config firewall security-policy
Configure NGFW IPv4/IPv6 application policies.
```
config firewall security-policy
    edit <policyid>
        set action [accept|deny]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set av-profile {string}
        set casb-profile {string}
        set cifs-profile {string}
        set comments {var-string}
        set diameter-filter-profile {string}
        set dlp-profile {string}
        set dnsfilter-profile {string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstaddr6 <name1>, <name2>, ...
        set dstaddr6-negate [enable|disable]
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set enforce-default-app-port [enable|disable]
        set file-filter-profile {string}
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set icap-profile {string}
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-name <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-name <name1>, <name2>, ...
        set internet-service-src-negate [enable|disable]
        set internet-service6 [enable|disable]
        set internet-service6-custom <name1>, <name2>, ...
        set internet-service6-custom-group <name1>, <name2>, ...
        set internet-service6-group <name1>, <name2>, ...
        set internet-service6-name <name1>, <name2>, ...
        set internet-service6-negate [enable|disable]
        set internet-service6-src [enable|disable]
        set internet-service6-src-custom <name1>, <name2>, ...
        set internet-service6-src-custom-group <name1>, <name2>, ...
        set internet-service6-src-group <name1>, <name2>, ...
        set internet-service6-src-name <name1>, <name2>, ...
        set internet-service6-src-negate [enable|disable]
        set ips-sensor {string}
        set ips-voip-filter {string}
        set learning-mode [enable|disable]
        set logtraffic [all|utm|...]
        set name {string}
        set nat46 [enable|disable]
        set nat64 [enable|disable]
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set schedule {string}
        set sctp-filter-profile {string}
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcaddr6 <name1>, <name2>, ...
        set srcaddr6-negate [enable|disable]
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set url-category {user}
        set users <name1>, <name2>, ...
        set uuid {uuid}
        set videofilter-profile {string}
        set virtual-patch-profile {string}
        set voip-profile {string}
        set webfilter-profile {string}
    next
end
```
config firewall security-policy
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| action | Policy action (accept/deny). | option | - | deny |
| app-category | Application category ID list. Category IDs. | integer | Minimum value: 0; Maximum value: 4294967295 | |
| app-group | Application group names. | string | Maximum length: 79 | |
| application | Application ID list. Application IDs. | integer | Minimum value: 0; Maximum value: 4294967295 | |
| application-list | Name of an existing Application list. | string | Maximum length: 35 | |
| av-profile | Name of an existing Antivirus profile. | string | Maximum length: 35 | |
| casb-profile | Name of an existing CASB profile. | string | Maximum length: 35 | |
| cifs-profile | Name of an existing CIFS profile. | string | Maximum length: 35 | |
| comments | Comment. | var-string | Maximum length: 1023 | |
| diameter-filter-profile | Name of an existing Diameter filter profile. | string | Maximum length: 35 | |
| dlp-profile | Name of an existing DLP profile. | string | Maximum length: 35 | |
| dnsfilter-profile | Name of an existing DNS filter profile. | string | Maximum length: 35 | |
| dstaddr | Destination IPv4 address name and address group names. Address name. | string | Maximum length: 79 | |
| dstaddr-negate | When enabled, dstaddr specifies what the destination address must NOT be. | option | - | disable |
| dstaddr6 | Destination IPv6 address name and address group names. Address name. | string | Maximum length: 79 | |
| dstaddr6-negate | When enabled, dstaddr6 specifies what the destination address must NOT be. | option | - | disable |
| dstintf | Outgoing (egress) interface. Interface name. | string | Maximum length: 79 | |
| emailfilter-profile | Name of an existing email filter profile. | string | Maximum length: 35 | |
| enforce-default-app-port | Enable/disable default application port enforcement for allowed applications. | option | - | enable |
| file-filter-profile | Name of an existing file-filter profile. | string | Maximum length: 35 | |
| fsso-groups | Names of FSSO groups. | string | Maximum length: 511 | |
| groups | Names of user groups that can authenticate with this policy. User group name. | string | Maximum length: 79 | |
| icap-profile | Name of an existing ICAP profile. | string | Maximum length: 35 | |
| internet-service | Enable/disable use of Internet Services for this policy. If enabled, destination address, service and default application port enforcement are not used. | option | - | disable |
| internet-service-custom | Custom Internet Service name. | string | Maximum length: 79 | |
| internet-service-custom-group | Custom Internet Service group name. | string | Maximum length: 79 | |
| internet-service-group | Internet Service group name. | string | Maximum length: 79 | |
| internet-service-name | Internet Service name. | string | Maximum length: 79 | |
| internet-service-negate | When enabled, internet-service specifies what the service must NOT be. | option | - | disable |
| internet-service-src | Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. | option | - | disable |
| internet-service-src-custom | Custom Internet Service source name. Custom Internet Service name. | string | Maximum length: 79 | |
| internet-service-src-custom-group | Custom Internet Service source group name. Custom Internet Service group name. | string | Maximum length: 79 | |
| internet-service-src-group | Internet Service source group name. Internet Service group name. | string | Maximum length: 79 | |
| internet-service-src-name | Internet Service source name. Internet Service name. | string | Maximum length: 79 | |
| internet-service-src-negate | When enabled, internet-service-src specifies what the service must NOT be. | option | - | disable |
| internet-service6 | Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address, service and default application port enforcement are not used. | option | - | disable |
| internet-service6-custom | Custom IPv6 Internet Service name. | string | Maximum length: 79 | |
| internet-service6-custom-group | Custom IPv6 Internet Service group name. | string | Maximum length: 79 | |
| internet-service6-group | Internet Service group name. | string | Maximum length: 79 | |
| internet-service6-name | IPv6 Internet Service name. | string | Maximum length: 79 | |
| internet-service6-negate | When enabled, internet-service6 specifies what the service must NOT be. | option | - | disable |
| internet-service6-src | Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. | option | - | disable |
| internet-service6-src-custom | Custom IPv6 Internet Service source name. Custom Internet Service name. | string | Maximum length: 79 | |
| internet-service6-src-custom-group | Custom Internet Service6 source group name. Custom Internet Service6 group name. | string | Maximum length: 79 | |
| internet-service6-src-group | Internet Service6 source group name. Internet Service group name. | string | Maximum length: 79 | |
| internet-service6-src-name | IPv6 Internet Service source name. Internet Service name. | string | Maximum length: 79 | |
| internet-service6-src-negate | When enabled, internet-service6-src specifies what the service must NOT be. | option | - | disable |
| ips-sensor | Name of an existing IPS sensor. | string | Maximum length: 35 | |
| ips-voip-filter | Name of an existing VoIP (ips) profile. | string | Maximum length: 35 | |
| learning-mode | Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. | option | - | disable |
| logtraffic | Enable or disable logging. Log all sessions or security profile sessions. | option | - | utm |
| name | Policy name. | string | Maximum length: 35 | |
| nat46 | Enable/disable NAT46. | option | - | disable |
| nat64 | Enable/disable NAT64. | option | - | disable |
| policyid | Policy ID. | integer | Minimum value: 0; Maximum value: 4294967294 | 0 |
| profile-group | Name of profile group. | string | Maximum length: 35 | |
| profile-protocol-options | Name of an existing Protocol options profile. | string | Maximum length: 35 | default |
| profile-type | Determine whether the firewall policy allows security profile groups or single profiles only. | option | - | single |
| schedule | Schedule name. | string | Maximum length: 35 | |
| sctp-filter-profile | Name of an existing SCTP filter profile. | string | Maximum length: 35 | |
| send-deny-packet | Enable to send a reply when a session is denied or blocked by a firewall policy. | option | - | disable |
| service | Service and service group names. Service name. | string | Maximum length: 79 | |
| service-negate | When enabled, service specifies what the service must NOT be. | option | - | disable |
| srcaddr | Source IPv4 address name and address group names. Address name. | string | Maximum length: 79 | |
| srcaddr-negate | When enabled, srcaddr specifies what the source address must NOT be. | option | - | disable |
| srcaddr6 | Source IPv6 address name and address group names. Address name. | string | Maximum length: 79 | |
| srcaddr6-negate | When enabled, srcaddr6 specifies what the source address must NOT be. | option | - | disable |
| srcintf | Incoming (ingress) interface. Interface name. | string | Maximum length: 79 | |
| ssh-filter-profile | Name of an existing SSH filter profile. | string | Maximum length: 35 | |
| ssl-ssh-profile | Name of an existing SSL SSH profile. | string | Maximum length: 35 | no-inspection |
| status | Enable or disable this policy. | option | - | enable |
| url-category | URL categories or groups. | user | Not Specified | |
| users | Names of individual users that can authenticate with this policy. User name. | string | Maximum length: 79 | |
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified | 00000000-0000-0000-0000-000000000000 |
| videofilter-profile | Name of an existing VideoFilter profile. | string | Maximum length: 35 | |
| virtual-patch-profile | Name of an existing virtual-patch profile. | string | Maximum length: 35 | |
| voip-profile | Name of an existing VoIP (voipd) profile. | string | Maximum length: 35 | |
| webfilter-profile | Name of an existing Web filter profile. | string | Maximum length: 35 | |
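As an added example (not part of this reference page and not Fortinet code), the following Python audit parses a `config firewall security-policy` stanza in the CLI format shown above and flags settings whose documented semantics weaken a policy: `learning-mode` allowing everything, `dstaddr`/`service`/`enforce-default-app-port` being ignored once `internet-service` is enabled, and accept policies left at the table defaults `logtraffic utm` and `ssl-ssh-profile no-inspection`. The sample configuration and its object names are constructed placeholders.

```python
import shlex
# Defaults copied from the reference table (value in force when the attribute is unset).
DEFAULTS = {"action": "deny", "logtraffic": "utm", "ssl-ssh-profile": "no-inspection",
            "enforce-default-app-port": "enable", "learning-mode": "disable"}

def parse_security_policies(cli_text):
    """Parse 'config firewall security-policy' CLI text into {policyid: {attr: [values]}}."""
    policies, current, pid = {}, None, None
    for line in (l.strip() for l in cli_text.splitlines()):
        if line.startswith("edit ") and line[5:].strip().isdigit():
            pid, current = int(line[5:]), {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            current[key] = shlex.split(rest)  # quoted, possibly multi-valued names
        elif line == "next" and current is not None:
            policies[pid], current = current, None
    return policies

def audit_policy(p):
    """Findings for one parsed policy, following the field semantics the table documents."""
    cfg = {**DEFAULTS, **{k: v[0] for k, v in p.items()}}
    findings = []
    if cfg["learning-mode"] == "enable":
        findings.append("learning-mode: policy allows everything and only logs it")
    if cfg.get("internet-service") == "enable":  # dstaddr/service/port enforcement not used
        findings += [f"{k} is ignored while internet-service is enabled"
                     for k in ("dstaddr", "service", "enforce-default-app-port") if k in p]
    if cfg["action"] == "accept":
        if cfg["logtraffic"] != "all":
            findings.append("accept policy logs security-profile sessions only (logtraffic utm)")
        if cfg["ssl-ssh-profile"] == "no-inspection":
            findings.append("accept policy has no SSL/SSH inspection profile")
    return findings

# Constructed sample; object names are placeholders, not taken from the reference page.
SAMPLE_CONFIG = """config firewall security-policy
    edit 1
        set dstaddr "all"
        set service "ALL"
        set action accept
        set learning-mode enable
        set internet-service enable
    next
    edit 2
        set action accept
        set logtraffic all
        set application-list "block-risky-apps"
        set ssl-ssh-profile "certificate-inspection"
    next
end"""
```

Running `audit_policy` over each entry of `parse_security_policies(SAMPLE_CONFIG)` reports five findings for policy 1 and none for policy 2.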