Create New Firewall Policy
The section describes how to create a new Firewall Policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it’s processed, if it’s processed, and even whether or not it’s allowed to pass through the FortiGate.
The Firewall Policy is visible only if the NGFW Mode is selected as Profile-based in the policy package. |
To create a new Firewall Policy:
- Ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
- Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list, but above the implicit policy. The Create New Firewall Policy pane opens.
- Enter the following information:
Name
Enter a unique name for the policy. Each policy must have a unique name.
ZTNA
Select Full ZTNA or IP/MAC filtering to enable ZTNA.
ZTNA Tag
Select ZTNA Tags and/or Geographic IP Tags. See Zero Trust Network Access (ZTNA) objects.
This option is only available when the IP/MAC Filtering option in ZTNA is selected.
Incoming Interface
Click the field then select interfaces from the Object Selector frame, or drag and drop the address from the object pane.
Select the remove icon to remove values.
New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.
Outgoing Interface
Select outgoing interfaces.
Source Internet Service
Turn source internet service on or off, then select services.
This option is only available for IPv4 policies.
IPv4 Source Address
Select the IPv4 source addresses.
This option is only available when Source Internet Service is off.
IPv6 Source Address
Select the IPv6 source addresses.
This option is only available when Source Internet Service is off.
Source User
Select source users.
This option is only available when Source Internet Service is off.
Source User Group
Select source user groups.
This option is only available when Source Internet Service is off.
FSSO Groups
Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.
ZTNA Server
Select a ZTNA server. See Configuring a ZTNA Server.
This option is only available when the Full ZTNA option in ZTNA is selected.
Source Device
Select source devices, device groups, and device categories.
This option is only available when Source Internet Service is off.
Destination Internet Service
Turn destination internet service on or off, then select services.
This option is only available for IPv4 policies.
IPv4 Destination Address
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
This option is only available when Destination Internet Service is off.
IPv6 Destination Address
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
This option is only available when Destination Internet Service is off.
Service
Select services and service groups.
This option is only available when Destination Internet Service is off.
Firewall / Network Options
Central NAT is enabled by default so NAT settings from matching Central SNAT policies will be applied.
Security Profiles
Select one of the following options for SSL/SSH Inspection:
- certificate-inspection
- custom-deep-inspection
- deep-inspection
- no-inspection
New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on advanced option, see the FortiOS CLI Reference.
- Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number.
Advanced options
Option |
Description |
Default |
---|---|---|
auto-asic-offload |
Enable or disable policy traffic ASIC offloading. |
enable |
cifs-profile |
Enable or disable authentication-based routing (IPv4 only). |
disable |
diffserv-forward |
Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. |
disable |
diffserv-reverse |
Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure |
disable |
diffservcode-forward |
Type the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111. |
000000 |
diffservcode-rev |
Type the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111. |
000000 |
http-policy-redirect |
Select the custom log fields from the dropdown list. |
none |
inspection-mode |
Enable or disable TCP NPU session delay in order to guarantee packet order of 3-way handshake (IPv4 only). |
disable |
outbound |
Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. |
disable |
session-ttl |
Type a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation. |
0 |
ssh-filter-profile |
Select an SSH filter profile from the drop-down list. |
None |
ssh-policy-redirect |
Enable or disable SSH policy redirect. |
disable |
tcp-mss-receiver |
Type a value for the receiver’s TCP MSS. |
0 |
tcp-mss-sender |
Type a value for the sender’s TCP MSS. |
0 |
wanopt |
Enable or disable WAN optimization (IPv4 only). |
disable |
wanopt-detection |
Select the WAN optimization as active, passive, or off. |
active |
wanopt-passive-opt |
WAN optimization passive mode options. This option decides what IP address will be used to connect server (IPv4 only). |
default |
wanopt-peer |
WAN optimization peer (IPv4 only). |
none |
wanopt-profile |
WAN optimization profile (IPv4 only). |
none |
webcache |
Enable or disable web cache (IPv4 only). |
disable |
webcache-https |
Select the FSSO agent for NTLM from the drop-down list (IPv4 only). |
none |
webproxy-forward-server |
Name of identity-based routing rule (IPv4 only). |
none |
webproxy-profile |
When enabled, Internet services match against any Internet service except the selected Internet service (IPv4 only). |
disable |