Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse
fortios.firewall.getPolicy
Use this data source to get information on a fortios firewall policy.
Using getPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
```typescript
function getPolicy(args: GetPolicyArgs, opts?: InvokeOptions): Promise<GetPolicyResult>
function getPolicyOutput(args: GetPolicyOutputArgs, opts?: InvokeOptions): Output<GetPolicyResult>
```

```python
def get_policy(policyid: Optional[int] = None,
               vdomparam: Optional[str] = None,
               opts: Optional[InvokeOptions] = None) -> GetPolicyResult
def get_policy_output(policyid: Optional[pulumi.Input[int]] = None,
                      vdomparam: Optional[pulumi.Input[str]] = None,
                      opts: Optional[InvokeOptions] = None) -> Output[GetPolicyResult]
```

```go
func LookupPolicy(ctx *Context, args *LookupPolicyArgs, opts ...InvokeOption) (*LookupPolicyResult, error)
func LookupPolicyOutput(ctx *Context, args *LookupPolicyOutputArgs, opts ...InvokeOption) LookupPolicyResultOutput
```

> Note: This function is named LookupPolicy in the Go SDK.

```csharp
public static class GetPolicy
{
    public static Task<GetPolicyResult> InvokeAsync(GetPolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetPolicyResult> Invoke(GetPolicyInvokeArgs args, InvokeOptions? opts = null)
}
```

```java
public static CompletableFuture<GetPolicyResult> getPolicy(GetPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
```

```yaml
fn::invoke:
  function: fortios:firewall/getPolicy:getPolicy
  arguments:
    # arguments dictionary
```
The following arguments are supported:
- Policyid int
- Specify the policyid of the desired firewall policy.
- Vdomparam string
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- policyid Integer
- Specify the policyid of the desired firewall policy.
- vdomparam String
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- policyid number
- Specify the policyid of the desired firewall policy.
- vdomparam string
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- policyid int
- Specify the policyid of the desired firewall policy.
- vdomparam str
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- policyid Number
- Specify the policyid of the desired firewall policy.
- vdomparam String
- Specifies the vdom to which the data source will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
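An added example, not part of the Pulumi or provider documentation: one way to review a get_policy result for permissive settings, using the output properties documented on this page. The snake_case property names, the value spellings ("enable", "disable", "deny", "all") and the `name` key of nested blocks are assumptions, and the sample policies are constructed.

```python
"""Added example: flag permissive settings in a fortios.firewall.get_policy result."""
from collections.abc import Mapping
from types import SimpleNamespace
from typing import Any, List


def _get(obj: Any, key: str, default: Any = None) -> Any:
    """Read a property from a dict (sample data) or an attribute-style result object."""
    if isinstance(obj, Mapping):
        return obj.get(key, default)
    return getattr(obj, key, default)


def _names(blocks: Any) -> set:
    """Lower-cased 'name' of each nested block (assumed key of srcaddr/dstaddr/service)."""
    return {str(_get(b, "name", "")).lower() for b in (blocks or [])}


def _matches_everything(policy: Any, list_key: str, negate_key: str) -> bool:
    """True when the list holds the catch-all object and the match is not negated."""
    if _get(policy, negate_key) == "enable":
        return False  # negated: the list says what the value must NOT be
    return "all" in _names(_get(policy, list_key))


def audit_policy(policy: Any) -> List[str]:
    """Return finding codes for one policy; an empty list means nothing was flagged."""
    if _get(policy, "status") == "disable":
        return []  # a disabled rule passes no traffic
    if _get(policy, "action") == "deny":
        return []  # only rules that let traffic through are reviewed here
    findings = []
    if _get(policy, "logtraffic") == "disable":
        findings.append("NO_LOGGING")
    if _get(policy, "utm_status") != "enable":
        findings.append("NO_SECURITY_PROFILES")
    # Per the property descriptions: with internet_service enabled the destination
    # address and service are not used, and with internet_service_src enabled the
    # source address is not used, so those lists are ignored in that case.
    src_any = (_get(policy, "internet_service_src") != "enable"
               and _matches_everything(policy, "srcaddrs", "srcaddr_negate"))
    dst_any = (_get(policy, "internet_service") != "enable"
               and _matches_everything(policy, "dstaddrs", "dstaddr_negate")
               and _matches_everything(policy, "services", "service_negate"))
    if src_any and dst_any:
        findings.append("ANY_TO_ANY")
    if _get(policy, "permit_any_host") == "enable":
        findings.append("PERMIT_ANY_HOST")
    return findings


# Constructed sample results (not taken from a real device).
_ANY = [{"name": "all"}]
_ALL_SVC = [{"name": "ALL"}]
SAMPLES = {
    # Open rule: no logging, no security profiles, any source to any destination.
    "open": {"policyid": 1, "status": "enable", "action": "accept",
             "logtraffic": "disable", "utm_status": "disable",
             "srcaddrs": _ANY, "dstaddrs": _ANY, "services": _ALL_SVC},
    # Destination negated: "all" now means "nothing", so the rule is not any-to-any.
    "negated": {"policyid": 2, "status": "enable", "action": "accept",
                "logtraffic": "all", "utm_status": "enable",
                "srcaddrs": _ANY, "dstaddrs": _ANY, "dstaddr_negate": "enable",
                "services": _ALL_SVC},
    # Deny rule with otherwise weak settings: skipped.
    "deny": {"policyid": 3, "status": "enable", "action": "deny",
             "logtraffic": "disable", "srcaddrs": _ANY, "dstaddrs": _ANY,
             "services": _ALL_SVC},
    # Internet Service in use: leftover dstaddrs/services are not evaluated.
    "isdb": {"policyid": 4, "status": "enable", "action": "accept",
             "logtraffic": "utm", "utm_status": "enable", "internet_service": "enable",
             "srcaddrs": _ANY, "dstaddrs": _ANY, "services": _ALL_SVC},
    # Attribute-style object, the shape an SDK result object would have.
    "object": SimpleNamespace(policyid=5, status="enable", action="accept",
                              logtraffic="all", utm_status="enable",
                              srcaddrs=[SimpleNamespace(name="all")],
                              dstaddrs=[SimpleNamespace(name="all")],
                              services=[SimpleNamespace(name="ALL")],
                              permit_any_host="enable"),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, audit_policy(sample))
    # In a Pulumi program the input would be the get_policy result, for example
    # audit_policy(get_policy(policyid=1)); the import path of get_policy is
    # not shown on this page and is left out here.
```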
getPolicy Result
The following output properties are available:
- Action string
- Policy action (allow/deny/ipsec).
- AntiReplay string
- Enable/disable anti-replay check.
- AppCategories List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyAppCategory>
- Application category ID list. The structure of app_category block is documented below.
- AppGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyAppGroup>
- Application group names. The structure of app_group block is documented below.
- ApplicationList string
- Name of an existing Application list.
- Applications List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyApplication>
- Application ID list. The structure of application block is documented below.
- AuthCert string
- HTTPS server certificate for policy authentication.
- AuthPath string
- Enable/disable authentication-based routing.
- AuthRedirectAddr string
- HTTP-to-HTTPS redirect address for firewall authentication.
- AutoAsicOffload string
- Enable/disable policy traffic ASIC offloading.
- AvProfile string
- Name of an existing Antivirus profile.
- BlockNotification string
- Enable/disable block notification.
- CaptivePortalExempt string
- Enable to exempt some users from the captive portal.
- CapturePacket string
- Enable/disable capture packets.
- CasbProfile string
- Name of an existing CASB profile.
- CifsProfile string
- Name of an existing CIFS profile.
- Comments string
- Comment.
- CustomLogFields List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyCustomLogField>
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- DecryptedTrafficMirror string
- Decrypted traffic mirror.
- DelayTcpNpuSession string
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- Devices List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyDevice>
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- DiameterFilterProfile string
- Name of an existing Diameter filter profile.
- DiffservCopy string
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- DiffservForward string
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- DiffservReverse string
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- DiffservcodeForward string
- Change packet's DiffServ to this value.
- DiffservcodeRev string
- Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer.
- DlpProfile string
- Name of an existing DLP profile.
- DlpSensor string
- Name of an existing DLP sensor.
- DnsfilterProfile string
- Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses.
- Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be.
- Dstaddr6s List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyDstaddr6>
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- DstaddrNegate string
- When enabled dstaddr specifies what the destination address must NOT be.
- Dstaddrs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyDstaddr>
- Destination address and address group names. The structure of dstaddr block is documented below.
- Dstintfs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyDstintf>
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- DynamicShaping string
- Enable/disable dynamic RADIUS defined traffic shaping.
- EmailCollect string
- Enable/disable email collection.
- EmailfilterProfile string
- Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- FileFilterProfile string
- Name of an existing file-filter profile.
- FirewallSessionDirty string
- How to handle sessions if the configuration of this firewall policy changes.
- Fixedport string
- Enable to prevent source NAT from changing a session's source port.
- Fsso string
- Enable/disable Fortinet Single Sign-On.
- FssoAgentForNtlm string
- FSSO agent to use for NTLM authentication.
- FssoGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyFssoGroup>
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- GeoipAnycast string
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- GeoipMatch string
- Match geography address based either on its physical location or registered location.
- GlobalLabel string
- Label for the policy that appears when the GUI is in Global View mode.
- Groups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyGroup>
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- HttpPolicyRedirect string
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- IcapProfile string
- Name of an existing ICAP profile.
- Id string
- The provider-assigned unique ID for this managed resource.
- IdentityBasedRoute string
- Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- InspectionMode string
- Policy inspection mode (Flow/proxy). Default is Flow mode.
- InternetService string
- Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- InternetService6 string
- Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- InternetService6CustomGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6CustomGroup>
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- InternetService6Customs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6Custom>
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- InternetService6Groups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6Group>
- Internet Service group name. The structure of internet_service6_group block is documented below.
- InternetService6Names List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6Name>
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- InternetService6Negate string
- When enabled internet-service6 specifies what the service must NOT be.
- InternetService6Src string
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- InternetService6SrcCustomGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6SrcCustomGroup>
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- InternetService6SrcCustoms List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6SrcCustom>
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- InternetService6SrcGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6SrcGroup>
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- InternetService6SrcNames List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetService6SrcName>
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- InternetService6SrcNegate string
- When enabled internet-service6-src specifies what the service must NOT be.
- InternetServiceCustomGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceCustomGroup>
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- InternetServiceCustoms List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceCustom>
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- InternetServiceGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceGroup>
- Internet Service group name. The structure of internet_service_group block is documented below.
- InternetServiceIds List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceId>
- Internet Service ID. The structure of internet_service_id block is documented below.
- InternetServiceNames List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceName>
- Internet Service name. The structure of internet_service_name block is documented below.
- InternetServiceNegate string
- When enabled internet-service specifies what the service must NOT be.
- InternetServiceSrc string
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- InternetServiceSrcCustomGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceSrcCustomGroup>
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- InternetServiceSrcCustoms List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceSrcCustom>
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- InternetServiceSrcGroups List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceSrcGroup>
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- InternetServiceSrcIds List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceSrcId>
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- InternetServiceSrcNames List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyInternetServiceSrcName>
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- InternetServiceSrcNegate string
- When enabled internet-service-src specifies what the service must NOT be.
- Ippool string
- Enable to use IP Pools for source NAT.
- IpsSensor string
- Name of an existing IPS sensor.
- IpsVoipFilter string
- Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- LearningMode string
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions.
- LogtrafficStart string
- Record logs when a session starts.
- MatchVip string
- Enable to match packets that have had their destination addresses changed by a VIP.
- MatchVipOnly string
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- Name string
- Mirror Interface name.
- Nat string
- Enable/disable source NAT.
- Nat46 string
- Enable/disable NAT46.
- Nat64 string
- Enable/disable NAT64.
- Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- NetworkServiceDynamics List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyNetworkServiceDynamic>
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- NetworkServiceSrcDynamics List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyNetworkServiceSrcDynamic>
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- NpAcceleration string
- Enable/disable UTM Network Processor acceleration.
- Ntlm string
- Enable/disable NTLM authentication.
- NtlmEnabledBrowsers List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyNtlmEnabledBrowser>
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- NtlmGuest string
- Enable/disable NTLM guest user access.
- Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- PassiveWanHealthMeasurement string
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- PcpInbound string
- Enable/disable PCP inbound DNAT.
- PcpOutbound string
- Enable/disable PCP outbound SNAT.
- PcpPoolnames List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyPcpPoolname>
- PCP pool names. The structure of pcp_poolname block is documented below.
- PerIpShaper string
- Per-IP traffic shaper.
- PermitAnyHost string
- Accept UDP packets from any host.
- PermitStunHost string
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- PolicyExpiry string
- Enable/disable policy expiry.
- PolicyExpiryDate string
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- PolicyExpiryDateUtc string
- Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyPoolname6>
- IPv6 pool names. The structure of poolname6 block is documented below.
- Poolnames List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyPoolname>
- IP Pool names. The structure of poolname block is documented below.
- PortPreserve string
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- ProfileGroup string
- Name of profile group.
- ProfileProtocolOptions string
- Name of an existing Protocol options profile.
- ProfileType string
- Determine whether the firewall policy allows security profile groups or single profiles only.
- RadiusMacAuthBypass string
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- RedirectUrl string
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- ReplacemsgOverrideGroup string
- Override the default replacement message group for this policy.
- ReputationDirection string
- Direction of the initial traffic for reputation to take effect.
- ReputationDirection6 string
- Direction of the initial traffic for IPv6 reputation to take effect.
- ReputationMinimum int
- Minimum Reputation to take action.
- ReputationMinimum6 int
- IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO).
- RtpAddrs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyRtpAddr>
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- RtpNat string
- Enable Real Time Protocol (RTP) NAT.
- ScanBotnetConnections string
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- Schedule string
- Schedule name.
- ScheduleTimeout string
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- SctpFilterProfile string
- Name of an existing SCTP filter profile.
- SendDenyPacket string
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- ServiceNegate string
- When enabled service specifies what the service must NOT be.
- Services List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyService>
- Service and service group names. The structure of service block is documented below.
- SessionTtl int
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- SgtCheck string
- Enable/disable security group tags (SGT) check.
- Sgts List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySgt>
- Security group tags. The structure of sgt block is documented below.
- SpamfilterProfile string
- Name of an existing Spam filter profile.
- SrcVendorMacs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySrcVendorMac>
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be.
- Srcaddr6s List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySrcaddr6>
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- SrcaddrNegate string
- When enabled srcaddr specifies what the source address must NOT be.
- Srcaddrs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySrcaddr>
- Source address and address group names. The structure of srcaddr block is documented below.
- Srcintfs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySrcintf>
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- SshFilterProfile string
- Name of an existing SSH filter profile.
- SshPolicyRedirect string
- Redirect SSH traffic to matching transparent proxy policy.
- SslMirror string
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- SslMirrorIntfs List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicySslMirrorIntf>
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- SslSshProfile string
- Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy.
- TcpMssReceiver int
- Receiver TCP maximum segment size (MSS).
- TcpMssSender int
- Sender TCP maximum segment size (MSS).
- TcpSessionWithoutSyn string
- Enable/disable creation of TCP session without SYN flag.
- TimeoutSendRst string
- Enable/disable sending RST packets when TCP sessions expire.
- Tos string
- ToS (Type of Service) value used for comparison.
- TosMask string
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- TosNegate string
- Enable negated TOS match.
- TrafficShaper string
- Traffic shaper.
- TrafficShaperReverse string
- Reverse traffic shaper.
- UrlCategories List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyUrlCategory>
- URL category ID list. The structure of url_category block is documented below.
- Users List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyUser>
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- UtmStatus string
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- VideofilterProfile string
- Name of an existing VideoFilter profile.
- VirtualPatchProfile string
- Name of an existing virtual-patch profile.
- VlanCosFwd int
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- VlanCosRev int
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- VlanFilter string
- Set VLAN filters.
- VoipProfile string
- Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- WafProfile string
- Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization.
- WanoptDetection string
- WAN optimization auto-detection mode.
- WanoptPassiveOpt string
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- WanoptPeer string
- WAN optimization peer.
- WanoptProfile string
- WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- Webcache string
- Enable/disable web cache.
- WebcacheHttps string
- Enable/disable web cache for HTTPS.
- WebfilterProfile string
- Name of an existing Web filter profile.
- WebproxyForwardServer string
- Web proxy forward server name.
- WebproxyProfile string
- Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO).
- ZtnaDeviceOwnership string
- Enable/disable zero trust device ownership.
- List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyZtnaEmsTagSecondary>
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyZtnaEmsTag>
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- List<Pulumiverse.Fortios.Firewall.Outputs.GetPolicyZtnaGeoTag>
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ZtnaPolicyRedirect string
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ZtnaStatus string
- Enable/disable zero trust access.
- string
- ZTNA tag matching logic.
- Vdomparam string
- Action string
- Policy action (allow/deny/ipsec).
- AntiReplay string
- Enable/disable anti-replay check.
- AppCategories []GetPolicyAppCategory
- Application category ID list. The structure of app_category block is documented below.
- AppGroups []GetPolicyAppGroup
- Application group names. The structure of app_group block is documented below.
- ApplicationList string
- Name of an existing Application list.
- Applications []GetPolicyApplication
- Application ID list. The structure of application block is documented below.
- AuthCert string
- HTTPS server certificate for policy authentication.
- AuthPath string
- Enable/disable authentication-based routing.
- AuthRedirectAddr string
- HTTP-to-HTTPS redirect address for firewall authentication.
- AutoAsicOffload string
- Enable/disable policy traffic ASIC offloading.
- AvProfile string
- Name of an existing Antivirus profile.
- BlockNotification string
- Enable/disable block notification.
- CaptivePortalExempt string
- Enable to exempt some users from the captive portal.
- CapturePacket string
- Enable/disable capture packets.
- CasbProfile string
- Name of an existing CASB profile.
- CifsProfile string
- Name of an existing CIFS profile.
- Comments string
- Comment.
- CustomLogFields []GetPolicyCustomLogField
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- DecryptedTrafficMirror string
- Decrypted traffic mirror.
- DelayTcpNpuSession string
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- Devices []GetPolicyDevice
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- DiameterFilterProfile string
- Name of an existing Diameter filter profile.
- DiffservCopy string
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- DiffservForward string
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- DiffservReverse string
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- DiffservcodeForward string
- Change packet's DiffServ to this value.
- DiffservcodeRev string
- Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer.
- DlpProfile string
- Name of an existing DLP profile.
- DlpSensor string
- Name of an existing DLP sensor.
- DnsfilterProfile string
- Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses.
- Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be.
- Dstaddr6s []GetPolicyDstaddr6
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- DstaddrNegate string
- When enabled dstaddr specifies what the destination address must NOT be.
- Dstaddrs []GetPolicyDstaddr
- Destination address and address group names. The structure of dstaddr block is documented below.
- Dstintfs []GetPolicyDstintf
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- DynamicShaping string
- Enable/disable dynamic RADIUS defined traffic shaping.
- EmailCollect string
- Enable/disable email collection.
- EmailfilterProfile string
- Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- FileFilterProfile string
- Name of an existing file-filter profile.
- FirewallSessionDirty string
- How to handle sessions if the configuration of this firewall policy changes.
- Fixedport string
- Enable to prevent source NAT from changing a session's source port.
- Fsso string
- Enable/disable Fortinet Single Sign-On.
- FssoAgentForNtlm string
- FSSO agent to use for NTLM authentication.
- FssoGroups []GetPolicyFssoGroup
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- GeoipAnycast string
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- GeoipMatch string
- Match geography address based either on its physical location or registered location.
- GlobalLabel string
- Label for the policy that appears when the GUI is in Global View mode.
- Groups []GetPolicyGroup
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- HttpPolicyRedirect string
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- IcapProfile string
- Name of an existing ICAP profile.
- Id string
- The provider-assigned unique ID for this managed resource.
- Identity
Based stringRoute - Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode.
- Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- InternetService6CustomGroups []GetPolicyInternetService6CustomGroup
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- InternetService6Customs []GetPolicyInternetService6Custom
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- InternetService6Groups []GetPolicyInternetService6Group
- Internet Service group name. The structure of internet_service6_group block is documented below.
- InternetService6Names []GetPolicyInternetService6Name
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- InternetService6Negate string
- When enabled internet-service6 specifies what the service must NOT be.
- InternetService6Src string
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- InternetService6SrcCustomGroups []GetPolicyInternetService6SrcCustomGroup
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- InternetService6SrcCustoms []GetPolicyInternetService6SrcCustom
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- InternetService6SrcGroups []GetPolicyInternetService6SrcGroup
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- InternetService6SrcNames []GetPolicyInternetService6SrcName
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- InternetService6SrcNegate string
- When enabled internet-service6-src specifies what the service must NOT be.
- InternetServiceCustomGroups []GetPolicyInternetServiceCustomGroup
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- InternetServiceCustoms []GetPolicyInternetServiceCustom
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- InternetServiceGroups []GetPolicyInternetServiceGroup
- Internet Service group name. The structure of internet_service_group block is documented below.
- InternetServiceIds []GetPolicyInternetServiceId
- Internet Service ID. The structure of internet_service_id block is documented below.
- InternetServiceNames []GetPolicyInternetServiceName
- Internet Service name. The structure of internet_service_name block is documented below.
- InternetServiceNegate string
- When enabled internet-service specifies what the service must NOT be.
- InternetServiceSrc string
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- InternetServiceSrcCustomGroups []GetPolicyInternetServiceSrcCustomGroup
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- InternetServiceSrcCustoms []GetPolicyInternetServiceSrcCustom
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- InternetServiceSrcGroups []GetPolicyInternetServiceSrcGroup
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- InternetServiceSrcIds []GetPolicyInternetServiceSrcId
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- InternetServiceSrcNames []GetPolicyInternetServiceSrcName
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- InternetServiceSrcNegate string
- When enabled internet-service-src specifies what the service must NOT be.
- Ippool string
- Enable to use IP Pools for source NAT.
- IpsSensor string
- Name of an existing IPS sensor.
- IpsVoipFilter string
- Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- LearningMode string
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions.
- LogtrafficStart string
- Record logs when a session starts.
- MatchVip string
- Enable to match packets that have had their destination addresses changed by a VIP.
- MatchVipOnly string
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- Name string
- Mirror Interface name.
- Nat string
- Enable/disable source NAT.
- Nat46 string
- Enable/disable NAT46.
- Nat64 string
- Enable/disable NAT64.
- Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- NetworkServiceDynamics []GetPolicyNetworkServiceDynamic
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- NetworkServiceSrcDynamics []GetPolicyNetworkServiceSrcDynamic
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- NpAcceleration string
- Enable/disable UTM Network Processor acceleration.
- Ntlm string
- Enable/disable NTLM authentication.
- NtlmEnabledBrowsers []GetPolicyNtlmEnabledBrowser
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- NtlmGuest string
- Enable/disable NTLM guest user access.
- Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- PassiveWanHealthMeasurement string
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- PcpInbound string
- Enable/disable PCP inbound DNAT.
- PcpOutbound string
- Enable/disable PCP outbound SNAT.
- PcpPoolnames []GetPolicyPcpPoolname
- PCP pool names. The structure of pcp_poolname block is documented below.
- PerIpShaper string
- Per-IP traffic shaper.
- PermitAnyHost string
- Accept UDP packets from any host.
- PermitStunHost string
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- PolicyExpiry string
- Enable/disable policy expiry.
- PolicyExpiryDate string
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- PolicyExpiryDateUtc string
- Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s []GetPolicyPoolname6
- IPv6 pool names. The structure of poolname6 block is documented below.
- Poolnames []GetPolicyPoolname
- IP Pool names. The structure of poolname block is documented below.
- PortPreserve string
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- ProfileGroup string
- Name of profile group.
- ProfileProtocolOptions string
- Name of an existing Protocol options profile.
- ProfileType string
- Determine whether the firewall policy allows security profile groups or single profiles only.
- RadiusMacAuthBypass string
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- RedirectUrl string
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- ReplacemsgOverrideGroup string
- Override the default replacement message group for this policy.
- ReputationDirection string
- Direction of the initial traffic for reputation to take effect.
- ReputationDirection6 string
- Direction of the initial traffic for IPv6 reputation to take effect.
- ReputationMinimum int
- Minimum Reputation to take action.
- ReputationMinimum6 int
- IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO).
- RtpAddrs []GetPolicyRtpAddr
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- RtpNat string
- Enable Real Time Protocol (RTP) NAT.
- ScanBotnetConnections string
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- Schedule string
- Schedule name.
- ScheduleTimeout string
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- SctpFilterProfile string
- Name of an existing SCTP filter profile.
- SendDenyPacket string
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- ServiceNegate string
- When enabled service specifies what the service must NOT be.
- Services []GetPolicyService
- Service and service group names. The structure of service block is documented below.
- SessionTtl int
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- SgtCheck string
- Enable/disable security group tags (SGT) check.
- Sgts []GetPolicySgt
- Security group tags. The structure of sgt block is documented below.
- SpamfilterProfile string
- Name of an existing Spam filter profile.
- SrcVendorMacs []GetPolicySrcVendorMac
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be.
- Srcaddr6s []GetPolicySrcaddr6
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- SrcaddrNegate string
- When enabled srcaddr specifies what the source address must NOT be.
- Srcaddrs []GetPolicySrcaddr
- Source address and address group names. The structure of srcaddr block is documented below.
- Srcintfs []GetPolicySrcintf
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- SshFilterProfile string
- Name of an existing SSH filter profile.
- SshPolicyRedirect string
- Redirect SSH traffic to matching transparent proxy policy.
- SslMirror string
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- SslMirrorIntfs []GetPolicySslMirrorIntf
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- SslSshProfile string
- Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy.
- TcpMssReceiver int
- Receiver TCP maximum segment size (MSS).
- TcpMssSender int
- Sender TCP maximum segment size (MSS).
- TcpSessionWithoutSyn string
- Enable/disable creation of TCP session without SYN flag.
- TimeoutSendRst string
- Enable/disable sending RST packets when TCP sessions expire.
- Tos string
- ToS (Type of Service) value used for comparison.
- TosMask string
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- TosNegate string
- Enable negated TOS match.
- TrafficShaper string
- Traffic shaper.
- TrafficShaperReverse string
- Reverse traffic shaper.
- UrlCategories []GetPolicyUrlCategory
- URL category ID list. The structure of url_category block is documented below.
- Users []GetPolicyUser
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- UtmStatus string
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- VideofilterProfile string
- Name of an existing VideoFilter profile.
- VirtualPatchProfile string
- Name of an existing virtual-patch profile.
- VlanCosFwd int
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- VlanCosRev int
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- VlanFilter string
- Set VLAN filters.
- VoipProfile string
- Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- WafProfile string
- Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization.
- WanoptDetection string
- WAN optimization auto-detection mode.
- WanoptPassiveOpt string
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- WanoptPeer string
- WAN optimization peer.
- WanoptProfile string
- WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- Webcache string
- Enable/disable web cache.
- WebcacheHttps string
- Enable/disable web cache for HTTPS.
- WebfilterProfile string
- Name of an existing Web filter profile.
- WebproxyForwardServer string
- Web proxy forward server name.
- WebproxyProfile string
- Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO).
- ZtnaDeviceOwnership string
- Enable/disable zero trust device ownership.
- []GetPolicyZtnaEmsTagSecondary
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- []GetPolicyZtnaEmsTag
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- []GetPolicyZtnaGeoTag
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ZtnaPolicyRedirect string
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ZtnaStatus string
- Enable/disable zero trust access.
- string
- ZTNA tag matching logic.
- Vdomparam string
- action String
- Policy action (allow/deny/ipsec).
- antiReplay String
- Enable/disable anti-replay check.
- appCategories List<GetPolicyAppCategory>
- Application category ID list. The structure of app_category block is documented below.
- appGroups List<GetPolicyAppGroup>
- Application group names. The structure of app_group block is documented below.
- applicationList String
- Name of an existing Application list.
- applications List<GetPolicyApplication>
- Application ID list. The structure of application block is documented below.
- authCert String
- HTTPS server certificate for policy authentication.
- authPath String
- Enable/disable authentication-based routing.
- authRedirectAddr String
- HTTP-to-HTTPS redirect address for firewall authentication.
- autoAsicOffload String
- Enable/disable policy traffic ASIC offloading.
- avProfile String
- Name of an existing Antivirus profile.
- blockNotification String
- Enable/disable block notification.
- captivePortalExempt String
- Enable to exempt some users from the captive portal.
- capturePacket String
- Enable/disable capture packets.
- casbProfile String
- Name of an existing CASB profile.
- cifsProfile String
- Name of an existing CIFS profile.
- comments String
- Comment.
- customLogFields List<GetPolicyCustomLogField>
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- decryptedTrafficMirror String
- Decrypted traffic mirror.
- delayTcpNpuSession String
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- devices List<GetPolicyDevice>
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- diameterFilterProfile String
- Name of an existing Diameter filter profile.
- diffservCopy String
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- diffservForward String
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- diffservReverse String
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- diffservcodeForward String
- Change packet's DiffServ to this value.
- diffservcodeRev String
- Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer.
- dlpProfile String
- Name of an existing DLP profile.
- dlpSensor String
- Name of an existing DLP sensor.
- dnsfilterProfile String
- Name of an existing DNS filter profile.
- dsri String
- Enable DSRI to ignore HTTP server responses.
- dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be.
- dstaddr6s List<GetPolicyDstaddr6>
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- dstaddrNegate String
- When enabled dstaddr specifies what the destination address must NOT be.
- dstaddrs List<GetPolicyDstaddr>
- Destination address and address group names. The structure of dstaddr block is documented below.
- dstintfs List<GetPolicyDstintf>
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- dynamicShaping String
- Enable/disable dynamic RADIUS defined traffic shaping.
- emailCollect String
- Enable/disable email collection.
- emailfilterProfile String
- Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- fileFilterProfile String
- Name of an existing file-filter profile.
- firewallSessionDirty String
- How to handle sessions if the configuration of this firewall policy changes.
- fixedport String
- Enable to prevent source NAT from changing a session's source port.
- fsso String
- Enable/disable Fortinet Single Sign-On.
- fssoAgentForNtlm String
- FSSO agent to use for NTLM authentication.
- fssoGroups List<GetPolicyFssoGroup>
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- geoipAnycast String
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- geoipMatch String
- Match geography address based either on its physical location or registered location.
- globalLabel String
- Label for the policy that appears when the GUI is in Global View mode.
- groups List<GetPolicyGroup>
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- httpPolicyRedirect String
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- icapProfile String
- Name of an existing ICAP profile.
- id String
- The provider-assigned unique ID for this managed resource.
- identityBasedRoute String
- Name of identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- inspectionMode String
- Policy inspection mode (Flow/proxy). Default is Flow mode.
- internetService String
- Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6 String
- Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6CustomGroups List<GetPolicyInternetService6CustomGroup>
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- internetService6Customs List<GetPolicyInternetService6Custom>
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- internetService6Groups List<GetPolicyInternetService6Group>
- Internet Service group name. The structure of internet_service6_group block is documented below.
- internetService6Names List<GetPolicyInternetService6Name>
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- internetService6Negate String
- When enabled internet-service6 specifies what the service must NOT be.
- internetService6Src String
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- internetService6SrcCustomGroups List<GetPolicyInternetService6SrcCustomGroup>
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- internetService6SrcCustoms List<GetPolicyInternetService6SrcCustom>
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- internetService6SrcGroups List<GetPolicyInternetService6SrcGroup>
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- internetService6SrcNames List<GetPolicyInternetService6SrcName>
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- internetService6SrcNegate String
- When enabled internet-service6-src specifies what the service must NOT be.
- internetServiceCustomGroups List<GetPolicyInternetServiceCustomGroup>
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- internetServiceCustoms List<GetPolicyInternetServiceCustom>
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- internetServiceGroups List<GetPolicyInternetServiceGroup>
- Internet Service group name. The structure of internet_service_group block is documented below.
- internetServiceIds List<GetPolicyInternetServiceId>
- Internet Service ID. The structure of internet_service_id block is documented below.
- internetServiceNames List<GetPolicyInternetServiceName>
- Internet Service name. The structure of internet_service_name block is documented below.
- internetServiceNegate String
- When enabled internet-service specifies what the service must NOT be.
- internetServiceSrc String
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- internetServiceSrcCustomGroups List<GetPolicyInternetServiceSrcCustomGroup>
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- internetServiceSrcCustoms List<GetPolicyInternetServiceSrcCustom>
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- internetServiceSrcGroups List<GetPolicyInternetServiceSrcGroup>
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- internetServiceSrcIds List<GetPolicyInternetServiceSrcId>
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- internetServiceSrcNames List<GetPolicyInternetServiceSrcName>
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- internetServiceSrcNegate String
- When enabled internet-service-src specifies what the service must NOT be.
- ippool String
- Enable to use IP Pools for source NAT.
- ipsSensor String
- Name of an existing IPS sensor.
- ipsVoipFilter String
- Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learningMode String
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions.
- logtrafficStart String
- Record logs when a session starts.
- matchVip String
- Enable to match packets that have had their destination addresses changed by a VIP.
- matchVipOnly String
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- name String
- Mirror Interface name.
- nat String
- Enable/disable source NAT.
- nat46 String
- Enable/disable NAT46.
- nat64 String
- Enable/disable NAT64.
- natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- networkServiceDynamics List<GetPolicyNetworkServiceDynamic>
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- networkServiceSrcDynamics List<GetPolicyNetworkServiceSrcDynamic>
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- npAcceleration String
- Enable/disable UTM Network Processor acceleration.
- ntlm String
- Enable/disable NTLM authentication.
- ntlmEnabledBrowsers List<GetPolicyNtlmEnabledBrowser>
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- ntlmGuest String
- Enable/disable NTLM guest user access.
- outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- passiveWanHealthMeasurement String
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- pcpInbound String
- Enable/disable PCP inbound DNAT.
- pcpOutbound String
- Enable/disable PCP outbound SNAT.
- pcpPoolnames List<GetPolicyPcpPoolname>
- PCP pool names. The structure of pcp_poolname block is documented below.
- perIpShaper String
- Per-IP traffic shaper.
- permitAnyHost String
- Accept UDP packets from any host.
- permitStunHost String
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- policyExpiry String
- Enable/disable policy expiry.
- policyExpiryDate String
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policyExpiryDateUtc String
- Policy expiry date and time, in epoch format.
- policyid Integer
- Policy ID.
- poolname6s List<GetPolicyPoolname6>
- IPv6 pool names. The structure of poolname6 block is documented below.
- poolnames List<GetPolicyPoolname>
- IP Pool names. The structure of poolname block is documented below.
- portPreserve String
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- profileGroup String
- Name of profile group.
- profileProtocolOptions String
- Name of an existing Protocol options profile.
- profileType String
- Determine whether the firewall policy allows security profile groups or single profiles only.
- radiusMacAuthBypass String
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- redirectUrl String
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsgOverrideGroup String
- Override the default replacement message group for this policy.
- reputationDirection String
- Direction of the initial traffic for reputation to take effect.
- reputationDirection6 String
- Direction of the initial traffic for IPv6 reputation to take effect.
- reputationMinimum Integer
- Minimum Reputation to take action.
- reputationMinimum6 Integer
- IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO).
- rtpAddrs List<GetPolicyRtpAddr>
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- rtpNat String
- Enable Real Time Protocol (RTP) NAT.
- scanBotnetConnections String
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- schedule String
- Schedule name.
- scheduleTimeout String
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- sctpFilterProfile String
- Name of an existing SCTP filter profile.
- sendDenyPacket String
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- serviceNegate String
- When enabled service specifies what the service must NOT be.
- services List<GetPolicyService>
- Service and service group names. The structure of service block is documented below.
- sessionTtl Integer
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgtCheck String
- Enable/disable security group tags (SGT) check.
- sgts List<GetPolicySgt>
- Security group tags. The structure of sgt block is documented below.
- spamfilterProfile String
- Name of an existing Spam filter profile.
- srcVendorMacs List<GetPolicySrcVendorMac>
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be.
- srcaddr6s List<GetPolicySrcaddr6>
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- srcaddrNegate String
- When enabled srcaddr specifies what the source address must NOT be.
- srcaddrs List<GetPolicySrcaddr>
- Source address and address group names. The structure of srcaddr block is documented below.
- srcintfs List<GetPolicySrcintf>
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- sshFilterProfile String
- Name of an existing SSH filter profile.
- sshPolicyRedirect String
- Redirect SSH traffic to matching transparent proxy policy.
- sslMirror String
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- sslMirrorIntfs List<GetPolicySslMirrorIntf>
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- sslSshProfile String
- Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy.
- tcpMssReceiver Integer
- Receiver TCP maximum segment size (MSS).
- tcpMssSender Integer
- Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn String
- Enable/disable creation of TCP session without SYN flag.
- timeoutSendRst String
- Enable/disable sending RST packets when TCP sessions expire.
- tos String
- ToS (Type of Service) value used for comparison.
- tosMask String
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tosNegate String
- Enable negated TOS match.
- trafficShaper String
- Traffic shaper.
- trafficShaperReverse String
- Reverse traffic shaper.
- urlCategories List<GetPolicyUrlCategory>
- URL category ID list. The structure of url_category block is documented below.
- users List<GetPolicyUser>
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- utmStatus String
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- videofilterProfile String
- Name of an existing VideoFilter profile.
- virtualPatchProfile String
- Name of an existing virtual-patch profile.
- vlanCosFwd Integer
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanCosRev Integer
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanFilter String
- Set VLAN filters.
- voipProfile String
- Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- wafProfile String
- Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization.
- wanoptDetection String
- WAN optimization auto-detection mode.
- wanoptPassiveOpt String
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- wanoptPeer String
- WAN optimization peer.
- wanoptProfile String
- WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- webcache String
- Enable/disable web cache.
- webcacheHttps String
- Enable/disable web cache for HTTPS.
- webfilterProfile String
- Name of an existing Web filter profile.
- webproxyForwardServer String
- Web proxy forward server name.
- webproxyProfile String
- Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO).
- ztnaDeviceOwnership String
- Enable/disable zero trust device ownership.
- List<GetPolicyZtnaEmsTagSecondary>
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- List<GetPolicyZtnaEmsTag>
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- List<GetPolicyZtnaGeoTag>
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ztnaPolicyRedirect String
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ztnaStatus String
- Enable/disable zero trust access.
- String
- ZTNA tag matching logic.
- vdomparam String
- action string
- Policy action (allow/deny/ipsec).
- antiReplay string
- Enable/disable anti-replay check.
- appCategories GetPolicyAppCategory[]
- Application category ID list. The structure of app_category block is documented below.
- appGroups GetPolicyAppGroup[]
- Application group names. The structure of app_group block is documented below.
- applicationList string
- Name of an existing Application list.
- applications GetPolicyApplication[]
- Application ID list. The structure of application block is documented below.
- authCert string
- HTTPS server certificate for policy authentication.
- authPath string
- Enable/disable authentication-based routing.
- authRedirectAddr string
- HTTP-to-HTTPS redirect address for firewall authentication.
- autoAsicOffload string
- Enable/disable policy traffic ASIC offloading.
- avProfile string
- Name of an existing Antivirus profile.
- blockNotification string
- Enable/disable block notification.
- captivePortalExempt string
- Enable to exempt some users from the captive portal.
- capturePacket string
- Enable/disable capture packets.
- casbProfile string
- Name of an existing CASB profile.
- cifsProfile string
- Name of an existing CIFS profile.
- comments string
- Comment.
- customLogFields GetPolicyCustomLogField[]
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- decryptedTrafficMirror string
- Decrypted traffic mirror.
- delayTcpNpuSession string
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- devices GetPolicyDevice[]
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- diameterFilterProfile string
- Name of an existing Diameter filter profile.
- diffservCopy string
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- diffservForward string
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- diffservReverse string
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- diffservcodeForward string
- Change packet's DiffServ to this value.
- diffservcodeRev string
- Change packet's reverse (reply) DiffServ to this value.
- disclaimer string
- Enable/disable user authentication disclaimer.
- dlpProfile string
- Name of an existing DLP profile.
- dlpSensor string
- Name of an existing DLP sensor.
- dnsfilterProfile string
- Name of an existing DNS filter profile.
- dsri string
- Enable DSRI to ignore HTTP server responses.
- dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be.
- dstaddr6s GetPolicyDstaddr6[]
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- dstaddrNegate string
- When enabled dstaddr specifies what the destination address must NOT be.
- dstaddrs GetPolicyDstaddr[]
- Destination address and address group names. The structure of dstaddr block is documented below.
- dstintfs GetPolicyDstintf[]
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- dynamicShaping string
- Enable/disable dynamic RADIUS defined traffic shaping.
- emailCollect string
- Enable/disable email collection.
- emailfilterProfile string
- Name of an existing email filter profile.
- fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- fileFilterProfile string
- Name of an existing file-filter profile.
- firewallSessionDirty string
- How to handle sessions if the configuration of this firewall policy changes.
- fixedport string
- Enable to prevent source NAT from changing a session's source port.
- fsso string
- Enable/disable Fortinet Single Sign-On.
- fssoAgentForNtlm string
- FSSO agent to use for NTLM authentication.
- fssoGroups GetPolicyFssoGroup[]
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- geoipAnycast string
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- geoipMatch string
- Match geography address based either on its physical location or registered location.
- globalLabel string
- Label for the policy that appears when the GUI is in Global View mode.
- groups GetPolicyGroup[]
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- httpPolicyRedirect string
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- icapProfile string
- Name of an existing ICAP profile.
- id string
- The provider-assigned unique ID for this managed resource.
- identityBasedRoute string
- Name of identity-based routing rule.
- inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- inspectionMode string
- Policy inspection mode (Flow/proxy). Default is Flow mode.
- internetService string
- Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6 string
- Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6CustomGroups GetPolicyInternetService6CustomGroup[]
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- internetService6Customs GetPolicyInternetService6Custom[]
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- internetService6Groups GetPolicyInternetService6Group[]
- Internet Service group name. The structure of internet_service6_group block is documented below.
- internetService6Names GetPolicyInternetService6Name[]
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- internetService6Negate string
- When enabled internet-service6 specifies what the service must NOT be.
- internetService6Src string
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- internetService6SrcCustomGroups GetPolicyInternetService6SrcCustomGroup[]
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- internetService6SrcCustoms GetPolicyInternetService6SrcCustom[]
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- internetService6SrcGroups GetPolicyInternetService6SrcGroup[]
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- internetService6SrcNames GetPolicyInternetService6SrcName[]
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- internetService6SrcNegate string
- When enabled internet-service6-src specifies what the service must NOT be.
- internetServiceCustomGroups GetPolicyInternetServiceCustomGroup[]
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- internetServiceCustoms GetPolicyInternetServiceCustom[]
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- internetServiceGroups GetPolicyInternetServiceGroup[]
- Internet Service group name. The structure of internet_service_group block is documented below.
- internetServiceIds GetPolicyInternetServiceId[]
- Internet Service ID. The structure of internet_service_id block is documented below.
- internetServiceNames GetPolicyInternetServiceName[]
- Internet Service name. The structure of internet_service_name block is documented below.
- internetServiceNegate string
- When enabled internet-service specifies what the service must NOT be.
- internetServiceSrc string
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- internetServiceSrcCustomGroups GetPolicyInternetServiceSrcCustomGroup[]
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- internetServiceSrcCustoms GetPolicyInternetServiceSrcCustom[]
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- internetServiceSrcGroups GetPolicyInternetServiceSrcGroup[]
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- internetServiceSrcIds GetPolicyInternetServiceSrcId[]
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- internetServiceSrcNames GetPolicyInternetServiceSrcName[]
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- internetServiceSrcNegate string
- When enabled internet-service-src specifies what the service must NOT be.
- ippool string
- Enable to use IP Pools for source NAT.
- ipsSensor string
- Name of an existing IPS sensor.
- ipsVoipFilter string
- Name of an existing VoIP (ips) profile.
- label string
- Label for the policy that appears when the GUI is in Section View mode.
- learningMode string
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions.
- logtrafficStart string
- Record logs when a session starts.
- matchVip string
- Enable to match packets that have had their destination addresses changed by a VIP.
- matchVipOnly string
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- name string
- Mirror Interface name.
- nat string
- Enable/disable source NAT.
- nat46 string
- Enable/disable NAT46.
- nat64 string
- Enable/disable NAT64.
- natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- networkServiceDynamics GetPolicyNetworkServiceDynamic[]
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- networkServiceSrcDynamics GetPolicyNetworkServiceSrcDynamic[]
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- npAcceleration string
- Enable/disable UTM Network Processor acceleration.
- ntlm string
- Enable/disable NTLM authentication.
- ntlmEnabledBrowsers GetPolicyNtlmEnabledBrowser[]
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- ntlmGuest string
- Enable/disable NTLM guest user access.
- outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- passiveWanHealthMeasurement string
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- pcpInbound string
- Enable/disable PCP inbound DNAT.
- pcpOutbound string
- Enable/disable PCP outbound SNAT.
- pcpPoolnames GetPolicyPcpPoolname[]
- PCP pool names. The structure of pcp_poolname block is documented below.
- perIpShaper string
- Per-IP traffic shaper.
- permitAnyHost string
- Accept UDP packets from any host.
- permitStunHost string
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- policyExpiry string
- Enable/disable policy expiry.
- policyExpiryDate string
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policyExpiryDateUtc string
- Policy expiry date and time, in epoch format.
- policyid number
- Policy ID.
- poolname6s GetPolicyPoolname6[]
- IPv6 pool names. The structure of poolname6 block is documented below.
- poolnames GetPolicyPoolname[]
- IP Pool names. The structure of poolname block is documented below.
- portPreserve string
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- profileGroup string
- Name of profile group.
- profileProtocolOptions string
- Name of an existing Protocol options profile.
- profileType string
- Determine whether the firewall policy allows security profile groups or single profiles only.
- radiusMacAuthBypass string
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- redirectUrl string
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsgOverrideGroup string
- Override the default replacement message group for this policy.
- reputationDirection string
- Direction of the initial traffic for reputation to take effect.
- reputationDirection6 string
- Direction of the initial traffic for IPv6 reputation to take effect.
- reputationMinimum number
- Minimum Reputation to take action.
- reputationMinimum6 number
- IPv6 Minimum Reputation to take action.
- rsso string
- Enable/disable RADIUS single sign-on (RSSO).
- rtpAddrs GetPolicyRtpAddr[]
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- rtpNat string
- Enable Real Time Protocol (RTP) NAT.
- scanBotnetConnections string
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- schedule string
- Schedule name.
- scheduleTimeout string
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- sctpFilterProfile string
- Name of an existing SCTP filter profile.
- sendDenyPacket string
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- serviceNegate string
- When enabled service specifies what the service must NOT be.
- services GetPolicyService[]
- Service and service group names. The structure of service block is documented below.
- sessionTtl number
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgtCheck string
- Enable/disable security group tags (SGT) check.
- sgts GetPolicySgt[]
- Security group tags. The structure of sgt block is documented below.
- spamfilterProfile string
- Name of an existing Spam filter profile.
- srcVendorMacs GetPolicySrcVendorMac[]
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be.
- srcaddr6s GetPolicySrcaddr6[]
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- srcaddrNegate string
- When enabled srcaddr specifies what the source address must NOT be.
- srcaddrs GetPolicySrcaddr[]
- Source address and address group names. The structure of srcaddr block is documented below.
- srcintfs GetPolicySrcintf[]
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- sshFilterProfile string
- Name of an existing SSH filter profile.
- sshPolicyRedirect string
- Redirect SSH traffic to matching transparent proxy policy.
- sslMirror string
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- sslMirrorIntfs GetPolicySslMirrorIntf[]
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- sslSshProfile string
- Name of an existing SSL SSH profile.
- status string
- Enable or disable this policy.
- tcpMssReceiver number
- Receiver TCP maximum segment size (MSS).
- tcpMssSender number
- Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn string
- Enable/disable creation of TCP session without SYN flag.
- timeoutSendRst string
- Enable/disable sending RST packets when TCP sessions expire.
- tos string
- ToS (Type of Service) value used for comparison.
- tosMask string
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tosNegate string
- Enable negated TOS match.
- trafficShaper string
- Traffic shaper.
- trafficShaperReverse string
- Reverse traffic shaper.
- urlCategories GetPolicyUrlCategory[]
- URL category ID list. The structure of url_category block is documented below.
- users GetPolicyUser[]
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- utmStatus string
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- videofilterProfile string
- Name of an existing VideoFilter profile.
- virtualPatchProfile string
- Name of an existing virtual-patch profile.
- vlanCosFwd number
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanCosRev number
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanFilter string
- Set VLAN filters.
- voipProfile string
- Name of an existing VoIP profile.
- vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- wafProfile string
- Name of an existing Web application firewall profile.
- wanopt string
- Enable/disable WAN optimization.
- wanoptDetection string
- WAN optimization auto-detection mode.
- wanoptPassiveOpt string
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- wanoptPeer string
- WAN optimization peer.
- wanoptProfile string
- WAN optimization profile.
- wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- webcache string
- Enable/disable web cache.
- webcacheHttps string
- Enable/disable web cache for HTTPS.
- webfilterProfile string
- Name of an existing Web filter profile.
- webproxyForwardServer string
- Web proxy forward server name.
- webproxyProfile string
- Webproxy profile name.
- wsso string
- Enable/disable WiFi Single Sign On (WSSO).
- ztnaDeviceOwnership string
- Enable/disable zero trust device ownership.
- GetPolicyZtnaEmsTagSecondary[]
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- GetPolicyZtnaEmsTag[]
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- GetPolicyZtnaGeoTag[]
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ztnaPolicyRedirect string
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ztnaStatus string
- Enable/disable zero trust access.
- string
- ZTNA tag matching logic.
- vdomparam string
- action str
- Policy action (allow/deny/ipsec).
- anti_replay str
- Enable/disable anti-replay check.
- app_categories Sequence[GetPolicyAppCategory]
- Application category ID list. The structure of app_category block is documented below.
- app_groups Sequence[GetPolicyAppGroup]
- Application group names. The structure of app_group block is documented below.
- application_list str
- Name of an existing Application list.
- applications Sequence[GetPolicyApplication]
- Application ID list. The structure of application block is documented below.
- auth_cert str
- HTTPS server certificate for policy authentication.
- auth_path str
- Enable/disable authentication-based routing.
- auth_redirect_addr str
- HTTP-to-HTTPS redirect address for firewall authentication.
- auto_asic_offload str
- Enable/disable policy traffic ASIC offloading.
- av_profile str
- Name of an existing Antivirus profile.
- block_notification str
- Enable/disable block notification.
- captive_portal_exempt str
- Enable to exempt some users from the captive portal.
- capture_packet str
- Enable/disable capture packets.
- casb_profile str
- Name of an existing CASB profile.
- cifs_profile str
- Name of an existing CIFS profile.
- comments str
- Comment.
- custom_log_fields Sequence[GetPolicyCustomLogField]
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- decrypted_traffic_mirror str
- Decrypted traffic mirror.
- delay_tcp_npu_session str
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- devices Sequence[GetPolicyDevice]
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- diameter_filter_profile str
- Name of an existing Diameter filter profile.
- diffserv_copy str
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- diffserv_forward str
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- diffserv_reverse str
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- diffservcode_forward str
- Change packet's DiffServ to this value.
- diffservcode_rev str
- Change packet's reverse (reply) DiffServ to this value.
- disclaimer str
- Enable/disable user authentication disclaimer.
- dlp_profile str
- Name of an existing DLP profile.
- dlp_sensor str
- Name of an existing DLP sensor.
- dnsfilter_profile str
- Name of an existing DNS filter profile.
- dsri str
- Enable DSRI to ignore HTTP server responses.
- dstaddr6_negate str
- When enabled dstaddr6 specifies what the destination address must NOT be.
- dstaddr6s Sequence[GetPolicyDstaddr6]
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- dstaddr_negate str
- When enabled dstaddr specifies what the destination address must NOT be.
- dstaddrs Sequence[GetPolicyDstaddr]
- Destination address and address group names. The structure of dstaddr block is documented below.
- dstintfs Sequence[GetPolicyDstintf]
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- dynamic_shaping str
- Enable/disable dynamic RADIUS defined traffic shaping.
- email_collect str
- Enable/disable email collection.
- emailfilter_profile str
- Name of an existing email filter profile.
- fec str
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- file_filter_profile str
- Name of an existing file-filter profile.
- firewall_session_dirty str
- How to handle sessions if the configuration of this firewall policy changes.
- fixedport str
- Enable to prevent source NAT from changing a session's source port.
- fsso str
- Enable/disable Fortinet Single Sign-On.
- fsso_agent_for_ntlm str
- FSSO agent to use for NTLM authentication.
- fsso_groups Sequence[GetPolicyFssoGroup]
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- geoip_anycast str
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- geoip_match str
- Match geography address based either on its physical location or registered location.
- global_label str
- Label for the policy that appears when the GUI is in Global View mode.
- groups Sequence[GetPolicyGroup]
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- http_policy_redirect str
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- icap_profile str
- Name of an existing ICAP profile.
- id str
- The provider-assigned unique ID for this managed resource.
- identity_based_route str
- Name of identity-based routing rule.
- inbound str
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- inspection_mode str
- Policy inspection mode (Flow/proxy). Default is Flow mode.
- internet_service str
- Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- internet_service6 str
- Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- internet_service6_custom_groups Sequence[GetPolicyInternetService6CustomGroup]
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- internet_service6_customs Sequence[GetPolicyInternetService6Custom]
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- internet_service6_groups Sequence[GetPolicyInternetService6Group]
- Internet Service group name. The structure of internet_service6_group block is documented below.
- internet_service6_names Sequence[GetPolicyInternetService6Name]
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- internet_service6_negate str
- When enabled internet-service6 specifies what the service must NOT be.
- internet_service6_src str
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- internet_service6_src_custom_groups Sequence[GetPolicyInternetService6SrcCustomGroup]
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- internet_service6_src_customs Sequence[GetPolicyInternetService6SrcCustom]
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- internet_service6_src_groups Sequence[GetPolicyInternetService6SrcGroup]
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- internet_service6_src_names Sequence[GetPolicyInternetService6SrcName]
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- internet_service6_src_negate str
- When enabled internet-service6-src specifies what the service must NOT be.
- internet_service_custom_groups Sequence[GetPolicyInternetServiceCustomGroup]
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- internet_service_customs Sequence[GetPolicyInternetServiceCustom]
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- internet_service_groups Sequence[GetPolicyInternetServiceGroup]
- Internet Service group name. The structure of internet_service_group block is documented below.
- internet_service_ids Sequence[GetPolicyInternetServiceId]
- Internet Service ID. The structure of internet_service_id block is documented below.
- internet_service_names Sequence[GetPolicyInternetServiceName]
- Internet Service name. The structure of internet_service_name block is documented below.
- internet_service_negate str
- When enabled internet-service specifies what the service must NOT be.
- internet_service_src str
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- internet_service_src_custom_groups Sequence[GetPolicyInternetServiceSrcCustomGroup]
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- internet_service_src_customs Sequence[GetPolicyInternetServiceSrcCustom]
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- internet_service_src_groups Sequence[GetPolicyInternetServiceSrcGroup]
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- internet_service_src_ids Sequence[GetPolicyInternetServiceSrcId]
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- internet_service_src_names Sequence[GetPolicyInternetServiceSrcName]
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- internet_service_src_negate str
- When enabled internet-service-src specifies what the service must NOT be.
- ippool str
- Enable to use IP Pools for source NAT.
- ips_sensor str
- Name of an existing IPS sensor.
- ips_voip_filter str
- Name of an existing VoIP (ips) profile.
- label str
- Label for the policy that appears when the GUI is in Section View mode.
- learning_mode str
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- logtraffic str
- Enable or disable logging. Log all sessions or security profile sessions.
- logtraffic_start str
- Record logs when a session starts.
- match_vip str
- Enable to match packets that have had their destination addresses changed by a VIP.
- match_vip_only str
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- name str
- Mirror Interface name.
- nat str
- Enable/disable source NAT.
- nat46 str
- Enable/disable NAT46.
- nat64 str
- Enable/disable NAT64.
- natinbound str
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- natip str
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound str
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- network_service_dynamics Sequence[GetPolicyNetworkServiceDynamic]
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- network_service_src_dynamics Sequence[GetPolicyNetworkServiceSrcDynamic]
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- np_acceleration str
- Enable/disable UTM Network Processor acceleration.
- ntlm str
- Enable/disable NTLM authentication.
- ntlm_enabled_browsers Sequence[GetPolicyNtlmEnabledBrowser]
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- ntlm_guest str
- Enable/disable NTLM guest user access.
- outbound str
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- passive_wan_health_measurement str
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- pcp_inbound str
- Enable/disable PCP inbound DNAT.
- pcp_outbound str
- Enable/disable PCP outbound SNAT.
- pcp_poolnames Sequence[GetPolicyPcpPoolname]
- PCP pool names. The structure of pcp_poolname block is documented below.
- per_ip_shaper str
- Per-IP traffic shaper.
- permit_any_host str
- Accept UDP packets from any host.
- permit_stun_host str
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- policy_expiry str
- Enable/disable policy expiry.
- policy_expiry_date str
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy_expiry_date_utc str
- Policy expiry date and time, in epoch format.
- policyid int
- Policy ID.
- poolname6s Sequence[GetPolicyPoolname6]
- IPv6 pool names. The structure of poolname6 block is documented below.
- poolnames Sequence[GetPolicyPoolname]
- IP Pool names. The structure of poolname block is documented below.
- port_preserve str
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- profile_group str
- Name of profile group.
- profile_protocol_options str
- Name of an existing Protocol options profile.
- profile_type str
- Determine whether the firewall policy allows security profile groups or single profiles only.
- radius_mac_auth_bypass str
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- redirect_url str
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg_override_group str
- Override the default replacement message group for this policy.
- reputation_direction str
- Direction of the initial traffic for reputation to take effect.
- reputation_direction6 str
- Direction of the initial traffic for IPv6 reputation to take effect.
- reputation_minimum int
- Minimum Reputation to take action.
- reputation_minimum6 int
- IPv6 Minimum Reputation to take action.
- rsso str
- Enable/disable RADIUS single sign-on (RSSO).
- rtp_addrs Sequence[GetPolicyRtpAddr]
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- rtp_nat str
- Enable Real Time Protocol (RTP) NAT.
- scan_botnet_connections str
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- schedule str
- Schedule name.
- schedule_timeout str
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- sctp_filter_profile str
- Name of an existing SCTP filter profile.
- send_deny_packet str
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- service_negate str
- When enabled service specifies what the service must NOT be.
- services Sequence[GetPolicyService]
- Service and service group names. The structure of service block is documented below.
- session_ttl int
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt_check str
- Enable/disable security group tags (SGT) check.
- sgts Sequence[GetPolicySgt]
- Security group tags. The structure of sgt block is documented below.
- spamfilter_profile str
- Name of an existing Spam filter profile.
- src_vendor_macs Sequence[GetPolicySrcVendorMac]
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- srcaddr6_negate str
- When enabled srcaddr6 specifies what the source address must NOT be.
- srcaddr6s Sequence[GetPolicySrcaddr6]
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- srcaddr_negate str
- When enabled srcaddr specifies what the source address must NOT be.
- srcaddrs Sequence[GetPolicySrcaddr]
- Source address and address group names. The structure of srcaddr block is documented below.
- srcintfs Sequence[GetPolicySrcintf]
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- ssh_filter_profile str
- Name of an existing SSH filter profile.
- ssh_policy_redirect str
- Redirect SSH traffic to matching transparent proxy policy.
- ssl_mirror str
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- ssl_mirror_intfs Sequence[GetPolicySslMirrorIntf]
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- ssl_ssh_profile str
- Name of an existing SSL SSH profile.
- status str
- Enable or disable this policy.
- tcp_mss_receiver int
- Receiver TCP maximum segment size (MSS).
- tcp_mss_sender int
- Sender TCP maximum segment size (MSS).
- tcp_session_without_syn str
- Enable/disable creation of TCP session without SYN flag.
- timeout_send_rst str
- Enable/disable sending RST packets when TCP sessions expire.
- tos str
- ToS (Type of Service) value used for comparison.
- tos_mask str
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos_negate str
- Enable negated TOS match.
- traffic_shaper str
- Traffic shaper.
- traffic_shaper_reverse str
- Reverse traffic shaper.
- url_categories Sequence[GetPolicyUrlCategory]
- URL category ID list. The structure of url_category block is documented below.
- users Sequence[GetPolicyUser]
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- utm_status str
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- uuid str
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- videofilter_profile str
- Name of an existing VideoFilter profile.
- virtual_patch_profile str
- Name of an existing virtual-patch profile.
- vlan_cos_fwd int
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_cos_rev int
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_filter str
- Set VLAN filters.
- voip_profile str
- Name of an existing VoIP profile.
- vpntunnel str
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf_profile str
- Name of an existing Web application firewall profile.
- wanopt str
- Enable/disable WAN optimization.
- wanopt_detection str
- WAN optimization auto-detection mode.
- wanopt_passive_opt str
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- wanopt_peer str
- WAN optimization peer.
- wanopt_profile str
- WAN optimization profile.
- wccp str
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- webcache str
- Enable/disable web cache.
- webcache_https str
- Enable/disable web cache for HTTPS.
- webfilter_profile str
- Name of an existing Web filter profile.
- webproxy_forward_server str
- Web proxy forward server name.
- webproxy_profile str
- Webproxy profile name.
- wsso str
- Enable/disable WiFi Single Sign On (WSSO).
- ztna_device_ownership str
- Enable/disable zero trust device ownership.
- ztna_ems_tag_secondaries Sequence[GetPolicyZtnaEmsTagSecondary]
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- Sequence[GetPolicyZtnaEmsTag]
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- Sequence[GetPolicyZtnaGeoTag]
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ztna_policy_redirect str
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ztna_status str
- Enable/disable zero trust access.
- str
- ZTNA tag matching logic.
- vdomparam str
- action String
- Policy action (allow/deny/ipsec).
- antiReplay String
- Enable/disable anti-replay check.
- appCategories List<Property Map>
- Application category ID list. The structure of app_category block is documented below.
- appGroups List<Property Map>
- Application group names. The structure of app_group block is documented below.
- applicationList String
- Name of an existing Application list.
- applications List<Property Map>
- Application ID list. The structure of application block is documented below.
- authCert String
- HTTPS server certificate for policy authentication.
- authPath String
- Enable/disable authentication-based routing.
- authRedirectAddr String
- HTTP-to-HTTPS redirect address for firewall authentication.
- autoAsicOffload String
- Enable/disable policy traffic ASIC offloading.
- avProfile String
- Name of an existing Antivirus profile.
- blockNotification String
- Enable/disable block notification.
- captivePortalExempt String
- Enable to exempt some users from the captive portal.
- capturePacket String
- Enable/disable capture packets.
- casbProfile String
- Name of an existing CASB profile.
- cifsProfile String
- Name of an existing CIFS profile.
- comments String
- Comment.
- customLogFields List<Property Map>
- Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
- decryptedTrafficMirror String
- Decrypted traffic mirror.
- delayTcpNpuSession String
- Enable TCP NPU session delay to guarantee packet order of 3-way handshake.
- devices List<Property Map>
- Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
- diameterFilterProfile String
- Name of an existing Diameter filter profile.
- diffservCopy String
- Enable to copy packet's DiffServ values from session's original direction to its reply direction.
- diffservForward String
- Enable to change packet's DiffServ values to the specified diffservcode-forward value.
- diffservReverse String
- Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value.
- diffservcodeForward String
- Change packet's DiffServ to this value.
- diffservcodeRev String
- Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer.
- dlpProfile String
- Name of an existing DLP profile.
- dlpSensor String
- Name of an existing DLP sensor.
- dnsfilterProfile String
- Name of an existing DNS filter profile.
- dsri String
- Enable DSRI to ignore HTTP server responses.
- dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be.
- dstaddr6s List<Property Map>
- Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
- dstaddrNegate String
- When enabled dstaddr specifies what the destination address must NOT be.
- dstaddrs List<Property Map>
- Destination address and address group names. The structure of dstaddr block is documented below.
- dstintfs List<Property Map>
- Outgoing (egress) interface. The structure of dstintf block is documented below.
- dynamicShaping String
- Enable/disable dynamic RADIUS defined traffic shaping.
- emailCollect String
- Enable/disable email collection.
- emailfilterProfile String
- Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device.
- fileFilterProfile String
- Name of an existing file-filter profile.
- firewallSessionDirty String
- How to handle sessions if the configuration of this firewall policy changes.
- fixedport String
- Enable to prevent source NAT from changing a session's source port.
- fsso String
- Enable/disable Fortinet Single Sign-On.
- fssoAgentForNtlm String
- FSSO agent to use for NTLM authentication.
- fssoGroups List<Property Map>
- Names of FSSO groups. The structure of fsso_groups block is documented below.
- geoipAnycast String
- Enable/disable recognition of anycast IP addresses using the geography IP database.
- geoipMatch String
- Match geography address based either on its physical location or registered location.
- globalLabel String
- Label for the policy that appears when the GUI is in Global View mode.
- groups List<Property Map>
- Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
- httpPolicyRedirect String
- Redirect HTTP(S) traffic to matching transparent web proxy policy.
- icapProfile String
- Name of an existing ICAP profile.
- id String
- The provider-assigned unique ID for this managed resource.
- identityBasedRoute String
- Name of identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN.
- inspectionMode String
- Policy inspection mode (Flow/proxy). Default is Flow mode.
- internetService String
- Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6 String
- Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used.
- internetService6CustomGroups List<Property Map>
- Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
- internetService6Customs List<Property Map>
- Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
- internetService6Groups List<Property Map>
- Internet Service group name. The structure of internet_service6_group block is documented below.
- internetService6Names List<Property Map>
- IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
- internetService6Negate String
- When enabled internet-service6 specifies what the service must NOT be.
- internetService6Src String
- Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used.
- internetService6SrcCustomGroups List<Property Map>
- Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
- internetService6SrcCustoms List<Property Map>
- Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
- internetService6SrcGroups List<Property Map>
- Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
- internetService6SrcNames List<Property Map>
- IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
- internetService6SrcNegate String
- When enabled internet-service6-src specifies what the service must NOT be.
- internetServiceCustomGroups List<Property Map>
- Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
- internetServiceCustoms List<Property Map>
- Custom Internet Service name. The structure of internet_service_custom block is documented below.
- internetServiceGroups List<Property Map>
- Internet Service group name. The structure of internet_service_group block is documented below.
- internetServiceIds List<Property Map>
- Internet Service ID. The structure of internet_service_id block is documented below.
- internetServiceNames List<Property Map>
- Internet Service name. The structure of internet_service_name block is documented below.
- internetServiceNegate String
- When enabled internet-service specifies what the service must NOT be.
- internetServiceSrc String
- Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
- internetServiceSrcCustomGroups List<Property Map>
- Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
- internetServiceSrcCustoms List<Property Map>
- Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
- internetServiceSrcGroups List<Property Map>
- Internet Service source group name. The structure of internet_service_src_group block is documented below.
- internetServiceSrcIds List<Property Map>
- Internet Service source ID. The structure of internet_service_src_id block is documented below.
- internetServiceSrcNames List<Property Map>
- Internet Service source name. The structure of internet_service_src_name block is documented below.
- internetServiceSrcNegate String
- When enabled internet-service-src specifies what the service must NOT be.
- ippool String
- Enable to use IP Pools for source NAT.
- ipsSensor String
- Name of an existing IPS sensor.
- ipsVoipFilter String
- Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learningMode String
- Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated.
- logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions.
- logtrafficStart String
- Record logs when a session starts.
- matchVip String
- Enable to match packets that have had their destination addresses changed by a VIP.
- matchVipOnly String
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP.
- name String
- Mirror Interface name.
- nat String
- Enable/disable source NAT.
- nat46 String
- Enable/disable NAT46.
- nat64 String
- Enable/disable NAT64.
- natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic.
- natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic.
- networkServiceDynamics List<Property Map>
- Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
- networkServiceSrcDynamics List<Property Map>
- Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
- npAcceleration String
- Enable/disable UTM Network Processor acceleration.
- ntlm String
- Enable/disable NTLM authentication.
- ntlmEnabledBrowsers List<Property Map>
- HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
- ntlmGuest String
- Enable/disable NTLM guest user access.
- outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN.
- passiveWanHealthMeasurement String
- Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled.
- pcpInbound String
- Enable/disable PCP inbound DNAT.
- pcpOutbound String
- Enable/disable PCP outbound SNAT.
- pcpPoolnames List<Property Map>
- PCP pool names. The structure of pcp_poolname block is documented below.
- perIpShaper String
- Per-IP traffic shaper.
- permitAnyHost String
- Accept UDP packets from any host.
- permitStunHost String
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host.
- policyExpiry String
- Enable/disable policy expiry.
- policyExpiryDate String
- Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policyExpiryDateUtc String
- Policy expiry date and time, in epoch format.
- policyid Number
- Policy ID.
- poolname6s List<Property Map>
- IPv6 pool names. The structure of poolname6 block is documented below.
- poolnames List<Property Map>
- IP Pool names. The structure of poolname block is documented below.
- portPreserve String
- Enable/disable preservation of the original source port from source NAT if it has not been used.
- profileGroup String
- Name of profile group.
- profileProtocolOptions String
- Name of an existing Protocol options profile.
- profileType String
- Determine whether the firewall policy allows security profile groups or single profiles only.
- radiusMacAuthBypass String
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server.
- redirectUrl String
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsgOverrideGroup String
- Override the default replacement message group for this policy.
- reputationDirection String
- Direction of the initial traffic for reputation to take effect.
- reputationDirection6 String
- Direction of the initial traffic for IPv6 reputation to take effect.
- reputationMinimum Number
- Minimum Reputation to take action.
- reputationMinimum6 Number
- IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO).
- rtpAddrs List<Property Map>
- Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
- rtpNat String
- Enable Real Time Protocol (RTP) NAT.
- scanBotnetConnections String
- Block or monitor connections to Botnet servers or disable Botnet scanning.
- schedule String
- Schedule name.
- scheduleTimeout String
- Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity.
- sctpFilterProfile String
- Name of an existing SCTP filter profile.
- sendDenyPacket String
- Enable to send a reply when a session is denied or blocked by a firewall policy.
- serviceNegate String
- When enabled service specifies what the service must NOT be.
- services List<Property Map>
- Service and service group names. The structure of service block is documented below.
- sessionTtl Number
- TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgtCheck String
- Enable/disable security group tags (SGT) check.
- sgts List<Property Map>
- Security group tags. The structure of sgt block is documented below.
- spamfilterProfile String
- Name of an existing Spam filter profile.
- srcVendorMacs List<Property Map>
- Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be.
- srcaddr6s List<Property Map>
- Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
- srcaddrNegate String
- When enabled srcaddr specifies what the source address must NOT be.
- srcaddrs List<Property Map>
- Source address and address group names. The structure of srcaddr block is documented below.
- srcintfs List<Property Map>
- Incoming (ingress) interface. The structure of srcintf block is documented below.
- sshFilterProfile String
- Name of an existing SSH filter profile.
- sshPolicyRedirect String
- Redirect SSH traffic to matching transparent proxy policy.
- sslMirror String
- Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring).
- sslMirrorIntfs List<Property Map>
- SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
- sslSshProfile String
- Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy.
- tcpMssReceiver Number
- Receiver TCP maximum segment size (MSS).
- tcpMssSender Number
- Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn String
- Enable/disable creation of TCP session without SYN flag.
- timeoutSendRst String
- Enable/disable sending RST packets when TCP sessions expire.
- tos String
- ToS (Type of Service) value used for comparison.
- tosMask String
- Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tosNegate String
- Enable negated TOS match.
- trafficShaper String
- Traffic shaper.
- trafficShaperReverse String
- Reverse traffic shaper.
- urlCategories List<Property Map>
- URL category ID list. The structure of url_category block is documented below.
- users List<Property Map>
- Names of individual users that can authenticate with this policy. The structure of users block is documented below.
- utmStatus String
- Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
- uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- videofilterProfile String
- Name of an existing VideoFilter profile.
- virtualPatchProfile String
- Name of an existing virtual-patch profile.
- vlanCosFwd Number
- VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanCosRev Number
- VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlanFilter String
- Set VLAN filters.
- voipProfile String
- Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- wafProfile String
- Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization.
- wanoptDetection String
- WAN optimization auto-detection mode.
- wanoptPassiveOpt String
- WAN optimization passive mode options. This option decides what IP address will be used to connect server.
- wanoptPeer String
- WAN optimization peer.
- wanoptProfile String
- WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server.
- webcache String
- Enable/disable web cache.
- webcacheHttps String
- Enable/disable web cache for HTTPS.
- webfilterProfile String
- Name of an existing Web filter profile.
- webproxyForwardServer String
- Web proxy forward server name.
- webproxyProfile String
- Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO).
- ztnaDeviceOwnership String
- Enable/disable zero trust device ownership.
- List<Property Map>
- Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
- List<Property Map>
- Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
- List<Property Map>
- Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
- ztnaPolicyRedirect String
- Redirect ZTNA traffic to matching Access-Proxy proxy-policy.
- ztnaStatus String
- Enable/disable zero trust access.
- String
- ZTNA tag matching logic.
- vdomparam String
Supporting Types
GetPolicyAppCategory
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicyAppGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyApplication
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicyCustomLogField
- FieldId string
- Custom log field.
- FieldId string
- Custom log field.
- fieldId String
- Custom log field.
- fieldId string
- Custom log field.
- field_id str
- Custom log field.
- fieldId String
- Custom log field.
GetPolicyDevice
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyDstaddr
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyDstaddr6
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyDstintf
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyFssoGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6Custom
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6CustomGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6Group
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6Name
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6SrcCustom
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6SrcCustomGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6SrcGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetService6SrcName
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceCustom
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceCustomGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceId
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicyInternetServiceName
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceSrcCustom
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceSrcCustomGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceSrcGroup
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyInternetServiceSrcId
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicyInternetServiceSrcName
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyNetworkServiceDynamic
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyNetworkServiceSrcDynamic
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyNtlmEnabledBrowser
- UserAgentString string
- User agent string.
- UserAgentString string
- User agent string.
- userAgentString String
- User agent string.
- userAgentString string
- User agent string.
- user_agent_string str
- User agent string.
- userAgentString String
- User agent string.
GetPolicyPcpPoolname
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyPoolname
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyPoolname6
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyRtpAddr
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyService
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicySgt
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicySrcVendorMac
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicySrcaddr
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicySrcaddr6
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicySrcintf
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicySslMirrorIntf
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyUrlCategory
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
GetPolicyUser
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyZtnaEmsTag
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyZtnaEmsTagSecondary
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
GetPolicyZtnaGeoTag
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the fortios Terraform Provider.