config firewall consolidated policy
Configure consolidated IPv4/IPv6 policies.
```text
config firewall consolidated policy
    Description: Configure consolidated IPv4/IPv6 policies.
    edit <policyid>
        set status [enable|disable]
        set name {string}
        set uuid {uuid}
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set srcaddr4 <name1>, <name2>, ...
        set dstaddr4 <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service [enable|disable]
        set internet-service-id <id1>, <id2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-src [enable|disable]
        set internet-service-src-id <id1>, <id2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-src-negate [enable|disable]
        set action [accept|deny|...]
        set schedule {string}
        set service <name1>, <name2>, ...
        set utm-status [enable|disable]
        set inspection-mode [proxy|flow]
        set http-policy-redirect [enable|disable]
        set ssh-policy-redirect [enable|disable]
        set webproxy-profile {string}
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-sensor {string}
        set ips-sensor {string}
        set application-list {string}
        set voip-profile {string}
        set icap-profile {string}
        set cifs-profile {string}
        set waf-profile {string}
        set ssh-filter-profile {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set auto-asic-offload [enable|disable]
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set diffserv-forward [enable|disable]
        set diffserv-reverse [enable|disable]
        set diffservcode-forward {user}
        set diffservcode-rev {user}
        set tcp-mss-sender {integer}
        set tcp-mss-receiver {integer}
        set webproxy-forward-server {string}
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set traffic-shaper {string}
        set traffic-shaper-reverse {string}
        set per-ip-shaper {string}
        set nat [enable|disable]
        set fixedport [enable|disable]
        set ippool [enable|disable]
        set poolname4 <name1>, <name2>, ...
        set poolname6 <name1>, <name2>, ...
        set session-ttl {integer}
        set comments {var-string}
        set vpntunnel {string}
        set inbound [enable|disable]
        set outbound [enable|disable]
        set captive-portal-exempt [enable|disable]
        set fsso-groups <name1>, <name2>, ...
    next
end
```
config firewall consolidated policy

| Parameter name | Description | Type | Size |
|---|---|---|---|
| status | Enable or disable this policy. | option | - |
| name | Policy name. | string | Maximum length: 35 |
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
| srcintf | Incoming (ingress) interface name. | string | Maximum length: 79 |
| dstintf | Outgoing (egress) interface name. | string | Maximum length: 79 |
| srcaddr4 | Source IPv4 address and address group names. | string | Maximum length: 79 |
| dstaddr4 | Destination IPv4 address and address group names. | string | Maximum length: 79 |
| srcaddr6 | Source IPv6 address and address group names. | string | Maximum length: 79 |
| dstaddr6 | Destination IPv6 address and address group names. | string | Maximum length: 79 |
| srcaddr-negate | When enabled, srcaddr specifies what the source address must NOT be. | option | - |
| dstaddr-negate | When enabled, dstaddr specifies what the destination address must NOT be. | option | - |
| service-negate | When enabled, service specifies what the service must NOT be. | option | - |
| internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. | option | - |
| internet-service-id | Internet Service ID. | integer | Minimum value: 0, Maximum value: 4294967295 |
| internet-service-group | Internet Service group name. | string | Maximum length: 79 |
| internet-service-custom | Custom Internet Service name. | string | Maximum length: 79 |
| internet-service-custom-group | Custom Internet Service group name. | string | Maximum length: 79 |
| internet-service-src | Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. | option | - |
| internet-service-src-id | Internet Service source ID. | integer | Minimum value: 0, Maximum value: 4294967295 |
| internet-service-src-group | Internet Service source group name. | string | Maximum length: 79 |
| internet-service-src-custom | Custom Internet Service source name. | string | Maximum length: 79 |
| internet-service-src-custom-group | Custom Internet Service source group name. | string | Maximum length: 79 |
| internet-service-negate | When enabled, internet-service specifies what the service must NOT be. | option | - |
| internet-service-src-negate | When enabled, internet-service-src specifies what the service must NOT be. | option | - |
| action | Policy action (allow/deny/ipsec). | option | - |
| schedule | Schedule name. | string | Maximum length: 35 |
| service | Service and service group names. | string | Maximum length: 79 |
| utm-status | Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. | option | - |
| inspection-mode | Policy inspection mode (flow/proxy). Default is flow mode. | option | - |
| http-policy-redirect | Redirect HTTP(S) traffic to the matching transparent web proxy policy. | option | - |
| ssh-policy-redirect | Redirect SSH traffic to the matching transparent proxy policy. | option | - |
| webproxy-profile | Web proxy profile name. | string | Maximum length: 63 |
| profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. | option | - |
| profile-group | Name of profile group. | string | Maximum length: 35 |
| profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 |
| ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 |
| av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 |
| webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 |
| dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 |
| emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 |
| dlp-sensor | Name of an existing DLP sensor. | string | Maximum length: 35 |
| ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 |
| application-list | Name of an existing Application list. | string | Maximum length: 35 |
| voip-profile | Name of an existing VoIP profile. | string | Maximum length: 35 |
| icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 |
| cifs-profile | Name of an existing CIFS profile. | string | Maximum length: 35 |
| waf-profile | Name of an existing Web application firewall profile. | string | Maximum length: 35 |
| ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 |
| logtraffic | Enable or disable logging. Log all sessions or security profile sessions. | option | - |
| logtraffic-start | Record logs when a session starts. | option | - |
| auto-asic-offload | Enable/disable policy traffic ASIC offloading. | option | - |
| groups | Names of user groups that can authenticate with this policy. | string | Maximum length: 79 |
| users | Names of individual users that can authenticate with this policy. | string | Maximum length: 79 |
| diffserv-forward | Enable to change the packet's DiffServ value to the specified diffservcode-forward value. | option | - |
| diffserv-reverse | Enable to change the packet's reverse (reply) DiffServ value to the specified diffservcode-rev value. | option | - |
| diffservcode-forward | Change the packet's DiffServ to this value. | user | Not Specified |
| diffservcode-rev | Change the packet's reverse (reply) DiffServ to this value. | user | Not Specified |
| tcp-mss-sender | Sender TCP maximum segment size (MSS). | integer | Minimum value: 0, Maximum value: 65535 |
| tcp-mss-receiver | Receiver TCP maximum segment size (MSS). | integer | Minimum value: 0, Maximum value: 65535 |
| webproxy-forward-server | Web proxy forward server name. | string | Maximum length: 63 |
| wanopt | Enable/disable WAN optimization. | option | - |
| wanopt-detection | WAN optimization auto-detection mode. | option | - |
| wanopt-passive-opt | WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. | option | - |
| wanopt-profile | WAN optimization profile. | string | Maximum length: 35 |
| wanopt-peer | WAN optimization peer. | string | Maximum length: 35 |
| webcache | Enable/disable web cache. | option | - |
| webcache-https | Enable/disable web cache for HTTPS. | option | - |
| traffic-shaper | Traffic shaper. | string | Maximum length: 35 |
| traffic-shaper-reverse | Reverse traffic shaper. | string | Maximum length: 35 |
| per-ip-shaper | Per-IP traffic shaper. | string | Maximum length: 35 |
| nat | Enable/disable source NAT. | option | - |
| fixedport | Enable to prevent source NAT from changing a session's source port. | option | - |
| ippool | Enable to use IP Pools for source NAT. | option | - |
| poolname4 | IPv4 pool names. | string | Maximum length: 79 |
| poolname6 | IPv6 pool names. | string | Maximum length: 79 |
| session-ttl | TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). | integer | Minimum value: 300, Maximum value: 2764800 |
| comments | Comment. | var-string | Maximum length: 1023 |
| vpntunnel | Policy-based IPsec VPN: name of the IPsec VPN Phase 1. | string | Maximum length: 35 |
| inbound | Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. | option | - |
| outbound | Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. | option | - |
| captive-portal-exempt | Enable exemption of some users from the captive portal. | option | - |
| fsso-groups | Names of FSSO groups. | string | Maximum length: 511 |
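The syntax listing and the parameter table together describe a format and its limits, so here is an added example (not code from the Fortinet CLI reference) that puts both to work: a small Python parser for a `config firewall consolidated policy` block as it appears in a configuration backup, and a lint that checks each parsed policy against the table's stated limits (name and object-name lengths, integer ranges, `session-ttl` being 0 or 300..2764800) and flags accept policies with no logging, no security profiles, or an any/any/ALL match. The sample configuration, the object names `lan-net`, `port1` and `port2`, and the treatment of an absent `utm-status` or `logtraffic` as "not set" are constructed assumptions; the page does not state those defaults.

```python
"""Parse and lint FortiOS 'config firewall consolidated policy' blocks.

Added example, not code from the Fortinet CLI reference. The sample below is
constructed; the limits enforced are those stated in the parameter table.
"""
import shlex

# Constructed sample in the page's syntax. Policy 1 is a reasonable web egress
# rule; policy 2 is the kind of "temporary" any/any rule a lint should catch.
SAMPLE = """
config firewall consolidated policy
    edit 1
        set name "lan-to-wan-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "lan-net"
        set dstaddr4 "all"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action accept
        set utm-status enable
        set inspection-mode flow
        set ips-sensor "default"
        set av-profile "default"
        set logtraffic all
        set nat enable
        set session-ttl 3600
    next
    edit 2
        set name "temporary-any-any-rule-please-remove-later"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr4 "all"
        set dstaddr4 "all"
        set service "ALL"
        set schedule "always"
        set action accept
        set logtraffic disable
        set session-ttl 100
    next
end
"""

# Maximum lengths from the parameter table (Type string, "Maximum length").
MAX_LEN = {"name": 35, "schedule": 35, "srcintf": 79, "dstintf": 79,
           "srcaddr4": 79, "dstaddr4": 79, "srcaddr6": 79, "dstaddr6": 79,
           "service": 79, "comments": 1023}
# Integer ranges from the table (Minimum value / Maximum value).
INT_RANGE = {"tcp-mss-sender": (0, 65535), "tcp-mss-receiver": (0, 65535),
             "internet-service-id": (0, 4294967295)}
TTL_RANGE = (300, 2764800)  # session-ttl; 0 means "use the system default"


def parse_policies(text):
    """Return {policyid: {parameter: [values]}} for every 'edit ... next' entry."""
    policies, current, pid = {}, None, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # honours the CLI's quoted object names
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) == 2:
            pid, current = int(tokens[1]), {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            current[tokens[1]] = tokens[2:]  # multi-value parameters keep every name
        elif tokens[0] == "next" and current is not None:
            policies[pid], current = current, None
    return policies


def lint_policy(policy):
    """Return a list of (code, message) findings for one parsed policy."""
    findings = []
    for param, limit in MAX_LEN.items():
        for value in policy.get(param, []):
            if len(value) > limit:
                findings.append(("LEN", f"{param} value exceeds {limit} characters"))
    for param, (lo, hi) in INT_RANGE.items():
        for value in policy.get(param, []):
            if not lo <= int(value) <= hi:
                findings.append(("RANGE", f"{param}={value} outside {lo}..{hi}"))
    ttl = int(policy.get("session-ttl", ["0"])[0])
    if ttl != 0 and not TTL_RANGE[0] <= ttl <= TTL_RANGE[1]:
        findings.append(("TTL", f"session-ttl={ttl} must be 0 or {TTL_RANGE[0]}..{TTL_RANGE[1]}"))
    if policy.get("action", [""])[0] != "accept":
        return findings  # the remaining checks only concern traffic that is let through
    # Assumption: an absent logtraffic/utm-status is reported as "not set".
    if policy.get("logtraffic", ["unset"])[0] not in ("all", "utm"):
        findings.append(("LOG", "accept policy without logtraffic all/utm"))
    if policy.get("utm-status", ["unset"])[0] != "enable":
        findings.append(("UTM", "accept policy with no security profiles (utm-status)"))
    # 'all' and 'ALL' are FortiOS's built-in catch-all address and service objects.
    if (policy.get("srcaddr4") == ["all"] and policy.get("dstaddr4") == ["all"]
            and policy.get("service") == ["ALL"]):
        findings.append(("ANYANY", "accept policy matching any source, destination and service"))
    return findings


def lint_config(text):
    """Lint every policy in a config dump; returns {policyid: [(code, message), ...]}."""
    return {pid: lint_policy(p) for pid, p in parse_policies(text).items()}


if __name__ == "__main__":
    for pid, findings in lint_config(SAMPLE).items():
        print(f"policy {pid}: {len(findings)} finding(s)")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

Run against the sample, policy 1 produces no findings, while policy 2 is reported for its over-long name, its out-of-range `session-ttl`, disabled logging, missing `utm-status`, and the any/any/ALL match. The same parser works on a `show firewall consolidated policy` dump pasted from a real unit; only `edit`, `set` and `next` lines are interpreted, so surrounding `config`/`end` lines and other tables are ignored.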