Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.2.1 Administration Guide
    7.2.1
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Create a new security policy

    Create a new security policy

    This section describes how to create a new security policy. A security policy consists of rules related to proxy, antivirus, IPS, email, and DLP sensor.

    See NGFW policy in the FortiOS Administration Guide for more information.

    The security policy option is visible only if the NGFW Mode is selected as Policy-based in the policy package.

    On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the Security Policy check box to display this option.
    To create a new Security policy:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Security Policy.
    4. Click Create New.
    5. Enter the following information:

      ID

      Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length.

      Once a policy ID has been configured it cannot be changed.

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Policy Mode

      Select the mode for this policy: Standard or Learn Mode. Learn mode allows and logs all traffic between the specified interfaces. Use learn mode with FortiAnalyzer to understand traffic patterns and design policy changes.

      See Learn mode in security policies in NGFW mode in the FortiOS Administration Guide for more information.

      Incoming Interface

      Click the field then select interfaces.

      Click the remove icon to remove interfaces.

      New interfaces can be created by clicking the Create New icon in the Interfaces frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces in the same manner as the incoming interfaces.

      Source Internet Service

      Turn source internet service on or off, then select services.

      IPv4 Source Address

      Select the IPv4 source addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Source Internet Service is off.

      IPv6 Source Address

      Select the IPv6 source addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Source Internet Service is off.

      Source User

      Select source users.

      Source User Group

      Select source user groups.

      FSSO Groups

      Select Fortinet single sign-on groups.

      Destination Internet Service

      Turn destination internet service on or off, then select services.

      IPv4 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      IPv6 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      Schedule

      Select a one-time schedule, recurring schedule, or schedule group.

      Service

      Select the service. Select App Default or Specify. If Specify is selected, select the Service.

      Application

      Select applications.

      URL Category

      Select URL categories.

      Action

      Select an action for the policy to take: DENY or ACCEPT.

      Log Traffic

      When the Action is DENY, select Log Violation Traffic to log violation traffic.

      When the Action is ACCEPT, select one of the following options:

      • No Log
      • Log Security Events
      • Log All Sessions

      Select whether to generate logs when the session starts.

      Protocol Options

      Select protocol options profiles for handling protocol-specific traffic.

      This option is available when the Action is ACCEPT.

      Security Profiles

      Select to add security profiles or profile groups.

      This option is available when the Action is ACCEPT.

      If Use Standard Security Profiles is selected, the following standard security profile types can be added:

      • AntiVirus Profile
      • Web Filter Profile
      • IPS Profile
      • Email Filter
      • File Filter Profile

      If Use Security Profile Group is selected, select the Profile Group.

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced options, see the FortiOS CLI Reference.

      Change Note

      Add a description of the changes being made to the policy. This field is required.

    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
    Advanced options

    Option

    Description

    Default

    application-list

    Select …an existing application list.

    none

    comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here will overwrite the comment added in the above Comments field.

    none

    dlp-profile

    Select an existing data leak prevention (DLP) profile.

    none

    dnsfilter-profile

    Select an existing DNS filter profile.

    none

    dstaddr-negate

    Enable to negate the values set in IPv4 Destination Address and IPv6 Destination Address.

    disable

    global-label

    Set the label for the policy to be displayed when the GUI is in Global View mode.

    none

    icap-profile

    Select an existing Internet Content Adaptation Protocol (ICAP) profile.

    none

    internet-service-negate

    When enabled, Internet services match against any Internet service except the selected Internet service.

    disable

    internet-service-src-negate

    Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be.

    disable

    internet-service6

    Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used.

    		 disable

    internet-service6-custom

    Select a custom IPv6 internet service.

    none

    internet-service6-custom-group

    Select a custom IPv6 internet service group.

    		 none

    internet-service6-group

    Select an IPv6 internet service group.

    		 none

    internet-service6-name

    Select an IPv6 internet service.

    		 none

    internet-service6-negate

    Enable to negate the source IPv6 internet service set in this policy.

    		 disable

    internet-service6-src

    Enable or disable use of the IPv6 internet services in the source for this policy. If enabled, the source address is not used.

    disable

    internet-service6-src-custom

    Select the custom IPv6 internet service source.

    none

    internet-service6-src-custom-group

    Select the custom IPv6 source group.

    none

    internet-service6-src-group

    Select the IPv6 source group.

    none

    internet-service6-src-name

    Select the IPv6 source.

    none

    internet-service6-src-negate

    Enable to negate the value set in internet-service6-src.

    disable

    nat46

    Enable or disable NAT46.

    disable

    nat64

    Enable or disable NAT64.

    disable

    sctp-filter-profile

    Select an existing stream control transmission protocol (SCTP) filter profile.

    none

    send-deny-packet

    Enable or disable sending a reply packet when a session is denied or blocked by this policy.

    disable

    service-negate

    Enable or disable negation of the selected Service.

    disable

    srcaddr-negate

    Enable or disable negation of the IPv4 Source Address or IPv6 Source Address address.

    disable

    ssh-filter-profile

    Select an existing SSH filter profile.

    none
    ssl-ssh-profile

    Select an existing SSL SSH profile.

    no-inspection

    utm-status

    Enable or disable the Unified Threat Management status.

    disable

    uuid

    Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

    00000000-0000- 0000-0000- 000000000000

    voip-profile

    Select an existing VOIP profile.

    None
    Previous
    Next

    Create a new security policy

    Create a new security policy

    This section describes how to create a new security policy. A security policy consists of rules related to proxy, antivirus, IPS, email, and DLP sensor.

    See NGFW policy in the FortiOS Administration Guide for more information.

    The security policy option is visible only if the NGFW Mode is selected as Policy-based in the policy package.

    On the Policy & Objects tab, from the Tools menu, select Display Options. In the Policy section, select the Security Policy check box to display this option.
    To create a new Security policy:
    1. If using ADOMs, ensure that you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package in which you will be creating the new policy, select Security Policy.
    4. Click Create New.
    5. Enter the following information:

      ID

      Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length.

      Once a policy ID has been configured it cannot be changed.

      Name

      Enter a unique name for the policy. Each policy must have a unique name.

      Policy Mode

      Select the mode for this policy: Standard or Learn Mode. Learn mode allows and logs all traffic between the specified interfaces. Use learn mode with FortiAnalyzer to understand traffic patterns and design policy changes.

      See Learn mode in security policies in NGFW mode in the FortiOS Administration Guide for more information.

      Incoming Interface

      Click the field then select interfaces.

      Click the remove icon to remove interfaces.

      New interfaces can be created by clicking the Create New icon in the Interfaces frame. See Create a new object for more information.

      Outgoing Interface

      Select outgoing interfaces in the same manner as the incoming interfaces.

      Source Internet Service

      Turn source internet service on or off, then select services.

      IPv4 Source Address

      Select the IPv4 source addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Source Internet Service is off.

      IPv6 Source Address

      Select the IPv6 source addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Source Internet Service is off.

      Source User

      Select source users.

      Source User Group

      Select source user groups.

      FSSO Groups

      Select Fortinet single sign-on groups.

      Destination Internet Service

      Turn destination internet service on or off, then select services.

      IPv4 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      IPv6 Destination Address

      Select destination addresses, address groups, virtual IPs, and virtual IP groups.

      This option is only available when Destination Internet Service is off.

      Schedule

      Select a one-time schedule, recurring schedule, or schedule group.

      Service

      Select the service. Select App Default or Specify. If Specify is selected, select the Service.

      Application

      Select applications.

      URL Category

      Select URL categories.

      Action

      Select an action for the policy to take: DENY or ACCEPT.

      Log Traffic

      When the Action is DENY, select Log Violation Traffic to log violation traffic.

      When the Action is ACCEPT, select one of the following options:

      • No Log
      • Log Security Events
      • Log All Sessions

      Select whether to generate logs when the session starts.

      Protocol Options

      Select protocol options profiles for handling protocol-specific traffic.

      This option is available when the Action is ACCEPT.

      Security Profiles

      Select to add security profiles or profile groups.

      This option is available when the Action is ACCEPT.

      If Use Standard Security Profiles is selected, the following standard security profile types can be added:

      • AntiVirus Profile
      • Web Filter Profile
      • IPS Profile
      • Email Filter
      • File Filter Profile

      If Use Security Profile Group is selected, select the Profile Group.

      Comments

      Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options

      Configure advanced options, see Advanced options below.

      For more information on advanced options, see the FortiOS CLI Reference.

      Change Note

      Add a description of the changes being made to the policy. This field is required.

    6. Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.
    Advanced options

    Option

    Description

    Default

    application-list

    Select …an existing application list.

    none

    comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here will overwrite the comment added in the above Comments field.

    none

    dlp-profile

    Select an existing data leak prevention (DLP) profile.

    none

    dnsfilter-profile

    Select an existing DNS filter profile.

    none

    dstaddr-negate

    Enable to negate the values set in IPv4 Destination Address and IPv6 Destination Address.

    disable

    global-label

    Set the label for the policy to be displayed when the GUI is in Global View mode.

    none

    icap-profile

    Select an existing Internet Content Adaptation Protocol (ICAP) profile.

    none

    internet-service-negate

    When enabled, Internet services match against any Internet service except the selected Internet service.

    disable

    internet-service-src-negate

    Enables or disables the use of Internet Services in source for this policy. If enabled, internet-service-src specifies what the service must NOT be.

    disable

    internet-service6

    Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used.

    		 disable

    internet-service6-custom

    Select a custom IPv6 internet service.

    none

    internet-service6-custom-group

    Select a custom IPv6 internet service group.

    		 none

    internet-service6-group

    Select an IPv6 internet service group.

    		 none

    internet-service6-name

    Select an IPv6 internet service.

    		 none

    internet-service6-negate

    Enable to negate the source IPv6 internet service set in this policy.

    		 disable

    internet-service6-src

    Enable or disable use of the IPv6 internet services in the source for this policy. If enabled, the source address is not used.

    disable

    internet-service6-src-custom

    Select the custom IPv6 internet service source.

    none

    internet-service6-src-custom-group

    Select the custom IPv6 source group.

    none

    internet-service6-src-group

    Select the IPv6 source group.

    none

    internet-service6-src-name

    Select the IPv6 source.

    none

    internet-service6-src-negate

    Enable to negate the value set in internet-service6-src.

    disable

    nat46

    Enable or disable NAT46.

    disable

    nat64

    Enable or disable NAT64.

    disable

    sctp-filter-profile

    Select an existing stream control transmission protocol (SCTP) filter profile.

    none

    send-deny-packet

    Enable or disable sending a reply packet when a session is denied or blocked by this policy.

    disable

    service-negate

    Enable or disable negation of the selected Service.

    disable

    srcaddr-negate

    Enable or disable negation of the IPv4 Source Address or IPv6 Source Address address.

    disable

    ssh-filter-profile

    Select an existing SSH filter profile.

    none
    ssl-ssh-profile

    Select an existing SSL SSH profile.

    no-inspection

    utm-status

    Enable or disable the Unified Threat Management status.

    disable

    uuid

    Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

    00000000-0000- 0000-0000- 000000000000

    voip-profile

    Select an existing VOIP profile.

    None
    Previous
    Next