config firewall policy
Configure IPv4/IPv6 policies.
config firewall policy
Description: Configure IPv4/IPv6 policies.
edit <policyid>
set action [accept|deny|...]
set anti-replay [enable|disable]
set app-monitor [enable|disable]
set application-list {string}
set auth-cert {string}
set auth-path [enable|disable]
set auth-redirect-addr {string}
set auto-asic-offload [enable|disable]
set av-profile {string}
set block-notification [enable|disable]
set captive-portal-exempt [enable|disable]
set capture-packet [enable|disable]
set casb-profile {string}
set comments {var-string}
set custom-log-fields <field-id1>, <field-id2>, ...
set decrypted-traffic-mirror {string}
set delay-tcp-npu-session [enable|disable]
set diameter-filter-profile {string}
set diffserv-copy [enable|disable]
set diffserv-forward [enable|disable]
set diffserv-reverse [enable|disable]
set diffservcode-forward {user}
set diffservcode-rev {user}
set disclaimer [enable|disable]
set dlp-profile {string}
set dnsfilter-profile {string}
set dsri [enable|disable]
set dstaddr <name1>, <name2>, ...
set dstaddr-negate [enable|disable]
set dstaddr6 <name1>, <name2>, ...
set dstaddr6-negate [enable|disable]
set dstintf <name1>, <name2>, ...
set dynamic-shaping [enable|disable]
set email-collect [enable|disable]
set emailfilter-profile {string}
set fec [enable|disable]
set file-filter-profile {string}
set firewall-session-dirty [check-all|check-new]
set fixedport [enable|disable]
set fsso-agent-for-ntlm {string}
set fsso-groups <name1>, <name2>, ...
set geoip-anycast [enable|disable]
set geoip-match [physical-location|registered-location]
set groups <name1>, <name2>, ...
set http-policy-redirect [enable|disable|...]
set icap-profile {string}
set identity-based-route {string}
set inbound [enable|disable]
set inspection-mode [proxy|flow]
set internet-service [enable|disable]
set internet-service-custom <name1>, <name2>, ...
set internet-service-custom-group <name1>, <name2>, ...
set internet-service-group <name1>, <name2>, ...
set internet-service-name <name1>, <name2>, ...
set internet-service-negate [enable|disable]
set internet-service-src [enable|disable]
set internet-service-src-custom <name1>, <name2>, ...
set internet-service-src-custom-group <name1>, <name2>, ...
set internet-service-src-group <name1>, <name2>, ...
set internet-service-src-name <name1>, <name2>, ...
set internet-service-src-negate [enable|disable]
set internet-service6 [enable|disable]
set internet-service6-custom <name1>, <name2>, ...
set internet-service6-custom-group <name1>, <name2>, ...
set internet-service6-group <name1>, <name2>, ...
set internet-service6-name <name1>, <name2>, ...
set internet-service6-negate [enable|disable]
set internet-service6-src [enable|disable]
set internet-service6-src-custom <name1>, <name2>, ...
set internet-service6-src-custom-group <name1>, <name2>, ...
set internet-service6-src-group <name1>, <name2>, ...
set internet-service6-src-name <name1>, <name2>, ...
set internet-service6-src-negate [enable|disable]
set ippool [enable|disable]
set ips-sensor {string}
set ips-voip-filter {string}
set log-http-transaction [enable|disable]
set logtraffic [all|utm|...]
set logtraffic-start [enable|disable]
set match-vip [enable|disable]
set match-vip-only [enable|disable]
set name {string}
set nat [enable|disable]
set nat46 [enable|disable]
set nat64 [enable|disable]
set natinbound [enable|disable]
set natip {ipv4-classnet}
set natoutbound [enable|disable]
set network-service-dynamic <name1>, <name2>, ...
set network-service-src-dynamic <name1>, <name2>, ...
set np-acceleration [enable|disable]
set ntlm [enable|disable]
set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...
set ntlm-guest [enable|disable]
set outbound [enable|disable]
set passive-wan-health-measurement [enable|disable]
set pcp-inbound [enable|disable]
set pcp-outbound [enable|disable]
set pcp-poolname <name1>, <name2>, ...
set per-ip-shaper {string}
set permit-any-host [enable|disable]
set permit-stun-host [enable|disable]
set policy-expiry [enable|disable]
set policy-expiry-date {datetime}
set policy-expiry-date-utc {user}
set poolname <name1>, <name2>, ...
set poolname6 <name1>, <name2>, ...
set port-preserve [enable|disable]
set port-random [enable|disable]
set profile-group {string}
set profile-protocol-options {string}
set profile-type [single|group]
set radius-ip-auth-bypass [enable|disable]
set radius-mac-auth-bypass [enable|disable]
set redirect-url {var-string}
set replacemsg-override-group {string}
set reputation-direction [source|destination]
set reputation-direction6 [source|destination]
set reputation-minimum {integer}
set reputation-minimum6 {integer}
set rtp-addr <name1>, <name2>, ...
set rtp-nat [disable|enable]
set schedule {string}
set schedule-timeout [enable|disable]
set sctp-filter-profile {string}
set send-deny-packet [disable|enable]
set service <name1>, <name2>, ...
set service-negate [enable|disable]
set session-ttl {user}
set sgt <id1>, <id2>, ...
set sgt-check [enable|disable]
set src-vendor-mac <id1>, <id2>, ...
set srcaddr <name1>, <name2>, ...
set srcaddr-negate [enable|disable]
set srcaddr6 <name1>, <name2>, ...
set srcaddr6-negate [enable|disable]
set srcintf <name1>, <name2>, ...
set ssh-filter-profile {string}
set ssh-policy-redirect [enable|disable]
set ssl-ssh-profile {string}
set status [enable|disable]
set tcp-mss-receiver {integer}
set tcp-mss-sender {integer}
set tcp-session-without-syn [all|data-only|...]
set telemetry-profile {string}
set timeout-send-rst [enable|disable]
set tos {user}
set tos-mask {user}
set tos-negate [enable|disable]
set traffic-shaper {string}
set traffic-shaper-reverse {string}
set users <name1>, <name2>, ...
set utm-status [enable|disable]
set uuid {uuid}
set videofilter-profile {string}
set virtual-patch-profile {string}
set vlan-cos-fwd {integer}
set vlan-cos-rev {integer}
set vlan-filter {user}
set voip-profile {string}
set vpntunnel {string}
set waf-profile {string}
set wanopt [enable|disable]
set wanopt-detection [active|passive|...]
set wanopt-passive-opt [default|transparent|...]
set wanopt-peer {string}
set wanopt-profile {string}
set wccp [enable|disable]
set webcache [enable|disable]
set webcache-https [disable|enable]
set webfilter-profile {string}
set webproxy-forward-server {string}
set webproxy-profile {string}
set ztna-device-ownership [enable|disable]
set ztna-ems-tag <name1>, <name2>, ...
set ztna-ems-tag-negate [enable|disable]
set ztna-ems-tag-secondary <name1>, <name2>, ...
set ztna-geo-tag <name1>, <name2>, ...
set ztna-policy-redirect [enable|disable]
set ztna-status [enable|disable]
set ztna-tags-match-logic [or|and]
next
end
config firewall policy
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
action |
Policy action (accept/deny/ipsec). |
option |
- |
deny |
||||||||
|
|
|
|||||||||||
|
anti-replay |
Enable/disable the anti-replay check on sessions matching this policy. Keep the default (enable); disabling removes the check that rejects replayed packets, so do so only while troubleshooting. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
app-monitor |
Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
application-list |
Name of an existing Application list. |
string |
Maximum length: 47 |
|
||||||||
|
auth-cert |
HTTPS server certificate for policy authentication. |
string |
Maximum length: 35 |
|
||||||||
|
auth-path |
Enable/disable authentication-based routing. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
auth-redirect-addr |
HTTP-to-HTTPS redirect address for firewall authentication. |
string |
Maximum length: 63 |
|
||||||||
|
auto-asic-offload |
Enable/disable policy traffic ASIC offloading. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
av-profile |
Name of an existing Antivirus profile. |
string |
Maximum length: 47 |
|
||||||||
|
block-notification |
Enable/disable block notification. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
captive-portal-exempt |
Enable to exempt users matching this policy from the captive portal (they are not prompted to authenticate). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
capture-packet * |
Enable/disable capture packets. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
casb-profile |
Name of an existing CASB profile. |
string |
Maximum length: 47 |
|
||||||||
|
comments |
Comment. |
var-string |
Maximum length: 1023 |
|
||||||||
|
custom-log-fields |
Custom log fields to append to log messages for this policy (one or more field IDs). |
string |
Maximum length: 35 |
|
||||||||
|
decrypted-traffic-mirror |
Decrypted traffic mirror. |
string |
Maximum length: 35 |
|
||||||||
|
delay-tcp-npu-session |
Enable TCP NPU session delay to guarantee packet order of 3-way handshake. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
diameter-filter-profile |
Name of an existing Diameter filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
diffserv-copy |
Enable to copy packet's DiffServ values from session's original direction to its reply direction. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
diffserv-forward |
Enable to change packet's DiffServ values to the specified diffservcode-forward value. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
diffserv-reverse |
Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
diffservcode-forward |
Change packet's DiffServ to this value. |
user |
Not Specified |
|
||||||||
|
diffservcode-rev |
Change packet's reverse (reply) DiffServ to this value. |
user |
Not Specified |
|
||||||||
|
disclaimer |
Enable/disable user authentication disclaimer. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
dlp-profile |
Name of an existing DLP profile. |
string |
Maximum length: 47 |
|
||||||||
|
dnsfilter-profile |
Name of an existing DNS filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
dsri |
Enable DSRI (Disable Server Response Inspection) so that HTTP server responses are not inspected; only client-to-server traffic is checked, which reduces inspection coverage. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
dstaddr |
Destination IPv4 address and address group names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
dstaddr-negate |
When enabled, dstaddr specifies what the destination address must NOT be. Note that a negated match widens the policy to every destination not listed. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
dstaddr6 |
Destination IPv6 address and address group names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
dstaddr6-negate |
When enabled, dstaddr6 specifies what the destination address must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
dstintf |
Outgoing (egress) interface name(s). |
string |
Maximum length: 79 |
|
||||||||
|
dynamic-shaping |
Enable/disable dynamic RADIUS defined traffic shaping. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
email-collect |
Enable/disable email collection. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
emailfilter-profile |
Name of an existing email filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
fec |
Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
file-filter-profile |
Name of an existing file-filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
firewall-session-dirty |
How to handle existing sessions if the configuration of this firewall policy changes: check-all re-evaluates all existing sessions against the changed policy; check-new applies the change only to new sessions and leaves existing ones untouched. |
option |
- |
check-all |
||||||||
|
|
|
|||||||||||
|
fixedport |
Enable to prevent source NAT from changing a session's source port. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
fsso-agent-for-ntlm |
FSSO agent to use for NTLM authentication. |
string |
Maximum length: 35 |
|
||||||||
|
fsso-groups |
Names of FSSO groups (one or more). |
string |
Maximum length: 511 |
|
||||||||
|
geoip-anycast |
Enable/disable recognition of anycast IP addresses using the geography IP database. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
geoip-match |
Match geography address based either on its physical location or registered location. |
option |
- |
physical-location |
||||||||
|
|
|
|||||||||||
|
groups |
Names of user groups that can authenticate with this policy (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
http-policy-redirect |
Redirect HTTP(S) traffic to matching transparent web proxy policy. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
icap-profile |
Name of an existing ICAP profile. |
string |
Maximum length: 47 |
|
||||||||
|
identity-based-route |
Name of identity-based routing rule. |
string |
Maximum length: 35 |
|
||||||||
|
inbound |
Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
inspection-mode |
Policy inspection mode (Flow/proxy). Default is Flow mode. |
option |
- |
flow |
||||||||
|
|
|
|||||||||||
|
internet-service |
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service-custom |
Custom Internet Service name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-custom-group |
Custom Internet Service group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-group |
Internet Service group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-name |
Internet Service name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-negate |
When enabled, internet-service specifies what the service must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service-src |
Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service-src-custom |
Custom Internet Service source name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-src-custom-group |
Custom Internet Service source group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-src-group |
Internet Service source group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-src-name |
Internet Service source name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service-src-negate |
When enabled, internet-service-src specifies what the service must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service6 |
Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service6-custom |
Custom IPv6 Internet Service name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-custom-group |
Custom IPv6 Internet Service group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-group |
IPv6 Internet Service group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-name |
IPv6 Internet Service name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-negate |
When enabled, internet-service6 specifies what the service must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service6-src |
Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
internet-service6-src-custom |
Custom IPv6 Internet Service source name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-src-custom-group |
Custom IPv6 Internet Service source group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-src-group |
IPv6 Internet Service source group name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-src-name |
IPv6 Internet Service source name(s). |
string |
Maximum length: 79 |
|
||||||||
|
internet-service6-src-negate |
When enabled, internet-service6-src specifies what the service must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ippool |
Enable to use IP Pools for source NAT. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ips-sensor |
Name of an existing IPS sensor. |
string |
Maximum length: 47 |
|
||||||||
|
ips-voip-filter |
Name of an existing VoIP (ips) profile. |
string |
Maximum length: 47 |
|
||||||||
|
log-http-transaction |
Enable/disable HTTP transaction log. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
logtraffic |
Traffic logging for this policy: all logs every session, utm logs only sessions handled by a security profile (default), and disable turns traffic logging off for the policy. |
option |
- |
utm |
||||||||
|
|
|
|||||||||||
|
logtraffic-start |
Also record a traffic log when a session starts (increases log volume, but gives visibility into long-lived sessions before they close). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
match-vip |
Enable to match packets that have had their destination addresses changed by a VIP. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
match-vip-only |
Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
name |
Policy name. |
string |
Maximum length: 35 |
|
||||||||
|
nat |
Enable/disable source NAT. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
nat46 |
Enable/disable NAT46. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
nat64 |
Enable/disable NAT64. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
natinbound |
Policy-based IPsec VPN: apply destination NAT to inbound traffic. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
natip |
Policy-based IPsec VPN: source NAT IP address for outgoing traffic. |
ipv4-classnet |
Not Specified |
0.0.0.0 0.0.0.0 |
||||||||
|
natoutbound |
Policy-based IPsec VPN: apply source NAT to outbound traffic. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
network-service-dynamic |
Dynamic Network Service name(s). |
string |
Maximum length: 79 |
|
||||||||
|
network-service-src-dynamic |
Dynamic Network Service source name(s). |
string |
Maximum length: 79 |
|
||||||||
|
np-acceleration * |
Enable/disable UTM Network Processor acceleration. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
ntlm |
Enable/disable NTLM authentication. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ntlm-enabled-browsers |
HTTP User-Agent strings of browsers that support NTLM authentication (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
ntlm-guest |
Enable/disable NTLM guest user access. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
outbound |
Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
passive-wan-health-measurement |
Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
pcp-inbound |
Enable/disable PCP inbound DNAT. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
pcp-outbound |
Enable/disable PCP outbound SNAT. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
pcp-poolname |
PCP pool name(s). |
string |
Maximum length: 79 |
|
||||||||
|
per-ip-shaper |
Per-IP traffic shaper. |
string |
Maximum length: 35 |
|
||||||||
|
permit-any-host |
Accept UDP packets from any host on sessions matching this policy, not only from the session's original peer. This relaxes the per-session source check; leave disabled unless a specific application requires it. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
permit-stun-host |
Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
policy-expiry |
Enable/disable policy expiry. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
policy-expiry-date |
Policy expiry date (YYYY-MM-DD HH:MM:SS). |
datetime |
Not Specified |
0000-00-00 00:00:00 |
||||||||
|
policy-expiry-date-utc |
Policy expiry date and time, in epoch format. |
user |
Not Specified |
|
||||||||
|
policyid |
Policy ID (0 - 4294967294). |
integer |
Minimum value: 0 Maximum value: 4294967294 |
0 |
||||||||
|
poolname |
IP Pool name(s) used for source NAT. |
string |
Maximum length: 79 |
|
||||||||
|
poolname6 |
IPv6 pool name(s). |
string |
Maximum length: 79 |
|
||||||||
|
port-preserve |
Enable/disable preservation of the original source port from source NAT if it has not been used. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
port-random |
Enable/disable random source port selection for source NAT (default disable; randomizing makes translated source ports harder for an outside party to predict). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
profile-group |
Name of profile group. |
string |
Maximum length: 47 |
|
||||||||
|
profile-protocol-options |
Name of an existing Protocol options profile. |
string |
Maximum length: 47 |
default |
||||||||
|
profile-type |
Determine whether the firewall policy allows security profile groups or single profiles only. |
option |
- |
single |
||||||||
|
|
|
|||||||||||
|
radius-ip-auth-bypass |
Enable IP-based authentication bypass: the bypassed IP address must be received from the RADIUS server, and traffic from it is allowed through this policy without user authentication. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
radius-mac-auth-bypass |
Enable MAC-based authentication bypass: the bypassed MAC address must be received from the RADIUS server, and traffic from it is allowed through this policy without user authentication. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
redirect-url |
URL users are directed to after seeing and accepting the disclaimer or authenticating. |
var-string |
Maximum length: 1023 |
|
||||||||
|
replacemsg-override-group |
Override the default replacement message group for this policy. |
string |
Maximum length: 35 |
|
||||||||
|
reputation-direction |
Direction of the initial traffic for reputation to take effect. |
option |
- |
destination |
||||||||
|
|
|
|||||||||||
|
reputation-direction6 |
Direction of the initial traffic for IPv6 reputation to take effect. |
option |
- |
destination |
||||||||
|
|
|
|||||||||||
|
reputation-minimum |
Minimum Reputation to take action. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||
|
reputation-minimum6 |
IPv6 Minimum Reputation to take action. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||
|
rtp-addr |
Address names to use if this is an RTP NAT policy (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
rtp-nat |
Enable Real Time Protocol (RTP) NAT. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
schedule |
Schedule name. |
string |
Maximum length: 35 |
|
||||||||
|
schedule-timeout |
Enable to force current sessions to end when the schedule object times out. With disable, established sessions continue past the schedule window until they end from inactivity. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
sctp-filter-profile |
Name of an existing SCTP filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
send-deny-packet |
Enable to send a reply when a session is denied or blocked by a firewall policy. The default (disable) drops silently; a reply tells the sender that a filtering device is present. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
service |
Service and service group names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
service-negate |
When enabled, service specifies what the service must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
session-ttl |
TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL). |
user |
Not Specified |
|
||||||||
|
sgt |
Security group tags (one or more; each 1 - 65535). |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
sgt-check |
Enable/disable security group tags (SGT) check. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
src-vendor-mac |
Vendor MAC source ID(s). |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||
|
srcaddr |
Source IPv4 address and address group names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
srcaddr-negate |
When enabled, srcaddr specifies what the source address must NOT be. Note that a negated match widens the policy to every source not listed. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
srcaddr6 |
Source IPv6 address and address group names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
srcaddr6-negate |
When enabled, srcaddr6 specifies what the source address must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
srcintf |
Incoming (ingress) interface name(s). |
string |
Maximum length: 79 |
|
||||||||
|
ssh-filter-profile |
Name of an existing SSH filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
ssh-policy-redirect |
Redirect SSH traffic to matching transparent proxy policy. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ssl-ssh-profile |
Name of an existing SSL/SSH inspection profile. With the default no-inspection, encrypted TLS/SSH payloads are not decrypted, so they cannot be examined by content-inspecting security profiles. |
string |
Maximum length: 47 |
no-inspection |
||||||||
|
status |
Enable or disable this policy. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
|
tcp-mss-receiver |
Receiver TCP maximum segment size (MSS). |
integer |
Minimum value: 0 Maximum value: 65535 |
0 |
||||||||
|
tcp-mss-sender |
Sender TCP maximum segment size (MSS). |
integer |
Minimum value: 0 Maximum value: 65535 |
0 |
||||||||
|
tcp-session-without-syn |
Control whether a session is created for TCP packets that arrive without a SYN flag (all or data-only). The default (disable) rejects such packets; enabling weakens stateful enforcement, so use it only when a specific routing condition requires it. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
telemetry-profile * |
Name of an existing telemetry profile. |
string |
Maximum length: 47 |
|
||||||||
|
timeout-send-rst |
Enable/disable sending RST packets when TCP sessions expire. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
tos |
ToS (Type of Service) value used for comparison. |
user |
Not Specified |
|
||||||||
|
tos-mask |
Non-zero bit positions are used for comparison while zero bit positions are ignored. |
user |
Not Specified |
|
||||||||
|
tos-negate |
Enable negated TOS match. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
traffic-shaper |
Traffic shaper. |
string |
Maximum length: 35 |
|
||||||||
|
traffic-shaper-reverse |
Reverse traffic shaper. |
string |
Maximum length: 35 |
|
||||||||
|
users |
Names of individual users that can authenticate with this policy (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
utm-status |
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
uuid |
Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
uuid |
Not Specified |
00000000-0000-0000-0000-000000000000 |
||||||||
|
videofilter-profile |
Name of an existing VideoFilter profile. |
string |
Maximum length: 47 |
|
||||||||
|
virtual-patch-profile |
Name of an existing virtual-patch profile. |
string |
Maximum length: 47 |
|
||||||||
|
vlan-cos-fwd |
VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest. |
integer |
Minimum value: 0 Maximum value: 7 (255 = passthrough) |
255 |
||||||||
|
vlan-cos-rev |
VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest. |
integer |
Minimum value: 0 Maximum value: 7 (255 = passthrough) |
255 |
||||||||
|
vlan-filter |
VLAN ranges to allow. |
user |
Not Specified |
|
||||||||
|
voip-profile |
Name of an existing VoIP (voipd) profile. |
string |
Maximum length: 47 |
|
||||||||
|
vpntunnel |
Policy-based IPsec VPN: name of the IPsec VPN Phase 1. |
string |
Maximum length: 35 |
|
||||||||
|
waf-profile |
Name of an existing Web application firewall profile. |
string |
Maximum length: 47 |
|
||||||||
|
wanopt * |
Enable/disable WAN optimization. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
wanopt-detection * |
WAN optimization auto-detection mode. |
option |
- |
active |
||||||||
|
|
|
|||||||||||
|
wanopt-passive-opt * |
WAN optimization passive mode options. This option decides which IP address is used to connect to the server. |
option |
- |
default |
||||||||
|
|
|
|||||||||||
|
wanopt-peer * |
WAN optimization peer. |
string |
Maximum length: 35 |
|
||||||||
|
wanopt-profile * |
WAN optimization profile. |
string |
Maximum length: 35 |
|
||||||||
|
wccp |
Enable/disable forwarding traffic matching this policy to a configured WCCP server. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
webcache * |
Enable/disable web cache. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
webcache-https * |
Enable/disable web cache for HTTPS. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
webfilter-profile |
Name of an existing Web filter profile. |
string |
Maximum length: 47 |
|
||||||||
|
webproxy-forward-server |
Webproxy forward server name. |
string |
Maximum length: 63 |
|
||||||||
|
webproxy-profile |
Webproxy profile name. |
string |
Maximum length: 63 |
|
||||||||
|
ztna-device-ownership |
Enable/disable zero trust device ownership. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ztna-ems-tag |
Source ztna-ems-tag names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
ztna-ems-tag-negate |
When enabled, ztna-ems-tag specifies what the tags must NOT be. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ztna-ems-tag-secondary |
Source ztna-ems-tag-secondary names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
ztna-geo-tag |
Source ztna-geo-tag names (one or more). |
string |
Maximum length: 79 |
|
||||||||
|
ztna-policy-redirect |
Redirect ZTNA traffic to matching Access-Proxy proxy-policy. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ztna-status |
Enable/disable zero trust access. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
ztna-tags-match-logic |
ZTNA tag matching logic: or (the default) matches when any listed tag matches; and requires all listed tags to match. |
option |
- |
or |
||||||||
|
|
|
|||||||||||
* This parameter may not exist in some models.