet Service group name.
string Maximum length: 79
internet-service-src-custom <name> Custom Internet Service source name.
Custom Internet Service name.
string Maximum length: 79
internet-service-src-custom-group <name> Custom Internet Service source group name.
Custom Internet Service group name.
string Maximum length: 79
reputation-minimum Minimum Reputation to take action. integer Minimum value: 0 Maximum value: 4294967295
reputation-direction Direction of the initial traffic for reputation to take effect.
source: Check reputation for source address.
destination: Check reputation for destination address.
option -
rtp-nat Enable Real Time Protocol (RTP) NAT.
disable: Disable setting.
enable: Enable setting.
option -
rtp-addr <name> Address names if this is an RTP NAT policy.
Address name.
string Maximum length: 79
action Policy action (allow/deny/ipsec).
accept: Allows session that match the firewall policy.
deny: Blocks sessions that match the firewall policy.
ipsec: Firewall policy becomes a policy-based IPsec VPN policy.
option -
send-deny-packet Enable to send a reply when a session is denied or blocked by a firewall policy.
disable: Disable deny-packet sending.
enable: Enable deny-packet sending.
option -
firewall-session-dirty How to handle sessions if the configuration of this firewall policy changes.
check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.
check-new: Continue to allow sessions already accepted by this policy.
option -
status Enable or disable this policy.
enable: Enable setting.
disable: Disable setting.
option -
schedule Schedule name. string Maximum length: 35
schedule-timeout Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
enable: Enable schedule timeout.
disable: Disable schedule timeout.
option -
service <name> Service and service group names.
Service and service group names.
string Maximum length: 79
tos ToS (Type of Service) value used for comparison. user Not Specified
tos-mask Non-zero bit positions are used for comparison while zero bit positions are ignored. user Not Specified
tos-negate Enable negated TOS match.
enable: Enable TOS match negate.
disable: Disable TOS match negate.
option -
anti-replay Enable/disable anti-replay check.
enable: Enable anti-replay check.
disable: Disable anti-replay check.
option -
tcp-session-without-syn Enable/disable creation of TCP session without SYN flag.
all: Enable TCP session without SYN.
data-only: Enable TCP session data only.
disable: Disable TCP session without SYN.
option -
geoip-anycast Enable/disable recognition of anycast IP addresses using the geography IP database.
enable: Enable recognition of anycast IP addresses using the geography IP database.
disable: Disable recognition of anycast IP addresses using the geography IP database.
option -
utm-status Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
enable: Enable setting.
disable: Disable setting.
option -
inspection-mode Policy inspection mode (Flow/proxy). Default is Flow mode.
proxy: Proxy based inspection.
flow: Flow based inspection.
option -
http-policy-redirect Redirect HTTP(S) traffic to matching transparent web proxy policy.
enable: Enable HTTP(S) policy redirect.
disable: Disable HTTP(S) policy redirect.
option -
ssh-policy-redirect Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.
option -
webproxy-profile Webproxy profile name. string Maximum length: 63
profile-type Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.
option -
profile-group Name of profile group. string Maximum length: 35
profile-protocol-options Name of an existing Protocol options profile. string Maximum length: 35
ssl-ssh-profile Name of an existing SSL SSH profile. string Maximum length: 35
av-profile Name of an existing Antivirus profile. string Maximum length: 35
webfilter-profile Name of an existing Web filter profile. string Maximum length: 35
dnsfilter-profile Name of an existing DNS filter profile. string Maximum length: 35
emailfilter-profile Name of an existing email filter profile. string Maximum length: 35
dlp-sensor Name of an existing DLP sensor. string Maximum length: 35
ips-sensor Name of an existing IPS sensor. string Maximum length: 35
application-list Name of an existing Application list. string Maximum length: 35
voip-profile Name of an existing VoIP profile. string Maximum length: 35
icap-profile Name of an existing ICAP profile. string Maximum length: 35
cifs-profile Name of an existing CIFS profile. string Maximum length: 35
waf-profile Name of an existing Web application firewall profile. string Maximum length: 35
ssh-filter-profile Name of an existing SSH filter profile. string Maximum length: 35
logtraffic Enable or disable logging. Log all sessions or security profile sessions.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.
option -
logtraffic-start Record logs when a session starts.
enable: Enable setting.
disable: Disable setting.
option -
capture-packet Enable/disable capture packets.
enable: Enable capture packets.
disable: Disable capture packets.
option -
auto-asic-offload Enable/disable policy traffic ASIC offloading.
enable: Enable auto ASIC offloading.
disable: Disable ASIC offloading.
option -
np-acceleration Enable/disable UTM Network Processor acceleration.
enable: Enable UTM Network Processor acceleration.
disable: Disable UTM Network Processor acceleration.
option -
wanopt Enable/disable WAN optimization.
enable: Enable setting.
disable: Disable setting.
option -
wanopt-detection WAN optimization auto-detection mode.
active: Active WAN optimization peer auto-detection.
passive: Passive WAN optimization peer auto-detection.
off: Turn off WAN optimization peer auto-detection.
option -
wanopt-passive-opt WAN optimization passive mode options. This option decides what IP address will be used to connect server.
default: Allow client side WAN opt peer to decide.
transparent: Use address of client to connect to server.
non-transparent: Use local FortiGate address to connect to server.
option -
wanopt-profile WAN optimization profile. string Maximum length: 35
wanopt-peer WAN optimization peer. string Maximum length: 35
webcache Enable/disable web cache.
enable: Enable setting.
disable: Disable setting.
option -
webcache-https Enable/disable web cache for HTTPS.
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.
option -
webproxy-forward-server Webproxy forward server name. string Maximum length: 63
traffic-shaper Traffic shaper. string Maximum length: 35
traffic-shaper-reverse Reverse traffic shaper. string Maximum length: 35
per-ip-shaper Per-IP traffic shaper. string Maximum length: 35
application <id> Application ID list.
Application IDs.
integer Minimum value: 0 Maximum value: 4294967295
app-category <id> Application category ID list.
Category IDs.
integer Minimum value: 0 Maximum value: 4294967295
url-category <id> URL category ID list.
URL category ID.
integer Minimum value: 0 Maximum value: 4294967295
app-group <name> Application group names.
Application group names.
string Maximum length: 79
nat Enable/disable source NAT.
enable: Enable setting.
disable: Disable setting.
option -
permit-any-host Accept UDP packets from any host.
enable: Enable setting.
disable: Disable setting.
option -
permit-stun-host Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
enable: Enable setting.
disable: Disable setting.
option -
fixedport Enable to prevent source NAT from changing a session's source port.
enable: Enable setting.
disable: Disable setting.
option -
ippool Enable to use IP Pools for source NAT.
enable: Enable setting.
disable: Disable setting.
option -
poolname <name> IP Pool names.
IP pool name.
string Maximum length: 79
session-ttl TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). user Not Specified
vlan-cos-fwd VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. integer Minimum value: 0 Maximum value: 7
vlan-cos-rev VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. integer Minimum value: 0 Maximum value: 7
inbound Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
outbound Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.
option -
natinbound Policy-based IPsec VPN: apply destination NAT to inbound traffic.
enable: Enable setting.
disable: Disable setting.
option -
natoutbound Policy-based IPsec VPN: apply source NAT to outbound traffic.
enable: Enable setting.
disable: Disable setting.
option -
wccp Enable/disable forwarding traffic matching this policy to a configured WCCP server.
enable: Enable WCCP setting.
disable: Disable WCCP setting.
option -
ntlm Enable/disable NTLM authentication.
enable: Enable setting.
disable: Disable setting.
option -
ntlm-guest Enable/disable NTLM guest user access.
enable: Enable setting.
disable: Disable setting.
option -
ntlm-enabled-browsers <user-agent-string> HTTP-User-Agent value of supported browsers.
User agent string.
string Maximum length: 79
fsso Enable/disable Fortinet Single Sign-On.
enable: Enable setting.
disable: Disable setting.
option -
wsso Enable/disable WiFi Single Sign On (WSSO).
enable: Enable setting.
disable: Disable setting.
option -
rsso Enable/disable RADIUS single sign-on (RSSO).
enable: Enable setting.
disable: Disable setting.
option -
fsso-agent-for-ntlm FSSO agent to use for NTLM authentication. string Maximum length: 35
groups <name> Names of user groups that can authenticate with this policy.
Group name.
string Maximum length: 79
users <name> Names of individual users that can authenticate with this policy.
Names of individual users that can authenticate with this policy.
string Maximum length: 79
fsso-groups <name> Names of FSSO groups.
Names of FSSO groups.
string Maximum length: 511
auth-path Enable/disable authentication-based routing.
enable: Enable authentication-based routing.
disable: Disable authentication-based routing.
option -
disclaimer Enable/disable user authentication disclaimer.
enable: Enable user authentication disclaimer.
disable: Disable user authentication disclaimer.
option -
email-collect Enable/disable email collection.
enable: Enable email collection.
disable: Disable email collection.
option -
vpntunnel Policy-based IPsec VPN: name of the IPsec VPN Phase 1. string Maximum length: 35
natip Policy-based IPsec VPN: source NAT IP address for outgoing traffic. ipv4-classnet Not Specified
match-vip Enable to match packets that have had their destination addresses changed by a VIP.
enable: Match DNATed packet.
disable: Do not match DNATed packet.
option -
match-vip-only Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
enable: Enable matching of only those packets that have had their destination addresses changed by a VIP.
disable: Disable matching of only those packets that have had their destination addresses changed by a VIP.
option -
diffserv-forward Enable to change packet's DiffServ values to the specified diffservcode-forward value.
enable: Enable setting forward (original) traffic Diffserv.
disable: Disable setting forward (original) traffic Diffserv.
option -
diffserv-reverse Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
enable: Enable setting reverse (reply) traffic DiffServ.
disable: Disable setting reverse (reply) traffic DiffServ.
option -
diffservcode-forward Change packet's DiffServ to this value. user Not Specified
diffservcode-rev Change packet's reverse (reply) DiffServ to this value. user Not Specified
tcp-mss-sender Sender TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
tcp-mss-receiver Receiver TCP maximum segment size (MSS). integer Minimum value: 0 Maximum value: 65535
comments Comment. var-string Maximum length: 1023
auth-cert HTTPS server certificate for policy authentication. string Maximum length: 35
auth-redirect-addr HTTP-to-HTTPS redirect address for firewall authentication. string Maximum length: 63
redirect-url URL users are directed to after seeing and accepting the disclaimer or authenticating. string Maximum length: 255
identity-based-route Name of identity-based routing rule. string Maximum length: 35
block-notification Enable/disable block notification.
enable: Enable setting.
disable: Disable setting.
option -
custom-log-fields <field-id> Custom fields to append to log messages for this policy.
Custom log field.
string Maximum length: 35
replacemsg-override-group Override the default replacement message group for this policy. string Maximum length: 35
srcaddr-negate When enabled srcaddr specifies what the source address must NOT be.
enable: Enable source address negate.
disable: Disable source address negate.
option -
dstaddr-negate When enabled dstaddr specifies what the destination address must NOT be.
enable: Enable destination address negate.
disable: Disable destination address negate.
option -
service-negate When enabled service specifies what the service must NOT be.
enable: Enable negated service match.
disable: Disable negated service match.
option -
internet-service-negate When enabled internet-service specifies what the service must NOT be.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.
option -
internet-service-src-negate When enabled internet-service-src specifies what the service must NOT be.
enable: Enable negated Internet Service source match.
disable: Disable negated Internet Service source match.
option -
timeout-send-rst Enable/disable sending RST packets when TCP sessions expire.
enable: Enable sending of RST packet upon TCP session expiration.
disable: Disable sending of RST packet upon TCP session expiration.
option -
captive-portal-exempt Enable to exempt some users from the captive portal.
enable: Enable exemption of captive portal.
disable: Disable exemption of captive portal.
option -
ssl-mirror Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
enable: Enable SSL mirror.
disable: Disable SSL mirror.
option -
ssl-mirror-intf <name> SSL mirror interface name.
Mirror Interface name.
string Maximum length: 79
dsri Enable DSRI to ignore HTTP server responses.
enable: Enable DSRI.
disable: Disable DSRI.
option -
radius-mac-auth-bypass Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
enable: Enable MAC authentication bypass.
disable: Disable MAC authentication bypass.
option -
delay-tcp-npu-session Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
option -
vlan-filter Set VLAN filters. user Not Specified