Create a new security policy
This section describes how to create a new security policy. In NGFW policy-based mode, a security policy matches traffic (optionally by application and URL category as well as by address, interface and service) and applies security profiles such as antivirus, web filter, IPS, email filter and DLP to the traffic it accepts.
See NGFW policy in the FortiOS Administration Guide for more information.
The Security Policy option is visible only if the NGFW Mode is set to Policy-based in the policy package.
You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.
To create a new Security policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package in which you will be creating the new policy, select Security Policy.
- Click Create New.
- Enter the following information:
ID
Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length.
Once a policy ID has been configured it cannot be changed.
Name
Enter a unique name for the policy. Each policy must have a unique name.
Policy Mode
Select the mode for this policy: Standard or Learn Mode. Learn mode allows and logs all traffic between the specified interfaces. Use learn mode with FortiAnalyzer to understand traffic patterns and design policy changes. Because a learn mode policy accepts everything it matches, keep it in place only for the observation period and then replace it with a standard policy that enforces the intended rules.
See Learn mode in security policies in NGFW mode in the FortiOS Administration Guide for more information.
Incoming Interface
Click the field then select interfaces.
Click the remove icon to remove interfaces.
New interfaces can be created by clicking the Create New icon in the Interfaces frame. See Create a new object for more information.
Outgoing Interface
Select outgoing interfaces in the same manner as the incoming interfaces.
Source
Select the source addresses, address groups, virtual IPs, virtual IP groups, users, user groups, and FSSO groups.
Destination
Select the destination addresses, address groups, virtual IPs, virtual IP groups, and Internet services.
Schedule
Select a one-time schedule, recurring schedule, or schedule group.
Service
Select App Default to match the selected applications on their default ports, or Specify and then select the service objects to match.
Application
Select applications.
URL Category
Select URL categories.
Action
Select an action for the policy to take: DENY or ACCEPT.
Log Traffic
When the Action is DENY, select Log Violation Traffic to log violation traffic.
When the Action is ACCEPT, select one of the following options:
- No Log
- Log Security Events
- Log All Sessions
Select whether to generate logs when the session starts.
Protocol Options
Select protocol options profiles for handling protocol-specific traffic.
This option is available when the Action is ACCEPT.
Security Profiles
Select to add security profiles or profile groups.
This option is available when the Action is ACCEPT.
If Use Standard Security Profiles is selected, the following standard security profile types can be added:
- AntiVirus Profile
- Web Filter Profile
- IPS Profile
- Email Filter
- File Filter Profile
If Use Security Profile Group is selected, select the Profile Group.
Comments
Add a description of the policy, such as its purpose, or the changes that have been made to it.
Advanced Options
Configure advanced options, see Advanced options below.
For more information on the advanced options, see the FortiOS CLI Reference.
Change Note
Add a description of the changes being made to the policy. This field is required.
- Click OK to create the policy. You can enable or disable the policy from the right-click menu; when a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, a new policy is added to the bottom of the list, above the implicit policy.
Advanced options
Option | Description | Default
---|---|---
application-list | Select an existing application list. | none
comments | Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here overwrites the comment entered in the Comments field above. | none
dlp-profile | Select an existing data leak prevention (DLP) profile. | none
dnsfilter-profile | Select an existing DNS filter profile. | none
dstaddr-negate | Enable to negate the values set in IPv4 Destination Address and IPv6 Destination Address, so the policy matches any destination except those listed. | disable
global-label | Set the label for the policy to be displayed when the GUI is in Global View mode. | none
icap-profile | Select an existing Internet Content Adaptation Protocol (ICAP) profile. | none
internet-service-negate | When enabled, Internet services match against any Internet service except the selected Internet service. | disable
internet-service-src-negate | When enabled, source Internet services match against any Internet service except the selected source Internet service. | disable
internet-service6 | Enable or disable the use of IPv6 Internet services for this policy. If enabled, the destination address and service set in the policy are not used. | disable
internet-service6-custom | Select a custom IPv6 Internet service. | none
internet-service6-custom-group | Select a custom IPv6 Internet service group. | none
internet-service6-group | Select an IPv6 Internet service group. | none
internet-service6-name | Select an IPv6 Internet service. | none
internet-service6-negate | Enable to negate the destination IPv6 Internet service set in this policy. | disable
internet-service6-src | Enable or disable the use of IPv6 Internet services in the source for this policy. If enabled, the source address is not used. | disable
internet-service6-src-custom | Select a custom IPv6 Internet service for the source. | none
internet-service6-src-custom-group | Select a custom IPv6 Internet service group for the source. | none
internet-service6-src-group | Select an IPv6 Internet service group for the source. | none
internet-service6-src-name | Select an IPv6 Internet service for the source. | none
internet-service6-src-negate | Enable to negate the source IPv6 Internet service set in this policy. | disable
nat46 | Enable or disable NAT46. | disable
nat64 | Enable or disable NAT64. | disable
sctp-filter-profile | Select an existing Stream Control Transmission Protocol (SCTP) filter profile. | none
send-deny-packet | Enable or disable sending a reply packet when a session is denied or blocked by this policy, instead of silently dropping it. | disable
service-negate | Enable or disable negation of the selected Service, so the policy matches any service except the selected ones. | disable
srcaddr-negate | Enable or disable negation of the IPv4 Source Address or IPv6 Source Address. | disable
ssh-filter-profile | Select an existing SSH filter profile. | none
ssl-ssh-profile | Select an existing SSL/SSH inspection profile. With the default of no-inspection, the security profiles cannot inspect the content of TLS or SSH sessions. | no-inspection
utm-status | Enable or disable UTM (security profile) inspection for this policy. | disable
uuid | Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset. | 00000000-0000-0000-0000-000000000000
voip-profile | Select an existing VoIP profile. | none
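The following is an added example, not part of this page or of the FortiOS CLI Reference: the FortiOS CLI equivalent of the policy the GUI procedure above creates, with a few of the advanced options from the table shown alongside the GUI fields they correspond to. It is the configuration FortiManager installs on the FortiGate, and it shows the mapping that is easy to miss in the GUI: `edit 0` auto-assigns the policy ID, the three Log Traffic choices become `logtraffic disable`, `logtraffic utm` (Log Security Events) and `logtraffic all` (Log All Sessions), Use Standard Security Profiles becomes `profile-type single` plus one `set` line per profile, and the negate flags are left at `disable` explicitly because enabling any of them turns a narrow policy into "everything except". The interface names, address objects, service names and profile names are assumed placeholders, and the `#` lines are annotations for the reader rather than part of the configuration.

```text
# Added example (not from the page): two NGFW policy-based security policies.
# Placeholders assumed: interfaces lan, wan1, guest; address corp-lan;
# profile names default / certificate-inspection.
config firewall security-policy
    # ACCEPT policy with standard security profiles
    # edit 0 lets FortiOS assign the next free policy ID (GUI: ID = 0)
    edit 0
        set name "corp-web-out"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "corp-lan"
        # advanced option srcaddr-negate, default disable
        set srcaddr-negate disable
        set dstaddr "all"
        # advanced option dstaddr-negate, default disable
        set dstaddr-negate disable
        set schedule "always"
        # GUI: Service = Specify
        set service "HTTP" "HTTPS"
        set service-negate disable
        set action accept
        # GUI: Log All Sessions (utm = Log Security Events, disable = No Log)
        set logtraffic all
        # GUI: generate logs when the session starts
        set logtraffic-start enable
        # GUI: Use Standard Security Profiles
        set profile-type single
        # GUI: Protocol Options
        set profile-protocol-options "default"
        # advanced option ssl-ssh-profile; default no-inspection would leave
        # the AV, web filter and IPS profiles blind to TLS content
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set comments "Corporate users to web, AV/WF/IPS inspected"
    next
    # DENY policy: logs the violation and answers the sender instead of
    # silently dropping the session
    edit 0
        set name "guest-to-corp-deny"
        set srcintf "guest"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "corp-lan"
        set schedule "always"
        set service "ALL"
        set action deny
        # GUI: Log Violation Traffic
        set logtraffic all
        # advanced option send-deny-packet, default disable
        set send-deny-packet enable
        set comments "Guest network must not reach corporate LAN"
    next
end
```

After installing the policy package, compare what the FortiGate actually received with `show firewall security-policy` on the device: the negate flags and the logtraffic setting are the two fields worth re-reading, because a policy that looks restrictive in the GUI list becomes permissive with a single `negate enable`, and a deny policy with logging disabled leaves no record of the traffic it blocks.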