CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller dataplan
- extender-controller extender
file-filter
- file-filter profile
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller port-policy
- switch-controller ptp policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system sdwan
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wire-pair
- system vne-tunnel
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller arrp-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller mpsk-profile
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.3 CLI Reference

6.4.3

firewall policy

Configure IPv4/IPv6 policies.

  config firewall policy
      Description: Configure IPv4/IPv6 policies.
      edit <policyid>
          set status [enable|disable]
          set name {string}
          set uuid {uuid}
          set srcintf <name1>, <name2>, ...
          set dstintf <name1>, <name2>, ...
          set srcaddr <name1>, <name2>, ...
          set dstaddr <name1>, <name2>, ...
          set srcaddr6 <name1>, <name2>, ...
          set dstaddr6 <name1>, <name2>, ...
          set internet-service [enable|disable]
          set internet-service-name <name1>, <name2>, ...
          set internet-service-group <name1>, <name2>, ...
          set internet-service-custom <name1>, <name2>, ...
          set internet-service-custom-group <name1>, <name2>, ...
          set internet-service-src [enable|disable]
          set internet-service-src-name <name1>, <name2>, ...
          set internet-service-src-group <name1>, <name2>, ...
          set internet-service-src-custom <name1>, <name2>, ...
          set internet-service-src-custom-group <name1>, <name2>, ...
          set reputation-minimum {integer}
          set reputation-direction [source|destination]
          set src-vendor-mac <id1>, <id2>, ...
          set rtp-nat [disable|enable]
          set rtp-addr <name1>, <name2>, ...
          set action [accept|deny|...]
          set send-deny-packet [disable|enable]
          set firewall-session-dirty [check-all|check-new]
          set schedule {string}
          set schedule-timeout [enable|disable]
          set service <name1>, <name2>, ...
          set tos {user}
          set tos-mask {user}
          set tos-negate [enable|disable]
          set anti-replay [enable|disable]
          set tcp-session-without-syn [all|data-only|...]
          set geoip-anycast [enable|disable]
          set geoip-match [physical-location|registered-location]
          set utm-status [enable|disable]
          set inspection-mode [proxy|flow]
          set http-policy-redirect [enable|disable]
          set ssh-policy-redirect [enable|disable]
          set webproxy-profile {string}
          set profile-type [single|group]
          set profile-group {string}
          set profile-protocol-options {string}
          set ssl-ssh-profile {string}
          set av-profile {string}
          set webfilter-profile {string}
          set dnsfilter-profile {string}
          set emailfilter-profile {string}
          set dlp-sensor {string}
          set file-filter-profile {string}
          set ips-sensor {string}
          set application-list {string}
          set voip-profile {string}
          set icap-profile {string}
          set cifs-profile {string}
          set waf-profile {string}
          set ssh-filter-profile {string}
          set logtraffic [all|utm|...]
          set logtraffic-start [enable|disable]
          set capture-packet [enable|disable]
          set auto-asic-offload [enable|disable]
          set np-acceleration [enable|disable]
          set wanopt [enable|disable]
          set wanopt-detection [active|passive|...]
          set wanopt-passive-opt [default|transparent|...]
          set wanopt-profile {string}
          set wanopt-peer {string}
          set webcache [enable|disable]
          set webcache-https [disable|enable]
          set webproxy-forward-server {string}
          set traffic-shaper {string}
          set traffic-shaper-reverse {string}
          set per-ip-shaper {string}
          set nat [enable|disable]
          set permit-any-host [enable|disable]
          set permit-stun-host [enable|disable]
          set fixedport [enable|disable]
          set ippool [enable|disable]
          set poolname <name1>, <name2>, ...
          set poolname6 <name1>, <name2>, ...
          set session-ttl {user}
          set vlan-cos-fwd {integer}
          set vlan-cos-rev {integer}
          set inbound [enable|disable]
          set outbound [enable|disable]
          set natinbound [enable|disable]
          set natoutbound [enable|disable]
          set wccp [enable|disable]
          set ntlm [enable|disable]
          set ntlm-guest [enable|disable]
          set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
          set fsso-agent-for-ntlm {string}
          set groups <name1>, <name2>, ...
          set users <name1>, <name2>, ...
          set fsso-groups <name1>, <name2>, ...
          set auth-path [enable|disable]
          set disclaimer [enable|disable]
          set email-collect [enable|disable]
          set vpntunnel {string}
          set natip {ipv4-classnet}
          set match-vip [enable|disable]
          set match-vip-only [enable|disable]
          set diffserv-forward [enable|disable]
          set diffserv-reverse [enable|disable]
          set diffservcode-forward {user}
          set diffservcode-rev {user}
          set tcp-mss-sender {integer}
          set tcp-mss-receiver {integer}
          set comments {var-string}
          set auth-cert {string}
          set auth-redirect-addr {string}
          set redirect-url {string}
          set identity-based-route {string}
          set block-notification [enable|disable]
          set custom-log-fields <field-id1>, <field-id2>, ...
          set replacemsg-override-group {string}
          set srcaddr-negate [enable|disable]
          set dstaddr-negate [enable|disable]
          set service-negate [enable|disable]
          set internet-service-negate [enable|disable]
          set internet-service-src-negate [enable|disable]
          set timeout-send-rst [enable|disable]
          set captive-portal-exempt [enable|disable]
          set decrypted-traffic-mirror {string}
          set dsri [enable|disable]
          set radius-mac-auth-bypass [enable|disable]
          set delay-tcp-npu-session [enable|disable]
          set vlan-filter {user}
      next
  end

config firewall policy

Parameter Name	Description	Type	Size
status	Enable or disable this policy. enable: Enable setting. disable: Disable setting.	option	-
name	Policy name.	string	Maximum length: 35
uuid	Universally Unique Identifier (UUID; automatically assigned but can be manually reset).	uuid	Not Specified
srcintf `<name>`	Incoming (ingress) interface. Interface name.	string	Maximum length: 79
dstintf `<name>`	Outgoing (egress) interface. Interface name.	string	Maximum length: 79
srcaddr `<name>`	Source IPv4 address and address group names. Address name.	string	Maximum length: 79
dstaddr `<name>`	Destination IPv4 address and address group names. Address name.	string	Maximum length: 79
srcaddr6 `<name>`	Source IPv6 address name and address group names. Address name.	string	Maximum length: 79
dstaddr6 `<name>`	Destination IPv6 address name and address group names. Address name.	string	Maximum length: 79
internet-service	Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. enable: Enable use of Internet Services in policy. disable: Disable use of Internet Services in policy.	option	-
internet-service-name `<name>`	Internet Service name. Internet Service name.	string	Maximum length: 79
internet-service-group `<name>`	Internet Service group name. Internet Service group name.	string	Maximum length: 79
internet-service-custom `<name>`	Custom Internet Service name. Custom Internet Service name.	string	Maximum length: 79
internet-service-custom-group `<name>`	Custom Internet Service group name. Custom Internet Service group name.	string	Maximum length: 79
internet-service-src	Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. enable: Enable use of Internet Services source in policy. disable: Disable use of Internet Services source in policy.	option	-
internet-service-src-name `<name>`	Internet Service source name. Internet Service name.	string	Maximum length: 79
internet-service-src-group `<name>`	Internet Service source group name. Internet Service group name.	string	Maximum length: 79
internet-service-src-custom `<name>`	Custom Internet Service source name. Custom Internet Service name.	string	Maximum length: 79
internet-service-src-custom-group `<name>`	Custom Internet Service source group name. Custom Internet Service group name.	string	Maximum length: 79
reputation-minimum	Minimum Reputation to take action.	integer	Minimum value: 0 Maximum value: 4294967295
reputation-direction	Direction of the initial traffic for reputation to take effect. source: Check reputation for source address. destination: Check reputation for destination address.	option	-
src-vendor-mac `<id>`	Vendor MAC source ID. Vendor MAC ID.	integer	Minimum value: 0 Maximum value: 4294967295
rtp-nat	Enable Real Time Protocol (RTP) NAT. disable: Disable setting. enable: Enable setting.	option	-
rtp-addr `<name>`	Address names if this is an RTP NAT policy. Address name.	string	Maximum length: 79
action	Policy action (accept/deny/ipsec). accept: Allows session that match the firewall policy. deny: Blocks sessions that match the firewall policy. ipsec: Firewall policy becomes a policy-based IPsec VPN policy.	option	-
send-deny-packet	Enable to send a reply when a session is denied or blocked by a firewall policy. disable: Disable deny-packet sending. enable: Enable deny-packet sending.	option	-
firewall-session-dirty	How to handle sessions if the configuration of this firewall policy changes. check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies. check-new: Continue to allow sessions already accepted by this policy.	option	-
schedule	Schedule name.	string	Maximum length: 35
schedule-timeout	Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. enable: Enable schedule timeout. disable: Disable schedule timeout.	option	-
service `<name>`	Service and service group names. Service and service group names.	string	Maximum length: 79
tos	ToS (Type of Service) value used for comparison.	user	Not Specified
tos-mask	Non-zero bit positions are used for comparison while zero bit positions are ignored.	user	Not Specified
tos-negate	Enable negated TOS match. enable: Enable TOS match negate. disable: Disable TOS match negate.	option	-
anti-replay	Enable/disable anti-replay check. enable: Enable anti-replay check. disable: Disable anti-replay check.	option	-
tcp-session-without-syn	Enable/disable creation of TCP session without SYN flag. all: Enable TCP session without SYN. data-only: Enable TCP session data only. disable: Disable TCP session without SYN.	option	-
geoip-anycast	Enable/disable recognition of anycast IP addresses using the geography IP database. enable: Enable recognition of anycast IP addresses using the geography IP database. disable: Disable recognition of anycast IP addresses using the geography IP database.	option	-
geoip-match	Match geography address based either on its physical location or registered location. physical-location: Match geography address to its physical location using the geography IP database. registered-location: Match geography address to its registered location using the geography IP database.	option	-
utm-status	Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. enable: Enable setting. disable: Disable setting.	option	-
inspection-mode	Policy inspection mode (Flow/proxy). Default is Flow mode. proxy: Proxy based inspection. flow: Flow based inspection.	option	-
http-policy-redirect	Redirect HTTP(S) traffic to matching transparent web proxy policy. enable: Enable HTTP(S) policy redirect. disable: Disable HTTP(S) policy redirect.	option	-
ssh-policy-redirect	Redirect SSH traffic to matching transparent proxy policy. enable: Enable SSH policy redirect. disable: Disable SSH policy redirect.	option	-
webproxy-profile	Webproxy profile name.	string	Maximum length: 63
profile-type	Determine whether the firewall policy allows security profile groups or single profiles only. single: Do not allow security profile groups. group: Allow security profile groups.	option	-
profile-group	Name of profile group.	string	Maximum length: 35
profile-protocol-options	Name of an existing Protocol options profile.	string	Maximum length: 35
ssl-ssh-profile	Name of an existing SSL SSH profile.	string	Maximum length: 35
av-profile	Name of an existing Antivirus profile.	string	Maximum length: 35
webfilter-profile	Name of an existing Web filter profile.	string	Maximum length: 35
dnsfilter-profile	Name of an existing DNS filter profile.	string	Maximum length: 35
emailfilter-profile	Name of an existing email filter profile.	string	Maximum length: 35
dlp-sensor	Name of an existing DLP sensor.	string	Maximum length: 35
file-filter-profile	Name of an existing file-filter profile.	string	Maximum length: 35
ips-sensor	Name of an existing IPS sensor.	string	Maximum length: 35
application-list	Name of an existing Application list.	string	Maximum length: 35
voip-profile	Name of an existing VoIP profile.	string	Maximum length: 35
icap-profile	Name of an existing ICAP profile.	string	Maximum length: 35
cifs-profile	Name of an existing CIFS profile.	string	Maximum length: 35
waf-profile	Name of an existing Web application firewall profile.	string	Maximum length: 35
ssh-filter-profile	Name of an existing SSH filter profile.	string	Maximum length: 35
logtraffic	Enable or disable logging. Log all sessions or security profile sessions. all: Log all sessions accepted or denied by this policy. utm: Log traffic that has a security profile applied to it. disable: Disable all logging for this policy.	option	-
logtraffic-start	Record logs when a session starts. enable: Enable setting. disable: Disable setting.	option	-
capture-packet	Enable/disable capture packets. enable: Enable capture packets. disable: Disable capture packets.	option	-
auto-asic-offload	Enable/disable policy traffic ASIC offloading. enable: Enable auto ASIC offloading. disable: Disable ASIC offloading.	option	-
np-acceleration	Enable/disable UTM Network Processor acceleration. enable: Enable UTM Network Processor acceleration. disable: Disable UTM Network Processor acceleration.	option	-
wanopt	Enable/disable WAN optimization. enable: Enable setting. disable: Disable setting.	option	-
wanopt-detection	WAN optimization auto-detection mode. active: Active WAN optimization peer auto-detection. passive: Passive WAN optimization peer auto-detection. off: Turn off WAN optimization peer auto-detection.	option	-
wanopt-passive-opt	WAN optimization passive mode options. This option decides what IP address will be used to connect server. default: Allow client side WAN opt peer to decide. transparent: Use address of client to connect to server. non-transparent: Use local FortiGate address to connect to server.	option	-
wanopt-profile	WAN optimization profile.	string	Maximum length: 35
wanopt-peer	WAN optimization peer.	string	Maximum length: 35
webcache	Enable/disable web cache. enable: Enable setting. disable: Disable setting.	option	-
webcache-https	Enable/disable web cache for HTTPS. disable: Disable web cache for HTTPS. enable: Enable web cache for HTTPS.	option	-
webproxy-forward-server	Webproxy forward server name.	string	Maximum length: 63
traffic-shaper	Traffic shaper.	string	Maximum length: 35
traffic-shaper-reverse	Reverse traffic shaper.	string	Maximum length: 35
per-ip-shaper	Per-IP traffic shaper.	string	Maximum length: 35
nat	Enable/disable source NAT. enable: Enable setting. disable: Disable setting.	option	-
permit-any-host	Accept UDP packets from any host. enable: Enable setting. disable: Disable setting.	option	-
permit-stun-host	Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. enable: Enable setting. disable: Disable setting.	option	-
fixedport	Enable to prevent source NAT from changing a session's source port. enable: Enable setting. disable: Disable setting.	option	-
ippool	Enable to use IP Pools for source NAT. enable: Enable setting. disable: Disable setting.	option	-
poolname `<name>`	IP Pool names. IP pool name.	string	Maximum length: 79
poolname6 `<name>`	IPv6 pool names. IPv6 pool name.	string	Maximum length: 79
session-ttl	TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).	user	Not Specified
vlan-cos-fwd	VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.	integer	Minimum value: 0 Maximum value: 7
vlan-cos-rev	VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.	integer	Minimum value: 0 Maximum value: 7
inbound	Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. enable: Enable setting. disable: Disable setting.	option	-
outbound	Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. enable: Enable setting. disable: Disable setting.	option	-
natinbound	Policy-based IPsec VPN: apply destination NAT to inbound traffic. enable: Enable setting. disable: Disable setting.	option	-
natoutbound	Policy-based IPsec VPN: apply source NAT to outbound traffic. enable: Enable setting. disable: Disable setting.	option	-
wccp	Enable/disable forwarding traffic matching this policy to a configured WCCP server. enable: Enable WCCP setting. disable: Disable WCCP setting.	option	-
ntlm	Enable/disable NTLM authentication. enable: Enable setting. disable: Disable setting.	option	-
ntlm-guest	Enable/disable NTLM guest user access. enable: Enable setting. disable: Disable setting.	option	-
ntlm-enabled-browsers `<user-agent-string>`	HTTP-User-Agent value of supported browsers. User agent string.	string	Maximum length: 79
fsso-agent-for-ntlm	FSSO agent to use for NTLM authentication.	string	Maximum length: 35
groups `<name>`	Names of user groups that can authenticate with this policy. Group name.	string	Maximum length: 79
users `<name>`	Names of individual users that can authenticate with this policy. Names of individual users that can authenticate with this policy.	string	Maximum length: 79
fsso-groups `<name>`	Names of FSSO groups. Names of FSSO groups.	string	Maximum length: 511
auth-path	Enable/disable authentication-based routing. enable: Enable authentication-based routing. disable: Disable authentication-based routing.	option	-
disclaimer	Enable/disable user authentication disclaimer. enable: Enable user authentication disclaimer. disable: Disable user authentication disclaimer.	option	-
email-collect	Enable/disable email collection. enable: Enable email collection. disable: Disable email collection.	option	-
vpntunnel	Policy-based IPsec VPN: name of the IPsec VPN Phase 1.	string	Maximum length: 35
natip	Policy-based IPsec VPN: source NAT IP address for outgoing traffic.	ipv4-classnet	Not Specified
match-vip	Enable to match packets that have had their destination addresses changed by a VIP. enable: Match DNATed packet. disable: Do not match DNATed packet.	option	-
match-vip-only	Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. enable: Enable matching of only those packets that have had their destination addresses changed by a VIP. disable: Disable matching of only those packets that have had their destination addresses changed by a VIP.	option	-
diffserv-forward	Enable to change packet's DiffServ values to the specified diffservcode-forward value. enable: Enable setting forward (original) traffic Diffserv. disable: Disable setting forward (original) traffic Diffserv.	option	-
diffserv-reverse	Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. enable: Enable setting reverse (reply) traffic DiffServ. disable: Disable setting reverse (reply) traffic DiffServ.	option	-
diffservcode-forward	Change packet's DiffServ to this value.	user	Not Specified
diffservcode-rev	Change packet's reverse (reply) DiffServ to this value.	user	Not Specified
tcp-mss-sender	Sender TCP maximum segment size (MSS).	integer	Minimum value: 0 Maximum value: 65535
tcp-mss-receiver	Receiver TCP maximum segment size (MSS).	integer	Minimum value: 0 Maximum value: 65535
comments	Comment.	var-string	Maximum length: 1023
auth-cert	HTTPS server certificate for policy authentication.	string	Maximum length: 35
auth-redirect-addr	HTTP-to-HTTPS redirect address for firewall authentication.	string	Maximum length: 63
redirect-url	URL users are directed to after seeing and accepting the disclaimer or authenticating.	string	Maximum length: 255
identity-based-route	Name of identity-based routing rule.	string	Maximum length: 35
block-notification	Enable/disable block notification. enable: Enable setting. disable: Disable setting.	option	-
custom-log-fields `<field-id>`	Custom fields to append to log messages for this policy. Custom log field.	string	Maximum length: 35
replacemsg-override-group	Override the default replacement message group for this policy.	string	Maximum length: 35
srcaddr-negate	When enabled srcaddr/srcaddr6 specifies what the source address must NOT be. enable: Enable source address negate. disable: Disable source address negate.	option	-
dstaddr-negate	When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be. enable: Enable destination address negate. disable: Disable destination address negate.	option	-
service-negate	When enabled service specifies what the service must NOT be. enable: Enable negated service match. disable: Disable negated service match.	option	-
internet-service-negate	When enabled internet-service specifies what the service must NOT be. enable: Enable negated Internet Service match. disable: Disable negated Internet Service match.	option	-
internet-service-src-negate	When enabled internet-service-src specifies what the service must NOT be. enable: Enable negated Internet Service source match. disable: Disable negated Internet Service source match.	option	-
timeout-send-rst	Enable/disable sending RST packets when TCP sessions expire. enable: Enable sending of RST packet upon TCP session expiration. disable: Disable sending of RST packet upon TCP session expiration.	option	-
captive-portal-exempt	Enable to exempt some users from the captive portal. enable: Enable exemption of captive portal. disable: Disable exemption of captive portal.	option	-
decrypted-traffic-mirror	Decrypted traffic mirror.	string	Maximum length: 35
dsri	Enable DSRI to ignore HTTP server responses. enable: Enable DSRI. disable: Disable DSRI.	option	-
radius-mac-auth-bypass	Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. enable: Enable MAC authentication bypass. disable: Disable MAC authentication bypass.	option	-
delay-tcp-npu-session	Enable TCP NPU session delay to guarantee packet order of 3-way handshake. enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake. disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.	option	-
vlan-filter	Set VLAN filters.	user	Not Specified

Configure IPv4/IPv6 policies.

config firewall policy Description: Configure IPv4/IPv6 policies. edit <policyid> set status [enable|disable] set name {string} set uuid {uuid} set srcintf <name1>, <name2>, ... set dstintf <name1>, <name2>, ... set srcaddr <name1>, <name2>, ... set dstaddr <name1>, <name2>, ... set srcaddr6 <name1>, <name2>, ... set dstaddr6 <name1>, <name2>, ... set internet-service [enable|disable] set internet-service-name <name1>, <name2>, ... set internet-service-group <name1>, <name2>, ... set internet-service-custom <name1>, <name2>, ... set internet-service-custom-group <name1>, <name2>, ... set internet-service-src [enable|disable] set internet-service-src-name <name1>, <name2>, ... set internet-service-src-group <name1>, <name2>, ... set internet-service-src-custom <name1>, <name2>, ... set internet-service-src-custom-group <name1>, <name2>, ... set reputation-minimum {integer} set reputation-direction [source|destination] set src-vendor-mac <id1>, <id2>, ... set rtp-nat [disable|enable] set rtp-addr <name1>, <name2>, ... set action [accept|deny|...] set send-deny-packet [disable|enable] set firewall-session-dirty [check-all|check-new] set schedule {string} set schedule-timeout [enable|disable] set service <name1>, <name2>, ... set tos {user} set tos-mask {user} set tos-negate [enable|disable] set anti-replay [enable|disable] set tcp-session-without-syn [all|data-only|...] set geoip-anycast [enable|disable] set geoip-match [physical-location|registered-location] set utm-status [enable|disable] set inspection-mode [proxy|flow] set http-policy-redirect [enable|disable] set ssh-policy-redirect [enable|disable] set webproxy-profile {string} set profile-type [single|group] set profile-group {string} set profile-protocol-options {string} set ssl-ssh-profile {string} set av-profile {string} set webfilter-profile {string} set dnsfilter-profile {string} set emailfilter-profile {string} set dlp-sensor {string} set file-filter-profile {string} set ips-sensor {string} set application-list {string} set voip-profile {string} set icap-profile {string} set cifs-profile {string} set waf-profile {string} set ssh-filter-profile {string} set logtraffic [all|utm|...] set logtraffic-start [enable|disable] set capture-packet [enable|disable] set auto-asic-offload [enable|disable] set np-acceleration [enable|disable] set wanopt [enable|disable] set wanopt-detection [active|passive|...] set wanopt-passive-opt [default|transparent|...] set wanopt-profile {string} set wanopt-peer {string} set webcache [enable|disable] set webcache-https [disable|enable] set webproxy-forward-server {string} set traffic-shaper {string} set traffic-shaper-reverse {string} set per-ip-shaper {string} set nat [enable|disable] set permit-any-host [enable|disable] set permit-stun-host [enable|disable] set fixedport [enable|disable] set ippool [enable|disable] set poolname <name1>, <name2>, ... set poolname6 <name1>, <name2>, ... set session-ttl {user} set vlan-cos-fwd {integer} set vlan-cos-rev {integer} set inbound [enable|disable] set outbound [enable|disable] set natinbound [enable|disable] set natoutbound [enable|disable] set wccp [enable|disable] set ntlm [enable|disable] set ntlm-guest [enable|disable] set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ... set fsso-agent-for-ntlm {string} set groups <name1>, <name2>, ... set users <name1>, <name2>, ... set fsso-groups <name1>, <name2>, ... set auth-path [enable|disable] set disclaimer [enable|disable] set email-collect [enable|disable] set vpntunnel {string} set natip {ipv4-classnet} set match-vip [enable|disable] set match-vip-only [enable|disable] set diffserv-forward [enable|disable] set diffserv-reverse [enable|disable] set diffservcode-forward {user} set diffservcode-rev {user} set tcp-mss-sender {integer} set tcp-mss-receiver {integer} set comments {var-string} set auth-cert {string} set auth-redirect-addr {string} set redirect-url {string} set identity-based-route {string} set block-notification [enable|disable] set custom-log-fields <field-id1>, <field-id2>, ... set replacemsg-override-group {string} set srcaddr-negate [enable|disable] set dstaddr-negate [enable|disable] set service-negate [enable|disable] set internet-service-negate [enable|disable] set internet-service-src-negate [enable|disable] set timeout-send-rst [enable|disable] set captive-portal-exempt [enable|disable] set decrypted-traffic-mirror {string} set dsri [enable|disable] set radius-mac-auth-bypass [enable|disable] set delay-tcp-npu-session [enable|disable] set vlan-filter {user} next end

config firewall policy

Parameter Name

Description

Type

Size

status

Enable or disable this policy.
enable: Enable setting.
disable: Disable setting.

option

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

srcintf <name>

Incoming (ingress) interface.
Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.
Interface name.

string

Maximum length: 79

srcaddr <name>

Source IPv4 address and address group names.
Address name.

string

Maximum length: 79

dstaddr <name>

Destination IPv4 address and address group names.
Address name.

string

Maximum length: 79

srcaddr6 <name>

Source IPv6 address name and address group names.
Address name.

string

Maximum length: 79

dstaddr6 <name>

Destination IPv6 address name and address group names.
Address name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
enable: Enable use of Internet Services in policy.
disable: Disable use of Internet Services in policy.

option

internet-service-name <name>

Internet Service name.
Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.
Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.
Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.
Custom Internet Service group name.

string

Maximum length: 79

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
enable: Enable use of Internet Services source in policy.
disable: Disable use of Internet Services source in policy.

option

internet-service-src-name <name>

Internet Service source name.
Internet Service name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.
Internet Service group name.

string

Maximum length: 79

internet-service-src-custom <name>

Custom Internet Service source name.
Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.
Custom Internet Service group name.

string

Maximum length: 79

reputation-minimum

Minimum Reputation to take action.

integer

Minimum value: 0 Maximum value: 4294967295

reputation-direction

Direction of the initial traffic for reputation to take effect.
source: Check reputation for source address.
destination: Check reputation for destination address.

option

src-vendor-mac <id>

Vendor MAC source ID.
Vendor MAC ID.

integer

Minimum value: 0 Maximum value: 4294967295

rtp-nat

Enable Real Time Protocol (RTP) NAT.
disable: Disable setting.
enable: Enable setting.

option

rtp-addr <name>

Address names if this is an RTP NAT policy.
Address name.

string

Maximum length: 79

action

Policy action (accept/deny/ipsec).
accept: Allows session that match the firewall policy.
deny: Blocks sessions that match the firewall policy.
ipsec: Firewall policy becomes a policy-based IPsec VPN policy.

option

send-deny-packet

Enable to send a reply when a session is denied or blocked by a firewall policy.
disable: Disable deny-packet sending.
enable: Enable deny-packet sending.

option

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.
check-all: Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.
check-new: Continue to allow sessions already accepted by this policy.

option

schedule

Schedule name.

string

Maximum length: 35

schedule-timeout

Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
enable: Enable schedule timeout.
disable: Disable schedule timeout.

option

service <name>

Service and service group names.
Service and service group names.

string

Maximum length: 79

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.
enable: Enable TOS match negate.
disable: Disable TOS match negate.

option

anti-replay

Enable/disable anti-replay check.
enable: Enable anti-replay check.
disable: Disable anti-replay check.

option

tcp-session-without-syn

Enable/disable creation of TCP session without SYN flag.
all: Enable TCP session without SYN.
data-only: Enable TCP session data only.
disable: Disable TCP session without SYN.

option

geoip-anycast

Enable/disable recognition of anycast IP addresses using the geography IP database.
enable: Enable recognition of anycast IP addresses using the geography IP database.
disable: Disable recognition of anycast IP addresses using the geography IP database.

option

geoip-match

Match geography address based either on its physical location or registered location.
physical-location: Match geography address to its physical location using the geography IP database.
registered-location: Match geography address to its registered location using the geography IP database.

option

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
enable: Enable setting.
disable: Disable setting.

option

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.
proxy: Proxy based inspection.
flow: Flow based inspection.

option

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.
enable: Enable HTTP(S) policy redirect.
disable: Disable HTTP(S) policy redirect.

option

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.
enable: Enable SSH policy redirect.
disable: Disable SSH policy redirect.

option

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.
single: Do not allow security profile groups.
group: Allow security profile groups.

option

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-sensor

Name of an existing DLP sensor.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.
all: Log all sessions accepted or denied by this policy.
utm: Log traffic that has a security profile applied to it.
disable: Disable all logging for this policy.

option

logtraffic-start

Record logs when a session starts.
enable: Enable setting.
disable: Disable setting.

option

capture-packet

Enable/disable capture packets.
enable: Enable capture packets.
disable: Disable capture packets.

option

auto-asic-offload

Enable/disable policy traffic ASIC offloading.
enable: Enable auto ASIC offloading.
disable: Disable ASIC offloading.

option

np-acceleration

Enable/disable UTM Network Processor acceleration.
enable: Enable UTM Network Processor acceleration.
disable: Disable UTM Network Processor acceleration.

option

wanopt

Enable/disable WAN optimization.
enable: Enable setting.
disable: Disable setting.

option

wanopt-detection

WAN optimization auto-detection mode.
active: Active WAN optimization peer auto-detection.
passive: Passive WAN optimization peer auto-detection.
off: Turn off WAN optimization peer auto-detection.

option

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.
default: Allow client side WAN opt peer to decide.
transparent: Use address of client to connect to server.
non-transparent: Use local FortiGate address to connect to server.

option

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.
enable: Enable setting.
disable: Disable setting.

option

webcache-https

Enable/disable web cache for HTTPS.
disable: Disable web cache for HTTPS.
enable: Enable web cache for HTTPS.

option

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

traffic-shaper

Traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

nat

Enable/disable source NAT.
enable: Enable setting.
disable: Disable setting.

option

permit-any-host

Accept UDP packets from any host.
enable: Enable setting.
disable: Disable setting.

option

permit-stun-host

Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
enable: Enable setting.
disable: Disable setting.

option

fixedport

Enable to prevent source NAT from changing a session's source port.
enable: Enable setting.
disable: Disable setting.

option

ippool

Enable to use IP Pools for source NAT.
enable: Enable setting.
disable: Disable setting.

option

poolname <name>

IP Pool names.
IP pool name.

string

Maximum length: 79

poolname6 <name>

IPv6 pool names.
IPv6 pool name.

string

Maximum length: 79

session-ttl

TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).

user

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.

option

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
enable: Enable setting.
disable: Disable setting.

option

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.
enable: Enable setting.
disable: Disable setting.

option

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.
enable: Enable setting.
disable: Disable setting.

option

wccp

Enable/disable forwarding traffic matching this policy to a configured WCCP server.
enable: Enable WCCP setting.
disable: Disable WCCP setting.

option

ntlm

Enable/disable NTLM authentication.
enable: Enable setting.
disable: Disable setting.

option

ntlm-guest

Enable/disable NTLM guest user access.
enable: Enable setting.
disable: Disable setting.

option

ntlm-enabled-browsers <user-agent-string>

HTTP-User-Agent value of supported browsers.
User agent string.

string

Maximum length: 79

fsso-agent-for-ntlm

FSSO agent to use for NTLM authentication.

string

Maximum length: 35

groups <name>

Names of user groups that can authenticate with this policy.
Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.
Names of individual users that can authenticate with this policy.

string

Maximum length: 79

fsso-groups <name>

Names of FSSO groups.
Names of FSSO groups.

string

Maximum length: 511

auth-path

Enable/disable authentication-based routing.
enable: Enable authentication-based routing.
disable: Disable authentication-based routing.

option

disclaimer

Enable/disable user authentication disclaimer.
enable: Enable user authentication disclaimer.
disable: Disable user authentication disclaimer.

option

email-collect

Enable/disable email collection.
enable: Enable email collection.
disable: Disable email collection.

option

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

natip

Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

ipv4-classnet

Not Specified

match-vip

Enable to match packets that have had their destination addresses changed by a VIP.
enable: Match DNATed packet.
disable: Do not match DNATed packet.

option

match-vip-only

Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
enable: Enable matching of only those packets that have had their destination addresses changed by a VIP.
disable: Disable matching of only those packets that have had their destination addresses changed by a VIP.

option

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.
enable: Enable setting forward (original) traffic Diffserv.
disable: Disable setting forward (original) traffic Diffserv.

option

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
enable: Enable setting reverse (reply) traffic DiffServ.
disable: Disable setting reverse (reply) traffic DiffServ.

option

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

comments

Comment.

var-string

Maximum length: 1023

auth-cert

HTTPS server certificate for policy authentication.

string

Maximum length: 35

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall authentication.

string

Maximum length: 63

redirect-url

URL users are directed to after seeing and accepting the disclaimer or authenticating.

string

Maximum length: 255

identity-based-route

Name of identity-based routing rule.

string

Maximum length: 35

block-notification

Enable/disable block notification.
enable: Enable setting.
disable: Disable setting.

option

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.
Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr/srcaddr6 specifies what the source address must NOT be.
enable: Enable source address negate.
disable: Disable source address negate.

option

dstaddr-negate

When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be.
enable: Enable destination address negate.
disable: Disable destination address negate.

option

service-negate

When enabled service specifies what the service must NOT be.
enable: Enable negated service match.
disable: Disable negated service match.

option

internet-service-negate

When enabled internet-service specifies what the service must NOT be.
enable: Enable negated Internet Service match.
disable: Disable negated Internet Service match.

option

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.
enable: Enable negated Internet Service source match.
disable: Disable negated Internet Service source match.

option

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.
enable: Enable sending of RST packet upon TCP session expiration.
disable: Disable sending of RST packet upon TCP session expiration.

option

captive-portal-exempt

Enable to exempt some users from the captive portal.
enable: Enable exemption of captive portal.
disable: Disable exemption of captive portal.

option

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.
enable: Enable DSRI.
disable: Disable DSRI.

option

radius-mac-auth-bypass

Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
enable: Enable MAC authentication bypass.
disable: Disable MAC authentication bypass.

option

delay-tcp-npu-session

Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
enable: Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.
disable: Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

option

vlan-filter

Set VLAN filters.

user

Not Specified

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

firewall policy

Configure IPv4/IPv6 policies.

config firewall policy

firewall policy

Configure IPv4/IPv6 policies.

config firewall policy