Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

CLI Reference

config firewall consolidated policy

Configure consolidated IPv4/IPv6 policies.

config firewall consolidated policy

Description: Configure consolidated IPv4/IPv6 policies.

edit <policyid>

set status [enable|disable]

set name {string}

set uuid {uuid}

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr4 <name1>, <name2>, ...

set dstaddr4 <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set internet-service [enable|disable]

set internet-service-id <id1>, <id2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-src [enable|disable]

set internet-service-src-id <id1>, <id2>, ...

set internet-service-src-group <name1>, <name2>, ...

set internet-service-src-custom <name1>, <name2>, ...

set internet-service-src-custom-group <name1>, <name2>, ...

set internet-service-negate [enable|disable]

set internet-service-src-negate [enable|disable]

set action [accept|deny|...]

set schedule {string}

set service <name1>, <name2>, ...

set utm-status [enable|disable]

set inspection-mode [proxy|flow]

set http-policy-redirect [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-profile {string}

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set dnsfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set icap-profile {string}

set cifs-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set logtraffic [all|utm|...]

set logtraffic-start [enable|disable]

set auto-asic-offload [enable|disable]

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set diffserv-forward [enable|disable]

set diffserv-reverse [enable|disable]

set diffservcode-forward {user}

set diffservcode-rev {user}

set tcp-mss-sender {integer}

set tcp-mss-receiver {integer}

set webproxy-forward-server {string}

set wanopt [enable|disable]

set wanopt-detection [active|passive|...]

set wanopt-passive-opt [default|transparent|...]

set wanopt-profile {string}

set wanopt-peer {string}

set webcache [enable|disable]

set webcache-https [disable|enable]

set traffic-shaper {string}

set traffic-shaper-reverse {string}

set per-ip-shaper {string}

set nat [enable|disable]

set fixedport [enable|disable]

set ippool [enable|disable]

set poolname4 <name1>, <name2>, ...

set poolname6 <name1>, <name2>, ...

set session-ttl {integer}

set comments {var-string}

set vpntunnel {string}

set inbound [enable|disable]

set outbound [enable|disable]

set captive-portal-exempt [enable|disable]

set fsso-groups <name1>, <name2>, ...

next

end

config firewall consolidated policy

Parameter name

Description

Type

Size

status

Enable or disable this policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

srcaddr4 <name>

Source IPv4 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr4 <name>

Destination IPv4 address name and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source IPv6 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr6 <name>

Destination IPv6 address name and address group names.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

 

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-id <id>

Internet Service ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

option

-

 

Option

Description

enable

Enable use of Internet Services source in policy.

disable

Disable use of Internet Services source in policy.

internet-service-src-id <id>

Internet Service source ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

action

Policy action (allow/deny/ipsec).

option

-

 

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

schedule

Schedule name.

string

Maximum length: 35

service <name>

Service and service group names.

Service name.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

 

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

 

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

 

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

 

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-asic-offload

Enable/disable policy traffic ASIC offloading.

option

-

 

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

User name.

string

Maximum length: 79

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

 

Option

Description

enable

Enable forward (original) traffic DiffServ.

disable

Disable forward (original) traffic DiffServ.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

 

Option

Description

enable

Enable reverse (reply) traffic DiffServ.

disable

Disable reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

wanopt

Enable/disable WAN optimization.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

-

 

Option

Description

active

Active WAN optimization peer auto-detection.

passive

Passive WAN optimization peer auto-detection.

off

Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect to server.

option

-

 

Option

Description

default

Allow client side WAN opt peer to decide.

transparent

Use address of client to connect to server.

non-transparent

Use local FortiGate address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

-

 

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

traffic-shaper

Traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

ippool

Enable to use IP Pools for source NAT.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

poolname4 <name>

IPv4 pool names.

IPv4 pool name.

string

Maximum length: 79

poolname6 <name>

IPv6 pool names.

IPv6 pool name.

string

Maximum length: 79

session-ttl

TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).

integer

Minimum value: 300 Maximum value: 2764800

comments

Comment.

var-string

Maximum length: 1023

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

captive-portal-exempt

Enable exemption of some users from the captive portal.

option

-

 

Option

Description

enable

Enable exemption of captive portal.

disable

Disable exemption of captive portal.

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

config firewall consolidated policy

Configure consolidated IPv4/IPv6 policies.

config firewall consolidated policy

Description: Configure consolidated IPv4/IPv6 policies.

edit <policyid>

set status [enable|disable]

set name {string}

set uuid {uuid}

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set srcaddr4 <name1>, <name2>, ...

set dstaddr4 <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set internet-service [enable|disable]

set internet-service-id <id1>, <id2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-src [enable|disable]

set internet-service-src-id <id1>, <id2>, ...

set internet-service-src-group <name1>, <name2>, ...

set internet-service-src-custom <name1>, <name2>, ...

set internet-service-src-custom-group <name1>, <name2>, ...

set internet-service-negate [enable|disable]

set internet-service-src-negate [enable|disable]

set action [accept|deny|...]

set schedule {string}

set service <name1>, <name2>, ...

set utm-status [enable|disable]

set inspection-mode [proxy|flow]

set http-policy-redirect [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-profile {string}

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set dnsfilter-profile {string}

set emailfilter-profile {string}

set dlp-sensor {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set icap-profile {string}

set cifs-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set logtraffic [all|utm|...]

set logtraffic-start [enable|disable]

set auto-asic-offload [enable|disable]

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set diffserv-forward [enable|disable]

set diffserv-reverse [enable|disable]

set diffservcode-forward {user}

set diffservcode-rev {user}

set tcp-mss-sender {integer}

set tcp-mss-receiver {integer}

set webproxy-forward-server {string}

set wanopt [enable|disable]

set wanopt-detection [active|passive|...]

set wanopt-passive-opt [default|transparent|...]

set wanopt-profile {string}

set wanopt-peer {string}

set webcache [enable|disable]

set webcache-https [disable|enable]

set traffic-shaper {string}

set traffic-shaper-reverse {string}

set per-ip-shaper {string}

set nat [enable|disable]

set fixedport [enable|disable]

set ippool [enable|disable]

set poolname4 <name1>, <name2>, ...

set poolname6 <name1>, <name2>, ...

set session-ttl {integer}

set comments {var-string}

set vpntunnel {string}

set inbound [enable|disable]

set outbound [enable|disable]

set captive-portal-exempt [enable|disable]

set fsso-groups <name1>, <name2>, ...

next

end

config firewall consolidated policy

Parameter name

Description

Type

Size

status

Enable or disable this policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

srcaddr4 <name>

Source IPv4 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr4 <name>

Destination IPv4 address name and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source IPv6 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr6 <name>

Destination IPv6 address name and address group names.

Address name.

string

Maximum length: 79

srcaddr-negate

When enabled srcaddr specifies what the source address must NOT be.

option

-

 

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr specifies what the destination address must NOT be.

option

-

 

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

 

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-id <id>

Internet Service ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

option

-

 

Option

Description

enable

Enable use of Internet Services source in policy.

disable

Disable use of Internet Services source in policy.

internet-service-src-id <id>

Internet Service source ID.

Internet Service ID.

integer

Minimum value: 0 Maximum value: 4294967295

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

 

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

action

Policy action (allow/deny/ipsec).

option

-

 

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

schedule

Schedule name.

string

Maximum length: 35

service <name>

Service and service group names.

Service name.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

 

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

 

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

 

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

 

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

 

Option