Administration Guide

Create New Firewall Policy

This section describes how to create a new Firewall Policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve: many settings end up relating to, or being associated with, the firewall policies and the traffic they govern. Any traffic going through a FortiGate unit has to match a policy. Policies are discrete, compartmentalized sets of instructions that control the traffic flowing through the firewall: where the traffic goes, whether and how it is processed, and whether it is allowed through the FortiGate at all.

The Firewall Policy entry is visible only when NGFW Mode is set to Profile-based in the policy package settings.

To create a new Firewall Policy:
  1. Ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
  4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies are added to the bottom of the list, directly above the implicit policy, which denies any traffic that no explicit policy matches. Policies are evaluated top-down and the first match wins, so place a new policy deliberately rather than relying on the default position. The Create New Firewall Policy pane opens.

  5. Enter the following information:

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    ZTNA

    Select Full ZTNA or IP/MAC filtering to enable ZTNA.

    ZTNA Tag

    Select ZTNA Tags and/or Geographic IP Tags. See Zero Trust Network Access (ZTNA) objects.

    This option is only available when the IP/MAC Filtering option in ZTNA is selected.

    Incoming Interface

    Click the field, then select interfaces from the Object Selector frame, or drag and drop the interface from the object pane.

    Select the remove icon to remove values.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Outgoing Interface

    Select outgoing interfaces.

    Source Internet Service

    Turn source internet service on or off, then select services.

    This option is only available for IPv4 policies.

    IPv4 Source Address

    Select the IPv4 source addresses.

    This option is only available when Source Internet Service is off.

    IPv6 Source Address

    Select the IPv6 source addresses.

    This option is only available when Source Internet Service is off.

    Source User

    Select source users.

    This option is only available when Source Internet Service is off.

    Source User Group

    Select source user groups.

    This option is only available when Source Internet Service is off.

    FSSO Groups

    Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.

    ZTNA Server

    Select a ZTNA server. See Configuring a ZTNA Server.

    This option is only available when the Full ZTNA option in ZTNA is selected.

    Source Device

    Select source devices, device groups, and device categories.

    This option is only available when Source Internet Service is off.

    Destination Internet Service

    Turn destination internet service on or off, then select services.

    This option is only available for IPv4 policies.

    IPv4 Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Destination Internet Service is off.

    IPv6 Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Destination Internet Service is off.

    Service

    Select services and service groups.

    This option is only available when Destination Internet Service is off.

    Firewall / Network Options

    Central NAT is enabled by default in the policy package settings, so NAT is not configured on the policy itself; the NAT settings of matching Central SNAT policies are applied instead.

    Security Profiles

    Select one of the following options for SSL/SSH Inspection:

    • certificate-inspection
    • custom-deep-inspection
    • deep-inspection
    • no-inspection

    Only the deep-inspection profiles decrypt TLS, so antivirus, web filter, IPS and the other security profiles applied to the policy can examine encrypted payloads only when one of them is selected. certificate-inspection looks at the server certificate and SNI only, and no-inspection leaves TLS traffic unexamined.

    New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below.

    For more information on each advanced option, see the FortiOS CLI Reference.

  6. Click OK to create the policy. You can enable or disable the policy from its right-click menu. When disabled, a disabled icon is displayed in the Seq.# column, to the left of the number.
Advanced options

The option names are the FortiOS CLI attributes under config firewall policy. Options marked IPv4 only are not shown for IPv6 policies.

    auto-asic-offload

    Enable or disable offloading of the policy's traffic to the NPU/ASIC. Default: enable.

    cifs-profile

    Name of the CIFS profile applied to SMB traffic matched by the policy (IPv4 only). Default: none.

    diffserv-forward

    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward. Default: disable.

    diffserv-reverse

    Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev. Default: disable.

    diffservcode-forward

    The DSCP value that the FortiGate unit applies to originating (forward) packets. The value is 6 bits binary; the valid range is 000000-111111. Default: 000000.

    diffservcode-rev

    The DSCP value that the FortiGate unit applies to reply (reverse) packets. The value is 6 bits binary; the valid range is 000000-111111. Default: 000000.

    http-policy-redirect

    Enable or disable redirecting HTTP(S) traffic that matches this policy to a matching transparent web proxy policy for further inspection. Default: disable.

    inspection-mode

    Policy inspection mode, flow or proxy. Proxy mode is required for features that only the proxy provides, such as the web proxy and CIFS profiles. Default: flow.

    outbound

    Policy-based IPsec VPN only: when enabled, only traffic from the internal (source) network can initiate the VPN tunnel. Default: enable.

    session-ttl

    Session time-to-live in seconds, from 300 to 604800. A value of 0 means the policy inherits the global value from config system session-ttl rather than removing the limit. Default: 0.

    ssh-filter-profile

    Select an SSH filter profile from the drop-down list. Default: none.

    ssh-policy-redirect

    Enable or disable redirecting SSH traffic that matches this policy to a matching transparent proxy policy for SSH inspection. Default: disable.

    tcp-mss-receiver

    Maximum segment size advertised to the receiver, 0 to 65535. 0 leaves the MSS untouched; lower values avoid fragmentation across tunnels with a reduced MTU. Default: 0.

    tcp-mss-sender

    Maximum segment size advertised to the sender, 0 to 65535. 0 leaves the MSS untouched. Default: 0.

    wanopt

    Enable or disable WAN optimization (IPv4 only). Default: disable.

    wanopt-detection

    WAN optimization peer detection: active, passive, or off. Default: active.

    wanopt-passive-opt

    WAN optimization passive mode option (default, transparent, or non-transparent) that decides which IP address is used to connect to the server (IPv4 only). Default: default.

    wanopt-peer

    WAN optimization peer (IPv4 only). Default: none.

    wanopt-profile

    WAN optimization profile (IPv4 only). Default: none.

    webcache

    Enable or disable web cache (IPv4 only). Default: disable.

    webcache-https

    Enable or disable web cache for HTTPS traffic (IPv4 only). Default: disable.

    webproxy-forward-server

    Name of the web proxy forward server used for traffic matched by this policy (IPv4 only). Default: none.

    webproxy-profile

    Name of the web proxy profile applied to the policy (IPv4 only). Default: none.
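The procedure above is a GUI walkthrough, and the advanced options table lists value constraints without showing how to check them. The following script is an added example, not Fortinet code: it validates a policy against the constraints on this page (unique name, required selectors, session-ttl range, 6-bit DSCP codes, TCP MSS range, plus the hygiene points a reviewer would raise about an accept policy with no TLS inspection or an all/all/ALL scope) and builds the FortiManager JSON-RPC add request that would insert it into a package. Assumptions: the dictionary keys follow the FortiOS config firewall policy CLI attribute names, the request shape follows FortiManager's JSON-RPC add method, and the ADOM root, package default, the session token and SAMPLE_POLICY are constructed for illustration. Nothing is sent over the network.

```python
"""Pre-flight checks for a FortiGate firewall policy before it is pushed
through FortiManager's JSON-RPC API (added example, not Fortinet code).

Assumptions: keys follow the FortiOS 'config firewall policy' CLI attribute
names; the request shape follows FortiManager's JSON-RPC 'add' method; the
ADOM 'root', package 'default', the session token and SAMPLE_POLICY are
constructed for illustration. Nothing is sent over the network.
"""
from __future__ import annotations

import re
from typing import Any

# Constraints taken from the Advanced options table.
DSCP_RE = re.compile(r"^[01]{6}$")   # diffservcode-*: 6-bit binary, 000000-111111
SESSION_TTL_RANGE = (300, 604800)    # session-ttl; 0 inherits the global TTL
TCP_MSS_RANGE = (0, 65535)           # tcp-mss-*; 0 leaves the MSS untouched
REQUIRED_LISTS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")


def validate_policy(policy: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the policy passes."""
    problems: list[str] = []

    if not policy.get("name"):
        problems.append("name: every policy needs a unique, non-empty name")
    for key in REQUIRED_LISTS:
        if not policy.get(key):
            problems.append(f"{key}: select at least one object")

    ttl = int(policy.get("session-ttl", 0))
    if ttl != 0 and not SESSION_TTL_RANGE[0] <= ttl <= SESSION_TTL_RANGE[1]:
        problems.append(f"session-ttl: {ttl} is outside {SESSION_TTL_RANGE} and not 0")

    for key in ("diffservcode-forward", "diffservcode-rev"):
        code = policy.get(key)
        if code is not None and not DSCP_RE.fullmatch(str(code)):
            problems.append(f"{key}: {code!r} is not a 6-bit binary value")
    if policy.get("diffserv-reverse") == "enable" and not policy.get("diffservcode-rev"):
        problems.append("diffserv-reverse: enabled but diffservcode-rev is not set")
    if policy.get("diffserv-forward") == "enable" and not policy.get("diffservcode-forward"):
        problems.append("diffserv-forward: enabled but diffservcode-forward is not set")

    for key in ("tcp-mss-sender", "tcp-mss-receiver"):
        mss = int(policy.get(key, 0))
        if not TCP_MSS_RANGE[0] <= mss <= TCP_MSS_RANGE[1]:
            problems.append(f"{key}: {mss} is outside {TCP_MSS_RANGE}")

    # Hygiene checks a reviewer applies to an accept policy.
    if policy.get("action") == "accept":
        if (policy.get("srcaddr") == ["all"] and policy.get("dstaddr") == ["all"]
                and policy.get("service") == ["ALL"]):
            problems.append("scope: accept policy matches all/all/ALL; narrow it")
        if (policy.get("utm-status") == "enable"
                and policy.get("ssl-ssh-profile", "no-inspection") == "no-inspection"):
            problems.append("ssl-ssh-profile: profiles enabled but TLS is not inspected")
        if policy.get("logtraffic", "utm") == "disable":
            problems.append("logtraffic: accepted sessions would not be logged")
    return problems


def duplicate_names(policies: list[dict[str, Any]]) -> list[str]:
    """Policy names must be unique within a package; return any that repeat."""
    names = [p.get("name", "") for p in policies]
    return sorted({n for n in names if names.count(n) > 1})


def jsonrpc_add_request(adom: str, pkg: str, policy: dict[str, Any],
                        session: str, req_id: int = 1) -> dict[str, Any]:
    """Build (but do not send) the FortiManager JSON-RPC 'add' call that
    appends the policy to the package, above the implicit deny."""
    return {
        "id": req_id,
        "method": "add",
        "session": session,
        "params": [{
            "url": f"/pm/config/adom/{adom}/pkg/{pkg}/firewall/policy",
            "data": policy,
        }],
    }


# Constructed sample: corporate LAN to the internet, web only, TLS inspected.
SAMPLE_POLICY: dict[str, Any] = {
    "name": "Corp-LAN-to-Internet-Web",
    "srcintf": ["port2"],
    "dstintf": ["port1"],
    "srcaddr": ["Corp-LAN"],
    "dstaddr": ["all"],
    "service": ["HTTP", "HTTPS"],
    "schedule": ["always"],
    "action": "accept",
    "logtraffic": "all",
    "utm-status": "enable",
    "ssl-ssh-profile": "deep-inspection",
    "session-ttl": 3600,
    "diffserv-forward": "enable",
    "diffservcode-forward": "101110",   # DSCP 46, expedited forwarding
    "tcp-mss-sender": 1360,
    "comments": "Web egress for the corporate LAN; TLS inspected",
}

if __name__ == "__main__":
    for line in validate_policy(SAMPLE_POLICY) or ["policy passes all checks"]:
        print(line)
    req = jsonrpc_add_request("root", "default", SAMPLE_POLICY, "<session-token>")
    print(req["params"][0]["url"])
```

Run validate_policy on every policy of a package export before an install: a clean result means the values fit the constraints above, while the hygiene findings (wide scope, no-inspection with profiles enabled, logging off) are the ones worth a second look before the policy lands above the implicit deny.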