CLI Reference

config firewall security-policy

Configure NGFW IPv4/IPv6 application policies.

config firewall security-policy
    Description: Configure NGFW IPv4/IPv6 application policies.
    edit <policyid>
        set action [accept|deny]
        set app-category <id1>, <id2>, ...
        set app-group <name1>, <name2>, ...
        set application <id1>, <id2>, ...
        set application-list {string}
        set av-profile {string}
        set cifs-profile {string}
        set comments {var-string}
        set dlp-profile {string}
        set dnsfilter-profile {string}
        set dstaddr <name1>, <name2>, ...
        set dstaddr-negate [enable|disable]
        set dstaddr6 <name1>, <name2>, ...
        set dstintf <name1>, <name2>, ...
        set emailfilter-profile {string}
        set enforce-default-app-port [enable|disable]
        set file-filter-profile {string}
        set fsso-groups <name1>, <name2>, ...
        set groups <name1>, <name2>, ...
        set icap-profile {string}
        set internet-service [enable|disable]
        set internet-service-custom <name1>, <name2>, ...
        set internet-service-custom-group <name1>, <name2>, ...
        set internet-service-group <name1>, <name2>, ...
        set internet-service-name <name1>, <name2>, ...
        set internet-service-negate [enable|disable]
        set internet-service-src [enable|disable]
        set internet-service-src-custom <name1>, <name2>, ...
        set internet-service-src-custom-group <name1>, <name2>, ...
        set internet-service-src-group <name1>, <name2>, ...
        set internet-service-src-name <name1>, <name2>, ...
        set internet-service-src-negate [enable|disable]
        set internet-service6 [enable|disable]
        set internet-service6-custom <name1>, <name2>, ...
        set internet-service6-custom-group <name1>, <name2>, ...
        set internet-service6-group <name1>, <name2>, ...
        set internet-service6-name <name1>, <name2>, ...
        set internet-service6-negate [enable|disable]
        set internet-service6-src [enable|disable]
        set internet-service6-src-custom <name1>, <name2>, ...
        set internet-service6-src-custom-group <name1>, <name2>, ...
        set internet-service6-src-group <name1>, <name2>, ...
        set internet-service6-src-name <name1>, <name2>, ...
        set internet-service6-src-negate [enable|disable]
        set ips-sensor {string}
        set learning-mode [enable|disable]
        set logtraffic [all|utm|...]
        set name {string}
        set nat46 [enable|disable]
        set nat64 [enable|disable]
        set profile-group {string}
        set profile-protocol-options {string}
        set profile-type [single|group]
        set schedule {string}
        set sctp-filter-profile {string}
        set send-deny-packet [disable|enable]
        set service <name1>, <name2>, ...
        set service-negate [enable|disable]
        set srcaddr <name1>, <name2>, ...
        set srcaddr-negate [enable|disable]
        set srcaddr6 <name1>, <name2>, ...
        set srcintf <name1>, <name2>, ...
        set ssh-filter-profile {string}
        set ssl-ssh-profile {string}
        set status [enable|disable]
        set url-category {user}
        set users <name1>, <name2>, ...
        set uuid {uuid}
        set videofilter-profile {string}
        set voip-profile {string}
        set webfilter-profile {string}
    next
end

config firewall security-policy

Parameters (description, type, size and default for each)

action
    Policy action (accept/deny).
    Type: option    Default: deny
    Options:
        accept    Allows sessions that match the firewall policy.
        deny      Blocks sessions that match the firewall policy.

app-category <id>
    Application category ID list. <id>: Category IDs.
    Type: integer    Minimum value: 0    Maximum value: 4294967295

app-group <name>
    Application group names. <name>: Application group name.
    Type: string    Maximum length: 79

application <id>
    Application ID list. <id>: Application IDs.
    Type: integer    Minimum value: 0    Maximum value: 4294967295

application-list
    Name of an existing Application list.
    Type: string    Maximum length: 35

av-profile
    Name of an existing Antivirus profile.
    Type: string    Maximum length: 35

cifs-profile
    Name of an existing CIFS profile.
    Type: string    Maximum length: 35

comments
    Comment.
    Type: var-string    Maximum length: 1023

dlp-profile
    Name of an existing DLP profile.
    Type: string    Maximum length: 35

dnsfilter-profile
    Name of an existing DNS filter profile.
    Type: string    Maximum length: 35

dstaddr <name>
    Destination IPv4 address names and address group names. <name>: Address name.
    Type: string    Maximum length: 79

dstaddr-negate
    When enabled, dstaddr specifies what the destination address must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable destination address negate.
        disable    Disable destination address negate.

dstaddr6 <name>
    Destination IPv6 address names and address group names. <name>: Address name.
    Type: string    Maximum length: 79

dstintf <name>
    Outgoing (egress) interface. <name>: Interface name.
    Type: string    Maximum length: 79

emailfilter-profile
    Name of an existing email filter profile.
    Type: string    Maximum length: 35

enforce-default-app-port
    Enable/disable default application port enforcement for allowed applications.
    Type: option    Default: enable
    Options:
        enable     Enable setting.
        disable    Disable setting.

file-filter-profile
    Name of an existing file-filter profile.
    Type: string    Maximum length: 35

fsso-groups <name>
    Names of FSSO groups. <name>: FSSO group name.
    Type: string    Maximum length: 511

groups <name>
    Names of user groups that can authenticate with this policy. <name>: User group name.
    Type: string    Maximum length: 79

icap-profile
    Name of an existing ICAP profile.
    Type: string    Maximum length: 35

internet-service
    Enable/disable use of Internet Services for this policy. If enabled, destination address, service and default application port enforcement are not used.
    Type: option    Default: disable
    Options:
        enable     Enable use of Internet Services in policy.
        disable    Disable use of Internet Services in policy.

internet-service-custom <name>
    Custom Internet Service names. <name>: Custom Internet Service name.
    Type: string    Maximum length: 79

internet-service-custom-group <name>
    Custom Internet Service group names. <name>: Custom Internet Service group name.
    Type: string    Maximum length: 79

internet-service-group <name>
    Internet Service group names. <name>: Internet Service group name.
    Type: string    Maximum length: 79

internet-service-name <name>
    Internet Service names. <name>: Internet Service name.
    Type: string    Maximum length: 79

internet-service-negate
    When enabled, internet-service specifies what the service must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable negated Internet Service match.
        disable    Disable negated Internet Service match.

internet-service-src
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
    Type: option    Default: disable
    Options:
        enable     Enable use of Internet Services source in policy.
        disable    Disable use of Internet Services source in policy.

internet-service-src-custom <name>
    Custom Internet Service source names. <name>: Custom Internet Service name.
    Type: string    Maximum length: 79

internet-service-src-custom-group <name>
    Custom Internet Service source group names. <name>: Custom Internet Service group name.
    Type: string    Maximum length: 79

internet-service-src-group <name>
    Internet Service source group names. <name>: Internet Service group name.
    Type: string    Maximum length: 79

internet-service-src-name <name>
    Internet Service source names. <name>: Internet Service name.
    Type: string    Maximum length: 79

internet-service-src-negate
    When enabled, internet-service-src specifies what the service must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable negated Internet Service source match.
        disable    Disable negated Internet Service source match.

internet-service6
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address, service and default application port enforcement are not used.
    Type: option    Default: disable
    Options:
        enable     Enable use of IPv6 Internet Services in policy.
        disable    Disable use of IPv6 Internet Services in policy.

internet-service6-custom <name>
    Custom IPv6 Internet Service names. <name>: Custom IPv6 Internet Service name.
    Type: string    Maximum length: 79

internet-service6-custom-group <name>
    Custom IPv6 Internet Service group names. <name>: Custom IPv6 Internet Service group name.
    Type: string    Maximum length: 79

internet-service6-group <name>
    IPv6 Internet Service group names. <name>: Internet Service group name.
    Type: string    Maximum length: 79

internet-service6-name <name>
    IPv6 Internet Service names. <name>: IPv6 Internet Service name.
    Type: string    Maximum length: 79

internet-service6-negate
    When enabled, internet-service6 specifies what the service must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable negated IPv6 Internet Service match.
        disable    Disable negated IPv6 Internet Service match.

internet-service6-src
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
    Type: option    Default: disable
    Options:
        enable     Enable use of IPv6 Internet Services source in policy.
        disable    Disable use of IPv6 Internet Services source in policy.

internet-service6-src-custom <name>
    Custom IPv6 Internet Service source names. <name>: Custom Internet Service name.
    Type: string    Maximum length: 79

internet-service6-src-custom-group <name>
    Custom IPv6 Internet Service source group names. <name>: Custom IPv6 Internet Service group name.
    Type: string    Maximum length: 79

internet-service6-src-group <name>
    IPv6 Internet Service source group names. <name>: Internet Service group name.
    Type: string    Maximum length: 79

internet-service6-src-name <name>
    IPv6 Internet Service source names. <name>: Internet Service name.
    Type: string    Maximum length: 79

internet-service6-src-negate
    When enabled, internet-service6-src specifies what the service must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable negated IPv6 Internet Service source match.
        disable    Disable negated IPv6 Internet Service source match.

ips-sensor
    Name of an existing IPS sensor.
    Type: string    Maximum length: 35

learning-mode
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
    Type: option    Default: disable
    Options:
        enable     Enable learning mode.
        disable    Disable learning mode.

logtraffic
    Enable or disable logging. Log all sessions or security profile sessions.
    Type: option    Default: utm
    Options:
        all        Log all sessions accepted or denied by this policy.
        utm        Log traffic that has a security profile applied to it.
        disable    Disable all logging for this policy.

name
    Policy name.
    Type: string    Maximum length: 35

nat46
    Enable/disable NAT46.
    Type: option    Default: disable
    Options:
        enable     Enable NAT46.
        disable    Disable NAT46.

nat64
    Enable/disable NAT64.
    Type: option    Default: disable
    Options:
        enable     Enable NAT64.
        disable    Disable NAT64.

policyid
    Policy ID.
    Type: integer    Minimum value: 0    Maximum value: 4294967294    Default: 0

profile-group
    Name of profile group.
    Type: string    Maximum length: 35

profile-protocol-options
    Name of an existing Protocol options profile.
    Type: string    Maximum length: 35    Default: default

profile-type
    Determine whether the firewall policy allows security profile groups or single profiles only.
    Type: option    Default: single
    Options:
        single    Do not allow security profile groups.
        group     Allow security profile groups.

schedule
    Schedule name.
    Type: string    Maximum length: 35

sctp-filter-profile
    Name of an existing SCTP filter profile.
    Type: string    Maximum length: 35

send-deny-packet
    Enable to send a reply when a session is denied or blocked by a firewall policy.
    Type: option    Default: disable
    Options:
        disable    Disable deny-packet sending.
        enable     Enable deny-packet sending.

service <name>
    Service and service group names. <name>: Service name.
    Type: string    Maximum length: 79

service-negate
    When enabled, service specifies what the service must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable negated service match.
        disable    Disable negated service match.

srcaddr <name>
    Source IPv4 address names and address group names. <name>: Address name.
    Type: string    Maximum length: 79

srcaddr-negate
    When enabled, srcaddr specifies what the source address must NOT be.
    Type: option    Default: disable
    Options:
        enable     Enable source address negate.
        disable    Disable source address negate.

srcaddr6 <name>
    Source IPv6 address names and address group names. <name>: Address name.
    Type: string    Maximum length: 79

srcintf <name>
    Incoming (ingress) interface. <name>: Interface name.
    Type: string    Maximum length: 79

ssh-filter-profile
    Name of an existing SSH filter profile.
    Type: string    Maximum length: 35

ssl-ssh-profile
    Name of an existing SSL SSH profile.
    Type: string    Maximum length: 35    Default: no-inspection

status
    Enable or disable this policy.
    Type: option    Default: enable
    Options:
        enable     Enable setting.
        disable    Disable setting.

url-category
    URL categories or groups.
    Type: user    Size: Not Specified

users <name>
    Names of individual users that can authenticate with this policy. <name>: User name.
    Type: string    Maximum length: 79

uuid
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Type: uuid    Size: Not Specified    Default: 00000000-0000-0000-0000-000000000000

videofilter-profile
    Name of an existing VideoFilter profile.
    Type: string    Maximum length: 35

voip-profile
    Name of an existing VoIP profile.
    Type: string    Maximum length: 35

webfilter-profile
    Name of an existing Web filter profile.
    Type: string    Maximum length: 35
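As an added example (not part of this reference or of FortiOS itself), the script below parses a security-policy block written in the config/edit/set/next/end layout shown above and reports settings whose documented semantics matter in a review: internet-service or internet-service-src enabled while dstaddr/service or srcaddr are still set (those fields are not used), learning-mode enabled (allows everything and only logs), logtraffic disabled, an accept policy with none of the listed security profiles, and a name over the 35-character maximum. The sample configuration, interface names and address names are constructed for illustration.

```python
import shlex

# Constructed sample (not from any real device): two policies written in the
# config/edit/set/next/end layout documented in this reference.
SAMPLE_CONFIG = """\
config firewall security-policy
    edit 1
        set name "branch-to-saas"
        set srcintf "port1"
        set srcaddr "branch-lan"
        set internet-service enable
        set internet-service-name "Example-SaaS-Service"
        set dstaddr "all"
        set service "HTTPS"
        set action accept
        set logtraffic disable
        set learning-mode enable
    next
    edit 2
        set name "guest-to-servers"
        set srcintf "port3"
        set srcaddr "guest-wifi"
        set dstaddr "server-farm"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end
"""

# Security-profile fields listed in this reference; an accept policy with none
# of them set forwards traffic without any profile applied.
PROFILE_FIELDS = (
    "av-profile", "webfilter-profile", "dnsfilter-profile", "ips-sensor",
    "application-list", "dlp-profile", "file-filter-profile", "emailfilter-profile",
    "cifs-profile", "icap-profile", "sctp-filter-profile", "ssh-filter-profile",
    "videofilter-profile", "voip-profile", "profile-group",
)


def parse_security_policies(text):
    """Return {policyid: {param: [values]}} from a security-policy block."""
    policies, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted names
        if len(tokens) == 2 and tokens[0] == "edit":
            current = policies.setdefault(int(tokens[1]), {})
        elif len(tokens) >= 3 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]  # multi-value params keep every name
        elif tokens == ["next"]:
            current = None
    return policies


def audit_policy(policyid, p):
    """Findings derived from the documented semantics of each field."""
    first = lambda key, default=None: p.get(key, [default])[0]
    findings = []
    if len(first("name", "")) > 35:
        findings.append("name longer than the 35-character maximum")
    if first("internet-service") == "enable" and ("dstaddr" in p or "service" in p):
        findings.append("internet-service enabled: dstaddr and service are not used")
    if first("internet-service-src") == "enable" and "srcaddr" in p:
        findings.append("internet-service-src enabled: srcaddr is not used")
    if first("learning-mode") == "enable":
        findings.append("learning-mode allows everything and only logs it")
    if first("logtraffic", "utm") == "disable":
        findings.append("logging disabled for this policy")
    # action defaults to deny, so only an explicit accept is checked here.
    if first("action", "deny") == "accept" and not any(f in p for f in PROFILE_FIELDS):
        findings.append("accept policy with no security profile applied")
    return findings


def audit_config(text):
    """Map each policyid in the block to its list of findings."""
    return {pid: audit_policy(pid, p)
            for pid, p in parse_security_policies(text).items()}
```

Run `audit_config(SAMPLE_CONFIG)` against a block exported from a configuration backup to get one finding list per policy ID; policy 2 in the sample produces none.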
