Fortinet white logo
Fortinet white logo

CLI Reference

config firewall policy

config firewall policy

Configure IPv4/IPv6 policies.

config firewall policy

Description: Configure IPv4/IPv6 policies.

edit <policyid>

set status [enable|disable]

set name {string}

set uuid {uuid}

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set action [accept|deny|...]

set nat64 [enable|disable]

set nat46 [enable|disable]

set ztna-status [enable|disable]

set srcaddr <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set ztna-ems-tag <name1>, <name2>, ...

set ztna-geo-tag <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-src [enable|disable]

set internet-service-src-name <name1>, <name2>, ...

set internet-service-src-group <name1>, <name2>, ...

set internet-service-src-custom <name1>, <name2>, ...

set internet-service-src-custom-group <name1>, <name2>, ...

set reputation-minimum {integer}

set reputation-direction [source|destination]

set src-vendor-mac <id1>, <id2>, ...

set rtp-nat [disable|enable]

set rtp-addr <name1>, <name2>, ...

set send-deny-packet [disable|enable]

set firewall-session-dirty [check-all|check-new]

set schedule {string}

set schedule-timeout [enable|disable]

set policy-expiry [enable|disable]

set policy-expiry-date {datetime}

set service <name1>, <name2>, ...

set tos {user}

set tos-mask {user}

set tos-negate [enable|disable]

set anti-replay [enable|disable]

set tcp-session-without-syn [all|data-only|...]

set geoip-anycast [enable|disable]

set geoip-match [physical-location|registered-location]

set dynamic-shaping [enable|disable]

set passive-wan-health-measurement [enable|disable]

set utm-status [enable|disable]

set inspection-mode [proxy|flow]

set http-policy-redirect [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-profile {string}

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set dnsfilter-profile {string}

set emailfilter-profile {string}

set dlp-profile {string}

set file-filter-profile {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set sctp-filter-profile {string}

set icap-profile {string}

set cifs-profile {string}

set videofilter-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set logtraffic [all|utm|...]

set logtraffic-start [enable|disable]

set auto-asic-offload [enable|disable]

set np-acceleration [enable|disable]

set webproxy-forward-server {string}

set traffic-shaper {string}

set traffic-shaper-reverse {string}

set per-ip-shaper {string}

set nat [enable|disable]

set permit-any-host [enable|disable]

set permit-stun-host [enable|disable]

set fixedport [enable|disable]

set ippool [enable|disable]

set poolname <name1>, <name2>, ...

set poolname6 <name1>, <name2>, ...

set session-ttl {user}

set vlan-cos-fwd {integer}

set vlan-cos-rev {integer}

set inbound [enable|disable]

set outbound [enable|disable]

set natinbound [enable|disable]

set natoutbound [enable|disable]

set fec [enable|disable]

set wccp [enable|disable]

set ntlm [enable|disable]

set ntlm-guest [enable|disable]

set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...

set fsso-agent-for-ntlm {string}

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set fsso-groups <name1>, <name2>, ...

set auth-path [enable|disable]

set disclaimer [enable|disable]

set email-collect [enable|disable]

set vpntunnel {string}

set natip {ipv4-classnet}

set match-vip [enable|disable]

set match-vip-only [enable|disable]

set diffserv-forward [enable|disable]

set diffserv-reverse [enable|disable]

set diffservcode-forward {user}

set diffservcode-rev {user}

set tcp-mss-sender {integer}

set tcp-mss-receiver {integer}

set comments {var-string}

set auth-cert {string}

set auth-redirect-addr {string}

set redirect-url {var-string}

set identity-based-route {string}

set block-notification [enable|disable]

set custom-log-fields <field-id1>, <field-id2>, ...

set replacemsg-override-group {string}

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-src-negate [enable|disable]

set timeout-send-rst [enable|disable]

set captive-portal-exempt [enable|disable]

set decrypted-traffic-mirror {string}

set dsri [enable|disable]

set radius-mac-auth-bypass [enable|disable]

set delay-tcp-npu-session [enable|disable]

set vlan-filter {user}

set sgt-check [enable|disable]

set sgt <id1>, <id2>, ...

next

end

config firewall policy

Parameter

Description

Type

Size

Default

status

Enable or disable this policy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

action

Policy action (accept/deny/ipsec).

option

-

deny

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

nat64

Enable/disable NAT64.

option

-

disable

Option

Description

enable

Enable NAT64.

disable

Disable NAT64.

nat46

Enable/disable NAT46.

option

-

disable

Option

Description

enable

Enable NAT46.

disable

Disable NAT46.

ztna-status

Enable/disable zero trust access.

option

-

disable

Option

Description

enable

Enable zero trust network access.

disable

Disable zero trust network access.

srcaddr <name>

Source IPv4 address and address group names.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination IPv4 address and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source IPv6 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr6 <name>

Destination IPv6 address name and address group names.

Address name.

string

Maximum length: 79

ztna-ems-tag <name>

Source ztna-ems-tag names.

Address name.

string

Maximum length: 79

ztna-geo-tag <name>

Source ztna-geo-tag names.

Address name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services source in policy.

disable

Disable use of Internet Services source in policy.

internet-service-src-name <name>

Internet Service source name.

Internet Service name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

reputation-minimum

Minimum Reputation to take action.

integer

Minimum value: 0 Maximum value: 4294967295

0

reputation-direction

Direction of the initial traffic for reputation to take effect.

option

-

destination

Option

Description

source

Check reputation for source address.

destination

Check reputation for destination address.

src-vendor-mac <id>

Vendor MAC source ID.

Vendor MAC ID.

integer

Minimum value: 0 Maximum value: 4294967295

rtp-nat

Enable Real Time Protocol (RTP) NAT.

option

-

disable

Option

Description

disable

Disable setting.

enable

Enable setting.

rtp-addr <name>

Address names if this is an RTP NAT policy.

Address name.

string

Maximum length: 79

send-deny-packet

Enable to send a reply when a session is denied or blocked by a firewall policy.

option

-

disable

Option

Description

disable

Disable deny-packet sending.

enable

Enable deny-packet sending.

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.

option

-

check-all

Option

Description

check-all

Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.

check-new

Continue to allow sessions already accepted by this policy.

schedule

Schedule name.

string

Maximum length: 35

schedule-timeout

Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.

option

-

disable

Option

Description

enable

Enable schedule timeout.

disable

Disable schedule timeout.

policy-expiry

Enable/disable policy expiry.

option

-

disable

Option

Description

enable

Enable policy expiry.

disable

Disable polcy expiry.

policy-expiry-date

Policy expiry date (YYYY-MM-DD HH:MM:SS).

datetime

Not Specified

0000-00-00 00:00:00

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.

option

-

disable

Option

Description

enable

Enable TOS match negate.

disable

Disable TOS match negate.

anti-replay

Enable/disable anti-replay check.

option

-

enable

Option

Description

enable

Enable anti-replay check.

disable

Disable anti-replay check.

tcp-session-without-syn

Enable/disable creation of TCP session without SYN flag.

option

-

disable

Option

Description

all

Enable TCP session without SYN.

data-only

Enable TCP session data only.

disable

Disable TCP session without SYN.

geoip-anycast

Enable/disable recognition of anycast IP addresses using the geography IP database.

option

-

disable

Option

Description

enable

Enable recognition of anycast IP addresses using the geography IP database.

disable

Disable recognition of anycast IP addresses using the geography IP database.

geoip-match

Match geography address based either on its physical location or registered location.

option

-

physical-location

Option

Description

physical-location

Match geography address to its physical location using the geography IP database.

registered-location

Match geography address to its registered location using the geography IP database.

dynamic-shaping

Enable/disable dynamic RADIUS defined traffic shaping.

option

-

disable

Option

Description

enable

Enable dynamic RADIUS defined traffic shaping.

disable

Disable dynamic RADIUS defined traffic shaping.

passive-wan-health-measurement

Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.

option

-

disable

Option

Description

enable

Enable Passive WAN health measurement.

disable

Disable Passive WAN health measurement.

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

flow

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

disable

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

disable

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-profile

Name of an existing DLP profile.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

sctp-filter-profile

Name of an existing SCTP filter profile.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-asic-offload

Enable/disable policy traffic ASIC offloading.

option

-

enable

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

np-acceleration *

Enable/disable UTM Network Processor acceleration.

option

-

enable

Option

Description

enable

Enable UTM Network Processor acceleration.

disable

Disable UTM Network Processor acceleration.

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

traffic-shaper

Traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-any-host

Accept UDP packets from any host.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-stun-host

Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ippool

Enable to use IP Pools for source NAT.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

poolname <name>

IP Pool names.

IP pool name.

string

Maximum length: 79

poolname6 <name>

IPv6 pool names.

IPv6 pool name.

string

Maximum length: 79

session-ttl

TTL in seconds for sessions accepted by this policy .

user

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

255

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

255

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

fec

Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.

option

-

disable

Option

Description

enable

Enable Forward Error Correction.

disable

Disable Forward Error Correction.

wccp

Enable/disable forwarding traffic matching this policy to a configured WCCP server.

option

-

disable

Option

Description

enable

Enable WCCP setting.

disable

Disable WCCP setting.

ntlm

Enable/disable NTLM authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ntlm-guest

Enable/disable NTLM guest user access.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ntlm-enabled-browsers <user-agent-string>

HTTP-User-Agent value of supported browsers.

User agent string.

string

Maximum length: 79

fsso-agent-for-ntlm

FSSO agent to use for NTLM authentication.

string

Maximum length: 35

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

auth-path

Enable/disable authentication-based routing.

option

-

disable

Option

Description

enable

Enable authentication-based routing.

disable

Disable authentication-based routing.

disclaimer

Enable/disable user authentication disclaimer.

option

-

disable

Option

Description

enable

Enable user authentication disclaimer.

disable

Disable user authentication disclaimer.

email-collect

Enable/disable email collection.

option

-

disable

Option

Description

enable

Enable email collection.

disable

Disable email collection.

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

natip

Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

match-vip

Enable to match packets that have had their destination addresses changed by a VIP.

option

-

disable

Option

Description

enable

Match DNATed packet.

disable

Do not match DNATed packet.

match-vip-only

Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.

option

-

disable

Option

Description

enable

Enable matching of only those packets that have had their destination addresses changed by a VIP.

disable

Disable matching of only those packets that have had their destination addresses changed by a VIP.

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

disable

Option

Description

enable

Enable setting forward (original) traffic Diffserv.

disable

Disable setting forward (original) traffic Diffserv.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

disable

Option

Description

enable

Enable setting reverse (reply) traffic DiffServ.

disable

Disable setting reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

0

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

0

comments

Comment.

var-string

Maximum length: 1023

auth-cert

HTTPS server certificate for policy authentication.

string

Maximum length: 35

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall authentication.

string

Maximum length: 63

redirect-url

URL users are directed to after seeing and accepting the disclaimer or authenticating.

var-string

Maximum length: 1023

identity-based-route

Name of identity-based routing rule.

string

Maximum length: 35

block-notification

Enable/disable block notification.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr/srcaddr6 specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.

option

-

disable

Option

Description

enable

Enable sending of RST packet upon TCP session expiration.

disable

Disable sending of RST packet upon TCP session expiration.

captive-portal-exempt

Enable to exempt some users from the captive portal.

option

-

disable

Option

Description

enable

Enable exemption of captive portal.

disable

Disable exemption of captive portal.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.

option

-

disable

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

radius-mac-auth-bypass

Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.

option

-

disable

Option

Description

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

delay-tcp-npu-session

Enable TCP NPU session delay to guarantee packet order of 3-way handshake.

option

-

disable

Option

Description

enable

Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

disable

Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

vlan-filter

Set VLAN filters.

user

Not Specified

sgt-check

Enable/disable security group tags (SGT) check.

option

-

disable

Option

Description

enable

Enable SGT check.

disable

Disable SGT check.

sgt <id>

Security group tags.

Security group tag (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

* This parameter may not exist in some models.

config firewall policy

config firewall policy

Configure IPv4/IPv6 policies.

config firewall policy

Description: Configure IPv4/IPv6 policies.

edit <policyid>

set status [enable|disable]

set name {string}

set uuid {uuid}

set srcintf <name1>, <name2>, ...

set dstintf <name1>, <name2>, ...

set action [accept|deny|...]

set nat64 [enable|disable]

set nat46 [enable|disable]

set ztna-status [enable|disable]

set srcaddr <name1>, <name2>, ...

set dstaddr <name1>, <name2>, ...

set srcaddr6 <name1>, <name2>, ...

set dstaddr6 <name1>, <name2>, ...

set ztna-ems-tag <name1>, <name2>, ...

set ztna-geo-tag <name1>, <name2>, ...

set internet-service [enable|disable]

set internet-service-name <name1>, <name2>, ...

set internet-service-group <name1>, <name2>, ...

set internet-service-custom <name1>, <name2>, ...

set internet-service-custom-group <name1>, <name2>, ...

set internet-service-src [enable|disable]

set internet-service-src-name <name1>, <name2>, ...

set internet-service-src-group <name1>, <name2>, ...

set internet-service-src-custom <name1>, <name2>, ...

set internet-service-src-custom-group <name1>, <name2>, ...

set reputation-minimum {integer}

set reputation-direction [source|destination]

set src-vendor-mac <id1>, <id2>, ...

set rtp-nat [disable|enable]

set rtp-addr <name1>, <name2>, ...

set send-deny-packet [disable|enable]

set firewall-session-dirty [check-all|check-new]

set schedule {string}

set schedule-timeout [enable|disable]

set policy-expiry [enable|disable]

set policy-expiry-date {datetime}

set service <name1>, <name2>, ...

set tos {user}

set tos-mask {user}

set tos-negate [enable|disable]

set anti-replay [enable|disable]

set tcp-session-without-syn [all|data-only|...]

set geoip-anycast [enable|disable]

set geoip-match [physical-location|registered-location]

set dynamic-shaping [enable|disable]

set passive-wan-health-measurement [enable|disable]

set utm-status [enable|disable]

set inspection-mode [proxy|flow]

set http-policy-redirect [enable|disable]

set ssh-policy-redirect [enable|disable]

set webproxy-profile {string}

set profile-type [single|group]

set profile-group {string}

set profile-protocol-options {string}

set ssl-ssh-profile {string}

set av-profile {string}

set webfilter-profile {string}

set dnsfilter-profile {string}

set emailfilter-profile {string}

set dlp-profile {string}

set file-filter-profile {string}

set ips-sensor {string}

set application-list {string}

set voip-profile {string}

set sctp-filter-profile {string}

set icap-profile {string}

set cifs-profile {string}

set videofilter-profile {string}

set waf-profile {string}

set ssh-filter-profile {string}

set logtraffic [all|utm|...]

set logtraffic-start [enable|disable]

set auto-asic-offload [enable|disable]

set np-acceleration [enable|disable]

set webproxy-forward-server {string}

set traffic-shaper {string}

set traffic-shaper-reverse {string}

set per-ip-shaper {string}

set nat [enable|disable]

set permit-any-host [enable|disable]

set permit-stun-host [enable|disable]

set fixedport [enable|disable]

set ippool [enable|disable]

set poolname <name1>, <name2>, ...

set poolname6 <name1>, <name2>, ...

set session-ttl {user}

set vlan-cos-fwd {integer}

set vlan-cos-rev {integer}

set inbound [enable|disable]

set outbound [enable|disable]

set natinbound [enable|disable]

set natoutbound [enable|disable]

set fec [enable|disable]

set wccp [enable|disable]

set ntlm [enable|disable]

set ntlm-guest [enable|disable]

set ntlm-enabled-browsers <user-agent-string1>, <user-agent-string2>, ...

set fsso-agent-for-ntlm {string}

set groups <name1>, <name2>, ...

set users <name1>, <name2>, ...

set fsso-groups <name1>, <name2>, ...

set auth-path [enable|disable]

set disclaimer [enable|disable]

set email-collect [enable|disable]

set vpntunnel {string}

set natip {ipv4-classnet}

set match-vip [enable|disable]

set match-vip-only [enable|disable]

set diffserv-forward [enable|disable]

set diffserv-reverse [enable|disable]

set diffservcode-forward {user}

set diffservcode-rev {user}

set tcp-mss-sender {integer}

set tcp-mss-receiver {integer}

set comments {var-string}

set auth-cert {string}

set auth-redirect-addr {string}

set redirect-url {var-string}

set identity-based-route {string}

set block-notification [enable|disable]

set custom-log-fields <field-id1>, <field-id2>, ...

set replacemsg-override-group {string}

set srcaddr-negate [enable|disable]

set dstaddr-negate [enable|disable]

set service-negate [enable|disable]

set internet-service-negate [enable|disable]

set internet-service-src-negate [enable|disable]

set timeout-send-rst [enable|disable]

set captive-portal-exempt [enable|disable]

set decrypted-traffic-mirror {string}

set dsri [enable|disable]

set radius-mac-auth-bypass [enable|disable]

set delay-tcp-npu-session [enable|disable]

set vlan-filter {user}

set sgt-check [enable|disable]

set sgt <id1>, <id2>, ...

next

end

config firewall policy

Parameter

Description

Type

Size

Default

status

Enable or disable this policy.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

name

Policy name.

string

Maximum length: 35

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

srcintf <name>

Incoming (ingress) interface.

Interface name.

string

Maximum length: 79

dstintf <name>

Outgoing (egress) interface.

Interface name.

string

Maximum length: 79

action

Policy action (accept/deny/ipsec).

option

-

deny

Option

Description

accept

Allows session that match the firewall policy.

deny

Blocks sessions that match the firewall policy.

ipsec

Firewall policy becomes a policy-based IPsec VPN policy.

nat64

Enable/disable NAT64.

option

-

disable

Option

Description

enable

Enable NAT64.

disable

Disable NAT64.

nat46

Enable/disable NAT46.

option

-

disable

Option

Description

enable

Enable NAT46.

disable

Disable NAT46.

ztna-status

Enable/disable zero trust access.

option

-

disable

Option

Description

enable

Enable zero trust network access.

disable

Disable zero trust network access.

srcaddr <name>

Source IPv4 address and address group names.

Address name.

string

Maximum length: 79

dstaddr <name>

Destination IPv4 address and address group names.

Address name.

string

Maximum length: 79

srcaddr6 <name>

Source IPv6 address name and address group names.

Address name.

string

Maximum length: 79

dstaddr6 <name>

Destination IPv6 address name and address group names.

Address name.

string

Maximum length: 79

ztna-ems-tag <name>

Source ztna-ems-tag names.

Address name.

string

Maximum length: 79

ztna-geo-tag <name>

Source ztna-geo-tag names.

Address name.

string

Maximum length: 79

internet-service

Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services in policy.

disable

Disable use of Internet Services in policy.

internet-service-name <name>

Internet Service name.

Internet Service name.

string

Maximum length: 79

internet-service-group <name>

Internet Service group name.

Internet Service group name.

string

Maximum length: 79

internet-service-custom <name>

Custom Internet Service name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-custom-group <name>

Custom Internet Service group name.

Custom Internet Service group name.

string

Maximum length: 79

internet-service-src

Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.

option

-

disable

Option

Description

enable

Enable use of Internet Services source in policy.

disable

Disable use of Internet Services source in policy.

internet-service-src-name <name>

Internet Service source name.

Internet Service name.

string

Maximum length: 79

internet-service-src-group <name>

Internet Service source group name.

Internet Service group name.

string

Maximum length: 79

internet-service-src-custom <name>

Custom Internet Service source name.

Custom Internet Service name.

string

Maximum length: 79

internet-service-src-custom-group <name>

Custom Internet Service source group name.

Custom Internet Service group name.

string

Maximum length: 79

reputation-minimum

Minimum Reputation to take action.

integer

Minimum value: 0 Maximum value: 4294967295

0

reputation-direction

Direction of the initial traffic for reputation to take effect.

option

-

destination

Option

Description

source

Check reputation for source address.

destination

Check reputation for destination address.

src-vendor-mac <id>

Vendor MAC source ID.

Vendor MAC ID.

integer

Minimum value: 0 Maximum value: 4294967295

rtp-nat

Enable Real Time Protocol (RTP) NAT.

option

-

disable

Option

Description

disable

Disable setting.

enable

Enable setting.

rtp-addr <name>

Address names if this is an RTP NAT policy.

Address name.

string

Maximum length: 79

send-deny-packet

Enable to send a reply when a session is denied or blocked by a firewall policy.

option

-

disable

Option

Description

disable

Disable deny-packet sending.

enable

Enable deny-packet sending.

firewall-session-dirty

How to handle sessions if the configuration of this firewall policy changes.

option

-

check-all

Option

Description

check-all

Flush all current sessions accepted by this policy. These sessions must be started and re-matched with policies.

check-new

Continue to allow sessions already accepted by this policy.

schedule

Schedule name.

string

Maximum length: 35

schedule-timeout

Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.

option

-

disable

Option

Description

enable

Enable schedule timeout.

disable

Disable schedule timeout.

policy-expiry

Enable/disable policy expiry.

option

-

disable

Option

Description

enable

Enable policy expiry.

disable

Disable polcy expiry.

policy-expiry-date

Policy expiry date (YYYY-MM-DD HH:MM:SS).

datetime

Not Specified

0000-00-00 00:00:00

service <name>

Service and service group names.

Service and service group names.

string

Maximum length: 79

tos

ToS (Type of Service) value used for comparison.

user

Not Specified

tos-mask

Non-zero bit positions are used for comparison while zero bit positions are ignored.

user

Not Specified

tos-negate

Enable negated TOS match.

option

-

disable

Option

Description

enable

Enable TOS match negate.

disable

Disable TOS match negate.

anti-replay

Enable/disable anti-replay check.

option

-

enable

Option

Description

enable

Enable anti-replay check.

disable

Disable anti-replay check.

tcp-session-without-syn

Enable/disable creation of TCP session without SYN flag.

option

-

disable

Option

Description

all

Enable TCP session without SYN.

data-only

Enable TCP session data only.

disable

Disable TCP session without SYN.

geoip-anycast

Enable/disable recognition of anycast IP addresses using the geography IP database.

option

-

disable

Option

Description

enable

Enable recognition of anycast IP addresses using the geography IP database.

disable

Disable recognition of anycast IP addresses using the geography IP database.

geoip-match

Match geography address based either on its physical location or registered location.

option

-

physical-location

Option

Description

physical-location

Match geography address to its physical location using the geography IP database.

registered-location

Match geography address to its registered location using the geography IP database.

dynamic-shaping

Enable/disable dynamic RADIUS defined traffic shaping.

option

-

disable

Option

Description

enable

Enable dynamic RADIUS defined traffic shaping.

disable

Disable dynamic RADIUS defined traffic shaping.

passive-wan-health-measurement

Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.

option

-

disable

Option

Description

enable

Enable Passive WAN health measurement.

disable

Disable Passive WAN health measurement.

utm-status

Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

inspection-mode

Policy inspection mode (Flow/proxy). Default is Flow mode.

option

-

flow

Option

Description

proxy

Proxy based inspection.

flow

Flow based inspection.

http-policy-redirect

Redirect HTTP(S) traffic to matching transparent web proxy policy.

option

-

disable

Option

Description

enable

Enable HTTP(S) policy redirect.

disable

Disable HTTP(S) policy redirect.

ssh-policy-redirect

Redirect SSH traffic to matching transparent proxy policy.

option

-

disable

Option

Description

enable

Enable SSH policy redirect.

disable

Disable SSH policy redirect.

webproxy-profile

Webproxy profile name.

string

Maximum length: 63

profile-type

Determine whether the firewall policy allows security profile groups or single profiles only.

option

-

single

Option

Description

single

Do not allow security profile groups.

group

Allow security profile groups.

profile-group

Name of profile group.

string

Maximum length: 35

profile-protocol-options

Name of an existing Protocol options profile.

string

Maximum length: 35

default

ssl-ssh-profile

Name of an existing SSL SSH profile.

string

Maximum length: 35

no-inspection

av-profile

Name of an existing Antivirus profile.

string

Maximum length: 35

webfilter-profile

Name of an existing Web filter profile.

string

Maximum length: 35

dnsfilter-profile

Name of an existing DNS filter profile.

string

Maximum length: 35

emailfilter-profile

Name of an existing email filter profile.

string

Maximum length: 35

dlp-profile

Name of an existing DLP profile.

string

Maximum length: 35

file-filter-profile

Name of an existing file-filter profile.

string

Maximum length: 35

ips-sensor

Name of an existing IPS sensor.

string

Maximum length: 35

application-list

Name of an existing Application list.

string

Maximum length: 35

voip-profile

Name of an existing VoIP profile.

string

Maximum length: 35

sctp-filter-profile

Name of an existing SCTP filter profile.

string

Maximum length: 35

icap-profile

Name of an existing ICAP profile.

string

Maximum length: 35

cifs-profile

Name of an existing CIFS profile.

string

Maximum length: 35

videofilter-profile

Name of an existing VideoFilter profile.

string

Maximum length: 35

waf-profile

Name of an existing Web application firewall profile.

string

Maximum length: 35

ssh-filter-profile

Name of an existing SSH filter profile.

string

Maximum length: 35

logtraffic

Enable or disable logging. Log all sessions or security profile sessions.

option

-

utm

Option

Description

all

Log all sessions accepted or denied by this policy.

utm

Log traffic that has a security profile applied to it.

disable

Disable all logging for this policy.

logtraffic-start

Record logs when a session starts.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

auto-asic-offload

Enable/disable policy traffic ASIC offloading.

option

-

enable

Option

Description

enable

Enable auto ASIC offloading.

disable

Disable ASIC offloading.

np-acceleration *

Enable/disable UTM Network Processor acceleration.

option

-

enable

Option

Description

enable

Enable UTM Network Processor acceleration.

disable

Disable UTM Network Processor acceleration.

webproxy-forward-server

Webproxy forward server name.

string

Maximum length: 63

traffic-shaper

Traffic shaper.

string

Maximum length: 35

traffic-shaper-reverse

Reverse traffic shaper.

string

Maximum length: 35

per-ip-shaper

Per-IP traffic shaper.

string

Maximum length: 35

nat

Enable/disable source NAT.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-any-host

Accept UDP packets from any host.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-stun-host

Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

fixedport

Enable to prevent source NAT from changing a session's source port.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ippool

Enable to use IP Pools for source NAT.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

poolname <name>

IP Pool names.

IP pool name.

string

Maximum length: 79

poolname6 <name>

IPv6 pool names.

IPv6 pool name.

string

Maximum length: 79

session-ttl

TTL in seconds for sessions accepted by this policy .

user

Not Specified

vlan-cos-fwd

VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

255

vlan-cos-rev

VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.

integer

Minimum value: 0 Maximum value: 7

255

inbound

Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

outbound

Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.

option

-

enable

Option

Description

enable

Enable setting.

disable

Disable setting.

natinbound

Policy-based IPsec VPN: apply destination NAT to inbound traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

natoutbound

Policy-based IPsec VPN: apply source NAT to outbound traffic.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

fec

Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.

option

-

disable

Option

Description

enable

Enable Forward Error Correction.

disable

Disable Forward Error Correction.

wccp

Enable/disable forwarding traffic matching this policy to a configured WCCP server.

option

-

disable

Option

Description

enable

Enable WCCP setting.

disable

Disable WCCP setting.

ntlm

Enable/disable NTLM authentication.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ntlm-guest

Enable/disable NTLM guest user access.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ntlm-enabled-browsers <user-agent-string>

HTTP-User-Agent value of supported browsers.

User agent string.

string

Maximum length: 79

fsso-agent-for-ntlm

FSSO agent to use for NTLM authentication.

string

Maximum length: 35

groups <name>

Names of user groups that can authenticate with this policy.

Group name.

string

Maximum length: 79

users <name>

Names of individual users that can authenticate with this policy.

Names of individual users that can authenticate with this policy.

string

Maximum length: 79

fsso-groups <name>

Names of FSSO groups.

Names of FSSO groups.

string

Maximum length: 511

auth-path

Enable/disable authentication-based routing.

option

-

disable

Option

Description

enable

Enable authentication-based routing.

disable

Disable authentication-based routing.

disclaimer

Enable/disable user authentication disclaimer.

option

-

disable

Option

Description

enable

Enable user authentication disclaimer.

disable

Disable user authentication disclaimer.

email-collect

Enable/disable email collection.

option

-

disable

Option

Description

enable

Enable email collection.

disable

Disable email collection.

vpntunnel

Policy-based IPsec VPN: name of the IPsec VPN Phase 1.

string

Maximum length: 35

natip

Policy-based IPsec VPN: source NAT IP address for outgoing traffic.

ipv4-classnet

Not Specified

0.0.0.0 0.0.0.0

match-vip

Enable to match packets that have had their destination addresses changed by a VIP.

option

-

disable

Option

Description

enable

Match DNATed packet.

disable

Do not match DNATed packet.

match-vip-only

Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.

option

-

disable

Option

Description

enable

Enable matching of only those packets that have had their destination addresses changed by a VIP.

disable

Disable matching of only those packets that have had their destination addresses changed by a VIP.

diffserv-forward

Enable to change packet's DiffServ values to the specified diffservcode-forward value.

option

-

disable

Option

Description

enable

Enable setting forward (original) traffic Diffserv.

disable

Disable setting forward (original) traffic Diffserv.

diffserv-reverse

Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.

option

-

disable

Option

Description

enable

Enable setting reverse (reply) traffic DiffServ.

disable

Disable setting reverse (reply) traffic DiffServ.

diffservcode-forward

Change packet's DiffServ to this value.

user

Not Specified

diffservcode-rev

Change packet's reverse (reply) DiffServ to this value.

user

Not Specified

tcp-mss-sender

Sender TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

0

tcp-mss-receiver

Receiver TCP maximum segment size (MSS).

integer

Minimum value: 0 Maximum value: 65535

0

comments

Comment.

var-string

Maximum length: 1023

auth-cert

HTTPS server certificate for policy authentication.

string

Maximum length: 35

auth-redirect-addr

HTTP-to-HTTPS redirect address for firewall authentication.

string

Maximum length: 63

redirect-url

URL users are directed to after seeing and accepting the disclaimer or authenticating.

var-string

Maximum length: 1023

identity-based-route

Name of identity-based routing rule.

string

Maximum length: 35

block-notification

Enable/disable block notification.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

custom-log-fields <field-id>

Custom fields to append to log messages for this policy.

Custom log field.

string

Maximum length: 35

replacemsg-override-group

Override the default replacement message group for this policy.

string

Maximum length: 35

srcaddr-negate

When enabled srcaddr/srcaddr6 specifies what the source address must NOT be.

option

-

disable

Option

Description

enable

Enable source address negate.

disable

Disable source address negate.

dstaddr-negate

When enabled dstaddr/dstaddr6 specifies what the destination address must NOT be.

option

-

disable

Option

Description

enable

Enable destination address negate.

disable

Disable destination address negate.

service-negate

When enabled service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated service match.

disable

Disable negated service match.

internet-service-negate

When enabled internet-service specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service match.

disable

Disable negated Internet Service match.

internet-service-src-negate

When enabled internet-service-src specifies what the service must NOT be.

option

-

disable

Option

Description

enable

Enable negated Internet Service source match.

disable

Disable negated Internet Service source match.

timeout-send-rst

Enable/disable sending RST packets when TCP sessions expire.

option

-

disable

Option

Description

enable

Enable sending of RST packet upon TCP session expiration.

disable

Disable sending of RST packet upon TCP session expiration.

captive-portal-exempt

Enable to exempt some users from the captive portal.

option

-

disable

Option

Description

enable

Enable exemption of captive portal.

disable

Disable exemption of captive portal.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

dsri

Enable DSRI to ignore HTTP server responses.

option

-

disable

Option

Description

enable

Enable DSRI.

disable

Disable DSRI.

radius-mac-auth-bypass

Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.

option

-

disable

Option

Description

enable

Enable MAC authentication bypass.

disable

Disable MAC authentication bypass.

delay-tcp-npu-session

Enable TCP NPU session delay to guarantee packet order of 3-way handshake.

option

-

disable

Option

Description

enable

Enable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

disable

Disable TCP NPU session delay in order to guarantee packet order of 3-way handshake.

vlan-filter

Set VLAN filters.

user

Not Specified

sgt-check

Enable/disable security group tags (SGT) check.

option

-

disable

Option

Description

enable

Enable SGT check.

disable

Disable SGT check.

sgt <id>

Security group tags.

Security group tag (1 - 65535).

integer

Minimum value: 1 Maximum value: 65535

* This parameter may not exist in some models.