IP policies
This section describes how to create new IPv4 and IPv6 policies.
IPv6 security policies are created both for an IPv6 network and a transitional network. A transitional network is a network that is transitioning over to IPv6, but must still have access to the Internet or must connect over an IPv4 network. IPv6 policies allow for this specific type of traffic to travel between the IPv6 and IPv4 networks.
On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the IPv6 Policy checkbox to display this option.
To create a new IPv4 or IPv6 policy:
- Ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select IPv4 Policy or IPv6 Policy. If you are in the Global Database ADOM, select IPv4 Header Policy, IPv4 Footer Policy, IPv6 Header Policy, or IPv6 Footer Policy.
- Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Policy pane opens.
- Enter the following information:
Name
Enter a unique name for the policy. Each policy must have a unique name.
Incoming Interface
Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.
Select the remove icon to remove values.
New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.
Outgoing Interface
Select outgoing interfaces.
Source Internet Service
Turn source internet service on or off, then select services.
This option is only available for IPv4 policies.
Source Address
Select source addresses.
This option is only available when Source Internet Service is off.
Source User
Select source users.
This option is only available when Source Internet Service is off.
Source User Group
Select source user groups.
This option is only available when Source Internet Service is off.
Source Device
Select source devices, device groups, and device categories.
This option is only available when Source Internet Service is off.
Destination Internet Service
Turn destination internet service on or off, then select services.
This option is only available for IPv4 policies.
Destination Address
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
This option is only available when Destination Internet Service is off.
Service
Select services and service groups.
This option is only available when Destination Internet Service is off.
Schedule
Select schedules, one time or recurring, and schedule groups.
Application
Select applications.
This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages.
URL Category
Select URL categories.
This option is only available when NGFW Mode is Policy-based for the policy package; see Create new policy packages.
Action
Select an action for the policy to take: ACCEPT, DENY, or IPSEC.
IPSEC is not available for IPv6 policies.
Log Traffic
When the Action is DENY, select Log Violation Traffic to log violation traffic.
When the Action is ACCEPT or IPSEC, select one of the following options:
- No Log
- Log Security Events
- Log All Sessions
Generate Logs when Session Starts
Select to generate logs when the session starts.
Capture Packets
Select to capture packets.
This option is available when the Action is ACCEPT or IPSEC, and Log Security Events or Log All Sessions is selected.
NAT
Select to enable NAT.
If enabled, select Use Destination Interface Address or Dynamic IP Pool, and select Fixed Port if required. If Dynamic IP Pool is selected, select pools.
This option is available when the Action is ACCEPT, and when NGFW Mode is Profile-based; see Create new policy packages.
VPN Tunnel
Select a VPN tunnel dynamic object from the dropdown list. Select to allow traffic to be initiated from the remote site.
This option is available when the Action is IPSEC.
Security Profiles
Select to add security profiles or profile groups.
This option is available when the Action is ACCEPT or IPSEC.
The following profile types can be added:
- AntiVirus Profile
- Web Filter Profile
- Application Control
- IPS Profile
- Email Filter Profile
- DLP Sensor
- VoIP Profile
- ICAP Profile
- SSL/SSH Inspection
- Web Application Firewall
- DNS Filter
- Proxy Options
- Profile Group (available when Use Security Profile Group is selected)
Shared Shaper
Select traffic shapers.
This option is available if the Action is ACCEPT or IPSEC.
Reverse Shaper
Select traffic shapers.
This option is available if the Action is ACCEPT or IPSEC and at least one forward traffic shaper is selected.
Per-IP Shaper
Select per-IP traffic shapers.
This option is available if the Action is ACCEPT or IPSEC.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options; see Advanced options below.
For more information on advanced options, see the FortiOS CLI Reference.
- Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
Advanced options
Option | Description | Default |
---|---|---|
auth-cert | HTTPS server certificate for policy authentication (IPv4 only). | none |
auth-path | Enable or disable authentication-based routing (IPv4 only). | disable |
auth-redirect-addr | HTTP-to-HTTPS redirect address for firewall authentication (IPv4 only). | none |
auto-asic-offload | Enable or disable policy traffic ASIC offloading. | enable |
block-notification | Enable or disable block notification (IPv4 only). | disable |
captive-portal-exempt | Enable or disable exemption of captive portal (IPv4 only). | disable |
custom-log-fields | Select the custom log fields from the dropdown list. | none |
delay-tcp-npu-session | Enable or disable TCP NPU session delay in order to guarantee packet order of 3-way handshake (IPv4 only). | disable |
diffserv-forward | Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. | disable |
diffserv-reverse | Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure | disable |
diffservcode-forward | Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000 |
diffservcode-rev | Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. | 000000 |
disclaimer | Enable or disable user authentication disclaimer (IPv4 only). | disable |
dscp-match | Enable or disable DSCP check. | disable |
dscp-negate | Enable or disable negated DSCP match. | disable |
dscp-value | Enter the DSCP value. | 000000 |
dsri | Enable or disable DSRI (Disable Server Response Inspection) to ignore HTTP server responses. | disable |
dstaddr-negate | Enable or disable negated destination address match. | disable |
firewall-session-dirty | Packet session management, either check-all or check-new. | check-all |
fsso-agent-for-ntlm | Select the FSSO agent for NTLM from the dropdown list (IPv4 only). | none |
identity-based-route | Name of identity-based routing rule (IPv4 only). | none |
internet-service-negate | When enabled, Internet services match against any Internet service EXCEPT the selected Internet service (IPv4 only). | disable |
internet-service-src-negate | Enables or disables the use of Internet Services in source for this policy. If enabled, | disable |
learning-mode | Enable or disable learning mode for policy (IPv4 only). | disable |
match-vip | Enable or disable match DNATed packet (IPv4 only). | disable |
natinbound | Enable or disable policy NAT inbound. | disable |
natip | Type the NAT IP address in the text field (IPv4 only). | 0.0.0.0 |
natoutbound | Enable or disable policy NAT outbound. | disable |
np-acceleration | Enable or disable UTM Network Processor acceleration. | enable |
ntlm | Enable or disable NTLM authentication (IPv4 only). | disable |
ntlm-enabled-browsers | Type a value in the text field (IPv4 only). | none |
ntlm-guest | Enable or disable NTLM guest (IPv4 only). | disable |
outbound | Enable or disable policy outbound. | disable |
permit-any-host | Enable to accept UDP packets from any host (IPv4 only). | disable |
permit-stun-host | Enable to accept UDP packets from any STUN host (IPv4 only). | disable |
radius-mac-auth-bypass | Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. | disable |
redirect-url | URL redirection after disclaimer/authentication (IPv4 only). | none |
replacemsg-override-group | Specify authentication replacement message override group. | none |
rtp-addr | Select the RTP address from the dropdown list (IPv4 only). | none |
rtp-nat | Enable to apply source NAT to RTP packets received by the firewall policy (IPv4 only). | disable |
scan-botnet-connections | Enable or disable scanning of connections to Botnet servers (IPv4 only). | disable |
schedule-timeout | Enable to force session to end when policy schedule end time is reached (IPv4 only). | disable |
send-deny-packet | Enable to send a packet in reply to denied TCP, UDP or ICMP traffic. | disable |
service-negate | Enable or disable negated service match. | disable |
session-ttl | Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation. | 0 |
srcaddr-negate | Enable or disable negated source address match. | disable |
ssh-filter-profile | Select an SSH filter profile from the dropdown list. | none |
ssl-mirror | Enable or disable SSL mirror. | disable |
ssl-mirror-intf | Mirror interface name. | none |
tcp-mss-receiver | Type a value for the receiver's TCP MSS. | 0 |
tcp-mss-sender | Type a value for the sender's TCP MSS. | 0 |
tcp-session-without-syn | Enable or disable creation of TCP session without SYN flag. | disable |
timeout-send-rst | Enable sending a TCP reset when an application session times out. | disable |
vlan-cos-fwd | Type the VLAN forward direction user priority. | 255 |
vlan-cos-rev | Type the VLAN reverse direction user priority. | 255 |
vlan-filter | Set VLAN filters. | |
wanopt | Enable or disable WAN optimization (IPv4 only). | disable |
wanopt-detection | WAN optimization auto-detection mode (IPv4 only). | active |
wanopt-passive-opt | WAN optimization passive mode options. This option decides what IP address will be used to connect to the server (IPv4 only). | default |
wanopt-peer | WAN optimization peer (IPv4 only). | none |
wanopt-profile | WAN optimization profile (IPv4 only). | none |
wccp | Enable or disable Web Cache Communication Protocol (WCCP) (IPv4 only). | disable |
webcache | Enable or disable web cache (IPv4 only). | disable |
webcache-https | Enable or disable web cache for HTTPS (IPv4 only). | disable |
wsso | Enable or disable WiFi Single Sign-On (IPv4 only). | enable |