Administration Guide

Create a new security virtual wire pair policy

This section describes how to create virtual wire pair policies. Before you can create a policy, you must create a virtual wire pair. See Configuring virtual wire pairs.

You can create a security virtual wire pair policy in a policy package that is set to Policy-based. If the policy package is set to Profile-based, see Create a new firewall virtual wire pair policy.

See Virtual wire pair in the FortiOS Administration Guide for more information about virtual wire pairs and virtual wire pair policies.

You must display the option before you can set it. On the Policy & Objects pane, from the Tools menu, select Display Options, and then select either the Firewall Virtual Wire Pair Policy or the Security Virtual Wire Pair Policy checkbox to display the option.

To create a new Security Virtual Wire Pair policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Security Virtual Wire Pair Policy.
  4. Click Create New.
  5. Enter the following information:

    Option

    Description

    ID

    Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length.

    Once a policy ID has been configured it cannot be changed.

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Virtual Wire Pair Interface

    Select one or more virtual wire pair interfaces. This field is required.

    Virtual Wire Pair

    Select an arrow to indicate the flow of traffic between the ports in the selected Virtual Wire Pair Interface.

    Source Internet Service

    Enable or disable source internet service, then select services.

    IPv4 Source Address

    Select the IPv4 source addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Source Internet Service is off.

    IPv6 Source Address

    Select the IPv6 source addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Source Internet Service is off.

    Source User

    Select source users.

    This option is only available when Source Internet Service is off.

    Source User Group

    Select source user groups.

    This option is only available when Source Internet Service is off.

    FSSO Groups

    Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.

    Destination Internet Service

    Turn destination internet service on or off, then select services.

    IPv4 Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Destination Internet Service is off.

    IPv6 Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    This option is only available when Destination Internet Service is off.

    Schedule

    Select a one-time schedule, recurring schedule, or schedule group.

    Service

    Select App Default or Specify. If Specify is selected, select the service.

    Application

    Select applications.

    URL Category

    Select URL categories.

    Action

    Select an action for the policy to take: DENY or ACCEPT.

    Log Traffic

    When the Action is DENY, select Log Violation Traffic to log violation traffic.

    When the Action is ACCEPT, select one of the following options:

    • No Log
    • Log Security Events
    • Log All Sessions

    Select whether to generate logs when the session starts.

    Protocol Options

    Select protocol options profiles for handling protocol-specific traffic.

    This option is available when the Action is ACCEPT.

    Security Profiles

    Select to add security profiles or profile groups.

    This option is available when the Action is ACCEPT.

    If Use Standard Security Profiles is selected, the following standard security profile types can be added:

    • AntiVirus Profile
    • Web Filter Profile
    • IPS Profile
    • Email Filter
    • File Filter Profile

    If Use Security Profile Group is selected, select the Profile Group.

    Comments

    Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options

    Configure advanced options; see Advanced options below.

    For more information on advanced options, see the FortiOS CLI Reference.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

  6. Click OK to create the policy. You can enable or disable the policy from the right-click menu. When disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, policies are added to the bottom of the list, but above the implicit policy.

Advanced options

Option

Description

Default

application-list

Select …an existing application list.

none

comments

Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here will overwrite the comment added in the above Comments field.

none

dlp-profile

Select an existing data leak prevention (DLP) profile.

none

dnsfilter-profile

Select an existing DNS filter profile.

none

dstaddr-negate

Enable to negate the values set in IPv4 Destination Address and IPv6 Destination Address.

disable

global-label

Set the label for the policy to be displayed when the GUI is in Global View mode.

none

icap-profile

Select an existing Internet Content Adaptation Protocol (ICAP) profile.

none

internet-service-negate

When enabled, Internet services match against any Internet service except the selected Internet service.

disable

internet-service-src-negate

Enable or disable the use of Internet Services in the source for this policy. If enabled, internet-service-src specifies what the service must NOT be.

disable

internet-service6

Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used.

disable

internet-service6-custom

Select a custom IPv6 internet service.

none

internet-service6-custom-group

Select a custom IPv6 internet service group.

none

internet-service6-group

Select an IPv6 internet service group.

none

internet-service6-name

Select an IPv6 internet service.

none

internet-service6-negate

Enable to negate the source IPv6 internet service set in this policy.

disable

internet-service6-src

Enable or disable use of the IPv6 internet services in the source for this policy. If enabled, the source address is not used.

disable

internet-service6-src-custom

Select the custom IPv6 internet service source.

none

internet-service6-src-custom-group

Select the custom IPv6 source group.

none

internet-service6-src-group

Select the IPv6 source group.

none

internet-service6-src-name

Select the IPv6 source.

none

internet-service6-src-negate

Enable to negate the value set in internet-service6-src.

disable

nat46

Enable or disable NAT46.

disable

nat64

Enable or disable NAT64.

disable

sctp-filter-profile

Select an existing stream control transmission protocol (SCTP) filter profile.

none

send-deny-packet

Enable or disable sending a reply packet when a session is denied or blocked by this policy.

disable

service-negate

Enable or disable negation of the selected Service.

disable

srcaddr-negate

Enable or disable negation of the IPv4 Source Address or IPv6 Source Address.

disable

ssh-filter-profile

Select an existing SSH filter profile.

none

ssl-ssh-profile

Select an existing SSL SSH profile.

no-inspection

utm-status

Enable or disable the Unified Threat Management status.

disable

uuid

Enter the universally unique identifier (UUID). This value is automatically assigned but can be manually reset.

00000000-0000-0000-0000-000000000000

voip-profile

Select an existing VOIP profile.

none
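The field dependencies in the two tables above (address and user fields hidden while an Internet Service toggle is on, Protocol Options and Security Profiles only applying to ACCEPT policies, a required Change Note, a 9-digit ID limit) and the advanced-option defaults (utm-status disable, ssl-ssh-profile no-inspection) are the things that are easiest to get wrong when policies are prepared outside the GUI. The following is an added example, not code from the FortiManager guide or from Fortinet: a small pre-deployment lint that encodes those rules over a policy written as a plain Python dict. The dict keys (vwp_interface, ipv4_src, log_traffic, ...) and the sample policy are constructed for the example and are not a FortiManager API.

```python
# Added example (not from the FortiManager guide): lint a security virtual wire
# pair policy, written as a dict, against the field rules and defaults stated in
# the guide. Dict keys are hypothetical; they only mirror the GUI field names.

MAX_ID_DIGITS = 9
ACCEPT_LOG_OPTIONS = {"No Log", "Log Security Events", "Log All Sessions"}
STANDARD_PROFILE_TYPES = {
    "AntiVirus Profile", "Web Filter Profile", "IPS Profile",
    "Email Filter", "File Filter Profile",
}
# Defaults of the advanced options that decide whether inspection really happens.
ADVANCED_DEFAULTS = {"utm-status": "disable", "ssl-ssh-profile": "no-inspection"}


def lint_policy(policy, existing_names=frozenset()):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    adv = {**ADVANCED_DEFAULTS, **policy.get("advanced", {})}

    # ID: 0 means auto-assign; otherwise at most 9 digits, and fixed once created.
    pid = policy.get("id", 0)
    if not isinstance(pid, int) or pid < 0 or len(str(pid)) > MAX_ID_DIGITS:
        findings.append("ID: must be 0 (auto-assign) or a number of at most 9 digits")

    name = policy.get("name", "")
    if not name:
        findings.append("Name: required")
    elif name in existing_names:
        findings.append(f"Name: '{name}' is already used; each policy needs a unique name")

    if not policy.get("vwp_interface"):
        findings.append("Virtual Wire Pair Interface: at least one interface is required")
    if not policy.get("change_note"):
        findings.append("Change Note: required")

    # Address and user fields are hidden once an Internet Service toggle is on,
    # so values left in them would silently not apply.
    src_fields = ("ipv4_src", "ipv6_src", "src_user", "src_user_group")
    if policy.get("src_internet_service") and any(policy.get(f) for f in src_fields):
        findings.append("Source: address/user fields are unavailable while Source Internet Service is on")
    if policy.get("dst_internet_service") and any(policy.get(f) for f in ("ipv4_dst", "ipv6_dst")):
        findings.append("Destination: address fields are unavailable while Destination Internet Service is on")

    action = policy.get("action")
    log = policy.get("log_traffic")
    profiles = set(policy.get("security_profiles", ()))
    if action == "DENY":
        if log != "Log Violation Traffic":
            findings.append("Log Traffic: DENY policies should log violation traffic")
        if profiles or policy.get("protocol_options"):
            findings.append("Security Profiles/Protocol Options: only apply when Action is ACCEPT")
    elif action == "ACCEPT":
        if log not in ACCEPT_LOG_OPTIONS:
            findings.append("Log Traffic: choose No Log, Log Security Events or Log All Sessions")
        unknown = profiles - STANDARD_PROFILE_TYPES
        if unknown and not policy.get("profile_group"):
            findings.append(f"Security Profiles: unknown standard profile type(s) {sorted(unknown)}")
        # Profiles were selected, but the advanced options still carry the
        # defaults that leave traffic uninspected.
        if (profiles or policy.get("profile_group")) and adv["utm-status"] != "enable":
            findings.append("utm-status: still at default 'disable' although security profiles are selected")
        if profiles & {"AntiVirus Profile", "Web Filter Profile", "IPS Profile"} \
                and adv["ssl-ssh-profile"] == "no-inspection":
            findings.append("ssl-ssh-profile: 'no-inspection' leaves encrypted sessions unopened for the selected profiles")
    else:
        findings.append("Action: must be ACCEPT or DENY")

    # The advanced 'comments' key overwrites the GUI Comments field.
    if policy.get("comments") and policy.get("advanced", {}).get("comments"):
        findings.append("comments: the advanced-options comment overwrites the Comments field")
    return findings


# Constructed sample input (not from the guide): a policy as an operator might submit it.
SAMPLE_POLICY = {
    "id": 0,
    "name": "vwp-dmz-inspect",
    "vwp_interface": ["vwp-dmz"],
    "src_internet_service": False,
    "ipv4_src": ["all"],
    "dst_internet_service": False,
    "ipv4_dst": ["all"],
    "schedule": "always",
    "service": "ALL",
    "action": "ACCEPT",
    "log_traffic": "Log Security Events",
    "security_profiles": ["AntiVirus Profile", "IPS Profile"],
    "advanced": {"utm-status": "enable", "ssl-ssh-profile": "certificate-inspection"},
    "change_note": "initial DMZ inspection policy",
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
    # Same policy with the advanced options left at their defaults and no change note.
    for finding in lint_policy(dict(SAMPLE_POLICY, change_note="", advanced={})):
        print(finding)
```

Run against a policy export before it is pushed, the lint turns the "this option is available when ..." sentences of the tables into checks; the two findings on utm-status and ssl-ssh-profile are the ones worth keeping even if the rest is dropped, since a policy that lists profiles but keeps those two defaults looks inspected in the policy list without being so.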