Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 6.2.9 Administration Guide
    6.2.9
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Create New Security Policy

    Create New Security Policy

    The section describes how to create a new Security Policy. A Security Policy consists of rules related to proxy, antivirus, IPS, Email, and DLP sensor.

    The Security Policy is visible only if the NGFW Mode is selected as Policy-based in the policy package.

    On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the Security Policy check box to display this option.
    To create a new Security Policy:
    1. Ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Security Policy.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Security Policy pane opens.

    5. Enter the following information:

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

      Select the remove icon to remove values.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces.

      Source

      Select source addresses.

      Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      Service

      Select the service. Select App Default or Specify. Select the Service from the Objector Selector if Specify is selected.

      Schedule

      Select schedules, one time or recurring, and schedule groups.

      Application

      Select applications.

      URL Category

      Select URL categories.

      Action

      Select an action for the policy to take: ACCEPT or DENY.

      Log Traffic

      When the Action is DENY, select Log Violation Traffic to log violation traffic.

      When the Action is ACCEPT or IPSEC, select one of the following options:

      • No Log
      • Log Security Events
      • Log All Sessions

      Generate Logs when Session Starts

      Select to generate logs when the session starts.

      Security Profiles

      Select to add security profiles or profile groups.

      This option is available when the Action is ACCEPT.

      The following profile types can be added:

      • Proxy Options
      • AntiVirus Profile
      • IPS Profile
      • Email Filter Profile
      • DLP Sensor

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.

    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
    Advanced options

    Option

    Description

    Default

    application-list

    Select from the drop-down list.

    None

    cifs-profile

    Enable or disable authentication-based routing (IPv4 only).

    None

    dnsfilter-profile

    Select from the drop-down list.

    None

    icap-profile

    Select from the drop-down list.

    None

    custom-log-fields

    Select the custom log fields from the drop-down list.

    none

    internet-service-negate

    When enabled, Internet services match against any Internet service except the selected Internet service (IPv4 only).

    disable

    internet-service-src-negate

    Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be (IPv4 only).

    disable

    service-negate

    Enable or disable negated service match.

    disable

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None
    ssl-ssh-profile

    Select an SSL SSH profile from the drop-down list.

    no-inspection

    utm-status

    Enable or disable the Unified Threat Management status.

    disable

    voip-profile

    Select the VOIP profile.

    None

    webfilter-profile

    Select the web filter profile.

    None
    Previous
    Next

    Create New Security Policy

    Create New Security Policy

    The section describes how to create a new Security Policy. A Security Policy consists of rules related to proxy, antivirus, IPS, Email, and DLP sensor.

    The Security Policy is visible only if the NGFW Mode is selected as Policy-based in the policy package.

    On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the Security Policy check box to display this option.
    To create a new Security Policy:
    1. Ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Security Policy.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Security Policy pane opens.

    5. Enter the following information:

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

      Select the remove icon to remove values.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces.

      Source

      Select source addresses.

      Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      Service

      Select the service. Select App Default or Specify. Select the Service from the Objector Selector if Specify is selected.

      Schedule

      Select schedules, one time or recurring, and schedule groups.

      Application

      Select applications.

      URL Category

      Select URL categories.

      Action

      Select an action for the policy to take: ACCEPT or DENY.

      Log Traffic

      When the Action is DENY, select Log Violation Traffic to log violation traffic.

      When the Action is ACCEPT or IPSEC, select one of the following options:

      • No Log
      • Log Security Events
      • Log All Sessions

      Generate Logs when Session Starts

      Select to generate logs when the session starts.

      Security Profiles

      Select to add security profiles or profile groups.

      This option is available when the Action is ACCEPT.

      The following profile types can be added:

      • Proxy Options
      • AntiVirus Profile
      • IPS Profile
      • Email Filter Profile
      • DLP Sensor

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.

    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
    Advanced options

    Option

    Description

    Default

    application-list

    Select from the drop-down list.

    None

    cifs-profile

    Enable or disable authentication-based routing (IPv4 only).

    None

    dnsfilter-profile

    Select from the drop-down list.

    None

    icap-profile

    Select from the drop-down list.

    None

    custom-log-fields

    Select the custom log fields from the drop-down list.

    none

    internet-service-negate

    When enabled, Internet services match against any Internet service except the selected Internet service (IPv4 only).

    disable

    internet-service-src-negate

    Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be (IPv4 only).

    disable

    service-negate

    Enable or disable negated service match.

    disable

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None
    ssl-ssh-profile

    Select an SSL SSH profile from the drop-down list.

    no-inspection

    utm-status

    Enable or disable the Unified Threat Management status.

    disable

    voip-profile

    Select the VOIP profile.

    None

    webfilter-profile

    Select the web filter profile.

    None
    Previous
    Next