config firewall security-policy
Configure NGFW IPv4/IPv6 application policies.
```
config firewall security-policy
    Description: Configure NGFW IPv4/IPv6 application policies.
    edit <policyid>
        set uuid {uuid}
        set name {string}
        set comments {var-string}
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set srcaddr <name1>, <name2>, ...
        set dstaddr <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set internet-service [enable|disable]
        set internet-service-name <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-group <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-src [enable|disable]
        set internet-service-src-name <name1>, <name2>, ...
        set internet-service-src-negate [enable|disable]
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set enforce-default-app-port [enable|disable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set action [accept|deny]
        set send-deny-packet [disable|enable]
        set schedule {string}
        set status [enable|disable]
        set logtraffic [all|utm|...]
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-sensor {string}
        set file-filter-profile {string}
        set ips-sensor {string}
        set application-list {string}
        set voip-profile {string}
        set icap-profile {string}
        set cifs-profile {string}
        set ssh-filter-profile {string}
        set application <id1>, <id2>, ...
        set app-category <id1>, <id2>, ...
        set url-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set fsso-groups <name1>, <name2>, ...
    next
end
```
config firewall security-policy
| Parameter name | Description | Type | Size |
|---|---|---|---|
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
| name | Policy name. | string | Maximum length: 35 |
| comments | Comment. | var-string | Maximum length: 1023 |
| srcintf `<name>` | Incoming (ingress) interface.<br>Interface name. | string | Maximum length: 79 |
| dstintf `<name>` | Outgoing (egress) interface.<br>Interface name. | string | Maximum length: 79 |
| srcaddr `<name>` | Source IPv4 address name and address group names.<br>Address name. | string | Maximum length: 79 |
| dstaddr `<name>` | Destination IPv4 address name and address group names.<br>Address name. | string | Maximum length: 79 |
| srcaddr6 `<name>` | Source IPv6 address name and address group names.<br>Address name. | string | Maximum length: 79 |
| dstaddr6 `<name>` | Destination IPv6 address name and address group names.<br>Address name. | string | Maximum length: 79 |
| srcaddr-negate | When enabled, srcaddr/srcaddr6 specifies what the source address must NOT be. | option | - |
| dstaddr-negate | When enabled, dstaddr/dstaddr6 specifies what the destination address must NOT be. | option | - |
| internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. | option | - |
| internet-service-name `<name>` | Internet Service name. | string | Maximum length: 79 |
| internet-service-negate | When enabled, internet-service specifies what the service must NOT be. | option | - |
| internet-service-group `<name>` | Internet Service group name. | string | Maximum length: 79 |
| internet-service-custom `<name>` | Custom Internet Service name. | string | Maximum length: 79 |
| internet-service-custom-group `<name>` | Custom Internet Service group name. | string | Maximum length: 79 |
| internet-service-src | Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. | option | - |
| internet-service-src-name `<name>` | Internet Service source name.<br>Internet Service name. | string | Maximum length: 79 |
| internet-service-src-negate | When enabled, internet-service-src specifies what the service must NOT be. | option | - |
| internet-service-src-group `<name>` | Internet Service source group name.<br>Internet Service group name. | string | Maximum length: 79 |
| internet-service-src-custom `<name>` | Custom Internet Service source name.<br>Custom Internet Service name. | string | Maximum length: 79 |
| internet-service-src-custom-group `<name>` | Custom Internet Service source group name.<br>Custom Internet Service group name. | string | Maximum length: 79 |
| enforce-default-app-port | Enable/disable default application port enforcement for allowed applications. | option | - |
| service `<name>` | Service and service group names.<br>Service name. | string | Maximum length: 79 |
| service-negate | When enabled, service specifies what the service must NOT be. | option | - |
| action | Policy action (accept/deny). | option | - |
| send-deny-packet | Enable to send a reply when a session is denied or blocked by a firewall policy. | option | - |
| schedule | Schedule name. | string | Maximum length: 35 |
| status | Enable or disable this policy. | option | - |
| logtraffic | Enable or disable logging. Log all sessions or security profile sessions. | option | - |
| profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. | option | - |
| profile-group | Name of profile group. | string | Maximum length: 35 |
| profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 |
| ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 |
| av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 |
| webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 |
| dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 |
| emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 |
| dlp-sensor | Name of an existing DLP sensor. | string | Maximum length: 35 |
| file-filter-profile | Name of an existing file-filter profile. | string | Maximum length: 35 |
| ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 |
| application-list | Name of an existing Application list. | string | Maximum length: 35 |
| voip-profile | Name of an existing VoIP profile. | string | Maximum length: 35 |
| icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 |
| cifs-profile | Name of an existing CIFS profile. | string | Maximum length: 35 |
| ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 |
| application `<id>` | Application ID list.<br>Application IDs. | integer | Minimum value: 0, Maximum value: 4294967295 |
| app-category `<id>` | Application category ID list.<br>Category IDs. | integer | Minimum value: 0, Maximum value: 4294967295 |
| url-category `<id>` | URL category ID list.<br>URL category ID. | integer | Minimum value: 0, Maximum value: 4294967295 |
| app-group `<name>` | Application group names. | string | Maximum length: 79 |
| groups `<name>` | Names of user groups that can authenticate with this policy.<br>User group name. | string | Maximum length: 79 |
| users `<name>` | Names of individual users that can authenticate with this policy.<br>User name. | string | Maximum length: 79 |
| fsso-groups `<name>` | Names of FSSO groups. | string | Maximum length: 511 |
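Two rows in this table describe settings that silently override others (`internet-service` makes `dstaddr` and `service` unused; `internet-service-src` makes `srcaddr` unused), and `logtraffic` and `enforce-default-app-port` decide whether an accept policy is observable and pinned to default ports. The following added example (not Fortinet's code) parses a `config firewall security-policy` block in the edit/set/next format shown above and flags those conditions; the sample policies, IDs and object names are constructed, and `all` is assumed to be the built-in any-address object.

```python
# Added example (not Fortinet code): audit a FortiOS 'config firewall security-policy'
# block for settings this page documents as ignored or weak. Sample values are made up.
import shlex

# Constructed sample; "all" is assumed to be the built-in any-address object.
SAMPLE_CONFIG = """config firewall security-policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set logtraffic utm
        set enforce-default-app-port enable
        set app-category 25
    next
    edit 2
        set srcaddr "all"
        set dstaddr "internal-servers"
        set internet-service enable
        set internet-service-name "Example-Service"
        set action accept
        set logtraffic disable
    next
end
"""

def parse_policies(text):
    """Return {policyid: {setting: [values]}} for each edit ... next entry."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)  # strips the quotes around object names
        if tok and tok[0] == "edit":
            current, policies[tok[1]] = tok[1], {}
        elif tok and tok[0] == "set" and current is not None:
            policies[current][tok[1]] = tok[2:]  # kept as a list: settings may be multi-value
        elif tok and tok[0] == "next":
            current = None
    return policies

def audit(policies):
    findings = []
    for pid, s in policies.items():
        on = lambda key: s.get(key, ["disable"])[0] == "enable"
        # Table: if internet-service is enabled, destination address and service are not used.
        if on("internet-service") and ("dstaddr" in s or "service" in s):
            findings.append((pid, "dstaddr/service ignored while internet-service is enabled"))
        # Table: if internet-service-src is enabled, source address is not used.
        if on("internet-service-src") and "srcaddr" in s:
            findings.append((pid, "srcaddr ignored while internet-service-src is enabled"))
        if s.get("action", [""])[0] == "accept":
            if s.get("logtraffic", [""])[0] not in ("all", "utm"):  # the logging modes listed above
                findings.append((pid, "accept policy without session logging"))
            if any(k in s for k in ("application", "app-category", "app-group")) and not on("enforce-default-app-port"):
                findings.append((pid, "allowed applications not held to their default ports"))
    return findings
```

Run `audit(parse_policies(SAMPLE_CONFIG))`: policy 1 is clean, policy 2 is reported twice, once because its `dstaddr` is ignored and once because it accepts traffic without logging.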