Policy
The policy list displays firewall policies in their order of matching precedence. For details about arranging policies in the policy list, see Change how the policy list is displayed.
You can add firewall policies that select the HTTP traffic to be cached; the traffic is matched on its source and destination addresses and its destination port.
Various right-click menus are available throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed. See Change how the policy list is displayed.
To view the policy list, go to Policy & Objects > Policy.
Hover over the leftmost edge of the column heading to display the Configure Table icon, which you can use to select the columns to display or to reset all the columns to their default settings. You can also drag column headings to change their order.
The following toolbar options and columns are available:

| Option or column | Description |
| --- | --- |
| Create New | Add a new policy. New policies are added to the bottom of the list. See Create or edit a policy. |
| Edit | Edit the selected policy. See Create or edit a policy. |
| Delete | Delete the selected policy. |
| Policy Lookup | Find which of the configured policies matches specific traffic. The matching policy is highlighted in the policy list after the lookup. The policy lookup is based on the |
| Search | Enter a search term to find in the policy list. |
| Export | Export the current view as a CSV or JSON file. Click Export and select CSV or JSON to download the file. |
| Interface Pair View/By Sequence | Select how to view the policy list (grouped by interface pair, or in sequence order). |
| New layout/Use classic layout | Select the layout of the policy list. See for more details. |
| Type | The type of policy, such as Explicit Web, Transparent, or SSH Tunnel. See Policy types. |
| Name | The name of the policy. |
| Incoming Interface | The incoming interface or interfaces. |
| Outgoing Interface | The outgoing interface or interfaces. |
| Source | The source address or source user of the traffic that initiates the session. |
| Destination | The destination address or address range that the policy matches. For more information, see Web cache policy address formats. |
| Forwarding Server | The upstream forwarding server to which the policy forwards traffic. |
| Schedule | The time frame during which the policy is in effect. See Schedules. |
| Service | The service or services that the policy matches. A service identifies traffic by protocol and by the port numbers most commonly used to carry that protocol or group of protocols. See Services. |
| Action | The action the policy takes on matching traffic, such as ACCEPT, DENY, REDIRECT, or ISOLATE. |
| Security Profiles | All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Profile, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles. |
| Log | The logging level of the policy. Options vary depending on the policy type. |
| Bytes | The number of bytes of traffic that have matched the policy. |
| Applications | Application names, application categories, and application groups that the policy matches. See Policy matching using applications for more details. |
| URL Category | URL categories that the policy matches. For HTTPS traffic, you can configure FortiProxy to use only the FQDN category, or both the hostname and the path, to determine a subcategory when matching traffic by URL category. This is controlled by the https-sub-category setting of the policy (CLI shown after this table). |
| Active Sessions | The number of active sessions. |
| Application Control | The action taken when traffic matches an application. |
| AV | The antivirus profile used by the policy. See Antivirus. |
| Comments | Comments about the policy (up to 1023 characters). |
| Destination Address | The destination addresses that the policy matches. The destination address can be used as a traffic filter. |
| DNS Filter | The DNS filter profile used by the policy. See DNS Filter. |
| Email Filter | The email filter profile used by the policy. |
| Enforce ZTNA | Whether Zero Trust Network Access (ZTNA) is enabled or disabled. See Zero Trust Network Access introduction. |
| File Filter | The file filter profile used by the policy. See File Filter. |
| First Used | When the policy was first used. |
| Groups | Which user groups the policy matches. |
| Hit Count | The number of times traffic has matched the policy. |
| ICAP | The ICAP profile used by the policy. See Create or edit an ICAP profile. |
| ID | The policy identifier. IDs are assigned in the order in which policies are added to the configuration and do not change when a policy is moved. |
| IPS | The IPS sensor (set of IPS signatures) used by the policy. |
| Last Used | When the policy was last used. |
| Packets | The number of packets that have matched the policy. |
| Protocol Options | The proxy options profile used by the policy. See Proxy Options. |
| Source Address | The addresses from which the policy accepts traffic. For more information, see Web cache policy address formats. |
| SSL Inspection | The SSL/SSH inspection options used by the policy. See SSL/SSH Inspection. |
| Status | Select to enable the policy or clear to disable it. A disabled policy is out of service and is skipped during policy matching. |
| Users | Which users the policy matches. |
| Video Filter | The video filter profile used by the policy. See Video Filter. |
| VPN Tunnel | The VPN tunnel used by the policy. See VPN. |
| Web Application Firewall | The web application firewall profile used by the policy. See . |
| Web Filter | The web filter profile used by the policy. See Web Filter. |
| ZTNA Tag | The ZTNA tags used in the ZTNA rule that is used by the policy. See Zero Trust Network Access introduction. |

To set the URL subcategory matching behaviour for HTTPS traffic on a policy, use the CLI:

    config firewall policy
        edit <id>
            set https-sub-category [enable | disable]
        next
    end
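The Export option above makes the policy list reviewable offline. The following Python script is an added example (not FortiProxy code or output) that parses such an export and flags policies a reviewer would want to look at first: any-to-any ACCEPT rules with no security profiles, enabled policies with a Hit Count of 0, and disabled policies that are still in the configuration. The header names are taken from the column names on this page; the exact layout of a real export and the "Enabled"/"Disabled" wording in the Status column are assumptions, and the sample CSV is constructed.

```python
"""Audit a policy-list export (CSV) for risky or stale policies.

Constructed example, not FortiProxy code. The header names follow the column
names documented on this page; the exact layout of a real export, and the
"Enabled"/"Disabled" wording in the Status column, are assumptions.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample export (not captured from a device).
SAMPLE_CSV = """\
ID,Name,Source,Destination,Service,Action,Status,Security Profiles,Hit Count,Last Used
1,allow-web-from-lan,lan-net,all,HTTP HTTPS,ACCEPT,Enabled,av-default web-filter-default,18233,2024-05-02 09:14
2,temporary-any-any,all,all,ALL,ACCEPT,Enabled,,412,2024-05-01 17:02
3,legacy-ftp,lan-net,ftp-server,FTP,ACCEPT,Enabled,av-default,0,
4,old-guest-block,guest-net,all,ALL,DENY,Disabled,,0,
"""

Finding = Tuple[str, str, str]  # (ID, Name, reason)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Read the export into one dict per policy row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows: List[Dict[str, str]]) -> List[Finding]:
    """Flag policies a reviewer would want to look at first, in list order."""
    findings: List[Finding] = []
    for r in rows:
        pid, name = r["ID"], r["Name"]
        enabled = r["Status"].strip().lower() == "enabled"
        profiles = r["Security Profiles"].strip()
        hits = int(r["Hit Count"] or 0)
        # Broad allow rule with no inspection: the classic "temporary" exception.
        if (enabled and r["Action"] == "ACCEPT" and r["Source"] == "all"
                and r["Destination"] == "all" and not profiles):
            findings.append((pid, name, "any-to-any ACCEPT with no security profiles"))
        # Enabled but never hit: either dead configuration or shadowed by an earlier policy.
        if enabled and hits == 0:
            findings.append((pid, name, "enabled but never matched (Hit Count 0)"))
        # Disabled policies are skipped during matching but still clutter the list.
        if not enabled:
            findings.append((pid, name, "disabled policy still in configuration"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in audit(parse_export(SAMPLE_CSV)):
        print(f"policy {pid} ({name}): {reason}")
```

A Hit Count of 0 on an enabled policy is worth cross-checking with Policy Lookup before deleting it: the policy may be unused, or it may be correct but shadowed by a broader policy higher in the list.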
Change how the policy list is displayed
Policies can be added, edited, copied and pasted, moved, and deleted. Policies can be inserted above or below existing policies and can also be disabled if needed. Note that firewall policy order affects policy matching. See Policy matching.
To move a policy by policy ID:

1. Go to Policy & Objects > Policy. Make sure By Sequence or Sequence Grouping View is selected at the top-right corner.
2. Right-click the policy you want to move and select Move by ID. The Move by ID pane is displayed.
3. Define the new location of the policy:
   - Select whether the policy should be moved Above or Below the policy ID you will define in the next step.
   - In the Destination policy ID field, enter the ID of the destination policy or select it from the dropdown menu.
4. If you do not want to automatically view the new location of the policy, disable Jump to policy after move. This feature is enabled by default.
5. Click OK. The policy is moved to the new location.

Note: Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.
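Because matching is first-match in list order, moving a policy changes which policy wins without changing any ID, and a new policy appended at the bottom may never match if a broader policy above it already covers its traffic. The following Python model is an added example (not FortiProxy code) that illustrates both the Policy Lookup behaviour described earlier on this page and the Move by ID procedure above: it evaluates a constructed policy list first-match, moves a policy by ID, and reports fully shadowed policies. Addresses are plain CIDR strings or "all" for simplicity; real policies also match on interfaces, schedules, users and services, which this model leaves out.

```python
"""Model of the policy list: first-match lookup, Move by ID, and shadowed policies.

Constructed example, not FortiProxy code. Addresses are plain CIDR strings or
"all"; real policies use address objects, interfaces, schedules, and users.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


def _net(spec: str):
    # "all" stands for the any-address object; IPv4 only in this model.
    return ip_network("0.0.0.0/0") if spec == "all" else ip_network(spec)


@dataclass
class Policy:
    id: int              # assigned at creation, never changes when moved
    name: str
    src: str             # source network (CIDR) or "all"
    dst: str             # destination network (CIDR) or "all"
    dports: Set[int]     # destination ports; empty set means any port
    action: str          # "ACCEPT" or "DENY"
    status: bool = True  # a disabled policy is skipped during matching

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self.status
                and ip_address(src_ip) in _net(self.src)
                and ip_address(dst_ip) in _net(self.dst)
                and (not self.dports or dport in self.dports))

    def covers(self, other: "Policy") -> bool:
        """True if every flow that `other` matches is also matched by this policy."""
        return (self.status
                and _net(other.src).subnet_of(_net(self.src))
                and _net(other.dst).subnet_of(_net(self.dst))
                and (not self.dports
                     or (bool(other.dports) and other.dports <= self.dports)))


def lookup(policies: List[Policy], src_ip: str, dst_ip: str, dport: int) -> Optional[Policy]:
    """Policy Lookup: the first policy in list order that matches the traffic wins."""
    for p in policies:
        if p.matches(src_ip, dst_ip, dport):
            return p
    return None  # nothing matched: implicit deny


def move_by_id(policies: List[Policy], policy_id: int, dest_id: int,
               above: bool = True) -> List[Policy]:
    """Move by ID: reposition one policy above or below another. IDs are untouched."""
    moving = next(p for p in policies if p.id == policy_id)
    rest = [p for p in policies if p.id != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.id == dest_id)
    rest.insert(idx if above else idx + 1, moving)
    return rest


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of enabled policies that can never match because an earlier policy
    covers all of their traffic. Partial overlap is not reported."""
    return [p.name for i, p in enumerate(policies)
            if p.status and any(q.covers(p) for q in policies[:i])]


# Constructed policy list in creation order. Policy 4 was added last, so it sits
# at the bottom, below the broader policy 1 that already matches all its traffic.
POLICIES = [
    Policy(1, "allow-web-from-lan", "10.0.0.0/8", "all", {80, 443}, "ACCEPT"),
    Policy(2, "block-finance-to-internet", "10.1.0.0/16", "all", set(), "DENY"),
    Policy(3, "allow-dns", "10.0.0.0/8", "all", {53}, "ACCEPT"),
    Policy(4, "allow-finance-web", "10.1.0.0/16", "all", {443}, "ACCEPT"),
]

if __name__ == "__main__":
    flow = ("10.1.5.5", "203.0.113.10", 443)   # finance host browsing the internet
    print("before move:", lookup(POLICIES, *flow).name)      # allow-web-from-lan
    moved = move_by_id(POLICIES, policy_id=2, dest_id=1, above=True)
    print("after move: ", lookup(moved, *flow).name)         # block-finance-to-internet
    print("IDs after move:", [p.id for p in moved])          # [2, 1, 3, 4]
    print("shadowed:", shadowed(POLICIES))                   # ['allow-finance-web']
```

The deny policy (ID 2) is intended to block finance hosts, but as created it sits below the broad web allow (ID 1), so HTTPS from 10.1.5.5 is accepted; after Move by ID places it above ID 1 the same flow is denied, and the IDs keep their creation order. The `shadowed` check is the kind of review to run after any reordering, since a policy with a Hit Count of 0 is often one that a broader policy above it has silently taken over.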
The displayed policies can be filtered by either using the search field in the toolbar or by selecting the filter icon in a column heading. The available filter options vary depending on the type of data that the selected column contains.
To help organize your policies, you can also create sections to group policies together.
Copy and paste a policy
Policies can be copied and pasted to create clones. Right-click the policy name and select Copy from the pop-up menu. Then right-click the policy next to which the clone should be placed and select Paste Above or Paste Below to insert the new policy before or after the selected policy.
Policy rules and authentication rules
Policy rules control what a user or user group is allowed to do. Authentication rules define how a user is authenticated. If a policy that does not specify a user group matches the traffic, no authentication takes place, because the policy requires no user identity.
For example, if a policy rule for an explicit proxy specifies an LDAP-based user group in its Source field, any other policy rule that references the same explicit proxy is matched only if its Source field also specifies an LDAP-based group.