Policy
The policy list displays firewall policies in their order of matching precedence. Firewall policy order affects policy matching. For details about arranging policies in the policy list, see Change how the policy list is displayed.
You can add firewall policies that match HTTP traffic to be cached according to source and destination addresses and the destination port of the traffic.
Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed. See Change how the policy list is displayed.
To view the policy list, go to Policy & Objects > Policy.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following options are available:
Create New | Add a new policy. New policies are added to the bottom of the list. See Create or edit a policy. |
Edit | Edit the selected policy. See Create or edit a policy. |
Delete | Delete the selected policy. |
Policy Lookup | Find a policy. |
Search | Enter a search term to find in the policy list. |
Export |
Export the current view to CSV and JSON formats. Click Export and select CSV or JSON to download the file. |
Interface Pair View/By Sequence |
Select how to view the policy list:
|
Type | The type of policy, such as Explicit Web, Transparent, or SSH Tunnel. See Policy types. |
Name | The name of the policy. |
Incoming Interface | The incoming interface or interfaces. |
Outgoing Interface | The outgoing interface or interfaces. |
Source | The source is the source address or source user of the initiating traffic. |
Destination | The destination address or address range that the policy matches. For more information, see Web cache policy address formats. |
Schedule | The time frame that is applied to the policy. See Schedules. |
Service | The service or services chosen here represent the TCP/IP suite port numbers that will most commonly be used to transport the named protocols or group of protocols. See Services. |
Action | The action to be taken by the policy, such as ACCEPT, DENY, REDIRECT, or ISOLATE. |
Security Profiles | All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles. |
Log | The logging level of the policy. Options vary depending on the policy type. |
Bytes | The number of bytes. |
Active Sessions | The number of active sessions. |
Application Control | What action is taken when an application matches. |
AV | The antivirus profile used by the policy. See AntiVirus. |
Comments | Comments about the policy (up to 1023 characters). |
Destination Address | The destination addresses that the policy matches. The destination address can be used as a traffic filter. |
DNS Filter | The DNS filter profile used by the policy. See DNS Filter. |
Email Filter | The email filter profile used by the policy. See . |
Enforce ZTNA | Whether Zero Trust Network Access (ZTNA) is enabled or disabled. See ZTNA. |
File Filter | The file filter profile used by the policy. See File Filter. |
First Used | When the policy was first used. |
Groups | Which groups the policy matches. |
Hit Count | Number of results found. |
ICAP | The ICAP profile used by the policy. See Create or edit an ICAP profile. |
ID | The policy identifier. Policies are numbered in the order they are added to the configuration. |
IPS | Which IPS signatures the policy uses. |
Last Used | When the policy was last used. |
Packets | The number of packets. |
Protocol Options | The proxy options profile used by the policy. See Proxy Options. |
Source Address | The addresses that a policy can receive traffic from. For more information, see Web cache policy address formats. |
SSL Inspection | The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection. |
Status | Select to enable a policy or clear to disable a policy. A disabled policy is out of service. |
Users | Which users the policy matches. |
Video Filter | The video filter profile used by the policy. See Video Filter. |
VPN Tunnel | The VPN tunnel used by the policy. See VPN. |
Web Application Firewall | The web application firewall profile used by the policy. See . |
Web Filter | The web filter profile used by the policy. See Web Filter. |
ZTNA Tag | The ZTNA tags used in the ZTNA rule that is used by the policy. See ZTNA. |
Change how the policy list is displayed
Policies can be added, edited, copied and pasted, moved, and deleted. To help organize your policies, you can also create sections to group policies together.
Policies can be inserted above or below existing policies and can also be disabled if needed.
The displayed policies can be filtered by either using the search field in the toolbar or by selecting the filter icon in a column heading. The available filter options vary depending on the type of data that the selected column contains.
How list order affects policy matching
The FortiProxy unit uses the first-matching technique to select which policy to apply to a communication session.
When policies have been added, each time the FortiProxy unit accepts a communication session, it then searches the policy list for a matching policy. Matching policies are determined by comparing the policy with the session source and destination addresses and the destination port. The search begins at the top of the policy list and progresses in order towards the bottom. Each policy in the policy list is compared with the communication session until a match is found. When the FortiProxy unit finds the first matching policy, it applies that policy and disregards subsequent policies.
If no policy matches, the session is accepted.
As a general rule, you should order the policy list from most specific to most general because of the order in which policies are evaluated for a match and because only the first matching policy is applied to a session. Subsequent possible matches are not considered or applied.
NOTE: Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions.
Policy rules and authentication rules
Policy rules control what a user or user group can do. Authentication rules define how to authenticate a user. If a policy without a user group matches the type of traffic, authentication is not used because the user group was not specified in the policy.
For example, if a policy rule involving an explicit proxy has the Source field specifying an LDAP-based user group, any other policy rule referencing the explicit proxy is only matched if its Source field also specifies an LDAP-based group.
Move a policy
When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order affects policy matching for more information.
NOTE: Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.
To move a policy, click and drag the name to a new location. You can also move a policy by cutting and pasting it into a new location.
Copy and paste a policy
Policies can be copied and pasted to create clones. Right-click on the policy name and then select Copy from the pop-up menu. Right-click in the policy name that the new clone policy will be placed next to and select Paste Above or Paste Below to insert the new policy before or after the selected policy.
Policy lookup
Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address
that matches the source-port
and dst-port
of the protocol. Use this tool to find out which policy matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.
The Policy Lookup tool has the following requirements:
- Transparent mode does not support Policy lookup function.
- When executing the policy lookup, you need to confirm whether the relevant route required for the policy work already exists.
To use the policy lookup:
- Go to Policy & Objects > Policy, click Policy Lookup.
- Select the incoming interface.
- Select IPv4 or IPv6 for the IP version.
- Enter the protocol number.
- Enter the source IP address.
- Enter the destination IP address or fully qualified domain name.
- Click Search to display the policy lookup results.
Web cache policy address formats
A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:
- a single computer, for example,
192.45.46.45
- a subnetwork, for example,
192.168.1.*
for a class C subnet 0.0.0.0
matches any IP address
The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:
- netmask for a single computer:
255.255.255.255
or/32
- netmask for a class A subnet:
255.0.0.0
or/8
- netmask for a class B subnet:
255.255.0.0
or/16
- netmask for a class C subnet:
255.255.255.0
or/24
- netmask including all IP addresses:
0.0.0.0
Valid IP address and netmask formats include:
- x.x.x.x/x.x.x.x, such as
192.168.1.0/255.255.255.0
- x.x.x.x/x, such as
192.168.1.0/24
An IP address 0.0.0.0 with the netmask 255.255.255.255 is not a valid source or destination address. |
When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10]
, or 192.168.1.*
, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255]
or 192.168.1.0-192.168.1.255
. Valid IP range formats include:
- x.x.x.x-x.x.x.x, for example,
192.168.110.100-192.168.110.120
- x.x.x.[x-x], for example,
192.168.110.[100-120]
- x.x.x.*, for a complete subnet, for example:
192.168.110.*
- x.x.x.[0-255] for a complete subnet, such as
192.168.110.[0-255]
- x.x.x.0 -x.x.x.255 for a complete subnet, such as
192.168.110.0 - 192.168.110.255
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses. |