Administration Guide

Add/modify a rule

  1. Select Policy > Policy Configuration.
  2. In the menu on the left select Security Rules.
  3. Click the Add button or select an existing security rule and click Modify.
  4. Click in the Name field and enter a name for this security rule.
  5. Use the table below to enter the security rule information.
  6. Click OK to save your security rule.
Settings

| Field | Definition |
|---|---|
| Rule Enabled | Select this check box to activate the security rule. |
| Name | A unique name for this security rule. |
| Trigger | The trigger that will activate the rule. You can use the icons next to the Trigger field to add a new trigger or modify the trigger shown in the drop-down menu. Note: when you modify this trigger, it is modified for all security rules that make use of the trigger. |
| User/Host Profile | Indicates whether the rule must match or not match the host profile selected from the drop-down menu. You can use the icons next to the Host Profile field to add a new host profile or modify the profile shown in the drop-down menu. When None is selected, no host profile is applied to the trigger. |
| Action | The action assigned to the security rule. You can select whether the action should be manual or automatic. You can use the icons next to the Action field to add a new action or modify the action shown in the drop-down menu. When None is selected, no action is assigned to the trigger. |
| Send Email when Rule is Matched | Select this check box to automatically send an email to the selected Admin Group when the security rule creates an alarm. |
| Admin Group drop-down menu | Select the Admin Group that will receive the email when an alarm is created. |
| Send Email when Action is Taken | Select this check box to automatically send an email to the selected Admin Group when the action associated with the security rule is taken. |
| Admin Group drop-down menu | Select the Admin Group to be notified when the action associated with the security rule is taken. |
| Admin Group Email Content | When you select Send Email when Rule is Matched and/or Send Email when Action is Taken, the email message sent to the selected Admin Group contains information such as the security rule that was matched, the date and time of the alarm, the host name and MAC address information, severity, and location of the host. |

The following is an example of the content included in the email:

Security Rule Matched = PA_test
Alarm Date/Time = 2015-09-28 17:04:36.0
User ID = testuser
No owner
Host Name = testuser-PC
Host OS = Windows 7 Professional 6.1 Service Pack 1
Host Hardware =
Host MAC Addresses = 5C:26:0A:44:53:1D,00:24:D7:A2:24:5C,00:50:56:C0:00:01,00:50:56:C0:00:08
Host IP Addresses = 192.168.10.139,192.168.4.169,192.168.204.1,192.168.74.1
Host Locations = Concord-3750 Fa3/0/6,Concord_Cisco_1131.bradfordnetworks.com VLAN 4
Date = 2015-09-28 17:04:35.0
Alert Type = THREAT
Severity = null
ThreatID = null
Description = HTTP OPTIONS Method(30520)
Source IP = 192.168.10.139
Source MAC = 5C:26:0A:44:53:1D
Destination IP = 23.96.61.106
Location = Concord-3750 Fa3/0/6
Vendor = PaloAlto
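Teams that forward these notification emails into a ticketing system or SIEM usually need to parse the "key = value" body rather than read it by hand. The following Python is an added example written for this page, not code from the Fortinet guide or the FortiNAC product: it parses the sample body shown above (reproduced here as a constructed test input) and derives a few triage fields. The choice of which fields are comma-separated lists (LIST_FIELDS), the treatment of empty values and the literal "null" as missing, and the triage() helper are this example's own assumptions about the format, based only on the sample message.

```python
"""Parse the key = value alert email that FortiNAC sends to an Admin Group."""
from __future__ import annotations

# Constructed sample input: the email body from the guide, used as test data.
SAMPLE_EMAIL = """\
Security Rule Matched = PA_test
Alarm Date/Time = 2015-09-28 17:04:36.0
User ID = testuser
No owner
Host Name = testuser-PC
Host OS = Windows 7 Professional 6.1 Service Pack 1
Host Hardware =
Host MAC Addresses = 5C:26:0A:44:53:1D,00:24:D7:A2:24:5C,00:50:56:C0:00:01,00:50:56:C0:00:08
Host IP Addresses = 192.168.10.139,192.168.4.169,192.168.204.1,192.168.74.1
Host Locations = Concord-3750 Fa3/0/6,Concord_Cisco_1131.bradfordnetworks.com VLAN 4
Date = 2015-09-28 17:04:35.0
Alert Type = THREAT
Severity = null
ThreatID = null
Description = HTTP OPTIONS Method(30520)
Source IP = 192.168.10.139
Source MAC = 5C:26:0A:44:53:1D
Destination IP = 23.96.61.106
Location = Concord-3750 Fa3/0/6
Vendor = PaloAlto
"""

# Assumption: these fields carry comma-separated lists (as seen in the sample).
LIST_FIELDS = {"Host MAC Addresses", "Host IP Addresses", "Host Locations"}

# Assumption: missing data is rendered either as an empty value or as "null".
NULL_TOKEN = "null"


def parse_alert_email(body: str) -> dict:
    """Return a dict mapping field name -> value for one alert email body.

    - "key = value" lines become entries; keys keep their original spelling.
    - Empty values (e.g. "Host Hardware =") and the literal "null" become None.
    - Fields in LIST_FIELDS are split on commas into lists of stripped strings.
    - Lines without "=" (e.g. "No owner") are collected under "_notes".
    """
    result: dict = {"_notes": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            result["_notes"].append(line)
            continue
        # Split on the first "=" only, so values containing "=" stay intact.
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "" or value == NULL_TOKEN:
            result[key] = None
        elif key in LIST_FIELDS:
            result[key] = [item.strip() for item in value.split(",") if item.strip()]
        else:
            result[key] = value
    return result


def triage(alert: dict) -> dict:
    """Derive the fields an analyst checks first from a parsed alert.

    source_matches_host is True when both the Source IP and the Source MAC
    appear in the host's own address lists, i.e. the alarm is attributed to
    the host that actually generated the traffic. severity_known is False
    when the sender left Severity empty or "null", so downstream rules must
    not key on it.
    """
    host_ips = alert.get("Host IP Addresses") or []
    host_macs = alert.get("Host MAC Addresses") or []
    return {
        "rule": alert.get("Security Rule Matched"),
        "host": alert.get("Host Name"),
        "user": alert.get("User ID"),
        "alert_type": alert.get("Alert Type"),
        "severity_known": alert.get("Severity") is not None,
        "source_matches_host": (
            alert.get("Source IP") in host_ips and alert.get("Source MAC") in host_macs
        ),
        "location": alert.get("Location"),
    }


if __name__ == "__main__":
    parsed = parse_alert_email(SAMPLE_EMAIL)
    for field, value in parsed.items():
        print(f"{field}: {value}")
    print(triage(parsed))
```

Parsing with partition() on the first "=" matters because the Description value could itself contain that character, and the "null" handling reflects the sample, where Severity and ThreatID arrive as the literal string "null" rather than being omitted.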