Administration Guide

Configuring policy details

Various policy details can be configured directly from the policy tables, such as the policy schedule, service, action, security profiles, and logging.

To edit a policy schedule with dual pane disabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the Schedule column, click the cell in the policy that you want to edit. The Object Selector frame is displayed.
  5. In the Object Selector frame, locate the schedule object, then drag and drop the object onto the cell in the Schedule column for the policy that you want to change.
  6. Click OK to close the Object Selector frame.
To edit a policy schedule with dual pane enabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the object pane, go to Firewall Objects > Schedules.
  5. Locate the schedule object, then drag and drop the object onto the cell in the Schedule column for the policy that you want to change.
To edit a policy service with dual pane disabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the Service column, click the cell in the policy that you want to edit. The Object Selector frame opens.
  5. In the Object Selector frame, locate the service object, and then drag and drop the object onto the cell in the Service column for the policy that you want to change.
  6. Click OK to close the Object Selector frame.
To edit a policy service with dual pane enabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the object pane, go to Firewall Objects > Services. The services objects are displayed in the content pane.
  5. Locate the service object, then drag and drop the object onto the cell in the Service column for the policy that you want to change.
To edit a services object:
  1. Go to Policy & Objects > Object Configuration.
  2. In the tree menu, go to Firewall Objects > Services. The services objects are displayed in the content pane.
  3. Select a services object, and click Edit. The Edit Service dialog box is displayed.
  4. Configure the following settings, then click OK to save the service. The custom service will be added to the available services.

    Name

    Edit the service name as required.

    Comments

    Type an optional comment.

    Service Type

    Select Firewall or Explicit Proxy.

    Show in service list

    Select to display the object in the services list.

    Category

    Select a category for the service.

    Protocol Type

    Select the protocol from the dropdown list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP.

    IP/FQDN

    Type the IP address or FQDN.

    This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port, and destination port in the table.

    Type

    Type the service type in the text field.

    This menu item is available when Protocol is set to ICMP or ICMP6.

    Code

    Type the code in the text field.

    This menu item is available when Protocol is set to ICMP or ICMP6.

    Protocol Number

    Type the protocol number in the text field.

    This menu item is available when Protocol Type is set to IP.

    Advanced Options

    For more information on the advanced options, see the FortiOS CLI Reference.

    check-reset-range

    Configure ICMP error message verification.

    • disable: The FortiGate unit does not validate ICMP error messages.
    • strict: If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, then if FortiManager can locate the A:C->B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped. If it is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
    • default: Use the global setting defined in system global.

    This field is available when Protocol is TCP/UDP/SCTP.

    This field is not available if explicit-proxy is enabled.

    Color

    Click the icon to select a custom, colored icon to display next to the service name.

    session-ttl

    Type the default session timeout in seconds.

    The valid range is from 300 to 604,800 seconds. Type 0 to use either the per-policy session-ttl or per-VDOM session-ttl, as applicable.

    This is available when Protocol is TCP/UDP/SCTP.

    tcp-halfclose-timer

    Type how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded.

    The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global.

    This is available when Protocol is TCP/UDP/SCTP.

    tcp-halfopen-timer

    Type how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded.

    The valid range is from 1 to 86400 seconds. Type 0 to use the global setting defined in system global.

    This is available when Protocol is TCP/UDP/SCTP.

    tcp-timewait-timer

    Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “...TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.”

    Reducing the length of the TIME-WAIT state means the FortiGate unit can close terminated sessions faster, which means that more new sessions can be opened before the session limit is reached.

    The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds. Type 0 to use the global setting defined in system global.

    This is available when Protocol is TCP/UDP/SCTP.

    udp-idle-timer

    Type the number of seconds before an idle UDP connection times out.

    The valid range is from 1 to 86400 seconds.

    Type 0 to use the global setting defined in system global.

    This is available when Protocol is TCP/UDP/SCTP.
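The field descriptions above encode a set of dependencies (ICMP type and code only for ICMP/ICMP6, a protocol number only for IP, the timers and check-reset-range only for TCP/UDP/SCTP, check-reset-range never with explicit proxy) plus numeric ranges where 0 means "inherit". The following validator, an added example that is not Fortinet code and uses hypothetical dictionary keys rather than any FortiManager API, checks a custom service definition against exactly those documented constraints before it is pushed to a policy package.

```python
"""Check a custom service definition against the documented field rules.
Added example (not Fortinet code); the dict keys are hypothetical and mirror
the GUI field names in the Edit Service dialog."""
from __future__ import annotations

# Documented ranges; for every timer, 0 means "fall back to the broader setting"
# (per-policy/per-VDOM for session-ttl, system global for the others).
TIMER_RANGES = {
    "session-ttl": (300, 604800),
    "tcp-halfclose-timer": (1, 86400),
    "tcp-halfopen-timer": (1, 86400),
    "tcp-timewait-timer": (0, 300),
    "udp-idle-timer": (1, 86400),
}
PROTOCOLS = {"TCP/UDP/SCTP", "ICMP", "ICMP6", "IP"}
CHECK_RESET_RANGE = {"disable", "strict", "default"}


def validate_service(svc: dict) -> list[str]:
    """Return the list of rule violations; an empty list means consistent."""
    problems: list[str] = []
    proto = svc.get("protocol")
    if proto not in PROTOCOLS:
        return [f"unknown protocol type {proto!r}"]
    is_transport = proto == "TCP/UDP/SCTP"
    explicit_proxy = svc.get("service_type") == "Explicit Proxy"
    # ICMP type/code are only meaningful for ICMP or ICMP6 services.
    if proto not in ("ICMP", "ICMP6") and ("icmp_type" in svc or "icmp_code" in svc):
        problems.append("ICMP type/code set but protocol is not ICMP/ICMP6")
    # A protocol number is required for, and only valid with, protocol type IP.
    if proto != "IP" and "protocol_number" in svc:
        problems.append("protocol number set but protocol type is not IP")
    if proto == "IP" and "protocol_number" not in svc:
        problems.append("protocol type IP requires a protocol number")
    # Timers exist only for TCP/UDP/SCTP; 0 is always accepted as "inherit".
    for name, (lo, hi) in TIMER_RANGES.items():
        if name not in svc:
            continue
        if not is_transport:
            problems.append(f"{name} set but protocol is not TCP/UDP/SCTP")
        elif svc[name] != 0 and not lo <= svc[name] <= hi:
            problems.append(f"{name}={svc[name]} outside {lo}-{hi} (0 = inherit)")
    crr = svc.get("check-reset-range")
    if crr is not None:
        if crr not in CHECK_RESET_RANGE:
            problems.append(f"check-reset-range must be one of {sorted(CHECK_RESET_RANGE)}")
        elif not is_transport:
            problems.append("check-reset-range set but protocol is not TCP/UDP/SCTP")
        elif explicit_proxy:
            problems.append("check-reset-range is not available with explicit-proxy")
    return problems
```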

To edit a policy action:
  1. Select the desired policy type in the tree menu.
  2. Select the policy, and from the Edit menu, select Edit.
  3. Set the Action option, and click OK.
To edit policy logging:
  1. Select the desired policy type in the tree menu.
  2. Right-click the Log column, and select options from the menu.
To edit policy security profiles with dual pane disabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the Security Profiles column, click the cell in the policy that you want to edit. The Object Selector frame is displayed.
  5. In the Object Selector frame, locate the profiles, then drag and drop the object onto the cell in the Security Profiles column for the policy that you want to change.
  6. Click OK to close the Object Selector frame.
To edit policy security profiles with dual pane enabled:
  1. Ensure you are in the correct ADOM.
  2. Go to Policy & Objects.
  3. In the tree menu for a policy package, select a policy type. The policies are displayed in the content pane.
  4. In the object pane, go to Security Profiles.
  5. Locate the profile object, then drag and drop the object onto the cell in the Security Profiles column for the policy that you want to change.

The policy action must be Accept to add security profiles to the policy.