config firewall policy
Configure firewall policies.
config firewall policy Description: Configure firewall policies. edit <policyid> set type [explicit-web|transparent|...] set status [enable|disable] set name {string} set uuid {uuid} set force-proxy [enable|disable] set implicit-proxy-detection [enable|disable] set dynamic-bypass [enable|disable] set srcintf <name1>, <name2>, ... set dstintf <name1>, <name2>, ... set ztna-device-ownership [enable|disable] set srcaddr <name1>, <name2>, ... set dstaddr <name1>, <name2>, ... set srcaddr6 <name1>, <name2>, ... set dstaddr6 <name1>, <name2>, ... set action [accept|deny|...] set schedule {string} set policy-expiry [enable|disable] set policy-expiry-date {datetime} set service <name1>, <name2>, ... set explicit-web-proxy {string} set transparent [enable|disable] set access-proxy <name1>, <name2>, ... set ztna-proxy <name1>, <name2>, ... set ztna-ems-tag <name1>, <name2>, ... set ztna-ems-tag-secondary <name1>, <name2>, ... set ztna-tags-match-logic [or|and] set device-ownership [enable|disable] set pass-through [enable|disable] set url-category <id1>, <id2>, ... set url-risk <name1>, <name2>, ... set internet-service [enable|disable] set internet-service-name <name1>, <name2>, ... set internet-service-group <name1>, <name2>, ... set internet-service-custom <name1>, <name2>, ... set internet-service6 [enable|disable] set internet-service6-name <name1>, <name2>, ... set internet-service6-group <name1>, <name2>, ... set internet-service6-custom <name1>, <name2>, ... set internet-service6-custom-group <name1>, <name2>, ... set internet-service-custom-group <name1>, <name2>, ... set utm-status [enable|disable] set ztna-policy-redirect [enable|disable] set webproxy-profile {string} set logtraffic [all|utm|...] set logtraffic-start [enable|disable] set log-http-transaction [disable|enable] set extended-log [enable|disable] set wanopt [enable|disable] set wanopt-detection [active|passive|...] set wanopt-passive-opt [default|transparent|...] set wanopt-profile {string} set wanopt-peer {string} set webcache [enable|disable] set webcache-https [disable|enable] set reverse-cache [disable|enable] set http-tunnel-auth [enable|disable] set ssh-policy-check [enable|disable] set webproxy-forward-server {string} set isolator-server {string} set poolname <name1>, <name2>, ... set groups <name1>, <name2>, ... set users <name1>, <name2>, ... set disclaimer [disable|domain|...] set comments {var-string} set redirect-url {var-string} set custom-log-fields <field-id1>, <field-id2>, ... set replacemsg-override-group {string} set srcaddr-negate [enable|disable] set dstaddr-negate [enable|disable] set service-negate [enable|disable] set internet-service-negate [enable|disable] set internet-service6-negate [enable|disable] set application <id1>, <id2>, ... set app-category <id1>, <id2>, ... set app-group <name1>, <name2>, ... set decrypted-traffic-mirror {string} set max-session-per-user {integer} set profile-type [single|group] set profile-group {string} set profile-protocol-options {string} set ssl-ssh-profile {string} set av-profile {string} set ia-profile {string} set webfilter-profile {string} set dnsfilter-profile {string} set emailfilter-profile {string} set dlp-profile {string} set file-filter-profile {string} set ips-sensor {string} set application-list {string} set icap-profile {string} set cifs-profile {string} set videofilter-profile {string} set isolator-profile {string} set redirect-profile {string} set ssh-filter-profile {string} set casb-profile {string} set detect-https-in-http-request [enable|disable] next end
config firewall policy
Parameter |
Description |
Type |
Size |
Default |
||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
policyid |
Policy ID. |
integer |
Minimum value: 0 Maximum value: 4294967294 |
0 |
||||||||||||||||||
type |
Type of policy. |
option |
- |
transparent |
||||||||||||||||||
|
|
|||||||||||||||||||||
status |
Enable or disable this policy. |
option |
- |
enable |
||||||||||||||||||
|
|
|||||||||||||||||||||
name |
Policy name. |
string |
Maximum length: 35 |
|
||||||||||||||||||
uuid |
Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
uuid |
Not Specified |
00000000-0000-0000-0000-000000000000 |
||||||||||||||||||
force-proxy |
Force proxy. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
implicit-proxy-detection |
Implicit proxy detection. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
dynamic-bypass |
Dynamic bypass. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
srcintf |
Incoming (ingress) interface. Interface name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
dstintf |
Outgoing (egress) interface. Interface name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
ztna-device-ownership |
Enable/disable zero trust device ownership. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
srcaddr |
Source address and address group names. Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
dstaddr |
Destination address and address group names. Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
srcaddr6 |
IPv6 source address (web proxy and ftp proxy only). Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
dstaddr6 |
IPv6 destination address (web proxy and ftp proxy only). Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
action |
Policy action (allow/deny). |
option |
- |
deny |
||||||||||||||||||
|
|
|||||||||||||||||||||
schedule |
Schedule name. |
string |
Maximum length: 35 |
|
||||||||||||||||||
policy-expiry |
Enable/disable policy expiry. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
policy-expiry-date |
Policy expiry date (YYYY-MM-DD HH:MM:SS). |
datetime |
Not Specified |
0000-00-00 00:00:00 |
||||||||||||||||||
service |
Service and service group names. Service and service group names. |
string |
Maximum length: 79 |
|
||||||||||||||||||
explicit-web-proxy |
Explicit web proxy. |
string |
Maximum length: 35 |
|
||||||||||||||||||
transparent |
set webproxy to use original client address. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
access-proxy |
Access Proxy. Access Proxy name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
ztna-proxy |
ZTNA Traffic Forward Proxy. ZTNA Traffic Forward Proxy name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
ztna-ems-tag |
Source ztna-ems-tag names. Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
ztna-ems-tag-secondary |
Source ztna-ems-tag-secondary names. Address name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
ztna-tags-match-logic |
ZTNA tag matching logic. |
option |
- |
or |
||||||||||||||||||
|
|
|||||||||||||||||||||
device-ownership |
When enabled, the ownership enforcement will be done at policy level. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
pass-through |
Enable/disable policy matching pass through |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
url-category |
URL category ID list. URL category ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||||||||||||
url-risk |
URL risk level name. Risk level name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service |
Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
internet-service-name |
Internet Service name. Internet Service name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service-group |
Internet Service group name. Internet Service group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service-custom |
Custom Internet Service Name. Custom Internet Service name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service6 |
Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
internet-service6-name |
IPv6 Internet Service name. IPv6 Internet Service name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service6-group |
Internet Service group name. Internet Service group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service6-custom |
Custom IPv6 Internet Service name. Custom Internet Service name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service6-custom-group |
Custom Internet Service6 group name. Custom Internet Service6 group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
internet-service-custom-group |
Custom Internet Service group name. Custom Internet Service group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
utm-status |
Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
ztna-policy-redirect |
Redirect ZTNA traffic to matching Access-Proxy proxy-policy. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
webproxy-profile |
Web proxy profile using when none matched policy. |
string |
Maximum length: 63 |
|
||||||||||||||||||
logtraffic |
Enable or disable logging. Log all sessions or security profile sessions. |
option |
- |
utm |
||||||||||||||||||
|
|
|||||||||||||||||||||
logtraffic-start |
Record logs when a session starts and ends. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
log-http-transaction |
Enable/disable http transaction log. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
extended-log |
Enable/disable extended log for http transaction. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
wanopt |
Enable/disable WAN optimization. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
wanopt-detection |
WAN optimization auto-detection mode. |
option |
- |
active |
||||||||||||||||||
|
|
|||||||||||||||||||||
wanopt-passive-opt |
WAN optimization passive mode options. This option decides what IP address will be used to connect server. |
option |
- |
default |
||||||||||||||||||
|
|
|||||||||||||||||||||
wanopt-profile |
WAN optimization profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
wanopt-peer |
WAN optimization peer. |
string |
Maximum length: 35 |
|
||||||||||||||||||
webcache |
Enable/disable web cache. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
webcache-https |
Enable/disable web cache for HTTPS. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
reverse-cache |
Enable/disable reverse cache servers. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
http-tunnel-auth |
Enable/disable HTTP tunnel authentication. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
ssh-policy-check |
Enable/disable SSH policy check. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
webproxy-forward-server |
Webproxy forward server name. |
string |
Maximum length: 63 |
|
||||||||||||||||||
isolator-server |
isolator server name. |
string |
Maximum length: 63 |
|
||||||||||||||||||
poolname |
Name of IP pool object. IP pool name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
groups |
Names of user groups that can authenticate with this policy. Group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
users |
Names of individual users that can authenticate with this policy. Names of individual users that can authenticate with this policy. |
string |
Maximum length: 79 |
|
||||||||||||||||||
disclaimer |
Web proxy disclaimer setting: by domain, policy, or user. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
comments |
Comment. |
var-string |
Maximum length: 1023 |
|
||||||||||||||||||
redirect-url |
Redirect URL for further web proxy processing. |
var-string |
Maximum length: 1023 |
|
||||||||||||||||||
custom-log-fields |
Custom fields to append to log messages for this policy. Custom log field. |
string |
Maximum length: 35 |
|
||||||||||||||||||
replacemsg-override-group |
Override the default replacement message group for this policy. |
string |
Maximum length: 35 |
|
||||||||||||||||||
srcaddr-negate |
When enabled srcaddr specifies what the source address must NOT be. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
dstaddr-negate |
When enabled dstaddr specifies what the destination address must NOT be. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
service-negate |
When enabled service specifies what the service must NOT be. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
internet-service-negate |
When enabled internet-service specifies what the service must NOT be. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
internet-service6-negate |
When enabled internet-service6 specifies what the service must not be. |
option |
- |
disable |
||||||||||||||||||
|
|
|||||||||||||||||||||
application |
Application ID list. Application IDs. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||||||||||||
app-category |
Application category ID list. Category IDs. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|
||||||||||||||||||
app-group |
One or more application group names. Application group name. |
string |
Maximum length: 79 |
|
||||||||||||||||||
decrypted-traffic-mirror |
Decrypted traffic mirror. |
string |
Maximum length: 35 |
|
||||||||||||||||||
max-session-per-user |
Max UTM sessions per user. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||||||||||||
profile-type |
Determine whether the firewall policy allows security profile groups or single profiles only. |
option |
- |
single |
||||||||||||||||||
|
|
|||||||||||||||||||||
profile-group |
Name of profile group. |
string |
Maximum length: 35 |
|
||||||||||||||||||
profile-protocol-options |
Name of an existing Protocol options profile. |
string |
Maximum length: 35 |
default |
||||||||||||||||||
ssl-ssh-profile |
Name of an existing SSL SSH profile. |
string |
Maximum length: 35 |
no-inspection |
||||||||||||||||||
av-profile |
Name of an existing Antivirus profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
ia-profile |
Image analyzer profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
webfilter-profile |
Name of an existing Web filter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
dnsfilter-profile |
Name of an existing DNS filter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
emailfilter-profile |
Name of an existing email filter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
dlp-profile |
Name of an existing DLP profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
file-filter-profile |
Name of an existing file-filter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
ips-sensor |
Name of an existing IPS sensor. |
string |
Maximum length: 35 |
|
||||||||||||||||||
application-list |
Name of an existing Application list. |
string |
Maximum length: 35 |
|
||||||||||||||||||
icap-profile |
Name of an existing ICAP profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
cifs-profile |
Name of an existing CIFS profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
videofilter-profile |
Name of an existing VideoFilter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
isolator-profile |
Name of an existing isolator profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
redirect-profile |
Name of an existing URL Redirect profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
ssh-filter-profile |
Name of an existing SSH filter profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
casb-profile |
Name of an existing CASB profile. |
string |
Maximum length: 35 |
|
||||||||||||||||||
detect-https-in-http-request |
Enable/disable detection of HTTPS in HTTP request. |
option |
- |
disable |
||||||||||||||||||
|
|