Create a new firewall virtual wire pair policy

This section describes how to create virtual wire pair policies. Before you can create a policy, you must create a virtual wire pair. See Configuring virtual wire pairs.

You can create a firewall virtual wire pair policy in a policy package that is set to Profile-based. If the policy package is set to Policy-based, see Create a new security virtual wire pair policy.

See Virtual wire pair in the FortiOS Administration Guide for more information about virtual wire pairs and virtual wire pair policies.

The security virtual wire pair policy is visible only if the NGFW Mode is set to Policy-based in the policy package.

You must display the option before you can use it. On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the Firewall Virtual Wire Pair Policy checkbox.

To create a new Firewall Virtual Wire Pair policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Firewall Virtual Wire Pair Policy.
  4. Click Create New.
  5. Enter the following information:

    ID
        Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length.
        Once a policy ID has been configured, it cannot be changed.

    Name
        Enter a unique name for the policy. Each policy must have a unique name.

    IP/MAC Based Access Control
        Use ZTNA tags to allow access based on the IP/MAC address of a device.

    Virtual Wire Pair Interface
        Select one or more virtual wire pair interfaces. This field is required.
        New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Virtual Wire Pair
        Select an arrow to indicate the flow of traffic between the ports in the selected Virtual Wire Pair Interface.

    Source Internet Service
        Enable or disable source internet service, then select services.

    IPv4 Source Address
        Select the IPv4 source addresses, address groups, virtual IPs, and virtual IP groups.
        This option is only available when Source Internet Service is off.

    IPv6 Source Address
        Select the IPv6 source addresses, address groups, virtual IPs, and virtual IP groups.
        This option is only available when Source Internet Service is off.

    Source User
        Select source users.
        This option is only available when Source Internet Service is off.

    Source User Group
        Select source user groups.
        This option is only available when Source Internet Service is off.

    FSSO Groups
        Select the FSSO groups added via Fortinet Single Sign-On. For more information about FSSO groups, see FSSO user groups.

    Destination Internet Service
        Turn destination internet service on or off, then select services.

    Destination Address
        Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service
        Select services and service groups.
        This option is only available when Destination Internet Service is off.

    Schedule
        Select a one-time schedule, recurring schedule, or schedule group.

    Action
        Select an action for the policy to take: DENY or ACCEPT.

    Deny options:

    Block Notification
        Turn block notification display on or off.

    Log Violation Traffic
        Turn violation logging on or off.
        Select whether to generate logs when the session starts.

    Accept options:

    NAT
        Select to enable NAT.
        If enabled, select NAT, NAT46, or NAT64.

    IP Pool Configuration
        If NAT is selected, select Use Outgoing Interface Address or Use Dynamic IP Pool.
        Use Outgoing Interface Address is disabled in a firewall virtual wire pair policy.

    IPv4 Pool Name
        If NAT64 is selected, or NAT and Use Dynamic IP Pool are selected, select or create an IPv4 pool.

    IPv6 Pool Name
        If NAT46 is selected, or NAT and Use Dynamic IP Pool are selected, select or create an IPv6 pool.

    Preserve Source Port
        If NAT is on, select whether to preserve the source port.

    Protocol Options
        Select a protocol options profile.

    Display Disclaimer
        Turn the disclaimer display on or off.

    SSL/SSH Inspection
        Select one of the following options for SSL/SSH Inspection: certificate-inspection, custom-deep-inspection, deep-inspection, or no-inspection.

    Shared Shaper
        Select shared traffic shapers.

    Reverse Shaper
        Select reverse traffic shapers.

    Per-IP Shaper
        Select per-IP traffic shapers.

    Log Allowed Traffic
        Select one of the following options: No Log, Log Security Events, or Log All Sessions.
        If logging is on, select whether to capture packets.
        Select whether to generate logs when the session starts.

    Advanced:

    WCCP
        Turn Web Cache Communication Protocol (WCCP) web caching on or off.

    Exempt from Captive Portal
        Select whether this traffic is exempt from any captive portals.

    Comments
        Add a description of the policy, such as its purpose, or the changes that have been made to it.

    Advanced Options
        Configure advanced options. See Advanced options below.
        For more information on advanced options, see the FortiOS CLI Reference.

    Revision:

    Change Note
        Add a description of the changes being made to the policy. This field is required.

  6. Click OK to create the policy. You can enable or disable the policy from the right-click menu. When disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, policies are added to the bottom of the list, but above the implicit policy.

Advanced options

Each entry below gives the option name, its default value in parentheses, and its description.

anti-replay (default: enable)
    Enable or disable anti-replay checking.

auth-cert (default: none)
    Select the HTTPS server certificate for policy authentication.

auth-path (default: disable)
    Enable or disable authentication-based routing.

auth-redirect-addr (default: none)
    Select the HTTP-to-HTTPS redirect address for firewall authentication.

auto-asic-offload (default: enable)
    Enable or disable policy traffic ASIC offloading.

block-notification (default: disable)
    Enable or disable block notification.

cgn-eif (default: disable)
    Enable or disable CGN endpoint independent filtering.

cgn-eim (default: disable)
    Enable or disable CGN endpoint independent mapping.

cgn-log-server-grp (default: none)
    Select the NP log server group.

cgn-resource-quota (default: 16)
    Set the allowed number of blocks assigned to a source IP address.

cgn-session-quota (default: 16777215)
    Set the allowed concurrent sessions available for a source IP address.

custom-log-fields (default: none)
    Select custom fields to append to log messages for this policy.

delay-tcp-npu-session (default: disable)
    Enable or disable TCP NPU session delay to guarantee the packet order of the 3-way handshake.

diffserv-copy (default: disable)
    Enable or disable copying of the DSCP values from the original direction to the reply direction.

diffserv-forward (default: disable)
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward.

diffserv-reverse (default: disable)
    Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.

diffservcode-forward (default: 000000)
    Enter the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.

diffservcode-rev (default: 000000)
    Enter the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.

dlp-profile (default: none)
    Select an existing data leak prevention (DLP) profile.

dsri (default: disable)
    Enable to ignore HTTP server responses.

dstaddr-negate (default: disable)
    Enable to negate the destination IP address.

dstaddr6-negate (default: disable)
    Enable to negate the destination IPv6 address.

dynamic-shaping (default: disable)
    Enable or disable dynamic RADIUS-defined traffic shaping.

email-collect (default: disable)
    Enable or disable email collection.

fec (default: disable)
    Enable or disable forward error correction (FEC) on traffic matching this policy on a FEC device.

firewall-session-dirty (default: check-all)
    Select how to handle sessions if the configuration of this firewall policy changes.

fsso-agent-for-ntlm (default: none)
    Select the FSSO agent for NTLM authentication.

geoip-anycast (default: disable)
    Enable or disable recognition of anycast IP addresses using the geography IP database.

geoip-match (default: physical-location)
    Select whether to match the address based on the physical or registered location.

identity-based-route (default: none)
    Select the identity-based routing rule.

internet-service-negate (default: disable)
    Enable to negate the internet service set in the policy.

internet-service-src-negate (default: disable)
    Enable to negate the source internet service set in this policy.

internet-service6 (default: disable)
    Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used.

internet-service6-custom (default: none)
    Select a custom IPv6 internet service.

internet-service6-custom-group (default: none)
    Select a custom IPv6 internet service group.

internet-service6-group (default: none)
    Select an IPv6 internet service group.

internet-service6-name (default: none)
    Select an IPv6 internet service.

internet-service6-negate (default: disable)
    Enable to negate the source IPv6 internet service set in this policy.

internet-service6-src (default: disable)
    Enable or disable use of the IPv6 internet services in the source for this policy. If enabled, the source address is not used.

internet-service6-src-custom (default: none)
    Select the custom IPv6 internet service source.

internet-service6-src-custom-group (default: none)
    Select the custom IPv6 source group.

internet-service6-src-group (default: none)
    Select the IPv6 source group.

internet-service6-src-name (default: none)
    Select the IPv6 source.

internet-service6-src-negate (default: disable)
    Enable to negate the value set in internet-service6-src.

match-vip (default: disable)
    Enable or disable matching of packets that have had their destination address changed by a VIP.

match-vip-only (default: disable)
    Enable or disable matching only those packets that have had their destination addresses changed by a VIP.

natinbound (default: disable)
    Enable or disable applying destination NAT to inbound traffic.

natip (default: 0.0.0.0/0.0.0.0)
    Set the source NAT IP address for inbound traffic.

natoutbound (default: disable)
    Enable or disable applying destination NAT to outbound traffic.

network-service-dynamic (default: none)
    Select a dynamic network service.

network-service-src-dynamic (default: none)
    Select a dynamic network service source.

np-acceleration (default: enable)
    Enable or disable UTM network processor acceleration.

ntlm (default: disable)
    Enable or disable NTLM authentication.

ntlm-enabled-browsers (default: none)
    Set the HTTP-User-Agent value of supported browsers.

ntlm-guest (default: disable)
    Enable or disable NTLM guest user access.

outbound (default: enable)
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic.

passive-wan-health-measurement (default: disable)
    Enable or disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.

permit-any-host (default: disable)
    Enable or disable accepting UDP packets from any host.

permit-stun-host (default: disable)
    Enable or disable accepting UDP packets from any session traversal utilities for NAT (STUN) host.

policy-expiry (default: disable)
    Enable or disable policy expiry.

policy-expiry-date (default: 0000-00-00,00:00:00)
    If policy-expiry is enabled, set the policy expiry date.

policy-offload (default: enable)
    Enable or disable hardware session setup for CGNAT.

radius-mac-auth-bypass (default: disable)
    Enable or disable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server.

redirect-url (default: none)
    Set the URL to which users are redirected after seeing and accepting the disclaimer or authenticating.

reputation-direction (default: destination)
    Set the destination of the initial traffic for reputation to take effect.

reputation-direction6 (default: destination)
    Set the destination of the initial traffic for IPv6 reputation to take effect.

reputation-minimum (default: 0)
    Set the minimum reputation to take action.

reputation-minimum6 (default: 0)
    Set the minimum IPv6 reputation to take action.

rtp-addr (default: none)
    If this is an RTP NAT policy, set the address names.

rtp-nat (default: disable)
    Enable or disable real time protocol (RTP) NAT.

schedule-timeout (default: disable)
    Enable or disable ending current sessions when the schedule object times out. Disable allows sessions to end from inactivity.

sctp-filter-profile (default: none)
    Select an existing SCTP filter profile.

send-deny-packet (default: disable)
    Enable or disable sending a reply when a session is denied or blocked by a firewall policy.

service-negate (default: disable)
    Enable or disable negation of the service set in the policy.

session-ttl (default: 0)
    Enter a value for the session time-to-live (TTL) from 300 to 604800, or type 0 for no limitation.

sgt (default: none)
    Enter security group tags (SGT).

sgt-check (default: disable)
    Enable or disable SGT check.

src-vendor-mac (default: none)
    Select the vendor MAC source.

srcaddr-negate (default: disable)
    Enable or disable negation of the source address.

srcaddr6-negate (default: disable)
    Enable or disable negation of the source IPv6 address.

ssh-filter-profile (default: none)
    Select an SSH filter profile from the drop-down list.

ssh-policy-redirect (default: disable)
    Enable or disable SSH policy redirect.

tcp-mss-receiver (default: 0)
    Enter the receiver's TCP maximum segment size (MSS).

tcp-mss-sender (default: 0)
    Enter the sender's TCP MSS.

tcp-session-without-syn (default: disable)
    Enable or disable creation of a TCP session without the SYN flag.

tcp-timeout-pid (default: none)
    Select the TCP timeout profile.

timeout-send-rst (default: disable)
    Enable or disable the sending of RST packets when TCP sessions expire.

tos (default: 0)
    Enter the type of service (TOS) value used for comparison.

tos-mask
    Enter the bit mask for TOS. No
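The field rules scattered through the two option tables above (the required fields, the Source/Destination Internet Service exclusions, the NAT and IP pool combinations, the 6-bit diffservcode values, the session-ttl range and the policy-expiry date) are easy to get wrong when a policy is assembled by a script rather than in the GUI. The following is an added example, not FortiManager or FortiOS code: it collects those rules into a pre-submission validator. The VwpPolicy class, its field names, the labels dynamic-ip-pool and outgoing-interface-address for the two IP Pool Configuration choices, and the sample policy values are this example's own assumptions.

```python
"""Pre-submission checks for a firewall virtual wire pair policy definition.

Added example, not FortiManager or FortiOS code. VwpPolicy and its field
names are this example's own assumptions; the rules come from the option
tables on this page.
"""
import re
from dataclasses import dataclass, field

DSCP_RE = re.compile(r"^[01]{6}$")      # diffservcode-*: 6 bits binary, 000000-111111
SESSION_TTL_RANGE = (300, 604800)       # session-ttl; 0 means no limitation
UNSET_EXPIRY = "0000-00-00,00:00:00"    # policy-expiry-date default (not set)


@dataclass
class VwpPolicy:
    name: str                           # Name (required, unique)
    vwp_interfaces: list                # Virtual Wire Pair Interface (required)
    change_note: str                    # Change Note (required)
    policy_id: int = 0                  # ID: 0 = auto-assign, otherwise up to 9 digits
    action: str = "ACCEPT"              # ACCEPT or DENY
    src_internet_service: bool = False  # Source Internet Service
    ipv4_src_addrs: list = field(default_factory=list)
    dst_internet_service: bool = False  # Destination Internet Service
    services: list = field(default_factory=list)
    nat: str = "none"                   # none, NAT, NAT46 or NAT64 (accept option)
    ip_pool_mode: str = "none"          # none, dynamic-ip-pool or outgoing-interface-address
    ipv4_pool: str = ""
    ipv6_pool: str = ""
    advanced: dict = field(default_factory=dict)  # keys as in the Advanced options table


def validate(p: VwpPolicy) -> list:
    """Return the list of rule violations; an empty list means the policy passes."""
    errors = []
    if not 0 <= p.policy_id <= 999_999_999:
        errors.append("ID must be 0 (auto) or at most 9 digits")
    if not p.name:
        errors.append("Name is required")
    if not p.vwp_interfaces:
        errors.append("Virtual Wire Pair Interface is required")
    if not p.change_note:
        errors.append("Change Note is required")
    if p.action not in ("ACCEPT", "DENY"):
        errors.append("Action must be ACCEPT or DENY")
    if p.src_internet_service and p.ipv4_src_addrs:
        errors.append("IPv4 Source Address requires Source Internet Service off")
    if p.dst_internet_service and p.services:
        errors.append("Service requires Destination Internet Service off")

    if p.nat != "none":
        if p.action != "ACCEPT":
            errors.append("NAT is an accept option; Action must be ACCEPT")
        if p.ip_pool_mode == "outgoing-interface-address":
            errors.append("Use Outgoing Interface Address is disabled in a virtual wire pair policy")
        if p.nat == "NAT64" and not p.ipv4_pool:
            errors.append("NAT64 requires an IPv4 pool")
        if p.nat == "NAT46" and not p.ipv6_pool:
            errors.append("NAT46 requires an IPv6 pool")
        if p.nat == "NAT" and p.ip_pool_mode == "dynamic-ip-pool" and not (p.ipv4_pool or p.ipv6_pool):
            errors.append("Use Dynamic IP Pool requires an IPv4 or IPv6 pool")

    adv = p.advanced
    for flag, code in (("diffserv-forward", "diffservcode-forward"),
                       ("diffserv-reverse", "diffservcode-rev")):
        if adv.get(flag) == "enable" and not DSCP_RE.match(str(adv.get(code, ""))):
            errors.append(f"{flag} is enabled, so {code} must be 6 binary digits")
    ttl = int(adv.get("session-ttl", 0))
    if ttl != 0 and not SESSION_TTL_RANGE[0] <= ttl <= SESSION_TTL_RANGE[1]:
        errors.append("session-ttl must be 0 or between 300 and 604800")
    if adv.get("policy-expiry") == "enable" and adv.get("policy-expiry-date", UNSET_EXPIRY) == UNSET_EXPIRY:
        errors.append("policy-expiry is enabled but policy-expiry-date is not set")
    return errors


# Constructed sample policies; the object names are made up for this example.
GOOD = VwpPolicy(
    name="vwp-lan-allow", vwp_interfaces=["vwp-lan"], change_note="initial version",
    services=["HTTPS"], nat="NAT", ip_pool_mode="dynamic-ip-pool", ipv4_pool="pool-egress",
    advanced={"diffserv-forward": "enable", "diffservcode-forward": "101110", "session-ttl": 3600},
)
BAD = VwpPolicy(
    name="", vwp_interfaces=["vwp-lan"], change_note="test", policy_id=1_000_000_000,
    action="DENY", nat="NAT64", ip_pool_mode="outgoing-interface-address",
    advanced={"diffserv-forward": "enable", "diffservcode-forward": "101",
              "session-ttl": 100, "policy-expiry": "enable"},
)

if __name__ == "__main__":
    for label, pol in (("GOOD", GOOD), ("BAD", BAD)):
        errs = validate(pol)
        print(f"{label}: {len(errs)} violation(s)")
        for e in errs:
            print("  -", e)
```

Running the block reports no violations for GOOD and eight for BAD (over-long ID, missing name, NAT on a DENY policy, the disallowed Use Outgoing Interface Address, NAT64 without an IPv4 pool, a malformed diffservcode-forward, an out-of-range session-ttl, and an unset expiry date). The checks are deliberately limited to rules this page states; anything the GUI or FortiOS enforces beyond them is not modelled here.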