User Guide

Configuring a firewall policy

Firewall policies are sets of instructions that control the traffic flow going through a firewall device. These instructions control where the traffic goes, how it is processed, if it is processed, and even whether or not it is allowed to pass through the firewall.

To create or edit a firewall policy:
  1. Go to Policy.
  2. With the appropriate device selected, select Firewall Policy in the Policy type dropdown list.
  3. Click Create or select a policy and click Edit.
  4. In the form, enter the following information:

    Setting: Guideline

    Name: Enter a name for the policy.
    Incoming Interface: Select the incoming interfaces.
    Outgoing Interface: Select the outgoing interfaces.
    Source Internet Service: Enable or disable the source internet service, then select services.
    IPv4 Source Address: Select the IPv4 source addresses. This option is only available when Source Internet Service is disabled.
    IPv6 Source Address: Select the IPv6 source addresses. This option is only available when Source Internet Service is disabled.
    Source User: Select source users.
    Source User Group: Select source user groups.
    FSSO Groups: Select the FSSO groups added via Fortinet Single Sign-On.
    Destination Internet Service: Enable or disable the destination internet service, then select services.
    IPv4 Destination Address: Select to add one or more address objects. This option is only available when Destination Internet Service is disabled.
    IPv6 Destination Address: Select to add one or more address objects. This option is only available when Destination Internet Service is disabled.
    Service: Select services and service groups. This option is only available when Destination Internet Service is disabled.
    Schedule: Select one entry from the dropdown.
    Action: Select whether to Deny or Accept matching traffic.

    Accept Options
      Inspection Mode: Select the appropriate traffic inspection mode.
      Firewall/Network Options: Enable or disable NAT and select the appropriate protocol options.
      Security Profiles Options:
        • Enable or disable security profiles and select the appropriate profiles.
        • Select the SSL/SSH inspection profile to use for this policy.
      Traffic Shaping Options: Select traffic shaping options for Shared Shaper, Reverse Shaper, and Per-IP Shaper.

    Disclaimer Options
      Display Disclaimer: Enable or disable the disclaimer for this type of traffic.
      Customize Message: From the dropdown, select a customized message. This option is only available if Display Disclaimer is enabled.

    Logging Options
      Log Violation Traffic: Enable to create a log for each denied packet.
      Capture Packets: Enable or disable packet capture in logs.
      Generate Logs when Session Starts: Enable to generate logs when the session starts.

    Advanced
      WCCP: Enable Web Cache Communication Protocol (WCCP).
      Exempt from Captive Portal: Select to exempt from the captive portal.

    Comments: Optionally, enter a comment for the policy.

  5. Click Save.
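
The fields on the form above are the match criteria a firewall applies to every new session. The following is an added example, not Fortinet's code and not a description of how FortiOS matches internally: a small Python evaluator that uses the page's fields (incoming/outgoing interface, source and destination address, service, schedule, action, and the logging toggles), applies top-down first-match ordering with an implicit deny at the end (assumed here as the usual policy semantics), and runs an audit pass that flags the settings a reviewer would question before clicking Save. All policy and packet values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

ANY_ADDR = "all"   # stands in for the "all" address object
ANY_SVC = "ALL"    # stands in for the "ALL" service object


@dataclass
class Policy:
    """One row of the policy table, mirroring the form fields (hypothetical names)."""
    name: str
    srcintf: Set[str]            # Incoming Interface
    dstintf: Set[str]            # Outgoing Interface
    srcaddr: List[str]           # IPv4/IPv6 Source Address: CIDRs or "all"
    dstaddr: List[str]           # IPv4/IPv6 Destination Address: CIDRs or "all"
    service: Set[str]            # Service: "tcp/443"-style entries or "ALL"
    action: str                  # Action: "accept" or "deny"
    schedule: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # Schedule window
    utm: bool = False            # Security Profiles Options enabled
    log_violation: bool = True   # Log Violation Traffic
    log_start: bool = False      # Generate Logs when Session Starts


@dataclass
class Packet:
    """First packet of a session (constructed sample input)."""
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int
    when: time = time(12, 0)


def addr_match(addrs: List[str], ip: str) -> bool:
    # ip_address() parses both IPv4 and IPv6; a v6 address is never "in" a v4 network.
    if ANY_ADDR in addrs:
        return True
    a = ip_address(ip)
    return any(a in ip_network(n) for n in addrs)


def service_match(services: Set[str], proto: str, dport: int) -> bool:
    return ANY_SVC in services or f"{proto}/{dport}" in services


def in_schedule(window: Tuple[time, time], when: time) -> bool:
    start, end = window
    return start <= when <= end


def policy_matches(p: Policy, pkt: Packet) -> bool:
    return (pkt.srcintf in p.srcintf and pkt.dstintf in p.dstintf
            and addr_match(p.srcaddr, pkt.src) and addr_match(p.dstaddr, pkt.dst)
            and service_match(p.service, pkt.proto, pkt.dport)
            and in_schedule(p.schedule, pkt.when))


def evaluate(policies: List[Policy], pkt: Packet):
    """First matching policy wins; no match falls through to the implicit deny.
    Returns (action, policy name, log lines that the logging toggles would emit)."""
    flow = f"{pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}"
    for p in policies:
        if policy_matches(p, pkt):
            logs = []
            if p.action == "deny" and p.log_violation:
                logs.append(f"deny by {p.name}: {flow}")
            if p.action == "accept" and p.log_start:
                logs.append(f"session start via {p.name}: {flow}")
            return p.action, p.name, logs
    return "deny", "implicit-deny", [f"implicit deny: {flow}"]


def audit(policies: List[Policy]) -> List[str]:
    """Flag settings a reviewer would question before saving the policy."""
    findings = []
    for p in policies:
        wide_open = (ANY_ADDR in p.srcaddr and ANY_ADDR in p.dstaddr
                     and ANY_SVC in p.service)
        if p.action == "accept" and wide_open:
            findings.append(f"{p.name}: accepts any source, destination and service")
        if p.action == "accept" and not p.utm:
            findings.append(f"{p.name}: accept without security profiles")
        if p.action == "deny" and not p.log_violation:
            findings.append(f"{p.name}: deny without Log Violation Traffic")
    return findings


# Constructed sample policy table, top-down order.
POLICIES = [
    Policy("lan-to-web", {"lan"}, {"wan"}, ["10.0.0.0/8"], ["all"],
           {"tcp/80", "tcp/443"}, "accept", utm=True, log_start=True),
    Policy("block-guest-smb", {"guest"}, {"lan"}, ["all"], ["10.0.0.0/8"],
           {"tcp/445"}, "deny"),
    Policy("guest-any", {"guest"}, {"wan"}, ["all"], ["all"], {"ALL"}, "accept"),
]

if __name__ == "__main__":
    for pkt in (Packet("lan", "wan", "10.1.2.3", "203.0.113.5", "tcp", 443),
                Packet("guest", "lan", "192.168.50.9", "10.0.0.7", "tcp", 445),
                Packet("lan", "wan", "10.1.2.3", "203.0.113.5", "tcp", 22)):
        print(evaluate(POLICIES, pkt))
    for finding in audit(POLICIES):
        print("AUDIT:", finding)
```

The audit pass is the part worth keeping around: an Accept policy with all/all/ALL and no security profiles matches everything the interface pair carries, and a Deny policy without Log Violation Traffic drops packets silently, so neither would show up in logs when something goes wrong.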