Create a new firewall policy

This section describes how to create a new firewall policy. The firewall policy is the axis around which most features of the FortiGate firewall revolve. Many settings in the firewall end up relating to or being associated with the firewall policies and the traffic that they govern. Any traffic going through a FortiGate unit has to be associated with a policy. These policies are essentially discrete compartmentalized sets of instructions that control the traffic flow going through the firewall. These instructions control where the traffic goes, how it is processed, if it is processed, and even whether or not it is allowed to pass through the FortiGate.

See Firewall policy in the FortiOS Administration Guide for more information.

The firewall policy option is visible only if NGFW Mode is set to Profile-based in the policy package.

To create a new Firewall policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package in which you will be creating the new policy, select Firewall Policy.
  4. Click Create New.
  5. Enter the following information:

    Option / Description

    ID
        Enter a unique number as the policy ID, or use the default (0) to automatically assign a policy ID. Policy IDs can be up to a maximum of 9 digits in length. Once a policy ID has been configured it cannot be changed.

    Name
        Enter a unique name for the policy. Each policy must have a unique name.

    Incoming Interface
        Click the field, then select interfaces. Click the remove icon to remove interfaces. New objects can be created by clicking the Create New icon in the Object Selector frame. See Create a new object for more information.

    Outgoing Interface
        Select outgoing interfaces in the same manner as Incoming Interface.

    Source
        Select the source address, address groups, virtual IPs, virtual IP groups, user, user groups, and FSSO groups.

    IP/MAC Based Access Control
        Use ZTNA tags to allow access based on the IP/MAC address of a device.

    Destination
        Select the destination address, address groups, virtual IPs, virtual IP groups, and services.

    Service
        Select services and service groups. This option is only available when Destination Internet Service is off.

    Schedule
        Select a one-time schedule, recurring schedule, or schedule group.

    Action
        Select an action for the policy to take: DENY, ACCEPT, or IPSEC.

    Deny options
      Block Notification
          Turn block notification display on or off.

      Customize Messages
          Select or create a message to be displayed when traffic is blocked by this policy. This option is only available when Block Notification is on.

      Log Violation Traffic
          Turn violation logging on or off. Select whether to generate logs when the session starts.

    Accept options
      Inspection Mode
          Select Flow-based or Proxy-based inspection.

      Proxy HTTP(S) Traffic
          Select whether to redirect HTTP(S) traffic to a matching transparent web proxy policy. This option is only available when the inspection mode is set to Proxy-based.

      NAT
          Select to enable NAT. If enabled, select NAT, NAT46, or NAT64.

      IP Pool Configuration
          If NAT is selected, select Use Outgoing Interface Address or Use Dynamic IP Pool.

      IPv4 Pool Name
          If NAT64 is selected, or NAT and Use Dynamic IP Pool are selected, select or create an IPv4 pool.

      IPv6 Pool Name
          If NAT46 is selected, or NAT and Use Dynamic IP Pool are selected, select or create an IPv6 pool.

      Preserve Source Port
          If NAT is on, select whether to preserve the source port.

      Protocol Options
          Select a protocol options profile.

      Display Disclaimer
          Turn the disclaimer display on or off.

      Customize Messages
          Select or create a disclaimer message to be displayed when traffic is allowed by this policy. This option is only available when Display Disclaimer is on.

      Security Profiles
          Select whether to apply security profiles to this policy, then select the security profiles.

      SSL/SSH Inspection
          Select one of the following options for SSL/SSH Inspection:
          • certificate-inspection
          • custom-deep-inspection
          • deep-inspection
          • no-inspection

      Shared Shaper
          Select shared traffic shapers.

      Reverse Shaper
          Select reverse traffic shapers.

      Per-IP Shaper
          Select per-IP traffic shapers.

      Log Allowed Traffic
          Select one of the following options:
          • No Log
          • Log Security Events
          • Log All Sessions
          If logging is on, select whether to capture packets. Select whether to generate logs when the session starts.

    IPSEC options
      Protocol Options
          Select a protocol options profile.

      VPN Tunnel
          Select or create a VPN tunnel dynamic object. Select whether to allow traffic to be initiated from the remote site.

      Security Profiles, SSL/SSH Inspection, Shared Shaper, Reverse Shaper, Per-IP Shaper, Log Allowed Traffic
          The same options, with the same choices, as described under Accept options above.

    Advanced
      WCCP
          Turn Web Cache Communication Protocol (WCCP) web caching on or off.

      Exempt from Captive Portal
          Select whether this traffic is exempt from any captive portals.

      Comments
          Add a description of the policy, such as its purpose, or the changes that have been made to it.

      Advanced Options
          Configure advanced options; see Advanced options below. For more information on advanced options, see the FortiOS CLI Reference.

    Revisions
      Change Note
          Add a description of the changes being made to the policy. This field is required.
  6. Click OK to create the policy. You can enable or disable the policy from its right-click menu. When the policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
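To make the field rules in steps 1 to 6 checkable before a package is installed, here is an added Python example; it is not FortiManager code and uses no FortiManager API. It models each policy as a dict whose keys follow the GUI field names above, enforces the constraints the procedure states (ID length, unique name and ID, required Change Note, and the options that depend on Block Notification, Display Disclaimer, the inspection mode and the NAT type), and adds a few review warnings of my own for policies that accept traffic without logging or inspection. The key names, the sample policies and the `review_policy` heuristics are assumptions of the example, not part of the product.

```python
"""Pre-push checks for FortiManager firewall policy definitions.

Added example, not Fortinet code: it encodes the field constraints stated in the
procedure above so a policy package can be linted before installation. Dict keys
are snake_case forms of the GUI field names; SAMPLE_POLICIES is constructed data.
"""
from collections import Counter

ACTIONS = {"DENY", "ACCEPT", "IPSEC"}
SSL_SSH_PROFILES = {"certificate-inspection", "custom-deep-inspection",
                    "deep-inspection", "no-inspection"}
LOG_ALLOWED = {"No Log", "Log Security Events", "Log All Sessions"}


def validate_policy(p):
    """Return the GUI-rule violations for one policy dict (empty list == valid)."""
    errors = []
    pid = p.get("id", 0)
    if not isinstance(pid, int) or pid < 0 or len(str(pid)) > 9:  # 0 = auto-assign
        errors.append("id must be 0 (auto) or a positive number of at most 9 digits")
    if not p.get("name"):
        errors.append("name is required")
    if not p.get("change_note"):
        errors.append("change note is required")
    action = p.get("action")
    if action not in ACTIONS:
        errors.append("action must be DENY, ACCEPT or IPSEC")
    if p.get("destination_internet_service") and p.get("service"):
        errors.append("service cannot be set while destination internet service is on")
    if action == "DENY" and p.get("customize_messages") and not p.get("block_notification"):
        errors.append("customize messages needs block notification on")
    if action in ("ACCEPT", "IPSEC"):
        if p.get("ssl_ssh_inspection") not in SSL_SSH_PROFILES:
            errors.append("ssl/ssh inspection must be one of the four listed profiles")
        if p.get("log_allowed_traffic") not in LOG_ALLOWED:
            errors.append("log allowed traffic must be one of the three listed options")
    if action == "ACCEPT":
        if p.get("proxy_https_traffic") and p.get("inspection_mode") != "Proxy-based":
            errors.append("proxy HTTP(S) traffic needs Proxy-based inspection")
        if p.get("customize_messages") and not p.get("display_disclaimer"):
            errors.append("customize messages needs display disclaimer on")
        nat = p.get("nat")  # None, "NAT", "NAT46" or "NAT64"
        # Pool rules as the table states them: NAT64 needs an IPv4 pool, NAT46 an
        # IPv6 pool, and NAT with Use Dynamic IP Pool needs a pool of either family.
        if nat == "NAT64" and not p.get("ipv4_pool"):
            errors.append("NAT64 needs an IPv4 pool")
        if nat == "NAT46" and not p.get("ipv6_pool"):
            errors.append("NAT46 needs an IPv6 pool")
        if (nat == "NAT" and p.get("ip_pool") == "Use Dynamic IP Pool"
                and not (p.get("ipv4_pool") or p.get("ipv6_pool"))):
            errors.append("Use Dynamic IP Pool needs an IPv4 or IPv6 pool")
    return errors


def review_policy(p):
    """Review warnings (my heuristics, not GUI rules): accepted traffic that is
    not logged or not inspected, and denied traffic that is dropped silently."""
    warnings = []
    if p.get("action") == "ACCEPT":
        if p.get("log_allowed_traffic") == "No Log":
            warnings.append("accepted traffic is not logged")
        if not p.get("security_profiles"):
            warnings.append("no security profiles applied to accepted traffic")
    if p.get("action") == "DENY" and not p.get("log_violation_traffic"):
        warnings.append("denied traffic is not logged")
    return warnings


def validate_package(policies):
    """validate_policy for every entry plus the package-wide uniqueness rules;
    returns {position: [errors]} for the failing policies only."""
    names = Counter(p.get("name") for p in policies)
    ids = Counter(p["id"] for p in policies if p.get("id"))  # 0 is auto, never a clash
    report = {}
    for i, p in enumerate(policies):
        errs = validate_policy(p)
        if names[p.get("name")] > 1:
            errs.append("name is not unique within the package")
        if p.get("id") and ids[p["id"]] > 1:
            errs.append("id is not unique within the package")
        if errs:
            report[i] = errs
    return report


# Constructed sample: one well-formed policy and one that breaks several rules.
SAMPLE_POLICIES = [
    {"id": 0, "name": "lan-to-wan-web", "action": "ACCEPT", "service": ["HTTPS"],
     "inspection_mode": "Flow-based", "nat": "NAT",
     "ip_pool": "Use Outgoing Interface Address", "security_profiles": ["default"],
     "ssl_ssh_inspection": "certificate-inspection",
     "log_allowed_traffic": "Log Security Events", "change_note": "initial"},
    {"id": 1234567890, "name": "lan-to-wan-web", "action": "ACCEPT",
     "proxy_https_traffic": True, "inspection_mode": "Flow-based", "nat": "NAT64",
     "ssl_ssh_inspection": "no-inspection", "log_allowed_traffic": "No Log",
     "change_note": ""},
]

if __name__ == "__main__":
    for pos, errs in validate_package(SAMPLE_POLICIES).items():
        print(f"policy {pos} ({SAMPLE_POLICIES[pos]['name']}):", *errs, sep="\n  ")
    for p in SAMPLE_POLICIES:
        print(p["name"], "review warnings:", review_policy(p))
```

The second sample policy trips the 9-digit ID limit, the duplicate-name rule, the required Change Note, the Proxy HTTP(S) dependency on Proxy-based inspection and the IPv4 pool requirement of NAT64, so running the script prints five errors for it and one (the shared name) for the first policy, plus two review warnings for accepting traffic with No Log and no security profiles.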
Advanced options

Option / Description / Default

anti-replay
    Enable or disable anti-replay checking.
    Default: enable

auth-cert
    Select the HTTPS server certificate for policy authentication.
    Default: none

auth-path
    Enable or disable authentication-based routing.
    Default: disable

auth-redirect-addr
    Select the HTTP-to-HTTPS redirect address for firewall authentication.
    Default: none

auto-asic-offload
    Enable or disable policy traffic ASIC offloading.
    Default: enable

block-notification
    Enable or disable block notification.
    Default: disable

cgn-eif
    Enable or disable CGN endpoint independent filtering.
    Default: disable

cgn-eim
    Enable or disable CGN endpoint independent mapping.
    Default: disable

cgn-log-server-grp
    Select the NP log server group.
    Default: none

cgn-resource-quota
    Set the allowed number of blocks assigned to a source IP address.
    Default: 16

cgn-session-quota
    Set the allowed concurrent sessions available for a source IP address.
    Default: 16777215

custom-log-fields
    Select custom fields to append to log messages for this policy.
    Default: none

delay-tcp-npu-session
    Enable or disable TCP NPU session delay to guarantee the packet order of the 3-way handshake.
    Default: disable

diffserv-copy
    Enable or disable copying of the DSCP values from the original direction to the reply direction.
    Default: disable

diffserv-forward
    Enable or disable application of the differentiated services code point (DSCP) value to the DSCP field of forward (original) traffic. If enabled, also configure diffservcode-forward.
    Default: disable

diffserv-reverse
    Enable or disable application of the DSCP value to the DSCP field of reverse (reply) traffic. If enabled, also configure diffservcode-rev.
    Default: disable

diffservcode-forward
    Enter the DSCP value that the FortiGate unit will apply to the field of originating (forward) packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000

diffservcode-rev
    Enter the DSCP value that the FortiGate unit will apply to the field of reply (reverse) packets. The value is 6 bits binary. The valid range is 000000-111111.
    Default: 000000

dlp-profile
    Select an existing data leak prevention (DLP) profile.
    Default: none

dsri
    Enable to ignore HTTP server responses (disable server response inspection).
    Default: disable

dstaddr-negate
    Enable to negate the destination IP address.
    Default: disable

dstaddr6-negate
    Enable to negate the destination IPv6 address.
    Default: disable

dynamic-shaping
    Enable or disable dynamic RADIUS-defined traffic shaping.
    Default: disable

email-collect
    Enable or disable email collection.
    Default: disable

fec
    Enable or disable forward error correction (FEC) on traffic matching this policy on a FEC device.
    Default: disable

firewall-session-dirty
    Select how to handle sessions if the configuration of this firewall policy changes.
    Default: check-all

fsso-agent-for-ntlm
    Select the FSSO agent for NTLM authentication.
    Default: none

geoip-anycast
    Enable or disable recognition of anycast IP addresses using the geography IP database.
    Default: disable

geoip-match
    Select whether to match the address based on the physical or registered location.
    Default: physical-location

identity-based-route
    Select the identity-based routing rule.
    Default: none

internet-service-negate
    Enable to negate the internet service set in the policy.
    Default: disable

internet-service-src-negate
    Enable to negate the source internet service set in this policy.
    Default: disable

internet-service6
    Enable or disable the use of IPv6 internet services for this policy. If enabled, the destination address and service set in the policy are not used.
    Default: disable

internet-service6-custom
    Select a custom IPv6 internet service.
    Default: none

internet-service6-custom-group
    Select a custom IPv6 internet service group.
    Default: none

internet-service6-group
    Select an IPv6 internet service group.
    Default: none

internet-service6-name
    Select an IPv6 internet service.
    Default: none

internet-service6-negate
    Enable to negate the source IPv6 internet service set in this policy.
    Default: disable
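As an added example, not Fortinet code, the Python below works with a subset of this table: it validates the six-digit binary diffservcode-forward and diffservcode-rev values, resolves which DSCP a policy would apply in each direction (falling back to the documented defaults for anything not set), and lists every advanced option a policy has moved away from its default, which is the first thing to look at when reviewing a policy someone else tuned. ADVANCED_DEFAULTS, SAMPLE_OPTIONS and the function names are the example's own; the placement of DSCP in the top six bits of the IP ToS/Traffic Class byte is standard IP header layout, not something this page states.

```python
"""Helpers for reviewing a policy's advanced options against the table above.

Added example, not Fortinet code. It validates diffservcode-* values (six binary
digits), shows where the DSCP lands in the IP header, and reports which advanced
options a policy has moved away from the documented defaults. ADVANCED_DEFAULTS
holds a subset of the table; SAMPLE_OPTIONS is constructed data.
"""

# Subset of the table: option -> documented default (values kept as strings).
ADVANCED_DEFAULTS = {
    "anti-replay": "enable", "auth-path": "disable", "auto-asic-offload": "enable",
    "block-notification": "disable", "cgn-eif": "disable", "cgn-eim": "disable",
    "cgn-resource-quota": "16", "cgn-session-quota": "16777215",
    "delay-tcp-npu-session": "disable", "diffserv-copy": "disable",
    "diffserv-forward": "disable", "diffserv-reverse": "disable",
    "diffservcode-forward": "000000", "diffservcode-rev": "000000",
    "dsri": "disable", "dstaddr-negate": "disable", "dstaddr6-negate": "disable",
    "firewall-session-dirty": "check-all", "geoip-anycast": "disable",
    "geoip-match": "physical-location", "internet-service-negate": "disable",
    "internet-service-src-negate": "disable", "internet-service6": "disable",
}


def parse_diffservcode(code):
    """Validate a diffservcode-* value (six binary digits, 000000-111111) and
    return it as an integer in 0..63."""
    if len(code) != 6 or any(ch not in "01" for ch in code):
        raise ValueError(f"DSCP code must be six binary digits, got {code!r}")
    return int(code, 2)


def dscp_to_tos_byte(dscp):
    """DSCP is the upper six bits of the IPv4 ToS / IPv6 Traffic Class byte; the
    low two bits are ECN and are left clear here."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a six-bit value")
    return dscp << 2


def dscp_marking(options):
    """Work out the marking a policy applies per direction, using the table's
    defaults for anything not set. Returns {"forward": int|None,
    "reverse": int|None, "warnings": [...]}; None means no remarking."""
    result = {"forward": None, "reverse": None, "warnings": []}
    for direction, flag, code_key in (("forward", "diffserv-forward", "diffservcode-forward"),
                                      ("reverse", "diffserv-reverse", "diffservcode-rev")):
        if options.get(flag, ADVANCED_DEFAULTS[flag]) != "enable":
            continue
        code = options.get(code_key, ADVANCED_DEFAULTS[code_key])
        result[direction] = parse_diffservcode(code)
        if code == "000000":
            # The table says to set the code when enabling; left at default it marks CS0.
            result["warnings"].append(f"{flag} is enabled but {code_key} is still 000000")
    return result


def diff_from_defaults(options):
    """Return {option: (default, configured)} for every option in the table subset
    whose configured value differs from the documented default."""
    return {k: (ADVANCED_DEFAULTS[k], str(v)) for k, v in options.items()
            if k in ADVANCED_DEFAULTS and str(v) != ADVANCED_DEFAULTS[k]}


# Constructed sample: forward traffic marked 101110 (46, Expedited Forwarding),
# reverse marking enabled without a code, anti-replay off and DSRI on.
SAMPLE_OPTIONS = {
    "anti-replay": "disable", "dsri": "enable", "auto-asic-offload": "enable",
    "diffserv-forward": "enable", "diffservcode-forward": "101110",
    "diffserv-reverse": "enable",
}

if __name__ == "__main__":
    for key, (default, now) in diff_from_defaults(SAMPLE_OPTIONS).items():
        print(f"{key}: default {default}, configured {now}")
    marking = dscp_marking(SAMPLE_OPTIONS)
    print("forward DSCP", marking["forward"], "-> ToS byte",
          hex(dscp_to_tos_byte(marking["forward"])))
    print("warnings:", marking["warnings"])
```

For the sample, diff_from_defaults reports anti-replay, dsri and the three diffserv keys (auto-asic-offload still matches its default), the forward DSCP resolves to 46 (ToS byte 0xb8), and the reverse direction is flagged because it was enabled with diffservcode-rev left at 000000.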