Fortinet white logo
Fortinet white logo

Administration Guide

Policy

Policy

The policy list displays firewall policies in their order of matching precedence. Firewall policy order affects policy matching. For details about arranging policies in the policy list, see Change how the policy list is displayed.

You can add firewall policies that match HTTP traffic to be cached according to source and destination addresses and the destination port of the traffic.

Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed. See Change how the policy list is displayed.

To view the policy list, go to Policy & Objects > Policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Add a new policy. New policies are added to the bottom of the list. See Create or edit a policy.
Edit Edit the selected policy. See Create or edit a policy.
Delete Delete the selected policy.
Policy Lookup Find a policy.
Search Enter a search term to find in the policy list.

Export

Export the current view to CSV and JSON formats. Click Export and select CSV or JSON to download the file.

Interface Pair View/By Sequence Select how to view the policy list:
  • Interface Pair View—Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
  • By Sequence—Displays the policies in the order that they are checked for matching traffic without any grouping. The FortiProxy unit automatically changes the view on the policy list page to By Sequence whenever there is a policy containing the any interface. If the Interface Pair View is grayed out, one or more of the policies is using the any interface.
Type The type of policy, such as Explicit Web, Transparent, or SSH Tunnel. See Policy types.
Name The name of the policy.
Incoming Interface The incoming interface or interfaces.
Outgoing Interface The outgoing interface or interfaces.
Source The source is the source address or source user of the initiating traffic.
Destination The destination address or address range that the policy matches. For more information, see Web cache policy address formats.
Schedule The time frame that is applied to the policy. See Schedules.
Service The service or services chosen here represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or group of protocols. See Services.
Action The action to be taken by the policy, such as ACCEPT, DENY, REDIRECT, or ISOLATE.
Security Profiles All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles.
Log The logging level of the policy. Options vary depending on the policy type.
Bytes The number of bytes.
Active Sessions The number of active sessions.
Application Control What action is taken when an application matches.
AV The antivirus profile used by the policy. See AntiVirus.
Comments Comments about the policy (up to 1023 characters).
Destination Address The destination addresses that the policy matches. The destination address can be used as a traffic filter.
DNS Filter The DNS filter profile used by the policy. See DNS Filter.
Email Filter The email filter profile used by the policy. See .
Enforce ZTNA Whether Zero Trust Network Access (ZTNA) is enabled or disabled. See ZTNA.
File Filter The file filter profile used by the policy. See File Filter.
First Used When the policy was first used.
Groups Which groups the policy matches.
Hit Count Number of results found.
ICAP The ICAP profile used by the policy. See Create or edit an ICAP profile.
ID The policy identifier. Policies are numbered in the order they are added to the configuration.
IPS Which IPS signatures the policy uses.
Last Used When the policy was last used.
Packets The number of packets.
Protocol Options The proxy options profile used by the policy. See Proxy Options.
Source Address The addresses that a policy can receive traffic from. For more information, see Web cache policy address formats.
SSL Inspection The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.
Status Select to enable a policy or clear to disable a policy. A disabled policy is out of service.
Users Which users the policy matches.
Video Filter The video filter profile used by the policy. See Video Filter.
VPN Tunnel The VPN tunnel used by the policy. See VPN.
Web Application Firewall The web application firewall profile used by the policy. See .
Web Filter The web filter profile used by the policy. See Web Filter.
ZTNA Tag The ZTNA tags used in the ZTNA rule that is used by the policy. See ZTNA.

Change how the policy list is displayed

Policies can be added, edited, copied and pasted, moved, and deleted. To help organize your policies, you can also create sections to group policies together.

Policies can be inserted above or below existing policies and can also be disabled if needed.

The displayed policies can be filtered by either using the search field in the toolbar or by selecting the filter icon in a column heading. The available filter options vary depending on the type of data that the selected column contains.

How list order affects policy matching

The FortiProxy unit uses the first-matching technique to select which policy to apply to a communication session.

When policies have been added, each time the FortiProxy unit accepts a communication session, it then searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the session source and destination addresses and the destination port. The search begins at the top of the policy list and progresses in order towards the bottom. Each policy in the policy list is compared with the communication session until a match is found. When the FortiProxy unit finds the first matching policy, it applies that policy and disregards subsequent policies.

If no policy matches, the session is accepted.

As a general rule, you should order the policy list from most specific to most general because of the order in which policies are evaluated for a match and because only the first matching policy is applied to a session. Subsequent possible matches are not considered or applied.

NOTE: Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions.

Policy rules and authentication rules

Policy rules control what a user or user group can do. Authentication rules define how to authenticate a user. If a policy without a user group matches the type of traffic, authentication is not used because the user group was not specified in the policy.

For example, if a policy rule involving an explicit proxy has the Source field specifying an LDAP-based user group, any other policy rule referencing the explicit proxy is only matched if its Source field also specifies an LDAP-based group.

Move a policy

When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order affects policy matching for more information.

NOTE: Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.

To move a policy, click and drag the name to a new location. You can also move a policy by cutting and pasting it into a new location.

Copy and paste a policy

Policies can be copied and pasted to create clones. Right-click on the policy name and then select Copy from the pop-up menu. Right-click in the policy name that the new clone policy will be placed next to and select Paste Above or Paste Below to insert the new policy before or after the selected policy.

Policy lookup

Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol. Use this tool to find out which policy matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.

The Policy Lookup tool has the following requirements:

  • Transparent mode does not support Policy lookup function.
  • When executing the policy lookup, you need to confirm whether the relevant route required for the policy work already exists.
To use the policy lookup:
  1. Go to Policy & Objects > Policy, click Policy Lookup.
  2. Select the incoming interface.
  3. Select IPv4 or IPv6 for the IP version.
  4. Enter the protocol number.
  5. Enter the source IP address.
  6. Enter the destination IP address or fully qualified domain name.
  7. Click Search to display the policy lookup results.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:

  • a single computer, for example, 192.45.46.45
  • a subnetwork, for example, 192.168.1.* for a class C subnet
  • 0.0.0.0 matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:

  • netmask for a single computer: 255.255.255.255 or /32
  • netmask for a class A subnet: 255.0.0.0 or /8
  • netmask for a class B subnet: 255.255.0.0 or /16
  • netmask for a class C subnet: 255.255.255.0 or /24
  • netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:

  • x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
  • x.x.x.x/x, such as 192.168.1.0/24
An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:

  • x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
  • x.x.x.[x-x], for example, 192.168.110.[100-120]
  • x.x.x.*, for a complete subnet, for example: 192.168.110.*
  • x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
  • x.x.x.0 -x.x.x.255 for a complete subnet, such as 192.168.110.0 - 192.168.110.255
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.

Policy

Policy

The policy list displays firewall policies in their order of matching precedence. Firewall policy order affects policy matching. For details about arranging policies in the policy list, see Change how the policy list is displayed.

You can add firewall policies that match HTTP traffic to be cached according to source and destination addresses and the destination port of the traffic.

Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed. See Change how the policy list is displayed.

To view the policy list, go to Policy & Objects > Policy.

Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.

The following options are available:

Create New Add a new policy. New policies are added to the bottom of the list. See Create or edit a policy.
Edit Edit the selected policy. See Create or edit a policy.
Delete Delete the selected policy.
Policy Lookup Find a policy.
Search Enter a search term to find in the policy list.

Export

Export the current view to CSV and JSON formats. Click Export and select CSV or JSON to download the file.

Interface Pair View/By Sequence Select how to view the policy list:
  • Interface Pair View—Displays the policies in the order that they are checked for matching traffic, grouped by the pairs of Incoming and Outgoing interfaces. For instance, all of the policies referencing traffic from WAN1 to DMZ will be in one section. The policies referencing traffic from DMZ to WAN1 will be in another section. The sections are collapsible so that you only need to look at the sections with policies you are interested in.
  • By Sequence—Displays the policies in the order that they are checked for matching traffic without any grouping. The FortiProxy unit automatically changes the view on the policy list page to By Sequence whenever there is a policy containing the any interface. If the Interface Pair View is grayed out, one or more of the policies is using the any interface.
Type The type of policy, such as Explicit Web, Transparent, or SSH Tunnel. See Policy types.
Name The name of the policy.
Incoming Interface The incoming interface or interfaces.
Outgoing Interface The outgoing interface or interfaces.
Source The source is the source address or source user of the initiating traffic.
Destination The destination address or address range that the policy matches. For more information, see Web cache policy address formats.
Schedule The time frame that is applied to the policy. See Schedules.
Service The service or services chosen here represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or group of protocols. See Services.
Action The action to be taken by the policy, such as ACCEPT, DENY, REDIRECT, or ISOLATE.
Security Profiles All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles.
Log The logging level of the policy. Options vary depending on the policy type.
Bytes The number of bytes.
Active Sessions The number of active sessions.
Application Control What action is taken when an application matches.
AV The antivirus profile used by the policy. See AntiVirus.
Comments Comments about the policy (up to 1023 characters).
Destination Address The destination addresses that the policy matches. The destination address can be used as a traffic filter.
DNS Filter The DNS filter profile used by the policy. See DNS Filter.
Email Filter The email filter profile used by the policy. See .
Enforce ZTNA Whether Zero Trust Network Access (ZTNA) is enabled or disabled. See ZTNA.
File Filter The file filter profile used by the policy. See File Filter.
First Used When the policy was first used.
Groups Which groups the policy matches.
Hit Count Number of results found.
ICAP The ICAP profile used by the policy. See Create or edit an ICAP profile.
ID The policy identifier. Policies are numbered in the order they are added to the configuration.
IPS Which IPS signatures the policy uses.
Last Used When the policy was last used.
Packets The number of packets.
Protocol Options The proxy options profile used by the policy. See Proxy Options.
Source Address The addresses that a policy can receive traffic from. For more information, see Web cache policy address formats.
SSL Inspection The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection.
Status Select to enable a policy or clear to disable a policy. A disabled policy is out of service.
Users Which users the policy matches.
Video Filter The video filter profile used by the policy. See Video Filter.
VPN Tunnel The VPN tunnel used by the policy. See VPN.
Web Application Firewall The web application firewall profile used by the policy. See .
Web Filter The web filter profile used by the policy. See Web Filter.
ZTNA Tag The ZTNA tags used in the ZTNA rule that is used by the policy. See ZTNA.

Change how the policy list is displayed

Policies can be added, edited, copied and pasted, moved, and deleted. To help organize your policies, you can also create sections to group policies together.

Policies can be inserted above or below existing policies and can also be disabled if needed.

The displayed policies can be filtered by either using the search field in the toolbar or by selecting the filter icon in a column heading. The available filter options vary depending on the type of data that the selected column contains.

How list order affects policy matching

The FortiProxy unit uses the first-matching technique to select which policy to apply to a communication session.

When policies have been added, each time the FortiProxy unit accepts a communication session, it then searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the session source and destination addresses and the destination port. The search begins at the top of the policy list and progresses in order towards the bottom. Each policy in the policy list is compared with the communication session until a match is found. When the FortiProxy unit finds the first matching policy, it applies that policy and disregards subsequent policies.

If no policy matches, the session is accepted.

As a general rule, you should order the policy list from most specific to most general because of the order in which policies are evaluated for a match and because only the first matching policy is applied to a session. Subsequent possible matches are not considered or applied.

NOTE: Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions.

Policy rules and authentication rules

Policy rules control what a user or user group can do. Authentication rules define how to authenticate a user. If a policy without a user group matches the type of traffic, authentication is not used because the user group was not specified in the policy.

For example, if a policy rule involving an explicit proxy has the Source field specifying an LDAP-based user group, any other policy rule referencing the explicit proxy is only matched if its Source field also specifies an LDAP-based group.

Move a policy

When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order affects policy matching for more information.

NOTE: Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.

To move a policy, click and drag the name to a new location. You can also move a policy by cutting and pasting it into a new location.

Copy and paste a policy

Policies can be copied and pasted to create clones. Right-click on the policy name and then select Copy from the pop-up menu. Right-click in the policy name that the new clone policy will be placed next to and select Paste Above or Paste Below to insert the new policy before or after the selected policy.

Policy lookup

Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol. Use this tool to find out which policy matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.

The Policy Lookup tool has the following requirements:

  • Transparent mode does not support Policy lookup function.
  • When executing the policy lookup, you need to confirm whether the relevant route required for the policy work already exists.
To use the policy lookup:
  1. Go to Policy & Objects > Policy, click Policy Lookup.
  2. Select the incoming interface.
  3. Select IPv4 or IPv6 for the IP version.
  4. Enter the protocol number.
  5. Enter the source IP address.
  6. Enter the destination IP address or fully qualified domain name.
  7. Click Search to display the policy lookup results.

Web cache policy address formats

A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:

  • a single computer, for example, 192.45.46.45
  • a subnetwork, for example, 192.168.1.* for a class C subnet
  • 0.0.0.0 matches any IP address

The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:

  • netmask for a single computer: 255.255.255.255 or /32
  • netmask for a class A subnet: 255.0.0.0 or /8
  • netmask for a class B subnet: 255.255.0.0 or /16
  • netmask for a class C subnet: 255.255.255.0 or /24
  • netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:

  • x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
  • x.x.x.x/x, such as 192.168.1.0/24
An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address.

When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:

  • x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
  • x.x.x.[x-x], for example, 192.168.110.[100-120]
  • x.x.x.*, for a complete subnet, for example: 192.168.110.*
  • x.x.x.[0-255] for a complete subnet, such as 192.168.110.[0-255]
  • x.x.x.0 -x.x.x.255 for a complete subnet, such as 192.168.110.0 - 192.168.110.255
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.