Create or edit a policy
New policies can be created by selecting Create New in the toolbar. By default, the new policy appears at the bottom of the policy list. New policies can also be created above or below an existing policy by right-clicking a policy name and selecting Insert Empty Policy Above or Insert Empty Policy Below or by copying or cutting an existing policy and then selecting Paste Above or Paste Below from the right-click menu.
Editing a policy
Policy information can be edited as required in four ways:
-
By double-clicking on the sequence number of a policy or the policy name in the policy list
-
By selecting a policy and then selecting Edit from the toolbar
-
By hovering over the policy name and then selecting Edit (the pencil icon)
-
By right-clicking on the sequence number of the policy or the policy name and selecting Edit from the right-click menu
The editing window for regular policies contains the same information as when creating new policies.
Policy types
There are six types of policies:
-
Explicit—for an explicit web proxy policy.
Use an explicit web proxy policy if you want to use the explicit web proxy.
You can use the FortiProxy explicit web proxy to enable explicit proxying of IPv4 and IPv6 HTTP, and HTTPS traffic on one or more FortiProxy interfaces. The explicit web proxy also supports proxying FTP sessions from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI, you can also configure the explicit web proxy to support SOCKS sessions from a web browser.
The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.
The explicit web proxy receives web browser sessions to be proxied at FortiProxy interfaces with the explicit web proxy enabled. The explicit web proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. You can configure the explicit web proxy to keep the original client IP address.
-
Transparent—for a transparent firewall policy.
Use a transparent firewall policy if you want to use the transparent web proxy.
In addition to the explicit web proxy, the FortiProxy unit supports a transparent web proxy. While it does not have as many features as explicit web proxy, the transparent proxy has the advantage that nothing needs to be done on the userʼs system to forward supported web traffic over to the proxy. There is no need to reconfigure the browser or publish a PAC file. Everything is transparent to the end user, hence the name. This makes it easier to incorporate new users into a proxy deployment.
You can use the transparent proxy to apply web authentication to HTTP traffic accepted by a firewall policy.
On networks where authentication based on IP address will not work, you can use the transparent web proxy to apply web authentication that is based on the userʼs browser and not on their IP address. This authentication method allows you to identify individual users even if multiple users on your network are connecting to the FortiProxy unit from the same IP address.
-
FTP—for an explicit FTP proxy policy.
Use an explicit FTP proxy policy if you want to use the explicit FTP proxy.
You can use the FortiProxy explicit FTP proxy to enable explicit FTP proxying on one or more FortiProxy interfaces. The explicit web and FTP proxies can be operating at the same time on the same or on different FortiProxy interfaces.
The FTP proxy receives FTP sessions to be proxied at FortiProxy interfaces with the explicit FTP proxy enabled. The FTP proxy uses FortiProxy routing to route sessions through the FortiProxy unit to a destination interface. Before a session leaves the exiting interface, the explicit FTP proxy changes the source addresses of the session packets to the IP address of the exiting interface.
-
SSH Tunnel—to perform access control for TCP/IP port forwarding traffic that is tunneled through the SSH proxy.
-
SSH Proxy—to apply a proxy firewall policy with user authentication on SSH sessions.
-
Wanopt—for a WAN optimization tunnel.
All optimized traffic passes between the FortiProxy units or between a FortiClient peer and a FortiProxy unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using AES-128bit-CBC SSL.
Both plain text and the encrypted tunnels use TCP destination port 7810.
Before a tunnel can be started, the peers must be configured to authenticate with each other. Then, the clientside peer attempts to start a WAN optimization tunnel with the server-side peer. Once the peers authenticate with each other, they bring up the tunnel and WAN optimization communication over the tunnel starts. After a tunnel has been established, multiple WAN optimization sessions can start and stop between peers without restarting the tunnel.
Configuring a policy
To configure an explicit policy:
|
Type |
Select Explicit. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
Explicit Web Proxy |
If you selected Explicit for the policy type, select web-proxy or search for a policy. To create an explicit proxy policy, see Create or edit an explicit proxy. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules. |
|
Service |
Select a service or service group that packets must match to trigger this policy. Select Create to create a service list. See Services. You can add multiple services or service groups. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Web Cache |
Enable or disable web caching. |
|
Reverse Cache |
Enable to use reverse proxy web caching. This option is available only if the Action is Accept and Web Cache is enabled. |
|
Web Cache For HTTPS Traffic |
Enable or disable web caching for HTTPS traffic. |
|
Transparent |
Enable or disable transparent proxy. |
|
Poolname |
If you configured an IP pool, enable this option and then select the IP pool from the drop-down list. |
|
Webproxy Profile |
If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile. |
|
Web Proxy Forwarding Server |
If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server. |
|
Protocol Options |
Select the proxy options profilefor the policy to use. See Proxy Options. |
|
SSL/SSH Inspection |
The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection. |
|
Display Disclaimer |
If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User. This option is available only if Action is set to ACCEPT. |
|
Customize Messages |
Enable and then edit the existing message or create a message. This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User. |
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
AntiVirus |
Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus. |
|
Web Filter |
Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter. |
|
Application Control |
Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
DLP Sensor |
Enable DLP sensors and select or create a sensor from the drop-down list. See Data Loss Prevention. |
|
Content Analysis |
Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile. |
|
ICAP |
Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Log HTTP Transaction |
Configure whether to enable HTTP transaction log:
When enabled, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
|
Enable SSH policy check |
Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching. |
|
Extended Log |
Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields. |
To configure a transparent policy:
|
Type |
Select Transparent. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
ZTNA |
Enable or disable Zero Trust Network Access (ZTNA). If you enable ZTNA, select whether to use Full ZTNA or IP/MAC filtering.
|
|
ZTNA Server |
Select one or more ZTNA servers to use. |
|
ZTNA Tag |
Select one or more ZTNA tags to use. |
|
Incoming Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules. |
|
Service |
Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services. You can add multiple services or service groups. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Web Cache |
Enable or disable web caching. |
|
Reverse Cache |
Enable to use reverse proxy web caching. This option is available only if the Action is Accept and Web Cache is enabled. |
|
Web Cache For HTTPS Traffic |
Enable or disable web caching for HTTPS traffic. |
|
Status |
Enable or disable WAN optimization for traffic accepted by the policy. If Status is enabled, select Active, Passive, or Manual. |
|
Profiles |
If you enabled Status and selected Active or Manual WAN optimization, select a profile to use for WAN optimization. SeeCreate or edit a WAN optimization profile. |
|
Passive Option |
If you enabled Status and selected Passive WAN optimization, select Default, Non-transparent, or Transparent. |
|
Peers |
If you enabled Status and selected Manual WAN optimization, select a WAN peer. See Create or edit a WAN optimization peer. |
|
Scan Outgoing Connections to Botnet Sites |
Select Disable or Block to protect from botnet and command-and-control traffic. |
|
Webproxy Profile |
If you configured a web proxy profile, enable this option and then select the web proxy profile from the drop-down list. See Web Proxy Profile. |
|
Web Proxy Forwarding Server |
If you configured a web proxy forwarding server, enable this option and then select a server from the drop-down list. See Create or edit a forwarding server. |
|
Force Proxy |
Enable or disable whether proxying will be forced. |
|
Protocol Options |
Select the proxy options profilefor the policy to use. See Proxy Options. |
|
SSL/SSH Inspection |
The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection. |
|
Display Disclaimer |
If you want to display a disclaimer about Internet content that is not controlled by the network access provider, select By Domain, By Policy, or By User. This option is available only if Action is set to ACCEPT. |
|
Customize Messages |
Enable and then edit the existing message or create a message. This option is available only if Display Disclaimer is set to By Domain, By Policy, or By User. |
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
AntiVirus |
Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus. |
|
Web Filter |
Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter. |
|
DNS Filter |
Enable the DNS filter profile and select or create a profile from the drop-down list. See DNS Filter. |
|
Application Control |
Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
DLP Sensor |
Enable DLP sensors and select or create a sensor from the drop-down list. See Data Loss Prevention. |
|
Content Analysis |
Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile. |
|
ICAP |
Enable the ICAP profile and select or create a profile from the drop-down list. See Create or edit an ICAP profile. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT, REDIRECT, or ISOLATE. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Log HTTP Transaction |
Configure whether to enable HTTP transaction log:
When enabled, you can find the HTTP transaction logs under Log & Report > HTTP Transaction. See Types of logs. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
|
Enable SSH policy check |
Enable or disable whether to redirect SSH traffic to the matching proxy policy. See SSH policy matching. |
|
Extended Log |
Enable or disable the recording of extended log for implicit policies. The extended log includes the useragent, referralurl, httpmethod, and statuscode fields. |
To configure an FTP policy:
|
Type |
Select FTP. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Select Create to create a schedule. For more information, see Schedules. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
AntiVirus |
Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
DLP Sensor |
Enable DLP sensors and select or create a sensor from the drop-down list. See Data Loss Prevention. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
To configure an SSH tunnel policy:
|
Type |
Select SSH Tunnel. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
Incoming Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules. |
|
Service |
Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services. You can add multiple services or service groups. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
Application Control |
Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
Logging Options |
This section is available only if Action is set to ACCEPT. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
To configure an SSH proxy policy:
|
Type |
Select SSH Proxy. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
Application Control |
Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
Logging Options |
This section is available only if Action is set to ACCEPT. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
To configure a WAN-optimization tunnel policy:
|
Type |
Select Wanopt. See Policy types. |
|
Name |
Enter a unique name for the new policy. Names can be changed later. |
|
Outgoing Interface |
Click +. A window slides out from the right where you can select from the available interfaces. You can select one or more specific interfaces, or you can select any. Selecting any removes the other interfaces. |
|
Source |
Click +. A window slides out from the right where you can select from the available sources. You can select source proxy addresses, source IPv4 addresses, source IPv6 addresses, source users, or source user groups. NOTE: You can mix IPv4 and IPv6 addresses. When the field is selected, a window slides out from the right. Address, IPv6 Address, and User tabs categorize the options. Click Create to create a source. |
|
Destination |
Click +. A window slides out from the right where you can select from the available destinations. You can select destination proxy addresses, destination IPv4 addresses, destination IPv6 addresses, and destination Internet services. NOTE: You can mix IPv4 and IPv6 addresses. |
|
Negate Destination |
Enable to use all destinations except the ones specified in the Destination field. |
|
Schedule |
Select a schedule from the drop-down list. Click Create to create a schedule. For more information, see Schedules. |
|
Service |
Select a service or service group that packets must match to trigger this policy. Click Create to create a service list. See Services. You can add multiple services or service groups. |
|
Action |
Select how you want the policy to respond when a packet matches the conditions of the policy. The options available will change depending on this selection.
|
|
Web Cache |
Enable or disable web caching. |
|
Reverse Cache |
Enable to use reverse proxy web caching. This option is available only if the Action is Accept and Web Cache is enabled. |
|
Web Cache For HTTPS Traffic |
Enable or disable web caching for HTTPS traffic. |
|
Security Profiles |
Select the security profiles to apply to the policy. These options are available only if Action is set to ACCEPT. |
|
AntiVirus |
Enable the antivirus profile and select or create a profile from the drop-down list. See AntiVirus. |
|
Web Filter |
Enable the web filter profile and select or create a profile from the drop-down list. See Web Filter. |
|
Application Control |
Enable the application sensor and select or create a sensor from the drop-down list. See Create or edit an application sensor. |
|
IPS |
Enable the IPS sensor and select or create a sensor from the drop-down list. See Create or edit an IPS sensor. |
|
DLP Sensor |
Enable DLP sensors and select or create a sensor from the drop-down list. See Data Loss Prevention. |
|
Content Analysis |
Enable the Content Analysis profile and select or create a profile from the drop-down list. See Create or edit an Image Analysis profile. |
|
Log Allowed Traffic |
Enable and then select Security Events or All Sessions. This option is available only if Action is set to ACCEPT. |
|
Generate Logs when Session Starts |
Enable or disable logging when the session starts. |
|
Comments |
Enter a description up to 1,023 characters to describe the policy. |
|
Enable this policy |
Enable to use this policy. |
|
Enable Policy Matching Pass Through |
Enable to make the policy a pass-through policy. Disabled by default. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. |
Web cache policy address formats
A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be any of the following:
- a single computer, for example,
192.45.46.45 - a subnetwork, for example,
192.168.1.*for a class C subnet 0.0.0.0matches any IP address
The netmask corresponds to the subnet class of the address being added and can be represented in either dotted decimal or CIDR format. The FortiProxy unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:
- netmask for a single computer:
255.255.255.255or/32 - netmask for a class A subnet:
255.0.0.0or/8 - netmask for a class B subnet:
255.255.0.0or/16 - netmask for a class C subnet:
255.255.255.0or/24 - netmask including all IP addresses:
0.0.0.0
Valid IP address and netmask formats include:
- x.x.x.x/x.x.x.x, such as
192.168.1.0/255.255.255.0 - x.x.x.x/x, such as
192.168.1.0/24
|
An IP address |
When representing hosts by an IP address range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.*, to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:
- x.x.x.x-x.x.x.x, for example,
192.168.110.100-192.168.110.120 - x.x.x.[x-x], for example,
192.168.110.[100-120] - x.x.x.*, for a complete subnet, for example:
192.168.110.* - x.x.x.[0-255] for a complete subnet, such as
192.168.110.[0-255] - x.x.x.0 -x.x.x.255 for a complete subnet, such as
192.168.110.0 - 192.168.110.255
|
|
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, |
Device ownership
When device ownership is enabled, ownership enforcement is done at policy level. It is disabled by default.
To enable device ownership:
config firewall policy
edit 2
set ztna-status enable
set ztna-ems-tag "FCTEMS_ALL_FORTICLOUD_SERVERS"
set device-ownership enable
...
next
end