Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 6.4.7 Administration Guide
    6.4.7
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Create New Firewall Policy

    Create New Firewall Policy

    The section describes how to create a new Firewall Policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it’s processed, if it’s processed, and even whether or not it’s allowed to pass through the FortiGate.

    The Firewall Policy is visible only if the NGFW Mode is selected as Policy-based in the policy package.
    To create a new Firewall Policy:
    1. Ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Firewall Policy pane opens.

    5. Enter the following information:

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

      Select the remove icon to remove values.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces.

      Source Internet Service

      Turn source internet service on or off, then select services.

      This option is only available for IPv4 policies.

      FSSO Groups

      Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.

      IPv4 Source Address

      Select the IPv4 source addresses.

      This option is only available when Source Internet Service is off.

      IPv6 Source Address

      Select the IPv6 source addresses.

      This option is only available when Source Internet Service is off.

      Source User

      Select source users.

      This option is only available when Source Internet Service is off.

      Source User Group

      Select source user groups.

      This option is only available when Source Internet Service is off.

      Source Device

      Select source devices, device groups, and device categories.

      This option is only available when Source Internet Service is off.

      Destination Internet Service

      Turn destination internet service on or off, then select services.

      This option is only available for IPv4 policies.

      IPv4 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      IPv6 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      Service

      Select services and service groups.

      This option is only available when Destination Internet Service is off.

      Firewall / Network Options

      Central NAT is enabled by default so NAT settings from matching Central SNAT policies will be applied.

      Security Profiles

      Select one of the following options for SSL/SSH Inspection:

      • certificate-inspection
      • custom-deep-inspection
      • deep-inspection
      • no-inspection

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.
    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
    Advanced options

    Option

    Description

    Default

    auto-asic-offload

    Enable or disable policy traffic ASIC offloading.

    enable

    cifs-profile

    Enable or disable authentication-based routing (IPv4 only).

    disable

    diffserv-forward

    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.

    disable

    diffserv-reverse

    Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.

    disable

    diffservcode-forward

    Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.

    000000

    diffservcode-rev

    Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.

    000000

    http-policy-redirect

    Select the custom log fields from the dropdown list.

    none

    inspection-mode

    Enable or disable TCP NPU session delay in order to guarantee packet order of 3-way handshake (IPv4 only).

    disable

    outbound

    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.

    disable

    session-ttl

    Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation.

    0

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None

    ssh-policy-redirect

    Enable or disable SSH policy redirect.

    disable

    tcp-mss-receiver

    Type a value for the receiver’s TCP MSS.

    0

    tcp-mss-sender

    Type a value for the sender’s TCP MSS.

    0

    wanopt

    Enable or disable WAN optimization (IPv4 only).

    disable

    wanopt-detection

    Select the WAN optimization as active, passive, or off.

    active

    wanopt-passive-opt

    WAN optimization passive mode options. This option decides what IP address will be used to connect server (IPv4 only).

    default

    wanopt-peer

    WAN optimization peer (IPv4 only).

    none

    wanopt-profile

    WAN optimization profile (IPv4 only).

    none

    webcache

    Enable or disable web cache (IPv4 only).

    disable

    webcache-https

    Select the FSSO agent for NTLM from the drop-down list (IPv4 only).

    none

    webproxy-forward-server

    Name of identity-based routing rule (IPv4 only).

    none

    webproxy-profile

    When enabled, Internet services match against any Internet service except the selected Internet service (IPv4 only).

    disable
    Previous
    Next

    Create New Firewall Policy

    Create New Firewall Policy

    The section describes how to create a new Firewall Policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it’s processed, if it’s processed, and even whether or not it’s allowed to pass through the FortiGate.

    The Firewall Policy is visible only if the NGFW Mode is selected as Policy-based in the policy package.
    To create a new Firewall Policy:
    1. Ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Firewall Policy pane opens.

    5. Enter the following information:

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Incoming Interface

      Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.

      Select the remove icon to remove values.

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces.

      Source Internet Service

      Turn source internet service on or off, then select services.

      This option is only available for IPv4 policies.

      FSSO Groups

      Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.

      IPv4 Source Address

      Select the IPv4 source addresses.

      This option is only available when Source Internet Service is off.

      IPv6 Source Address

      Select the IPv6 source addresses.

      This option is only available when Source Internet Service is off.

      Source User

      Select source users.

      This option is only available when Source Internet Service is off.

      Source User Group

      Select source user groups.

      This option is only available when Source Internet Service is off.

      Source Device

      Select source devices, device groups, and device categories.

      This option is only available when Source Internet Service is off.

      Destination Internet Service

      Turn destination internet service on or off, then select services.

      This option is only available for IPv4 policies.

      IPv4 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      IPv6 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      Service

      Select services and service groups.

      This option is only available when Destination Internet Service is off.

      Firewall / Network Options

      Central NAT is enabled by default so NAT settings from matching Central SNAT policies will be applied.

      Security Profiles

      Select one of the following options for SSL/SSH Inspection:

      • certificate-inspection
      • custom-deep-inspection
      • deep-inspection
      • no-inspection

      New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced option, see the FortiOS CLI Reference.
    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
    Advanced options

    Option

    Description

    Default

    auto-asic-offload

    Enable or disable policy traffic ASIC offloading.

    enable

    cifs-profile

    Enable or disable authentication-based routing (IPv4 only).

    disable

    diffserv-forward

    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.

    disable

    diffserv-reverse

    Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.

    disable

    diffservcode-forward

    Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.

    000000

    diffservcode-rev

    Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.

    000000

    http-policy-redirect

    Select the custom log fields from the dropdown list.

    none

    inspection-mode

    Enable or disable TCP NPU session delay in order to guarantee packet order of 3-way handshake (IPv4 only).

    disable

    outbound

    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.

    disable

    session-ttl

    Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation.

    0

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list.

    None

    ssh-policy-redirect

    Enable or disable SSH policy redirect.

    disable

    tcp-mss-receiver

    Type a value for the receiver’s TCP MSS.

    0

    tcp-mss-sender

    Type a value for the sender’s TCP MSS.

    0

    wanopt

    Enable or disable WAN optimization (IPv4 only).

    disable

    wanopt-detection

    Select the WAN optimization as active, passive, or off.

    active

    wanopt-passive-opt

    WAN optimization passive mode options. This option decides what IP address will be used to connect server (IPv4 only).

    default

    wanopt-peer

    WAN optimization peer (IPv4 only).

    none

    wanopt-profile

    WAN optimization profile (IPv4 only).

    none

    webcache

    Enable or disable web cache (IPv4 only).

    disable

    webcache-https

    Select the FSSO agent for NTLM from the drop-down list (IPv4 only).

    none

    webproxy-forward-server

    Name of identity-based routing rule (IPv4 only).

    none

    webproxy-profile

    When enabled, Internet services match against any Internet service except the selected Internet service (IPv4 only).

    disable
    Previous
    Next