CLI Reference

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set status [enable|disable]
        set name {string}
        set uuid {uuid}
        set force-proxy [enable|disable]
        set implicit-proxy-detection [enable|disable]
        set dynamic-bypass [enable|disable]
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set ztna-device-ownership [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set dstaddr <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set schedule {string}
        set policy-expiry [enable|disable]
        set policy-expiry-date {datetime}
        set service <name1>, <name2>, ...
        set explicit-web-proxy {string}
        set transparent [enable|disable]
        set access-proxy <name1>, <name2>, ...
        set ztna-proxy <name1>, <name2>, ...
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-ems-tag-secondary <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
        set device-ownership [enable|disable]
        set pass-through [enable|disable]
        set url-category <id1>, <id2>, ...
        set url-risk <name1>, <name2>, ...
        set internet-service [enable|disable]
        set internet-service-name <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set internet-service6 [enable|disable]
        set internet-service6-name <name1>, <name2>, ...
        set internet-service6-group <name1>, <name2>, ...
        set internet-service6-custom <name1>, <name2>, ...
        set internet-service6-custom-group <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set utm-status [enable|disable]
        set ztna-policy-redirect [enable|disable]
        set webproxy-profile {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [disable|enable]
        set extended-log [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set http-tunnel-auth [enable|disable]
        set ssh-policy-check [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        set poolname <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set internet-service6-negate [enable|disable]
        set application <id1>, <id2>, ...
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set decrypted-traffic-mirror {string}
        set max-session-per-user {integer}
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-profile {string}
        set file-filter-profile {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set videofilter-profile {string}
        set isolator-profile {string}
        set redirect-profile {string}
        set ssh-filter-profile {string}
        set casb-profile {string}
        set detect-https-in-http-request [enable|disable]
    next
end

config firewall policy

Parameters. Each entry gives the parameter's description, its type, its size (maximum length or value range) and its default, where the reference defines one. For list parameters (srcintf <name>, srcaddr <name>, ...) the size applies to each entry.

policyid
    Policy ID.
    Type: integer. Minimum value: 0. Maximum value: 4294967294. Default: 0.

type
    Type of policy.
    Type: option. Default: transparent.
    Options:
        explicit-web    Explicit Web Proxy policy
        transparent     Transparent firewall policy
        explicit-ftp    Explicit FTP Proxy policy
        ssh-tunnel      SSH Tunnel policy
        ssh             SSH policy
        access-proxy    Access Proxy
        ztna-proxy      ZTNA Proxy
        wanopt          WANopt Tunnel

status
    Enable or disable this policy.
    Type: option. Default: enable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

name
    Policy name.
    Type: string. Maximum length: 35.

uuid
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Type: uuid. Default: 00000000-0000-0000-0000-000000000000.

force-proxy
    Force proxy.
    Type: option. Default: disable.
    Options:
        enable          Force all TCP transparent traffic to the proxy.
        disable         Do not force TCP transparent traffic to the proxy.

implicit-proxy-detection
    Implicit proxy detection.
    Type: option. Default: disable.
    Options:
        enable          Enable implicit proxy detection.
        disable         Disable implicit proxy detection.

dynamic-bypass
    Dynamic bypass.
    Type: option. Default: disable.
    Options:
        enable          Enable dynamic bypass for all HTTP traffic in this policy.
        disable         Disable dynamic bypass for all HTTP traffic in this policy.

srcintf <name>
    Incoming (ingress) interface. Each <name> is an interface name.
    Type: string. Maximum length: 79.

dstintf <name>
    Outgoing (egress) interface. Each <name> is an interface name.
    Type: string. Maximum length: 79.

ztna-device-ownership
    Enable/disable zero trust device ownership.
    Type: option. Default: disable.
    Options:
        enable          Enable ZTNA device ownership check.
        disable         Disable ZTNA device ownership check.

srcaddr <name>
    Source address and address group names. Each <name> is an address name.
    Type: string. Maximum length: 79.

dstaddr <name>
    Destination address and address group names. Each <name> is an address name.
    Type: string. Maximum length: 79.

srcaddr6 <name>
    IPv6 source address (web proxy and FTP proxy only). Each <name> is an address name.
    Type: string. Maximum length: 79.

dstaddr6 <name>
    IPv6 destination address (web proxy and FTP proxy only). Each <name> is an address name.
    Type: string. Maximum length: 79.

action
    Policy action (allow/deny).
    Type: option. Default: deny.
    Options:
        accept          Allows sessions that match the firewall policy.
        deny            Blocks sessions that match the firewall policy.
        redirect        Redirects sessions that match the firewall policy to a URL.
        isolate         Isolates sessions that match the firewall policy with the isolator.

schedule
    Schedule name.
    Type: string. Maximum length: 35.

policy-expiry
    Enable/disable policy expiry.
    Type: option. Default: disable.
    Options:
        enable          Enable policy expiry.
        disable         Disable policy expiry.

policy-expiry-date
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    Type: datetime. Default: 0000-00-00 00:00:00.

service <name>
    Service and service group names.
    Type: string. Maximum length: 79.

explicit-web-proxy
    Explicit web proxy.
    Type: string. Maximum length: 35.

transparent
    Set the web proxy to use the original client address.
    Type: option. Default: disable.
    Options:
        enable          Enable use of the original client address for the web proxy.
        disable         Disable use of the original client address for the web proxy.

access-proxy <name>
    Access Proxy. Each <name> is an Access Proxy name.
    Type: string. Maximum length: 79.

ztna-proxy <name>
    ZTNA Traffic Forward Proxy. Each <name> is a ZTNA Traffic Forward Proxy name.
    Type: string. Maximum length: 79.

ztna-ems-tag <name>
    Source ztna-ems-tag names. Each <name> is an address name.
    Type: string. Maximum length: 79.

ztna-ems-tag-secondary <name>
    Source ztna-ems-tag-secondary names. Each <name> is an address name.
    Type: string. Maximum length: 79.

ztna-tags-match-logic
    ZTNA tag matching logic.
    Type: option. Default: or.
    Options:
        or              Match ZTNA tags using a logical OR operator.
        and             Match ZTNA tags using a logical AND operator.

device-ownership
    When enabled, ownership enforcement is done at the policy level.
    Type: option. Default: disable.
    Options:
        enable          Enable device ownership.
        disable         Disable device ownership.

pass-through
    Enable/disable policy matching pass through.
    Type: option. Default: disable.
    Options:
        enable          Enable policy matching pass through.
        disable         Disable policy matching pass through.

url-category <id>
    URL category ID list. Each <id> is a URL category ID.
    Type: integer. Minimum value: 0. Maximum value: 4294967295.

url-risk <name>
    URL risk level name. Each <name> is a risk level name.
    Type: string. Maximum length: 79.

internet-service
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
    Type: option. Default: disable.
    Options:
        enable          Enable use of Internet Services in policy.
        disable         Disable use of Internet Services in policy.

internet-service-name <name>
    Internet Service name.
    Type: string. Maximum length: 79.

internet-service-group <name>
    Internet Service group name.
    Type: string. Maximum length: 79.

internet-service-custom <name>
    Custom Internet Service name.
    Type: string. Maximum length: 79.

internet-service6
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
    Type: option. Default: disable.
    Options:
        enable          Enable use of IPv6 Internet Services in policy.
        disable         Disable use of IPv6 Internet Services in policy.

internet-service6-name <name>
    IPv6 Internet Service name.
    Type: string. Maximum length: 79.

internet-service6-group <name>
    Internet Service group name.
    Type: string. Maximum length: 79.

internet-service6-custom <name>
    Custom IPv6 Internet Service name.
    Type: string. Maximum length: 79.

internet-service6-custom-group <name>
    Custom Internet Service6 group name.
    Type: string. Maximum length: 79.

internet-service-custom-group <name>
    Custom Internet Service group name.
    Type: string. Maximum length: 79.

utm-status
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

ztna-policy-redirect
    Redirect ZTNA traffic to the matching Access-Proxy proxy-policy.
    Type: option. Default: disable.
    Options:
        enable          Enable ZTNA proxy-policy redirect.
        disable         Disable ZTNA proxy-policy redirect.

webproxy-profile
    Web proxy profile used when no policy is matched.
    Type: string. Maximum length: 63.

logtraffic
    Enable or disable logging. Log all sessions or security profile sessions.
    Type: option. Default: utm.
    Options:
        all             Log all sessions accepted or denied by this policy.
        utm             Log traffic that has a security profile applied to it.
        disable         Disable all logging for this policy.

logtraffic-start
    Record logs when a session starts and ends.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

log-http-transaction
    Enable/disable HTTP transaction log.
    Type: option. Default: disable.
    Options:
        disable         Disable HTTP transaction log.
        enable          Enable HTTP transaction log.

extended-log
    Enable/disable extended log for HTTP transactions.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

wanopt
    Enable/disable WAN optimization.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

wanopt-detection
    WAN optimization auto-detection mode.
    Type: option. Default: active.
    Options:
        active          Active WAN optimization peer auto-detection.
        passive         Passive WAN optimization peer auto-detection.
        off             Turn off WAN optimization peer auto-detection.

wanopt-passive-opt
    WAN optimization passive mode options. This option decides which IP address is used to connect to the server.
    Type: option. Default: default.
    Options:
        default         Allow the client-side WAN opt peer to decide.
        transparent     Use the address of the client to connect to the server.
        non-transparent Use the local FortiProxy address to connect to the server.

wanopt-profile
    WAN optimization profile.
    Type: string. Maximum length: 35.

wanopt-peer
    WAN optimization peer.
    Type: string. Maximum length: 35.

webcache
    Enable/disable web cache.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

webcache-https
    Enable/disable web cache for HTTPS.
    Type: option. Default: disable.
    Options:
        disable         Disable web cache for HTTPS.
        enable          Enable web cache for HTTPS.

reverse-cache
    Enable/disable reverse cache servers.
    Type: option. Default: disable.
    Options:
        disable         Disable reverse cache.
        enable          Enable reverse cache servers.

http-tunnel-auth
    Enable/disable HTTP tunnel authentication.
    Type: option. Default: disable.
    Options:
        enable          Enable setting.
        disable         Disable setting.

ssh-policy-check
    Enable/disable SSH policy check.
    Type: option. Default: disable.
    Options:
        enable          Enable SSH policy check.
        disable         Disable SSH policy check.

webproxy-forward-server
    Web proxy forward server name.
    Type: string. Maximum length: 63.

isolator-server
    Isolator server name.
    Type: string. Maximum length: 63.

poolname <name>
    Name of IP pool object. Each <name> is an IP pool name.
    Type: string. Maximum length: 79.

groups <name>
    Names of user groups that can authenticate with this policy. Each <name> is a group name.
    Type: string. Maximum length: 79.

users <name>
    Names of individual users that can authenticate with this policy.
    Type: string. Maximum length: 79.

disclaimer
    Web proxy disclaimer setting: by domain, policy, or user.
    Type: option. Default: disable.
    Options:
        disable         Disable disclaimer.
        domain          Display disclaimer for domain.
        policy          Display disclaimer for policy.
        user            Display disclaimer for current user.

comments
    Comment.
    Type: var-string. Maximum length: 1023.

redirect-url
    Redirect URL for further web proxy processing.
    Type: var-string. Maximum length: 1023.

custom-log-fields <field-id>
    Custom fields to append to log messages for this policy. Each <field-id> is a custom log field.
    Type: string. Maximum length: 35.

replacemsg-override-group
    Override the default replacement message group for this policy.
    Type: string. Maximum length: 35.

srcaddr-negate
    When enabled, srcaddr specifies what the source address must NOT be.
    Type: option. Default: disable.
    Options:
        enable          Enable source address negate.
        disable         Disable source address negate.

dstaddr-negate
    When enabled, dstaddr specifies what the destination address must NOT be.
    Type: option. Default: disable.
    Options:
        enable          Enable destination address negate.
        disable         Disable destination address negate.

service-negate
    When enabled, service specifies what the service must NOT be.
    Type: option. Default: disable.
    Options:
        enable          Enable negated service match.
        disable         Disable negated service match.

internet-service-negate
    When enabled, internet-service specifies what the service must NOT be.
    Type: option. Default: disable.
    Options:
        enable          Enable negated Internet Service match.
        disable         Disable negated Internet Service match.

internet-service6-negate
    When enabled, internet-service6 specifies what the service must NOT be.
    Type: option. Default: disable.
    Options:
        enable          Enable negated IPv6 Internet Service match.
        disable         Disable negated IPv6 Internet Service match.

application <id>
    Application ID list. Each <id> is an application ID.
    Type: integer. Minimum value: 0. Maximum value: 4294967295.

app-category <id>
    Application category ID list. Each <id> is a category ID.
    Type: integer. Minimum value: 0. Maximum value: 4294967295.

app-group <name>
    One or more application group names. Each <name> is an application group name.
    Type: string. Maximum length: 79.

decrypted-traffic-mirror
    Decrypted traffic mirror.
    Type: string. Maximum length: 35.

max-session-per-user
    Max UTM sessions per user.
    Type: integer. Minimum value: 0. Maximum value: 4294967295. Default: 0.

profile-type
    Determine whether the firewall policy allows security profile groups or single profiles only.
    Type: option. Default: single.
    Options:
        single          Do not allow security profile groups.
        group           Allow security profile groups.

profile-group
    Name of profile group.
    Type: string. Maximum length: 35.

profile-protocol-options
    Name of an existing Protocol options profile.
    Type: string. Maximum length: 35. Default: default.

ssl-ssh-profile
    Name of an existing SSL SSH profile.
    Type: string. Maximum length: 35. Default: no-inspection.

av-profile
    Name of an existing Antivirus profile.
    Type: string. Maximum length: 35.

ia-profile
    Image analyzer profile.
    Type: string. Maximum length: 35.

webfilter-profile
    Name of an existing Web filter profile.
    Type: string. Maximum length: 35.

dnsfilter-profile
    Name of an existing DNS filter profile.
    Type: string. Maximum length: 35.

emailfilter-profile
    Name of an existing email filter profile.
    Type: string. Maximum length: 35.

dlp-profile
    Name of an existing DLP profile.
    Type: string. Maximum length: 35.

file-filter-profile
    Name of an existing file-filter profile.
    Type: string. Maximum length: 35.

ips-sensor
    Name of an existing IPS sensor.
    Type: string. Maximum length: 35.

application-list
    Name of an existing Application list.
    Type: string. Maximum length: 35.

icap-profile
    Name of an existing ICAP profile.
    Type: string. Maximum length: 35.

cifs-profile
    Name of an existing CIFS profile.
    Type: string. Maximum length: 35.

videofilter-profile
    Name of an existing VideoFilter profile.
    Type: string. Maximum length: 35.

isolator-profile
    Name of an existing isolator profile.
    Type: string. Maximum length: 35.

redirect-profile
    Name of an existing URL Redirect profile.
    Type: string. Maximum length: 35.

ssh-filter-profile
    Name of an existing SSH filter profile.
    Type: string. Maximum length: 35.

casb-profile
    Name of an existing CASB profile.
    Type: string. Maximum length: 35.

detect-https-in-http-request
    Enable/disable detection of HTTPS in HTTP request.
    Type: option. Default: disable.
    Options:
        enable          Enable detection of HTTPS in HTTP request.
        disable         Disable detection of HTTPS in HTTP request.
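As an added example (not FortiProxy code and not part of this reference), the following Python auditor parses a `config firewall policy` block in the syntax shown above and flags the settings this table describes as reducing inspection or logging, or as silently ignored: accept without utm-status, logtraffic disable, internet-service enable alongside dstaddr/service, the negate flags, and an elapsed policy-expiry-date. It assumes an absent parameter takes the table default; the sample config, its address and profile names, and the audit rules are constructed for illustration.

```python
import re
from datetime import datetime

# Length limits taken from the reference table for the parameters checked here.
MAX_LEN = {"name": 35, "schedule": 35, "comments": 1023, "redirect-url": 1023}
EXPIRY_FMT = "%Y-%m-%d %H:%M:%S"  # policy-expiry-date format given in the table

# Constructed sample config in the syntax shown above; all names are hypothetical.
SAMPLE = """\
config firewall policy
    edit 1
        set name "corp-web-out"
        set srcaddr "lan-users"
        set dstaddr "internet-hosts"
        set internet-service enable
        set internet-service-name "Web-Browsing"
        set action accept
        set service "HTTPS"
        set logtraffic disable
    next
    edit 2
        set name "blocked-sites"
        set action deny
        set srcaddr-negate enable
        set srcaddr "guest-net"
        set policy-expiry enable
        set policy-expiry-date 2020-01-01 00:00:00
    next
    edit 3
        set name "inspected-web"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set logtraffic all
    next
end
"""


def parse_policies(text):
    """Parse edit <id> / set <param> <values> / next into {policyid: {param: [values]}}."""
    policies, current, pid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            pid, current = int(line.split()[1]), {}
        elif line == "next" and current is not None:
            policies[pid], current = current, None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:  # quoted values keep their spaces, quotes are stripped
                current[parts[1]] = [v.strip('"') for v in
                                     re.findall(r'"[^"]*"|\S+', parts[2])]
    return policies


def audit_policy(p, now):
    """Findings for one parsed policy, using the table's defaults and semantics."""
    get, findings = p.get, []
    if get("status") == ["disable"]:
        return findings                          # a disabled policy matches nothing
    action = get("action", ["deny"])             # table default: deny
    logtraffic = get("logtraffic", ["utm"])      # table default: utm
    for param, limit in MAX_LEN.items():
        if any(len(v) > limit for v in get(param, [])):
            findings.append(f"{param} exceeds maximum length {limit}")
    if action == ["accept"]:
        if get("utm-status", ["disable"]) != ["enable"]:
            findings.append("accept without utm-status enable: no security profiles apply")
        elif get("ssl-ssh-profile", ["no-inspection"]) == ["no-inspection"]:
            findings.append("utm-status enable but ssl-ssh-profile is no-inspection (the default)")
    if logtraffic == ["disable"]:
        findings.append("logtraffic disable: sessions matching this policy are not logged")
    elif logtraffic == ["utm"] and action == ["deny"]:
        findings.append("deny with logtraffic utm: use logtraffic all to log denied sessions")
    for v6 in ("", "6"):  # internet-service and internet-service6 have the same rule
        if get(f"internet-service{v6}") == ["enable"] and (get(f"dstaddr{v6}") or get("service")):
            findings.append(f"internet-service{v6} enable: dstaddr{v6} and service are not used")
    for neg, field in (("srcaddr-negate", "srcaddr"), ("dstaddr-negate", "dstaddr"),
                       ("service-negate", "service")):
        if get(neg) == ["enable"]:
            findings.append(f"{neg} enable: {field} lists what must NOT match; everything else matches")
    if get("policy-expiry") == ["enable"]:
        try:
            expiry = datetime.strptime(" ".join(get("policy-expiry-date", [])), EXPIRY_FMT)
        except ValueError:                       # missing, or the 0000-00-00 00:00:00 default
            findings.append("policy-expiry enable without a valid policy-expiry-date")
        else:
            if expiry <= now:
                findings.append(f"policy expired at {expiry:{EXPIRY_FMT}} but is still present")
    return findings


def audit(text, now_str):
    """Audit every policy in a config block; now_str uses the expiry-date format."""
    now = datetime.strptime(now_str, EXPIRY_FMT)
    return {pid: audit_policy(p, now) for pid, p in parse_policies(text).items()}
```

Calling `audit(SAMPLE, "2024-01-01 00:00:00")` reports three findings each for policies 1 and 2 and none for policy 3.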

config firewall policy

config firewall policy

Configure firewall policies.

config firewall policy
    Description: Configure firewall policies.
    edit <policyid>
        set type [explicit-web|transparent|...]
        set status [enable|disable]
        set name {string}
        set uuid {uuid}
        set force-proxy [enable|disable]
        set implicit-proxy-detection [enable|disable]
        set dynamic-bypass [enable|disable]
        set srcintf <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set ztna-device-ownership [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set dstaddr <name1>, <name2>, ...
        set srcaddr6 <name1>, <name2>, ...
        set dstaddr6 <name1>, <name2>, ...
        set action [accept|deny|...]
        set schedule {string}
        set policy-expiry [enable|disable]
        set policy-expiry-date {datetime}
        set service <name1>, <name2>, ...
        set explicit-web-proxy {string}
        set transparent [enable|disable]
        set access-proxy <name1>, <name2>, ...
        set ztna-proxy <name1>, <name2>, ...
        set ztna-ems-tag <name1>, <name2>, ...
        set ztna-ems-tag-secondary <name1>, <name2>, ...
        set ztna-tags-match-logic [or|and]
        set device-ownership [enable|disable]
        set pass-through [enable|disable]
        set url-category <id1>, <id2>, ...
        set url-risk <name1>, <name2>, ...
        set internet-service [enable|disable]
        set internet-service-name <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-custom <name1>, <name2>, ...
        set internet-service6 [enable|disable]
        set internet-service6-name <name1>, <name2>, ...
        set internet-service6-group <name1>, <name2>, ...
        set internet-service6-custom <name1>, <name2>, ...
        set internet-service6-custom-group <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set utm-status [enable|disable]
        set ztna-policy-redirect [enable|disable]
        set webproxy-profile {string}
        set logtraffic [all|utm|...]
        set logtraffic-start [enable|disable]
        set log-http-transaction [disable|enable]
        set extended-log [enable|disable]
        set wanopt [enable|disable]
        set wanopt-detection [active|passive|...]
        set wanopt-passive-opt [default|transparent|...]
        set wanopt-profile {string}
        set wanopt-peer {string}
        set webcache [enable|disable]
        set webcache-https [disable|enable]
        set reverse-cache [disable|enable]
        set http-tunnel-auth [enable|disable]
        set ssh-policy-check [enable|disable]
        set webproxy-forward-server {string}
        set isolator-server {string}
        set poolname <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set users <name1>, <name2>, ...
        set disclaimer [disable|domain|...]
        set comments {var-string}
        set redirect-url {var-string}
        set custom-log-fields <field-id1>, <field-id2>, ...
        set replacemsg-override-group {string}
        set srcaddr-negate [enable|disable]
        set dstaddr-negate [enable|disable]
        set service-negate [enable|disable]
        set internet-service-negate [enable|disable]
        set internet-service6-negate [enable|disable]
        set application <id1>, <id2>, ...
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set decrypted-traffic-mirror {string}
        set max-session-per-user {integer}
        set profile-type [single|group]
        set profile-group {string}
        set profile-protocol-options {string}
        set ssl-ssh-profile {string}
        set av-profile {string}
        set ia-profile {string}
        set webfilter-profile {string}
        set dnsfilter-profile {string}
        set emailfilter-profile {string}
        set dlp-profile {string}
        set file-filter-profile {string}
        set ips-sensor {string}
        set application-list {string}
        set icap-profile {string}
        set cifs-profile {string}
        set videofilter-profile {string}
        set isolator-profile {string}
        set redirect-profile {string}
        set ssh-filter-profile {string}
        set casb-profile {string}
        set detect-https-in-http-request [enable|disable]
    next
end

config firewall policy

Parameter

Description

Type

Size

Default

policyid

Policy ID.

integer

Minimum value: 0 Maximum value: 4294967294

0

type

Type of policy.

option

-

transparent

Option

Description

explicit-web

Explicit Web Proxy policy

transparent

Transparent firewall policy

explicit-ftp

Explicit FTP Proxy policy

ssh-tunnel

SSH Tunnel policy

ssh

SSH policy

access-proxy

Access Proxy

ztna-proxy

ZTNA Proxy

wanopt

WANopt Tunnel

status

Enable or disable this policy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

force-proxy

Force proxy.

option

-

disable

Option

Description

enable

Force all TCP transparent traffic to proxy.

disable

Do not force TCP transparent traffic to proxy.

implicit-proxy-detection

Implicit proxy detection.

option

-

disable

Option

Description

enable

Enable implicit proxy detection.

disable

Disable implicit proxy detection.

dynamic-bypass

Dynamic bypass.

option

-

disable

Option

Description

enable

Enable dynamic bypass to all HTTP traffic in this policy.

disable

Disable dynamic bypass to all HTTP traffic in this policy.

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

ztna-device-ownership

Enable/disable zero trust device ownership.

option

-

disable

Option

Description

enable

Enable ZTNA device ownership check.

disable

Disable ZTNA device ownership check.

srcaddr <name>

Source address and address group names.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination address and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

IPv6 source address (web proxy and ftp proxy only).

Address name.

string

Maximum length: 79

dstaddr6 <name>

IPv6 destination address (web proxy and ftp proxy only).

Address name.

string

Maximum length: 79

action

Policy action (allow/deny).

option

-

deny

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

redirect

Redirect sessions that match the firewall policy to a url.

isolate

Isolate sessions that match the firewall policy with isolator.

schedule

Schedule name.

string

Maximum length: 35

policy-expiry

Enable/disable policy expiry.

option

-

disable

Option

Description

enable

Enable policy expiry.

disable

Disable polcy expiry.

policy-expiry-date

Policy expiry date (YYYY-MM-DD HH:MM:SS).

datetime

Not Specified

0000-00-00 00:00:00

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

explicit-web-proxy

Explicit web proxy.

string

Maximum length: 35

transparent

set webproxy to use original client address.

option

-

disable

Option

Description

enable

Enable using original client address for webproxy.

disable

Disable using original client address for webproxy.

access-proxy <name>

Access Proxy.

Access Proxy name.

string

Maximum length: 79

ztna-proxy <name>

ZTNA Traffic Forward Proxy.

ZTNA Traffic Forward Proxy name.

string

Maximum length: 79

ztna-ems-tag <name>

Source ztna-ems-tag names.

Address name.

string

Maximum length: 79

ztna-ems-tag-secondary <name>

Source ztna-ems-tag-secondary names.

Address name.

string

Maximum length: 79

ztna-tags-match-logic

ZTNA tag matching logic.

option

-

or

Option

Description

or

Match ZTNA tags using a logical OR operator.

and

Match ZTNA tags using a logical AND operator.

device-ownership

When enabled, the ownership enforcement will be done at policy level.

option

-

disable

Option

Description

enable

Enable device ownership.

disable

Disable device ownership.

pass-through

Enable/disable policy matching pass through

option

-

disable

Option

Description

enable

Enable policy matching pass through.

disable

Disable policy matching pass through.

url-category <id>

URL category ID list.

URL category ID.

integer

Minimum value: 0 Maximum value: 4294967295

url-risk <name>

URL risk level name.

Risk level name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service Name.

Custom Internet Service name.

string

Maximum length: 79

internet-service6

Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of IPv6 Internet Services in policy.

disable

Disable use of IPv6 Internet Services in policy.

internet-service6-name <name>

IPv6 Internet Service name.

IPv6 Internet Service name.

string

Maximum length: 79

internet-service6-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service6-custom <name>

Custom IPv6 Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service6-custom-group <name>

Custom Internet Service6 group name.

Custom Internet Service6 group name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ztna-policy-redirect

Redirect ZTNA traffic to matching Access-Proxy proxy-policy.

option

-

disable

Option

Description

enable

Enable ZTNA proxy-policy redirect.

disable

Disable ZTNA proxy-policy redirect.

webproxy-profile

Web proxy profile using when none matched policy.

string

Maximum length: 63

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts and ends.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

log-http-transaction

Enable/disable http transaction log.

option

-

disable

Option

Description

disable

Disable HTTP transaction log.

enable

Enable HTTP transaction log.

extended-log

Enable/disable extended log for http transaction.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt

Enable/disable WAN optimization.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

wanopt-detection

WAN optimization auto-detection mode.

option

-

active

Option

Description

active

Active WAN optimization peer auto-detection.

passive

Passive WAN optimization peer auto-detection.

off

Turn off WAN optimization peer auto-detection.

wanopt-passive-opt

WAN optimization passive mode options. This option decides what IP address will be used to connect server.

option

-

default

Option

Description

default

Allow client side WAN opt peer to decide.

transparent

Use address of client to connect to server.

non-transparent

Use local FortiProxy address to connect to server.

wanopt-profile

WAN optimization profile.

string

Maximum length: 35

wanopt-peer

WAN optimization peer.

string

Maximum length: 35

webcache

Enable/disable web cache.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

webcache-https

Enable/disable web cache for HTTPS.

option

-

disable

Option

Description

disable

Disable web cache for HTTPS.

enable

Enable web cache for HTTPS.

reverse-cache

Enable/disable reverse cache servers.

option

-

disable

Option

Description

disable

Disable reverse cache.

enable

Enable reverse cache servers.

http-tunnel-auth

Enable/disable HTTP tunnel authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-policy-check

Enable/disable SSH policy check.

option

-

disable

Option

Description

enable

Enable SSH policy check.

disable

Disable SSH policy check.

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

isolator-server

isolator server name.

string

Maximum length: 63

poolname <name>

Name of IP pool object.

IP pool name.

string

Maximum length: 79

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

User name.

string

Maximum length: 79

disclaimer

Web proxy disclaimer setting: by domain, policy, or user.

option

-

disable

Option

Description

disable

Disable disclaimer.

domain

Display the disclaimer for the domain.

policy

Display the disclaimer for the policy.

user

Display the disclaimer for the current user.

comments

Comment.

var-string

Maximum length: 1023

redirect-url

Redirect URL for further web proxy processing.

var-string

Maximum length: 1023

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled, srcaddr specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled, dstaddr specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled, service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service-negate

When enabled, internet-service specifies what the Internet Service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service6-negate

When enabled, internet-service6 specifies what the IPv6 Internet Service must NOT be.

option

-

disable

Option

Description

enable

Enable negated IPv6 Internet Service match.

disable

Disable negated IPv6 Internet Service match.
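The negate flags invert a match, which makes them easy to over-widen: with srcaddr-negate enabled, a policy whose srcaddr is a single address object matches every other source, including subnets, VPN pools and misaddressed hosts that were never considered when the rule was written. The following added example (not from the original page; the explicit proxy name web-proxy, the interface port2, the service webproxy and the address objects guest-wifi and corp-lan are placeholders) shows a negated accept beside the explicit-deny-then-accept ordering that reviewers generally prefer, because the deny enumerates exactly what is excluded and the accept enumerates exactly what is allowed. Policies are evaluated in sequence order, so the deny must sit above the accept in the policy list.

```fortios
# Weak: "allow web access from everything except the guest network".
# Every source not in guest-wifi matches, including networks added later.
config firewall policy
    edit 20
        set name "web-out-except-guest"
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port2"
        set srcaddr "guest-wifi"
        set srcaddr-negate enable
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
    next
end

# Preferred: a positively scoped deny for the exception placed above a
# positively scoped accept, so both sets are visible in the policy list.
config firewall policy
    edit 21
        set name "deny-guest-web"
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port2"
        set srcaddr "guest-wifi"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "webproxy"
    next
    edit 22
        set name "allow-corp-web"
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port2"
        set srcaddr "corp-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
    next
end
```

The same reasoning applies to dstaddr-negate, service-negate and the Internet Service negate flags: a negated list on an accept policy is an allow-list of everything else, and it should be reviewed as such whenever the referenced objects change.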

application <id>

Application ID list.

Application IDs.

integer

Minimum value: 0. Maximum value: 4294967295.

app-category <id>

Application category ID list.

Category IDs.

integer

Minimum value: 0. Maximum value: 4294967295.

app-group <name>

One or more application group names.

Application group name.

string

Maximum length: 79

decrypted-traffic-mirror

Name of an existing decrypted traffic mirror to apply to this policy.

string

Maximum length: 35

max-session-per-user

Maximum number of UTM sessions per user.

integer

Minimum value: 0. Maximum value: 4294967295.

0

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

ia-profile

Name of an existing image analyzer profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-profile

Name of an existing DLP profile.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

isolator-profile

Name of an existing isolator profile.

string

Maximum length: 35

redirect-profile

Name of an existing URL Redirect profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

casb-profile

Name of an existing CASB profile.

string

Maximum length: 35
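The security profile fields above only inspect what the proxy can read. ssl-ssh-profile defaults to no-inspection, so with that default the av-profile, dlp-profile, file-filter-profile and ips-sensor attached to a policy examine HTTP in the clear but never the body of an HTTPS exchange. The added example below (not from the original page) shows the single-profile form with an SSL inspection profile attached, then the equivalent group form. The documented defaults default and no-inspection are real; the names deep-inspection, corp-web-profiles, web-proxy, port2, corp-lan and webproxy are placeholders that assume objects of those names already exist.

```fortios
# Single-profile form. profile-protocol-options and ssl-ssh-profile are
# set explicitly; leaving ssl-ssh-profile at no-inspection would silently
# exclude HTTPS payloads from the AV, web filter and IPS checks below.
config firewall policy
    edit 30
        set name "corp-web-inspected"
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port2"
        set srcaddr "corp-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set profile-type single
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
    next
end

# Group form. With profile-type group the policy takes its security
# profiles from the named profile group instead of the per-profile fields.
config firewall policy
    edit 31
        set name "corp-web-inspected-group"
        set type explicit-web
        set explicit-web-proxy "web-proxy"
        set dstintf "port2"
        set srcaddr "corp-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set profile-type group
        set profile-group "corp-web-profiles"
    next
end
```

When reviewing a policy set, check each accept policy that carries content-inspecting profiles for an ssl-ssh-profile other than no-inspection; a policy that names an AV profile and an IPS sensor but keeps the default looks inspected in the configuration while passing encrypted content through unexamined.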

detect-https-in-http-request

Enable/disable detection of HTTPS in HTTP request.

option

-

disable

Option

Description

enable

Enable detection of HTTPS in HTTP request.

disable

Disable detection of HTTPS in HTTP request.