fortios.firewall.Policy
Configure IPv4 policies.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortios from "@pulumiverse/fortios";
// Matches any IPv4 address; reused for both ends of policy 1.
const anyAddress = { name: "all" };

// Policy 1: plain HTTP accept from port3 to port4 for any source and destination.
// utmStatus is not set, so no security profiles apply to this traffic, and
// logtraffic "utm" only records sessions that raise a UTM event — the policy
// therefore produces little per-session logging (use "all" for full session logs).
const trname = new fortios.firewall.Policy("trname", {
    policyid: 1,
    action: "accept",
    schedule: "always",
    srcintfs: [{ name: "port3" }],
    dstintfs: [{ name: "port4" }],
    srcaddrs: [anyAddress],
    dstaddrs: [anyAddress],
    services: [{ name: "HTTP" }],
    logtraffic: "utm",
    // WAN optimisation, WCCP and web caching are explicitly off.
    wanopt: "disable",
    wanoptDetection: "active",
    wanoptPassiveOpt: "default",
    wccp: "disable",
    webcache: "disable",
    webcacheHttps: "disable",
    wsso: "enable",
});

// Destinations for policy 2 are resolved from the Internet Service Database
// (internetService: "enable"), which is why no dstaddrs entry is given.
const isdbDestinations = [{ name: "Amazon-AWS" }, { name: "GitHub-GitHub" }];

// Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected Internet
// services on port1. utmStatus "enable" is what makes avProfile, ipsSensor and
// sslSshProfile take effect; "certificate-inspection" inspects only the TLS
// handshake/certificate, so AV/IPS do not see decrypted HTTPS payloads here.
const myrule = new fortios.firewall.Policy("myrule", {
    policyid: 2,
    status: "enable",
    action: "accept",
    schedule: "always",
    srcintfs: [{ name: "port2" }],
    dstintfs: [{ name: "port1" }],
    srcaddrs: [{ name: "FABRIC_DEVICE" }],
    internetService: "enable",
    internetServiceNames: isdbDestinations,
    inspectionMode: "flow",
    utmStatus: "enable",
    avProfile: "wifi-default",
    ipsSensor: "protect_email_server",
    sslSshProfile: "certificate-inspection",
    logtraffic: "utm",
    antiReplay: "enable",
    authPath: "disable",
    autoAsicOffload: "enable",
});
import pulumi
import pulumiverse_fortios as fortios
# Matches any IPv4 address. The per-field *Args wrappers differ, so the name is
# shared rather than a single object.
ANY_ADDRESS = "all"

# Policy 1: plain HTTP accept from port3 to port4 for any source and destination.
# utm_status is not set, so no security profiles apply, and logtraffic="utm" only
# records sessions that raise a UTM event — this policy yields little per-session
# logging (use "all" for full session logs).
trname = fortios.firewall.Policy(
    "trname",
    policyid=1,
    action="accept",
    schedule="always",
    srcintfs=[fortios.firewall.PolicySrcintfArgs(name="port3")],
    dstintfs=[fortios.firewall.PolicyDstintfArgs(name="port4")],
    srcaddrs=[fortios.firewall.PolicySrcaddrArgs(name=ANY_ADDRESS)],
    dstaddrs=[fortios.firewall.PolicyDstaddrArgs(name=ANY_ADDRESS)],
    services=[fortios.firewall.PolicyServiceArgs(name="HTTP")],
    logtraffic="utm",
    # WAN optimisation, WCCP and web caching are explicitly off.
    wanopt="disable",
    wanopt_detection="active",
    wanopt_passive_opt="default",
    wccp="disable",
    webcache="disable",
    webcache_https="disable",
    wsso="enable",
)

# Destinations for policy 2 come from the Internet Service Database
# (internet_service="enable"), which is why no dstaddrs is given.
isdb_destinations = [
    fortios.firewall.PolicyInternetServiceNameArgs(name=service)
    for service in ("Amazon-AWS", "GitHub-GitHub")
]

# Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected Internet
# services on port1. utm_status="enable" is what makes av_profile, ips_sensor and
# ssl_ssh_profile take effect; "certificate-inspection" inspects only the TLS
# handshake/certificate, so AV/IPS do not see decrypted HTTPS payloads here.
myrule = fortios.firewall.Policy(
    "myrule",
    policyid=2,
    status="enable",
    action="accept",
    schedule="always",
    srcintfs=[fortios.firewall.PolicySrcintfArgs(name="port2")],
    dstintfs=[fortios.firewall.PolicyDstintfArgs(name="port1")],
    srcaddrs=[fortios.firewall.PolicySrcaddrArgs(name="FABRIC_DEVICE")],
    internet_service="enable",
    internet_service_names=isdb_destinations,
    inspection_mode="flow",
    utm_status="enable",
    av_profile="wifi-default",
    ips_sensor="protect_email_server",
    ssl_ssh_profile="certificate-inspection",
    logtraffic="utm",
    anti_replay="enable",
    auth_path="disable",
    auto_asic_offload="enable",
)
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/firewall"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Matches any IPv4 address; reused for both ends of policy 1.
		anyAddress := pulumi.String("all")

		// Policy 1: plain HTTP accept from port3 to port4 for any source and
		// destination. UtmStatus is not set, so no security profiles apply, and
		// Logtraffic "utm" only records sessions that raise a UTM event — this
		// policy yields little per-session logging (use "all" for full logs).
		trnameArgs := &firewall.PolicyArgs{
			Policyid: pulumi.Int(1),
			Action:   pulumi.String("accept"),
			Schedule: pulumi.String("always"),
			Srcintfs: firewall.PolicySrcintfArray{
				&firewall.PolicySrcintfArgs{Name: pulumi.String("port3")},
			},
			Dstintfs: firewall.PolicyDstintfArray{
				&firewall.PolicyDstintfArgs{Name: pulumi.String("port4")},
			},
			Srcaddrs: firewall.PolicySrcaddrArray{
				&firewall.PolicySrcaddrArgs{Name: anyAddress},
			},
			Dstaddrs: firewall.PolicyDstaddrArray{
				&firewall.PolicyDstaddrArgs{Name: anyAddress},
			},
			Services: firewall.PolicyServiceArray{
				&firewall.PolicyServiceArgs{Name: pulumi.String("HTTP")},
			},
			Logtraffic: pulumi.String("utm"),
			// WAN optimisation, WCCP and web caching are explicitly off.
			Wanopt:           pulumi.String("disable"),
			WanoptDetection:  pulumi.String("active"),
			WanoptPassiveOpt: pulumi.String("default"),
			Wccp:             pulumi.String("disable"),
			Webcache:         pulumi.String("disable"),
			WebcacheHttps:    pulumi.String("disable"),
			Wsso:             pulumi.String("enable"),
		}
		if _, err := firewall.NewPolicy(ctx, "trname", trnameArgs); err != nil {
			return err
		}

		// Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected
		// Internet services on port1. Destinations come from the Internet Service
		// Database (InternetService "enable"), so no Dstaddrs is given. UtmStatus
		// "enable" is what makes AvProfile, IpsSensor and SslSshProfile take effect;
		// "certificate-inspection" inspects only the TLS handshake/certificate, so
		// AV/IPS do not see decrypted HTTPS payloads here.
		myruleArgs := &firewall.PolicyArgs{
			Policyid: pulumi.Int(2),
			Status:   pulumi.String("enable"),
			Action:   pulumi.String("accept"),
			Schedule: pulumi.String("always"),
			Srcintfs: firewall.PolicySrcintfArray{
				&firewall.PolicySrcintfArgs{Name: pulumi.String("port2")},
			},
			Dstintfs: firewall.PolicyDstintfArray{
				&firewall.PolicyDstintfArgs{Name: pulumi.String("port1")},
			},
			Srcaddrs: firewall.PolicySrcaddrArray{
				&firewall.PolicySrcaddrArgs{Name: pulumi.String("FABRIC_DEVICE")},
			},
			InternetService: pulumi.String("enable"),
			InternetServiceNames: firewall.PolicyInternetServiceNameArray{
				&firewall.PolicyInternetServiceNameArgs{Name: pulumi.String("Amazon-AWS")},
				&firewall.PolicyInternetServiceNameArgs{Name: pulumi.String("GitHub-GitHub")},
			},
			InspectionMode:  pulumi.String("flow"),
			UtmStatus:       pulumi.String("enable"),
			AvProfile:       pulumi.String("wifi-default"),
			IpsSensor:       pulumi.String("protect_email_server"),
			SslSshProfile:   pulumi.String("certificate-inspection"),
			Logtraffic:      pulumi.String("utm"),
			AntiReplay:      pulumi.String("enable"),
			AuthPath:        pulumi.String("disable"),
			AutoAsicOffload: pulumi.String("enable"),
		}
		if _, err := firewall.NewPolicy(ctx, "myrule", myruleArgs); err != nil {
			return err
		}

		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortios = Pulumiverse.Fortios;
return await Deployment.RunAsync(() =>
{
    // Matches any IPv4 address; reused for both ends of policy 1.
    var anySource = new Fortios.Firewall.Inputs.PolicySrcaddrArgs { Name = "all" };
    var anyDestination = new Fortios.Firewall.Inputs.PolicyDstaddrArgs { Name = "all" };

    // Policy 1: plain HTTP accept from port3 to port4 for any source and destination.
    // UtmStatus is not set, so no security profiles apply, and Logtraffic "utm" only
    // records sessions that raise a UTM event — this policy yields little per-session
    // logging (use "all" for full session logs).
    var trnameArgs = new Fortios.Firewall.PolicyArgs
    {
        Policyid = 1,
        Action = "accept",
        Schedule = "always",
        Srcintfs = new[] { new Fortios.Firewall.Inputs.PolicySrcintfArgs { Name = "port3" } },
        Dstintfs = new[] { new Fortios.Firewall.Inputs.PolicyDstintfArgs { Name = "port4" } },
        Srcaddrs = new[] { anySource },
        Dstaddrs = new[] { anyDestination },
        Services = new[] { new Fortios.Firewall.Inputs.PolicyServiceArgs { Name = "HTTP" } },
        Logtraffic = "utm",
        // WAN optimisation, WCCP and web caching are explicitly off.
        Wanopt = "disable",
        WanoptDetection = "active",
        WanoptPassiveOpt = "default",
        Wccp = "disable",
        Webcache = "disable",
        WebcacheHttps = "disable",
        Wsso = "enable",
    };
    var trname = new Fortios.Firewall.Policy("trname", trnameArgs);

    // Destinations for policy 2 come from the Internet Service Database
    // (InternetService "enable"), which is why no Dstaddrs is given.
    var isdbDestinations = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs { Name = "Amazon-AWS" },
        new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs { Name = "GitHub-GitHub" },
    };

    // Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected Internet
    // services on port1. UtmStatus "enable" is what makes AvProfile, IpsSensor and
    // SslSshProfile take effect; "certificate-inspection" inspects only the TLS
    // handshake/certificate, so AV/IPS do not see decrypted HTTPS payloads here.
    var myruleArgs = new Fortios.Firewall.PolicyArgs
    {
        Policyid = 2,
        Status = "enable",
        Action = "accept",
        Schedule = "always",
        Srcintfs = new[] { new Fortios.Firewall.Inputs.PolicySrcintfArgs { Name = "port2" } },
        Dstintfs = new[] { new Fortios.Firewall.Inputs.PolicyDstintfArgs { Name = "port1" } },
        Srcaddrs = new[] { new Fortios.Firewall.Inputs.PolicySrcaddrArgs { Name = "FABRIC_DEVICE" } },
        InternetService = "enable",
        InternetServiceNames = isdbDestinations,
        InspectionMode = "flow",
        UtmStatus = "enable",
        AvProfile = "wifi-default",
        IpsSensor = "protect_email_server",
        SslSshProfile = "certificate-inspection",
        Logtraffic = "utm",
        AntiReplay = "enable",
        AuthPath = "disable",
        AutoAsicOffload = "enable",
    };
    var myrule = new Fortios.Firewall.Policy("myrule", myruleArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortios.firewall.Policy;
import com.pulumi.fortios.firewall.PolicyArgs;
import com.pulumi.fortios.firewall.inputs.PolicyDstaddrArgs;
import com.pulumi.fortios.firewall.inputs.PolicyDstintfArgs;
import com.pulumi.fortios.firewall.inputs.PolicyServiceArgs;
import com.pulumi.fortios.firewall.inputs.PolicySrcaddrArgs;
import com.pulumi.fortios.firewall.inputs.PolicySrcintfArgs;
import com.pulumi.fortios.firewall.inputs.PolicyInternetServiceNameArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the two example IPv4 policies: a plain HTTP accept rule and a
     * UTM-inspected rule towards Internet Service Database destinations.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Matches any IPv4 address; reused for both ends of policy 1.
        final String anyAddress = "all";

        // Policy 1: plain HTTP accept from port3 to port4 for any source and destination.
        // utmStatus is not set, so no security profiles apply, and logtraffic "utm" only
        // records sessions that raise a UTM event — this policy yields little per-session
        // logging (use "all" for full session logs).
        var trnameArgs = PolicyArgs.builder()
            .policyid(1)
            .action("accept")
            .schedule("always")
            .srcintfs(PolicySrcintfArgs.builder().name("port3").build())
            .dstintfs(PolicyDstintfArgs.builder().name("port4").build())
            .srcaddrs(PolicySrcaddrArgs.builder().name(anyAddress).build())
            .dstaddrs(PolicyDstaddrArgs.builder().name(anyAddress).build())
            .services(PolicyServiceArgs.builder().name("HTTP").build())
            .logtraffic("utm")
            // WAN optimisation, WCCP and web caching are explicitly off.
            .wanopt("disable")
            .wanoptDetection("active")
            .wanoptPassiveOpt("default")
            .wccp("disable")
            .webcache("disable")
            .webcacheHttps("disable")
            .wsso("enable")
            .build();
        var trname = new Policy("trname", trnameArgs);

        // Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected Internet
        // services on port1. Destinations come from the Internet Service Database
        // (internetService "enable"), so no dstaddrs is given. utmStatus "enable" is what
        // makes avProfile, ipsSensor and sslSshProfile take effect; "certificate-inspection"
        // inspects only the TLS handshake/certificate, so AV/IPS do not see decrypted
        // HTTPS payloads here.
        var myruleArgs = PolicyArgs.builder()
            .policyid(2)
            .status("enable")
            .action("accept")
            .schedule("always")
            .srcintfs(PolicySrcintfArgs.builder().name("port2").build())
            .dstintfs(PolicyDstintfArgs.builder().name("port1").build())
            .srcaddrs(PolicySrcaddrArgs.builder().name("FABRIC_DEVICE").build())
            .internetService("enable")
            .internetServiceNames(
                PolicyInternetServiceNameArgs.builder().name("Amazon-AWS").build(),
                PolicyInternetServiceNameArgs.builder().name("GitHub-GitHub").build())
            .inspectionMode("flow")
            .utmStatus("enable")
            .avProfile("wifi-default")
            .ipsSensor("protect_email_server")
            .sslSshProfile("certificate-inspection")
            .logtraffic("utm")
            .antiReplay("enable")
            .authPath("disable")
            .autoAsicOffload("enable")
            .build();
        var myrule = new Policy("myrule", myruleArgs);
    }
}
resources:
  # Policy 1: plain HTTP accept from port3 to port4 for any source and destination.
  # utmStatus is not set, so no security profiles apply, and logtraffic "utm" only
  # records sessions that raise a UTM event — this policy yields little per-session
  # logging (use "all" for full session logs).
  trname:
    type: fortios:firewall:Policy
    properties:
      action: accept
      dstaddrs:
        - name: all
      dstintfs:
        - name: port4
      logtraffic: utm
      policyid: 1
      schedule: always
      services:
        - name: HTTP
      srcaddrs:
        - name: all
      srcintfs:
        - name: port3
      # WAN optimisation, WCCP and web caching are explicitly off.
      wanopt: disable
      wanoptDetection: active
      wanoptPassiveOpt: default
      wccp: disable
      webcache: disable
      webcacheHttps: disable
      wsso: enable
  # Policy 2: accept from the FABRIC_DEVICE address on port2 to the selected Internet
  # services on port1. Destinations come from the Internet Service Database
  # (internetService: enable), so no dstaddrs is given. utmStatus "enable" is what
  # makes avProfile, ipsSensor and sslSshProfile take effect; "certificate-inspection"
  # inspects only the TLS handshake/certificate, so AV/IPS do not see decrypted
  # HTTPS payloads here.
  myrule:
    type: fortios:firewall:Policy
    properties:
      action: accept
      antiReplay: enable
      authPath: disable
      autoAsicOffload: enable
      avProfile: wifi-default
      dstintfs:
        - name: port1
      inspectionMode: flow
      internetService: enable
      internetServiceNames:
        - name: Amazon-AWS
        - name: GitHub-GitHub
      ipsSensor: protect_email_server
      logtraffic: utm
      policyid: 2
      schedule: always
      srcaddrs:
        - name: FABRIC_DEVICE
      srcintfs:
        - name: port2
      sslSshProfile: certificate-inspection
      status: enable
      utmStatus: enable
Create Policy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
@overload
def Policy(resource_name: str,
args: PolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Policy(resource_name: str,
opts: Optional[ResourceOptions] = None,
dstintfs: Optional[Sequence[PolicyDstintfArgs]] = None,
srcintfs: Optional[Sequence[PolicySrcintfArgs]] = None,
action: Optional[str] = None,
anti_replay: Optional[str] = None,
app_categories: Optional[Sequence[PolicyAppCategoryArgs]] = None,
app_groups: Optional[Sequence[PolicyAppGroupArgs]] = None,
application_list: Optional[str] = None,
applications: Optional[Sequence[PolicyApplicationArgs]] = None,
auth_cert: Optional[str] = None,
auth_path: Optional[str] = None,
auth_redirect_addr: Optional[str] = None,
auto_asic_offload: Optional[str] = None,
av_profile: Optional[str] = None,
block_notification: Optional[str] = None,
captive_portal_exempt: Optional[str] = None,
capture_packet: Optional[str] = None,
casb_profile: Optional[str] = None,
cifs_profile: Optional[str] = None,
comments: Optional[str] = None,
custom_log_fields: Optional[Sequence[PolicyCustomLogFieldArgs]] = None,
decrypted_traffic_mirror: Optional[str] = None,
delay_tcp_npu_session: Optional[str] = None,
devices: Optional[Sequence[PolicyDeviceArgs]] = None,
diameter_filter_profile: Optional[str] = None,
diffserv_copy: Optional[str] = None,
diffserv_forward: Optional[str] = None,
diffserv_reverse: Optional[str] = None,
diffservcode_forward: Optional[str] = None,
diffservcode_rev: Optional[str] = None,
disclaimer: Optional[str] = None,
dlp_profile: Optional[str] = None,
dlp_sensor: Optional[str] = None,
dnsfilter_profile: Optional[str] = None,
dsri: Optional[str] = None,
dstaddr6_negate: Optional[str] = None,
dstaddr6s: Optional[Sequence[PolicyDstaddr6Args]] = None,
dstaddr_negate: Optional[str] = None,
dstaddrs: Optional[Sequence[PolicyDstaddrArgs]] = None,
dynamic_shaping: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
email_collect: Optional[str] = None,
emailfilter_profile: Optional[str] = None,
fec: Optional[str] = None,
file_filter_profile: Optional[str] = None,
firewall_session_dirty: Optional[str] = None,
fixedport: Optional[str] = None,
fsso: Optional[str] = None,
fsso_agent_for_ntlm: Optional[str] = None,
fsso_groups: Optional[Sequence[PolicyFssoGroupArgs]] = None,
geoip_anycast: Optional[str] = None,
geoip_match: Optional[str] = None,
get_all_tables: Optional[str] = None,
global_label: Optional[str] = None,
groups: Optional[Sequence[PolicyGroupArgs]] = None,
http_policy_redirect: Optional[str] = None,
icap_profile: Optional[str] = None,
identity_based_route: Optional[str] = None,
inbound: Optional[str] = None,
inspection_mode: Optional[str] = None,
internet_service: Optional[str] = None,
internet_service6: Optional[str] = None,
internet_service6_custom_groups: Optional[Sequence[PolicyInternetService6CustomGroupArgs]] = None,
internet_service6_customs: Optional[Sequence[PolicyInternetService6CustomArgs]] = None,
internet_service6_groups: Optional[Sequence[PolicyInternetService6GroupArgs]] = None,
internet_service6_names: Optional[Sequence[PolicyInternetService6NameArgs]] = None,
internet_service6_negate: Optional[str] = None,
internet_service6_src: Optional[str] = None,
internet_service6_src_custom_groups: Optional[Sequence[PolicyInternetService6SrcCustomGroupArgs]] = None,
internet_service6_src_customs: Optional[Sequence[PolicyInternetService6SrcCustomArgs]] = None,
internet_service6_src_groups: Optional[Sequence[PolicyInternetService6SrcGroupArgs]] = None,
internet_service6_src_names: Optional[Sequence[PolicyInternetService6SrcNameArgs]] = None,
internet_service6_src_negate: Optional[str] = None,
internet_service_custom_groups: Optional[Sequence[PolicyInternetServiceCustomGroupArgs]] = None,
internet_service_customs: Optional[Sequence[PolicyInternetServiceCustomArgs]] = None,
internet_service_groups: Optional[Sequence[PolicyInternetServiceGroupArgs]] = None,
internet_service_ids: Optional[Sequence[PolicyInternetServiceIdArgs]] = None,
internet_service_names: Optional[Sequence[PolicyInternetServiceNameArgs]] = None,
internet_service_negate: Optional[str] = None,
internet_service_src: Optional[str] = None,
internet_service_src_custom_groups: Optional[Sequence[PolicyInternetServiceSrcCustomGroupArgs]] = None,
internet_service_src_customs: Optional[Sequence[PolicyInternetServiceSrcCustomArgs]] = None,
internet_service_src_groups: Optional[Sequence[PolicyInternetServiceSrcGroupArgs]] = None,
internet_service_src_ids: Optional[Sequence[PolicyInternetServiceSrcIdArgs]] = None,
internet_service_src_names: Optional[Sequence[PolicyInternetServiceSrcNameArgs]] = None,
internet_service_src_negate: Optional[str] = None,
ippool: Optional[str] = None,
ips_sensor: Optional[str] = None,
ips_voip_filter: Optional[str] = None,
label: Optional[str] = None,
learning_mode: Optional[str] = None,
logtraffic: Optional[str] = None,
logtraffic_start: Optional[str] = None,
match_vip: Optional[str] = None,
match_vip_only: Optional[str] = None,
name: Optional[str] = None,
nat: Optional[str] = None,
nat46: Optional[str] = None,
nat64: Optional[str] = None,
natinbound: Optional[str] = None,
natip: Optional[str] = None,
natoutbound: Optional[str] = None,
network_service_dynamics: Optional[Sequence[PolicyNetworkServiceDynamicArgs]] = None,
network_service_src_dynamics: Optional[Sequence[PolicyNetworkServiceSrcDynamicArgs]] = None,
np_acceleration: Optional[str] = None,
ntlm: Optional[str] = None,
ntlm_enabled_browsers: Optional[Sequence[PolicyNtlmEnabledBrowserArgs]] = None,
ntlm_guest: Optional[str] = None,
outbound: Optional[str] = None,
passive_wan_health_measurement: Optional[str] = None,
pcp_inbound: Optional[str] = None,
pcp_outbound: Optional[str] = None,
pcp_poolnames: Optional[Sequence[PolicyPcpPoolnameArgs]] = None,
per_ip_shaper: Optional[str] = None,
permit_any_host: Optional[str] = None,
permit_stun_host: Optional[str] = None,
policy_expiry: Optional[str] = None,
policy_expiry_date: Optional[str] = None,
policy_expiry_date_utc: Optional[str] = None,
policyid: Optional[int] = None,
poolname6s: Optional[Sequence[PolicyPoolname6Args]] = None,
poolnames: Optional[Sequence[PolicyPoolnameArgs]] = None,
port_preserve: Optional[str] = None,
profile_group: Optional[str] = None,
profile_protocol_options: Optional[str] = None,
profile_type: Optional[str] = None,
radius_mac_auth_bypass: Optional[str] = None,
redirect_url: Optional[str] = None,
replacemsg_override_group: Optional[str] = None,
reputation_direction: Optional[str] = None,
reputation_direction6: Optional[str] = None,
reputation_minimum: Optional[int] = None,
reputation_minimum6: Optional[int] = None,
rsso: Optional[str] = None,
rtp_addrs: Optional[Sequence[PolicyRtpAddrArgs]] = None,
rtp_nat: Optional[str] = None,
scan_botnet_connections: Optional[str] = None,
schedule: Optional[str] = None,
schedule_timeout: Optional[str] = None,
sctp_filter_profile: Optional[str] = None,
send_deny_packet: Optional[str] = None,
service_negate: Optional[str] = None,
services: Optional[Sequence[PolicyServiceArgs]] = None,
session_ttl: Optional[int] = None,
sgt_check: Optional[str] = None,
sgts: Optional[Sequence[PolicySgtArgs]] = None,
spamfilter_profile: Optional[str] = None,
src_vendor_macs: Optional[Sequence[PolicySrcVendorMacArgs]] = None,
srcaddr6_negate: Optional[str] = None,
srcaddr6s: Optional[Sequence[PolicySrcaddr6Args]] = None,
srcaddr_negate: Optional[str] = None,
srcaddrs: Optional[Sequence[PolicySrcaddrArgs]] = None,
ssh_filter_profile: Optional[str] = None,
ssh_policy_redirect: Optional[str] = None,
ssl_mirror: Optional[str] = None,
ssl_mirror_intfs: Optional[Sequence[PolicySslMirrorIntfArgs]] = None,
ssl_ssh_profile: Optional[str] = None,
status: Optional[str] = None,
tcp_mss_receiver: Optional[int] = None,
tcp_mss_sender: Optional[int] = None,
tcp_session_without_syn: Optional[str] = None,
timeout_send_rst: Optional[str] = None,
tos: Optional[str] = None,
tos_mask: Optional[str] = None,
tos_negate: Optional[str] = None,
traffic_shaper: Optional[str] = None,
traffic_shaper_reverse: Optional[str] = None,
url_categories: Optional[Sequence[PolicyUrlCategoryArgs]] = None,
users: Optional[Sequence[PolicyUserArgs]] = None,
utm_status: Optional[str] = None,
uuid: Optional[str] = None,
vdomparam: Optional[str] = None,
videofilter_profile: Optional[str] = None,
virtual_patch_profile: Optional[str] = None,
vlan_cos_fwd: Optional[int] = None,
vlan_cos_rev: Optional[int] = None,
vlan_filter: Optional[str] = None,
voip_profile: Optional[str] = None,
vpntunnel: Optional[str] = None,
waf_profile: Optional[str] = None,
wanopt: Optional[str] = None,
wanopt_detection: Optional[str] = None,
wanopt_passive_opt: Optional[str] = None,
wanopt_peer: Optional[str] = None,
wanopt_profile: Optional[str] = None,
wccp: Optional[str] = None,
webcache: Optional[str] = None,
webcache_https: Optional[str] = None,
webfilter_profile: Optional[str] = None,
webproxy_forward_server: Optional[str] = None,
webproxy_profile: Optional[str] = None,
wsso: Optional[str] = None,
ztna_device_ownership: Optional[str] = None,
ztna_ems_tag_secondaries: Optional[Sequence[PolicyZtnaEmsTagSecondaryArgs]] = None,
ztna_ems_tags: Optional[Sequence[PolicyZtnaEmsTagArgs]] = None,
ztna_geo_tags: Optional[Sequence[PolicyZtnaGeoTagArgs]] = None,
ztna_policy_redirect: Optional[str] = None,
ztna_status: Optional[str] = None,
ztna_tags_match_logic: Optional[str] = None)
func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)
type: fortios:firewall:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input property with a placeholder value ("string" / 0).
// It is not a working policy — copy only the properties a real rule needs.
var fortiosPolicyResource = new Fortios.Firewall.Policy("fortiosPolicyResource", new()
{
    // Dstintfs and Srcintfs are listed ahead of the alphabetical properties here and
    // also lead the constructor overload above — presumably the required inputs;
    // confirm against the Inputs section.
    Dstintfs = new[]
    {
        new Fortios.Firewall.Inputs.PolicyDstintfArgs
        {
            Name = "string",
        },
    },
    Srcintfs = new[]
    {
        new Fortios.Firewall.Inputs.PolicySrcintfArgs
        {
            Name = "string",
        },
    },
    // Verdict for matching traffic (the examples above use "accept").
    Action = "string",
    AntiReplay = "string",
    AppCategories = new[]
    {
        new Fortios.Firewall.Inputs.PolicyAppCategoryArgs
        {
            Id = 0,
        },
    },
    AppGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyAppGroupArgs
        {
            Name = "string",
        },
    },
    ApplicationList = "string",
    Applications = new[]
    {
        new Fortios.Firewall.Inputs.PolicyApplicationArgs
        {
            Id = 0,
        },
    },
    AuthCert = "string",
    AuthPath = "string",
    AuthRedirectAddr = "string",
    AutoAsicOffload = "string",
    AvProfile = "string",
    BlockNotification = "string",
    CaptivePortalExempt = "string",
    CapturePacket = "string",
    CasbProfile = "string",
    CifsProfile = "string",
    Comments = "string",
    CustomLogFields = new[]
    {
        new Fortios.Firewall.Inputs.PolicyCustomLogFieldArgs
        {
            FieldId = "string",
        },
    },
    DecryptedTrafficMirror = "string",
    DelayTcpNpuSession = "string",
    Devices = new[]
    {
        new Fortios.Firewall.Inputs.PolicyDeviceArgs
        {
            Name = "string",
        },
    },
    DiameterFilterProfile = "string",
    DiffservCopy = "string",
    DiffservForward = "string",
    DiffservReverse = "string",
    DiffservcodeForward = "string",
    DiffservcodeRev = "string",
    Disclaimer = "string",
    DlpProfile = "string",
    DlpSensor = "string",
    DnsfilterProfile = "string",
    Dsri = "string",
    Dstaddr6Negate = "string",
    Dstaddr6s = new[]
    {
        new Fortios.Firewall.Inputs.PolicyDstaddr6Args
        {
            Name = "string",
        },
    },
    DstaddrNegate = "string",
    Dstaddrs = new[]
    {
        new Fortios.Firewall.Inputs.PolicyDstaddrArgs
        {
            Name = "string",
        },
    },
    DynamicShaping = "string",
    DynamicSortSubtable = "string",
    EmailCollect = "string",
    EmailfilterProfile = "string",
    Fec = "string",
    FileFilterProfile = "string",
    FirewallSessionDirty = "string",
    Fixedport = "string",
    Fsso = "string",
    FssoAgentForNtlm = "string",
    FssoGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyFssoGroupArgs
        {
            Name = "string",
        },
    },
    GeoipAnycast = "string",
    GeoipMatch = "string",
    GetAllTables = "string",
    GlobalLabel = "string",
    Groups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyGroupArgs
        {
            Name = "string",
        },
    },
    HttpPolicyRedirect = "string",
    IcapProfile = "string",
    IdentityBasedRoute = "string",
    Inbound = "string",
    InspectionMode = "string",
    // Internet Service Database matching: when InternetService / InternetServiceSrc is
    // enabled, the corresponding *Names/*Ids/*Customs/*Groups select the destination or
    // source instead of Dstaddrs / Srcaddrs (see the "myrule" example above).
    InternetService = "string",
    InternetService6 = "string",
    InternetService6CustomGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6CustomGroupArgs
        {
            Name = "string",
        },
    },
    InternetService6Customs = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6CustomArgs
        {
            Name = "string",
        },
    },
    InternetService6Groups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6GroupArgs
        {
            Name = "string",
        },
    },
    InternetService6Names = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6NameArgs
        {
            Name = "string",
        },
    },
    InternetService6Negate = "string",
    InternetService6Src = "string",
    InternetService6SrcCustomGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomGroupArgs
        {
            Name = "string",
        },
    },
    InternetService6SrcCustoms = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomArgs
        {
            Name = "string",
        },
    },
    InternetService6SrcGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6SrcGroupArgs
        {
            Name = "string",
        },
    },
    InternetService6SrcNames = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetService6SrcNameArgs
        {
            Name = "string",
        },
    },
    InternetService6SrcNegate = "string",
    InternetServiceCustomGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceCustomGroupArgs
        {
            Name = "string",
        },
    },
    InternetServiceCustoms = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceCustomArgs
        {
            Name = "string",
        },
    },
    InternetServiceGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceGroupArgs
        {
            Name = "string",
        },
    },
    InternetServiceIds = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceIdArgs
        {
            Id = 0,
        },
    },
    InternetServiceNames = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs
        {
            Name = "string",
        },
    },
    InternetServiceNegate = "string",
    InternetServiceSrc = "string",
    InternetServiceSrcCustomGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomGroupArgs
        {
            Name = "string",
        },
    },
    InternetServiceSrcCustoms = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomArgs
        {
            Name = "string",
        },
    },
    InternetServiceSrcGroups = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceSrcGroupArgs
        {
            Name = "string",
        },
    },
    InternetServiceSrcIds = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceSrcIdArgs
        {
            Id = 0,
        },
    },
    InternetServiceSrcNames = new[]
    {
        new Fortios.Firewall.Inputs.PolicyInternetServiceSrcNameArgs
        {
            Name = "string",
        },
    },
    InternetServiceSrcNegate = "string",
    Ippool = "string",
    IpsSensor = "string",
    IpsVoipFilter = "string",
    Label = "string",
    LearningMode = "string",
    // Logtraffic "all" records every session; "utm" only sessions with a security event.
    Logtraffic = "string",
    LogtrafficStart = "string",
    MatchVip = "string",
    MatchVipOnly = "string",
    Name = "string",
    Nat = "string",
    Nat46 = "string",
    Nat64 = "string",
    Natinbound = "string",
    Natip = "string",
    Natoutbound = "string",
    NetworkServiceDynamics = new[]
    {
        new Fortios.Firewall.Inputs.PolicyNetworkServiceDynamicArgs
        {
            Name = "string",
        },
    },
    NetworkServiceSrcDynamics = new[]
    {
        new Fortios.Firewall.Inputs.PolicyNetworkServiceSrcDynamicArgs
        {
            Name = "string",
        },
    },
    NpAcceleration = "string",
    Ntlm = "string",
    NtlmEnabledBrowsers = new[]
    {
        new Fortios.Firewall.Inputs.PolicyNtlmEnabledBrowserArgs
        {
            UserAgentString = "string",
        },
    },
    NtlmGuest = "string",
    Outbound = "string",
    PassiveWanHealthMeasurement = "string",
    PcpInbound = "string",
    PcpOutbound = "string",
    PcpPoolnames = new[]
    {
        new Fortios.Firewall.Inputs.PolicyPcpPoolnameArgs
        {
            Name = "string",
        },
    },
    PerIpShaper = "string",
    PermitAnyHost = "string",
    PermitStunHost = "string",
    // Time-bound rules: PolicyExpiry enables automatic expiry at PolicyExpiryDate.
    PolicyExpiry = "string",
    PolicyExpiryDate = "string",
    PolicyExpiryDateUtc = "string",
    Policyid = 0,
    Poolname6s = new[]
    {
        new Fortios.Firewall.Inputs.PolicyPoolname6Args
        {
            Name = "string",
        },
    },
    Poolnames = new[]
    {
        new Fortios.Firewall.Inputs.PolicyPoolnameArgs
        {
            Name = "string",
        },
    },
    PortPreserve = "string",
    ProfileGroup = "string",
    ProfileProtocolOptions = "string",
    ProfileType = "string",
    RadiusMacAuthBypass = "string",
    RedirectUrl = "string",
    ReplacemsgOverrideGroup = "string",
    ReputationDirection = "string",
    ReputationDirection6 = "string",
    ReputationMinimum = 0,
    ReputationMinimum6 = 0,
    Rsso = "string",
    RtpAddrs = new[]
    {
        new Fortios.Firewall.Inputs.PolicyRtpAddrArgs
        {
            Name = "string",
        },
    },
    RtpNat = "string",
    ScanBotnetConnections = "string",
    Schedule = "string",
    ScheduleTimeout = "string",
    SctpFilterProfile = "string",
    SendDenyPacket = "string",
    ServiceNegate = "string",
    Services = new[]
    {
        new Fortios.Firewall.Inputs.PolicyServiceArgs
        {
            Name = "string",
        },
    },
    SessionTtl = 0,
    SgtCheck = "string",
    Sgts = new[]
    {
        new Fortios.Firewall.Inputs.PolicySgtArgs
        {
            Id = 0,
        },
    },
    SpamfilterProfile = "string",
    SrcVendorMacs = new[]
    {
        new Fortios.Firewall.Inputs.PolicySrcVendorMacArgs
        {
            Id = 0,
        },
    },
    Srcaddr6Negate = "string",
    Srcaddr6s = new[]
    {
        new Fortios.Firewall.Inputs.PolicySrcaddr6Args
        {
            Name = "string",
        },
    },
    SrcaddrNegate = "string",
    Srcaddrs = new[]
    {
        new Fortios.Firewall.Inputs.PolicySrcaddrArgs
        {
            Name = "string",
        },
    },
    SshFilterProfile = "string",
    SshPolicyRedirect = "string",
    SslMirror = "string",
    SslMirrorIntfs = new[]
    {
        new Fortios.Firewall.Inputs.PolicySslMirrorIntfArgs
        {
            Name = "string",
        },
    },
    SslSshProfile = "string",
    Status = "string",
    TcpMssReceiver = 0,
    TcpMssSender = 0,
    TcpSessionWithoutSyn = "string",
    TimeoutSendRst = "string",
    Tos = "string",
    TosMask = "string",
    TosNegate = "string",
    TrafficShaper = "string",
    TrafficShaperReverse = "string",
    UrlCategories = new[]
    {
        new Fortios.Firewall.Inputs.PolicyUrlCategoryArgs
        {
            Id = 0,
        },
    },
    Users = new[]
    {
        new Fortios.Firewall.Inputs.PolicyUserArgs
        {
            Name = "string",
        },
    },
    // Must be "enable" for the security-profile references on this policy (AvProfile,
    // IpsSensor, SslSshProfile, WebfilterProfile, DlpProfile, ...) to be applied — see
    // the "myrule" example above.
    UtmStatus = "string",
    Uuid = "string",
    Vdomparam = "string",
    VideofilterProfile = "string",
    VirtualPatchProfile = "string",
    VlanCosFwd = 0,
    VlanCosRev = 0,
    VlanFilter = "string",
    VoipProfile = "string",
    Vpntunnel = "string",
    WafProfile = "string",
    Wanopt = "string",
    WanoptDetection = "string",
    WanoptPassiveOpt = "string",
    WanoptPeer = "string",
    WanoptProfile = "string",
    Wccp = "string",
    Webcache = "string",
    WebcacheHttps = "string",
    WebfilterProfile = "string",
    WebproxyForwardServer = "string",
    WebproxyProfile = "string",
    Wsso = "string",
    ZtnaDeviceOwnership = "string",
    ZtnaEmsTagSecondaries = new[]
    {
        new Fortios.Firewall.Inputs.PolicyZtnaEmsTagSecondaryArgs
        {
            Name = "string",
        },
    },
    ZtnaEmsTags = new[]
    {
        new Fortios.Firewall.Inputs.PolicyZtnaEmsTagArgs
        {
            Name = "string",
        },
    },
    ZtnaGeoTags = new[]
    {
        new Fortios.Firewall.Inputs.PolicyZtnaGeoTagArgs
        {
            Name = "string",
        },
    },
    ZtnaPolicyRedirect = "string",
    ZtnaStatus = "string",
    ZtnaTagsMatchLogic = "string",
});
example, err := firewall.NewPolicy(ctx, "fortiosPolicyResource", &firewall.PolicyArgs{
Dstintfs: firewall.PolicyDstintfArray{
&firewall.PolicyDstintfArgs{
Name: pulumi.String("string"),
},
},
Srcintfs: firewall.PolicySrcintfArray{
&firewall.PolicySrcintfArgs{
Name: pulumi.String("string"),
},
},
Action: pulumi.String("string"),
AntiReplay: pulumi.String("string"),
AppCategories: firewall.PolicyAppCategoryArray{
&firewall.PolicyAppCategoryArgs{
Id: pulumi.Int(0),
},
},
AppGroups: firewall.PolicyAppGroupArray{
&firewall.PolicyAppGroupArgs{
Name: pulumi.String("string"),
},
},
ApplicationList: pulumi.String("string"),
Applications: firewall.PolicyApplicationArray{
&firewall.PolicyApplicationArgs{
Id: pulumi.Int(0),
},
},
AuthCert: pulumi.String("string"),
AuthPath: pulumi.String("string"),
AuthRedirectAddr: pulumi.String("string"),
AutoAsicOffload: pulumi.String("string"),
AvProfile: pulumi.String("string"),
BlockNotification: pulumi.String("string"),
CaptivePortalExempt: pulumi.String("string"),
CapturePacket: pulumi.String("string"),
CasbProfile: pulumi.String("string"),
CifsProfile: pulumi.String("string"),
Comments: pulumi.String("string"),
CustomLogFields: firewall.PolicyCustomLogFieldArray{
&firewall.PolicyCustomLogFieldArgs{
FieldId: pulumi.String("string"),
},
},
DecryptedTrafficMirror: pulumi.String("string"),
DelayTcpNpuSession: pulumi.String("string"),
Devices: firewall.PolicyDeviceArray{
&firewall.PolicyDeviceArgs{
Name: pulumi.String("string"),
},
},
DiameterFilterProfile: pulumi.String("string"),
DiffservCopy: pulumi.String("string"),
DiffservForward: pulumi.String("string"),
DiffservReverse: pulumi.String("string"),
DiffservcodeForward: pulumi.String("string"),
DiffservcodeRev: pulumi.String("string"),
Disclaimer: pulumi.String("string"),
DlpProfile: pulumi.String("string"),
DlpSensor: pulumi.String("string"),
DnsfilterProfile: pulumi.String("string"),
Dsri: pulumi.String("string"),
Dstaddr6Negate: pulumi.String("string"),
Dstaddr6s: firewall.PolicyDstaddr6Array{
&firewall.PolicyDstaddr6Args{
Name: pulumi.String("string"),
},
},
DstaddrNegate: pulumi.String("string"),
Dstaddrs: firewall.PolicyDstaddrArray{
&firewall.PolicyDstaddrArgs{
Name: pulumi.String("string"),
},
},
DynamicShaping: pulumi.String("string"),
DynamicSortSubtable: pulumi.String("string"),
EmailCollect: pulumi.String("string"),
EmailfilterProfile: pulumi.String("string"),
Fec: pulumi.String("string"),
FileFilterProfile: pulumi.String("string"),
FirewallSessionDirty: pulumi.String("string"),
Fixedport: pulumi.String("string"),
Fsso: pulumi.String("string"),
FssoAgentForNtlm: pulumi.String("string"),
FssoGroups: firewall.PolicyFssoGroupArray{
&firewall.PolicyFssoGroupArgs{
Name: pulumi.String("string"),
},
},
GeoipAnycast: pulumi.String("string"),
GeoipMatch: pulumi.String("string"),
GetAllTables: pulumi.String("string"),
GlobalLabel: pulumi.String("string"),
Groups: firewall.PolicyGroupArray{
&firewall.PolicyGroupArgs{
Name: pulumi.String("string"),
},
},
HttpPolicyRedirect: pulumi.String("string"),
IcapProfile: pulumi.String("string"),
IdentityBasedRoute: pulumi.String("string"),
Inbound: pulumi.String("string"),
InspectionMode: pulumi.String("string"),
InternetService: pulumi.String("string"),
InternetService6: pulumi.String("string"),
InternetService6CustomGroups: firewall.PolicyInternetService6CustomGroupArray{
&firewall.PolicyInternetService6CustomGroupArgs{
Name: pulumi.String("string"),
},
},
InternetService6Customs: firewall.PolicyInternetService6CustomArray{
&firewall.PolicyInternetService6CustomArgs{
Name: pulumi.String("string"),
},
},
InternetService6Groups: firewall.PolicyInternetService6GroupArray{
&firewall.PolicyInternetService6GroupArgs{
Name: pulumi.String("string"),
},
},
InternetService6Names: firewall.PolicyInternetService6NameArray{
&firewall.PolicyInternetService6NameArgs{
Name: pulumi.String("string"),
},
},
InternetService6Negate: pulumi.String("string"),
InternetService6Src: pulumi.String("string"),
InternetService6SrcCustomGroups: firewall.PolicyInternetService6SrcCustomGroupArray{
&firewall.PolicyInternetService6SrcCustomGroupArgs{
Name: pulumi.String("string"),
},
},
InternetService6SrcCustoms: firewall.PolicyInternetService6SrcCustomArray{
&firewall.PolicyInternetService6SrcCustomArgs{
Name: pulumi.String("string"),
},
},
InternetService6SrcGroups: firewall.PolicyInternetService6SrcGroupArray{
&firewall.PolicyInternetService6SrcGroupArgs{
Name: pulumi.String("string"),
},
},
InternetService6SrcNames: firewall.PolicyInternetService6SrcNameArray{
&firewall.PolicyInternetService6SrcNameArgs{
Name: pulumi.String("string"),
},
},
InternetService6SrcNegate: pulumi.String("string"),
InternetServiceCustomGroups: firewall.PolicyInternetServiceCustomGroupArray{
&firewall.PolicyInternetServiceCustomGroupArgs{
Name: pulumi.String("string"),
},
},
InternetServiceCustoms: firewall.PolicyInternetServiceCustomArray{
&firewall.PolicyInternetServiceCustomArgs{
Name: pulumi.String("string"),
},
},
InternetServiceGroups: firewall.PolicyInternetServiceGroupArray{
&firewall.PolicyInternetServiceGroupArgs{
Name: pulumi.String("string"),
},
},
InternetServiceIds: firewall.PolicyInternetServiceIdArray{
&firewall.PolicyInternetServiceIdArgs{
Id: pulumi.Int(0),
},
},
InternetServiceNames: firewall.PolicyInternetServiceNameArray{
&firewall.PolicyInternetServiceNameArgs{
Name: pulumi.String("string"),
},
},
InternetServiceNegate: pulumi.String("string"),
InternetServiceSrc: pulumi.String("string"),
InternetServiceSrcCustomGroups: firewall.PolicyInternetServiceSrcCustomGroupArray{
&firewall.PolicyInternetServiceSrcCustomGroupArgs{
Name: pulumi.String("string"),
},
},
InternetServiceSrcCustoms: firewall.PolicyInternetServiceSrcCustomArray{
&firewall.PolicyInternetServiceSrcCustomArgs{
Name: pulumi.String("string"),
},
},
InternetServiceSrcGroups: firewall.PolicyInternetServiceSrcGroupArray{
&firewall.PolicyInternetServiceSrcGroupArgs{
Name: pulumi.String("string"),
},
},
InternetServiceSrcIds: firewall.PolicyInternetServiceSrcIdArray{
&firewall.PolicyInternetServiceSrcIdArgs{
Id: pulumi.Int(0),
},
},
InternetServiceSrcNames: firewall.PolicyInternetServiceSrcNameArray{
&firewall.PolicyInternetServiceSrcNameArgs{
Name: pulumi.String("string"),
},
},
InternetServiceSrcNegate: pulumi.String("string"),
Ippool: pulumi.String("string"),
IpsSensor: pulumi.String("string"),
IpsVoipFilter: pulumi.String("string"),
Label: pulumi.String("string"),
LearningMode: pulumi.String("string"),
Logtraffic: pulumi.String("string"),
LogtrafficStart: pulumi.String("string"),
MatchVip: pulumi.String("string"),
MatchVipOnly: pulumi.String("string"),
Name: pulumi.String("string"),
Nat: pulumi.String("string"),
Nat46: pulumi.String("string"),
Nat64: pulumi.String("string"),
Natinbound: pulumi.String("string"),
Natip: pulumi.String("string"),
Natoutbound: pulumi.String("string"),
NetworkServiceDynamics: firewall.PolicyNetworkServiceDynamicArray{
&firewall.PolicyNetworkServiceDynamicArgs{
Name: pulumi.String("string"),
},
},
NetworkServiceSrcDynamics: firewall.PolicyNetworkServiceSrcDynamicArray{
&firewall.PolicyNetworkServiceSrcDynamicArgs{
Name: pulumi.String("string"),
},
},
NpAcceleration: pulumi.String("string"),
Ntlm: pulumi.String("string"),
NtlmEnabledBrowsers: firewall.PolicyNtlmEnabledBrowserArray{
&firewall.PolicyNtlmEnabledBrowserArgs{
UserAgentString: pulumi.String("string"),
},
},
NtlmGuest: pulumi.String("string"),
Outbound: pulumi.String("string"),
PassiveWanHealthMeasurement: pulumi.String("string"),
PcpInbound: pulumi.String("string"),
PcpOutbound: pulumi.String("string"),
PcpPoolnames: firewall.PolicyPcpPoolnameArray{
&firewall.PolicyPcpPoolnameArgs{
Name: pulumi.String("string"),
},
},
PerIpShaper: pulumi.String("string"),
PermitAnyHost: pulumi.String("string"),
PermitStunHost: pulumi.String("string"),
PolicyExpiry: pulumi.String("string"),
PolicyExpiryDate: pulumi.String("string"),
PolicyExpiryDateUtc: pulumi.String("string"),
Policyid: pulumi.Int(0),
Poolname6s: firewall.PolicyPoolname6Array{
&firewall.PolicyPoolname6Args{
Name: pulumi.String("string"),
},
},
Poolnames: firewall.PolicyPoolnameArray{
&firewall.PolicyPoolnameArgs{
Name: pulumi.String("string"),
},
},
PortPreserve: pulumi.String("string"),
ProfileGroup: pulumi.String("string"),
ProfileProtocolOptions: pulumi.String("string"),
ProfileType: pulumi.String("string"),
RadiusMacAuthBypass: pulumi.String("string"),
RedirectUrl: pulumi.String("string"),
ReplacemsgOverrideGroup: pulumi.String("string"),
ReputationDirection: pulumi.String("string"),
ReputationDirection6: pulumi.String("string"),
ReputationMinimum: pulumi.Int(0),
ReputationMinimum6: pulumi.Int(0),
Rsso: pulumi.String("string"),
RtpAddrs: firewall.PolicyRtpAddrArray{
&firewall.PolicyRtpAddrArgs{
Name: pulumi.String("string"),
},
},
RtpNat: pulumi.String("string"),
ScanBotnetConnections: pulumi.String("string"),
Schedule: pulumi.String("string"),
ScheduleTimeout: pulumi.String("string"),
SctpFilterProfile: pulumi.String("string"),
SendDenyPacket: pulumi.String("string"),
ServiceNegate: pulumi.String("string"),
Services: firewall.PolicyServiceArray{
&firewall.PolicyServiceArgs{
Name: pulumi.String("string"),
},
},
SessionTtl: pulumi.Int(0),
SgtCheck: pulumi.String("string"),
Sgts: firewall.PolicySgtArray{
&firewall.PolicySgtArgs{
Id: pulumi.Int(0),
},
},
SpamfilterProfile: pulumi.String("string"),
SrcVendorMacs: firewall.PolicySrcVendorMacArray{
&firewall.PolicySrcVendorMacArgs{
Id: pulumi.Int(0),
},
},
Srcaddr6Negate: pulumi.String("string"),
Srcaddr6s: firewall.PolicySrcaddr6Array{
&firewall.PolicySrcaddr6Args{
Name: pulumi.String("string"),
},
},
SrcaddrNegate: pulumi.String("string"),
Srcaddrs: firewall.PolicySrcaddrArray{
&firewall.PolicySrcaddrArgs{
Name: pulumi.String("string"),
},
},
SshFilterProfile: pulumi.String("string"),
SshPolicyRedirect: pulumi.String("string"),
SslMirror: pulumi.String("string"),
SslMirrorIntfs: firewall.PolicySslMirrorIntfArray{
&firewall.PolicySslMirrorIntfArgs{
Name: pulumi.String("string"),
},
},
SslSshProfile: pulumi.String("string"),
Status: pulumi.String("string"),
TcpMssReceiver: pulumi.Int(0),
TcpMssSender: pulumi.Int(0),
TcpSessionWithoutSyn: pulumi.String("string"),
TimeoutSendRst: pulumi.String("string"),
Tos: pulumi.String("string"),
TosMask: pulumi.String("string"),
TosNegate: pulumi.String("string"),
TrafficShaper: pulumi.String("string"),
TrafficShaperReverse: pulumi.String("string"),
UrlCategories: firewall.PolicyUrlCategoryArray{
&firewall.PolicyUrlCategoryArgs{
Id: pulumi.Int(0),
},
},
Users: firewall.PolicyUserArray{
&firewall.PolicyUserArgs{
Name: pulumi.String("string"),
},
},
UtmStatus: pulumi.String("string"),
Uuid: pulumi.String("string"),
Vdomparam: pulumi.String("string"),
VideofilterProfile: pulumi.String("string"),
VirtualPatchProfile: pulumi.String("string"),
VlanCosFwd: pulumi.Int(0),
VlanCosRev: pulumi.Int(0),
VlanFilter: pulumi.String("string"),
VoipProfile: pulumi.String("string"),
Vpntunnel: pulumi.String("string"),
WafProfile: pulumi.String("string"),
Wanopt: pulumi.String("string"),
WanoptDetection: pulumi.String("string"),
WanoptPassiveOpt: pulumi.String("string"),
WanoptPeer: pulumi.String("string"),
WanoptProfile: pulumi.String("string"),
Wccp: pulumi.String("string"),
Webcache: pulumi.String("string"),
WebcacheHttps: pulumi.String("string"),
WebfilterProfile: pulumi.String("string"),
WebproxyForwardServer: pulumi.String("string"),
WebproxyProfile: pulumi.String("string"),
Wsso: pulumi.String("string"),
ZtnaDeviceOwnership: pulumi.String("string"),
ZtnaEmsTagSecondaries: firewall.PolicyZtnaEmsTagSecondaryArray{
&firewall.PolicyZtnaEmsTagSecondaryArgs{
Name: pulumi.String("string"),
},
},
ZtnaEmsTags: firewall.PolicyZtnaEmsTagArray{
&firewall.PolicyZtnaEmsTagArgs{
Name: pulumi.String("string"),
},
},
ZtnaGeoTags: firewall.PolicyZtnaGeoTagArray{
&firewall.PolicyZtnaGeoTagArgs{
Name: pulumi.String("string"),
},
},
ZtnaPolicyRedirect: pulumi.String("string"),
ZtnaStatus: pulumi.String("string"),
ZtnaTagsMatchLogic: pulumi.String("string"),
})
// Constructor-syntax listing for fortios.firewall.Policy: every property is set to a
// placeholder ("string" / 0) purely to show the accepted names and shapes. It is not a
// deployable policy.
// NOTE(review): the remarks below are reviewer caveats inferred from property names;
// confirm each against the FortiOS reference for the target firmware before relying on it.
var fortiosPolicyResource = new Policy("fortiosPolicyResource", PolicyArgs.builder()
.dstintfs(PolicyDstintfArgs.builder()
.name("string")
.build())
.srcintfs(PolicySrcintfArgs.builder()
.name("string")
.build())
// Core decision tuple: action plus the src/dst interface, address and service lists.
.action("string")
// NOTE(review): presumably toggles TCP anti-replay/sequence checking; keep the default
// unless a specific flow breaks — confirm.
.antiReplay("string")
.appCategories(PolicyAppCategoryArgs.builder()
.id(0)
.build())
.appGroups(PolicyAppGroupArgs.builder()
.name("string")
.build())
.applicationList("string")
.applications(PolicyApplicationArgs.builder()
.id(0)
.build())
.authCert("string")
.authPath("string")
.authRedirectAddr("string")
.autoAsicOffload("string")
.avProfile("string")
.blockNotification("string")
// NOTE(review): name suggests matching traffic bypasses captive-portal authentication;
// treat as an auth exemption and scope it tightly — confirm.
.captivePortalExempt("string")
.capturePacket("string")
.casbProfile("string")
.cifsProfile("string")
// Record owner / change ticket here so the rule's purpose survives staff turnover.
.comments("string")
.customLogFields(PolicyCustomLogFieldArgs.builder()
.fieldId("string")
.build())
// NOTE(review): name suggests decrypted (plaintext) TLS content is copied elsewhere;
// if so, the receiving interface must be as protected as the original data — confirm.
.decryptedTrafficMirror("string")
.delayTcpNpuSession("string")
.devices(PolicyDeviceArgs.builder()
.name("string")
.build())
.diameterFilterProfile("string")
.diffservCopy("string")
.diffservForward("string")
.diffservReverse("string")
.diffservcodeForward("string")
.diffservcodeRev("string")
.disclaimer("string")
.dlpProfile("string")
.dlpSensor("string")
.dnsfilterProfile("string")
.dsri("string")
// NOTE(review): every *Negate flag below presumably inverts the match of its list; an
// inverted address/service set can widen an accept rule far beyond intent — review each.
.dstaddr6Negate("string")
.dstaddr6s(PolicyDstaddr6Args.builder()
.name("string")
.build())
.dstaddrNegate("string")
.dstaddrs(PolicyDstaddrArgs.builder()
.name("string")
.build())
.dynamicShaping("string")
// NOTE(review): looks like a provider-side option rather than a FortiOS policy field — verify.
.dynamicSortSubtable("string")
.emailCollect("string")
.emailfilterProfile("string")
.fec("string")
.fileFilterProfile("string")
.firewallSessionDirty("string")
.fixedport("string")
.fsso("string")
.fssoAgentForNtlm("string")
.fssoGroups(PolicyFssoGroupArgs.builder()
.name("string")
.build())
.geoipAnycast("string")
.geoipMatch("string")
// NOTE(review): looks like a provider-side read option rather than a FortiOS policy field — verify.
.getAllTables("string")
.globalLabel("string")
.groups(PolicyGroupArgs.builder()
.name("string")
.build())
.httpPolicyRedirect("string")
.icapProfile("string")
.identityBasedRoute("string")
.inbound("string")
.inspectionMode("string")
.internetService("string")
.internetService6("string")
.internetService6CustomGroups(PolicyInternetService6CustomGroupArgs.builder()
.name("string")
.build())
.internetService6Customs(PolicyInternetService6CustomArgs.builder()
.name("string")
.build())
.internetService6Groups(PolicyInternetService6GroupArgs.builder()
.name("string")
.build())
.internetService6Names(PolicyInternetService6NameArgs.builder()
.name("string")
.build())
.internetService6Negate("string")
.internetService6Src("string")
.internetService6SrcCustomGroups(PolicyInternetService6SrcCustomGroupArgs.builder()
.name("string")
.build())
.internetService6SrcCustoms(PolicyInternetService6SrcCustomArgs.builder()
.name("string")
.build())
.internetService6SrcGroups(PolicyInternetService6SrcGroupArgs.builder()
.name("string")
.build())
.internetService6SrcNames(PolicyInternetService6SrcNameArgs.builder()
.name("string")
.build())
.internetService6SrcNegate("string")
.internetServiceCustomGroups(PolicyInternetServiceCustomGroupArgs.builder()
.name("string")
.build())
.internetServiceCustoms(PolicyInternetServiceCustomArgs.builder()
.name("string")
.build())
.internetServiceGroups(PolicyInternetServiceGroupArgs.builder()
.name("string")
.build())
.internetServiceIds(PolicyInternetServiceIdArgs.builder()
.id(0)
.build())
.internetServiceNames(PolicyInternetServiceNameArgs.builder()
.name("string")
.build())
.internetServiceNegate("string")
.internetServiceSrc("string")
.internetServiceSrcCustomGroups(PolicyInternetServiceSrcCustomGroupArgs.builder()
.name("string")
.build())
.internetServiceSrcCustoms(PolicyInternetServiceSrcCustomArgs.builder()
.name("string")
.build())
.internetServiceSrcGroups(PolicyInternetServiceSrcGroupArgs.builder()
.name("string")
.build())
.internetServiceSrcIds(PolicyInternetServiceSrcIdArgs.builder()
.id(0)
.build())
.internetServiceSrcNames(PolicyInternetServiceSrcNameArgs.builder()
.name("string")
.build())
.internetServiceSrcNegate("string")
.ippool("string")
.ipsSensor("string")
.ipsVoipFilter("string")
.label("string")
.learningMode("string")
// NOTE(review): controls what this rule logs; keep logging on for accept rules so matches
// are visible to detection — confirm the accepted values against the FortiOS reference.
.logtraffic("string")
.logtrafficStart("string")
.matchVip("string")
.matchVipOnly("string")
.name("string")
// NOTE(review): nat/natip/ippool/poolnames presumably select source NAT; an unintended
// NAT on an internal rule hides the true client address from downstream logs — verify.
.nat("string")
.nat46("string")
.nat64("string")
.natinbound("string")
.natip("string")
.natoutbound("string")
.networkServiceDynamics(PolicyNetworkServiceDynamicArgs.builder()
.name("string")
.build())
.networkServiceSrcDynamics(PolicyNetworkServiceSrcDynamicArgs.builder()
.name("string")
.build())
.npAcceleration("string")
.ntlm("string")
.ntlmEnabledBrowsers(PolicyNtlmEnabledBrowserArgs.builder()
.userAgentString("string")
.build())
// NOTE(review): name suggests unauthenticated (guest) access when NTLM auth fails — an
// auth bypass if enabled unintentionally; confirm.
.ntlmGuest("string")
.outbound("string")
.passiveWanHealthMeasurement("string")
.pcpInbound("string")
.pcpOutbound("string")
.pcpPoolnames(PolicyPcpPoolnameArgs.builder()
.name("string")
.build())
.perIpShaper("string")
// NOTE(review): permitAnyHost/permitStunHost presumably relax session-origin checks for
// NAT traversal; enable only for the specific VoIP/STUN flows that need it — confirm.
.permitAnyHost("string")
.permitStunHost("string")
// NOTE(review): policyExpiry* look like a time-bounded rule — handy for temporary
// exceptions so they cannot be forgotten; confirm the expected date format.
.policyExpiry("string")
.policyExpiryDate("string")
.policyExpiryDateUtc("string")
.policyid(0)
.poolname6s(PolicyPoolname6Args.builder()
.name("string")
.build())
.poolnames(PolicyPoolnameArgs.builder()
.name("string")
.build())
.portPreserve("string")
.profileGroup("string")
.profileProtocolOptions("string")
.profileType("string")
.radiusMacAuthBypass("string")
.redirectUrl("string")
.replacemsgOverrideGroup("string")
.reputationDirection("string")
.reputationDirection6("string")
.reputationMinimum(0)
.reputationMinimum6(0)
.rsso("string")
.rtpAddrs(PolicyRtpAddrArgs.builder()
.name("string")
.build())
.rtpNat("string")
.scanBotnetConnections("string")
.schedule("string")
.scheduleTimeout("string")
.sctpFilterProfile("string")
.sendDenyPacket("string")
.serviceNegate("string")
.services(PolicyServiceArgs.builder()
.name("string")
.build())
.sessionTtl(0)
.sgtCheck("string")
.sgts(PolicySgtArgs.builder()
.id(0)
.build())
.spamfilterProfile("string")
.srcVendorMacs(PolicySrcVendorMacArgs.builder()
.id(0)
.build())
.srcaddr6Negate("string")
.srcaddr6s(PolicySrcaddr6Args.builder()
.name("string")
.build())
.srcaddrNegate("string")
.srcaddrs(PolicySrcaddrArgs.builder()
.name("string")
.build())
.sshFilterProfile("string")
.sshPolicyRedirect("string")
// NOTE(review): sslMirror/sslMirrorIntfs presumably copy inspected SSL traffic to other
// interfaces; treat the mirror targets as holding plaintext — confirm.
.sslMirror("string")
.sslMirrorIntfs(PolicySslMirrorIntfArgs.builder()
.name("string")
.build())
// NOTE(review): selects the TLS/SSH inspection profile; deep inspection implies the
// firewall re-signs certificates, so choose deliberately per rule — confirm.
.sslSshProfile("string")
// Enable/disable switch for the whole rule.
.status("string")
.tcpMssReceiver(0)
.tcpMssSender(0)
// NOTE(review): presumably allows sessions without a SYN (asymmetric routing); it also
// weakens TCP state validation, so keep it off unless routing requires it — confirm.
.tcpSessionWithoutSyn("string")
.timeoutSendRst("string")
.tos("string")
.tosMask("string")
.tosNegate("string")
.trafficShaper("string")
.trafficShaperReverse("string")
.urlCategories(PolicyUrlCategoryArgs.builder()
.id(0)
.build())
.users(PolicyUserArgs.builder()
.name("string")
.build())
.utmStatus("string")
// NOTE(review): presumably the FortiOS-assigned identifier; verify whether it is meant to be set.
.uuid("string")
// NOTE(review): presumably the VDOM the rule is created in — verify.
.vdomparam("string")
.videofilterProfile("string")
.virtualPatchProfile("string")
.vlanCosFwd(0)
.vlanCosRev(0)
.vlanFilter("string")
.voipProfile("string")
.vpntunnel("string")
.wafProfile("string")
.wanopt("string")
.wanoptDetection("string")
.wanoptPassiveOpt("string")
.wanoptPeer("string")
.wanoptProfile("string")
.wccp("string")
.webcache("string")
.webcacheHttps("string")
.webfilterProfile("string")
.webproxyForwardServer("string")
.webproxyProfile("string")
.wsso("string")
.ztnaDeviceOwnership("string")
.ztnaEmsTagSecondaries(PolicyZtnaEmsTagSecondaryArgs.builder()
.name("string")
.build())
.ztnaEmsTags(PolicyZtnaEmsTagArgs.builder()
.name("string")
.build())
.ztnaGeoTags(PolicyZtnaGeoTagArgs.builder()
.name("string")
.build())
.ztnaPolicyRedirect("string")
.ztnaStatus("string")
.ztnaTagsMatchLogic("string")
.build());
# Constructor-syntax listing for fortios.firewall.Policy: every argument is set to a
# placeholder ("string" / 0) purely to show the accepted names and shapes. It is not a
# deployable policy.
# NOTE(review): the remarks below are reviewer caveats inferred from argument names;
# confirm each against the FortiOS reference for the target firmware before relying on it.
fortios_policy_resource = fortios.firewall.Policy("fortiosPolicyResource",
dstintfs=[fortios.firewall.PolicyDstintfArgs(
name="string",
)],
srcintfs=[fortios.firewall.PolicySrcintfArgs(
name="string",
)],
# Core decision tuple: action plus the src/dst interface, address and service lists.
action="string",
# NOTE(review): presumably toggles TCP anti-replay/sequence checking; keep the default
# unless a specific flow breaks — confirm.
anti_replay="string",
app_categories=[fortios.firewall.PolicyAppCategoryArgs(
id=0,
)],
app_groups=[fortios.firewall.PolicyAppGroupArgs(
name="string",
)],
application_list="string",
applications=[fortios.firewall.PolicyApplicationArgs(
id=0,
)],
auth_cert="string",
auth_path="string",
auth_redirect_addr="string",
auto_asic_offload="string",
av_profile="string",
block_notification="string",
# NOTE(review): name suggests matching traffic bypasses captive-portal authentication;
# treat as an auth exemption and scope it tightly — confirm.
captive_portal_exempt="string",
capture_packet="string",
casb_profile="string",
cifs_profile="string",
# Record owner / change ticket here so the rule's purpose survives staff turnover.
comments="string",
custom_log_fields=[fortios.firewall.PolicyCustomLogFieldArgs(
field_id="string",
)],
# NOTE(review): name suggests decrypted (plaintext) TLS content is copied elsewhere;
# if so, the receiving interface must be as protected as the original data — confirm.
decrypted_traffic_mirror="string",
delay_tcp_npu_session="string",
devices=[fortios.firewall.PolicyDeviceArgs(
name="string",
)],
diameter_filter_profile="string",
diffserv_copy="string",
diffserv_forward="string",
diffserv_reverse="string",
diffservcode_forward="string",
diffservcode_rev="string",
disclaimer="string",
dlp_profile="string",
dlp_sensor="string",
dnsfilter_profile="string",
dsri="string",
# NOTE(review): every *_negate flag below presumably inverts the match of its list; an
# inverted address/service set can widen an accept rule far beyond intent — review each.
dstaddr6_negate="string",
dstaddr6s=[fortios.firewall.PolicyDstaddr6Args(
name="string",
)],
dstaddr_negate="string",
dstaddrs=[fortios.firewall.PolicyDstaddrArgs(
name="string",
)],
dynamic_shaping="string",
# NOTE(review): looks like a provider-side option rather than a FortiOS policy field — verify.
dynamic_sort_subtable="string",
email_collect="string",
emailfilter_profile="string",
fec="string",
file_filter_profile="string",
firewall_session_dirty="string",
fixedport="string",
fsso="string",
fsso_agent_for_ntlm="string",
fsso_groups=[fortios.firewall.PolicyFssoGroupArgs(
name="string",
)],
geoip_anycast="string",
geoip_match="string",
# NOTE(review): looks like a provider-side read option rather than a FortiOS policy field — verify.
get_all_tables="string",
global_label="string",
groups=[fortios.firewall.PolicyGroupArgs(
name="string",
)],
http_policy_redirect="string",
icap_profile="string",
identity_based_route="string",
inbound="string",
inspection_mode="string",
internet_service="string",
internet_service6="string",
internet_service6_custom_groups=[fortios.firewall.PolicyInternetService6CustomGroupArgs(
name="string",
)],
internet_service6_customs=[fortios.firewall.PolicyInternetService6CustomArgs(
name="string",
)],
internet_service6_groups=[fortios.firewall.PolicyInternetService6GroupArgs(
name="string",
)],
internet_service6_names=[fortios.firewall.PolicyInternetService6NameArgs(
name="string",
)],
internet_service6_negate="string",
internet_service6_src="string",
internet_service6_src_custom_groups=[fortios.firewall.PolicyInternetService6SrcCustomGroupArgs(
name="string",
)],
internet_service6_src_customs=[fortios.firewall.PolicyInternetService6SrcCustomArgs(
name="string",
)],
internet_service6_src_groups=[fortios.firewall.PolicyInternetService6SrcGroupArgs(
name="string",
)],
internet_service6_src_names=[fortios.firewall.PolicyInternetService6SrcNameArgs(
name="string",
)],
internet_service6_src_negate="string",
internet_service_custom_groups=[fortios.firewall.PolicyInternetServiceCustomGroupArgs(
name="string",
)],
internet_service_customs=[fortios.firewall.PolicyInternetServiceCustomArgs(
name="string",
)],
internet_service_groups=[fortios.firewall.PolicyInternetServiceGroupArgs(
name="string",
)],
internet_service_ids=[fortios.firewall.PolicyInternetServiceIdArgs(
id=0,
)],
internet_service_names=[fortios.firewall.PolicyInternetServiceNameArgs(
name="string",
)],
internet_service_negate="string",
internet_service_src="string",
internet_service_src_custom_groups=[fortios.firewall.PolicyInternetServiceSrcCustomGroupArgs(
name="string",
)],
internet_service_src_customs=[fortios.firewall.PolicyInternetServiceSrcCustomArgs(
name="string",
)],
internet_service_src_groups=[fortios.firewall.PolicyInternetServiceSrcGroupArgs(
name="string",
)],
internet_service_src_ids=[fortios.firewall.PolicyInternetServiceSrcIdArgs(
id=0,
)],
internet_service_src_names=[fortios.firewall.PolicyInternetServiceSrcNameArgs(
name="string",
)],
internet_service_src_negate="string",
ippool="string",
ips_sensor="string",
ips_voip_filter="string",
label="string",
learning_mode="string",
# NOTE(review): controls what this rule logs; keep logging on for accept rules so matches
# are visible to detection — confirm the accepted values against the FortiOS reference.
logtraffic="string",
logtraffic_start="string",
match_vip="string",
match_vip_only="string",
name="string",
# NOTE(review): nat/natip/ippool/poolnames presumably select source NAT; an unintended
# NAT on an internal rule hides the true client address from downstream logs — verify.
nat="string",
nat46="string",
nat64="string",
natinbound="string",
natip="string",
natoutbound="string",
network_service_dynamics=[fortios.firewall.PolicyNetworkServiceDynamicArgs(
name="string",
)],
network_service_src_dynamics=[fortios.firewall.PolicyNetworkServiceSrcDynamicArgs(
name="string",
)],
np_acceleration="string",
ntlm="string",
ntlm_enabled_browsers=[fortios.firewall.PolicyNtlmEnabledBrowserArgs(
user_agent_string="string",
)],
# NOTE(review): name suggests unauthenticated (guest) access when NTLM auth fails — an
# auth bypass if enabled unintentionally; confirm.
ntlm_guest="string",
outbound="string",
passive_wan_health_measurement="string",
pcp_inbound="string",
pcp_outbound="string",
pcp_poolnames=[fortios.firewall.PolicyPcpPoolnameArgs(
name="string",
)],
per_ip_shaper="string",
# NOTE(review): permit_any_host/permit_stun_host presumably relax session-origin checks
# for NAT traversal; enable only for the specific VoIP/STUN flows that need it — confirm.
permit_any_host="string",
permit_stun_host="string",
# NOTE(review): policy_expiry* look like a time-bounded rule — handy for temporary
# exceptions so they cannot be forgotten; confirm the expected date format.
policy_expiry="string",
policy_expiry_date="string",
policy_expiry_date_utc="string",
policyid=0,
poolname6s=[fortios.firewall.PolicyPoolname6Args(
name="string",
)],
poolnames=[fortios.firewall.PolicyPoolnameArgs(
name="string",
)],
port_preserve="string",
profile_group="string",
profile_protocol_options="string",
profile_type="string",
radius_mac_auth_bypass="string",
redirect_url="string",
replacemsg_override_group="string",
reputation_direction="string",
reputation_direction6="string",
reputation_minimum=0,
reputation_minimum6=0,
rsso="string",
rtp_addrs=[fortios.firewall.PolicyRtpAddrArgs(
name="string",
)],
rtp_nat="string",
scan_botnet_connections="string",
schedule="string",
schedule_timeout="string",
sctp_filter_profile="string",
send_deny_packet="string",
service_negate="string",
services=[fortios.firewall.PolicyServiceArgs(
name="string",
)],
session_ttl=0,
sgt_check="string",
sgts=[fortios.firewall.PolicySgtArgs(
id=0,
)],
spamfilter_profile="string",
src_vendor_macs=[fortios.firewall.PolicySrcVendorMacArgs(
id=0,
)],
srcaddr6_negate="string",
srcaddr6s=[fortios.firewall.PolicySrcaddr6Args(
name="string",
)],
srcaddr_negate="string",
srcaddrs=[fortios.firewall.PolicySrcaddrArgs(
name="string",
)],
ssh_filter_profile="string",
ssh_policy_redirect="string",
# NOTE(review): ssl_mirror/ssl_mirror_intfs presumably copy inspected SSL traffic to other
# interfaces; treat the mirror targets as holding plaintext — confirm.
ssl_mirror="string",
ssl_mirror_intfs=[fortios.firewall.PolicySslMirrorIntfArgs(
name="string",
)],
# NOTE(review): selects the TLS/SSH inspection profile; deep inspection implies the
# firewall re-signs certificates, so choose deliberately per rule — confirm.
ssl_ssh_profile="string",
# Enable/disable switch for the whole rule.
status="string",
tcp_mss_receiver=0,
tcp_mss_sender=0,
# NOTE(review): presumably allows sessions without a SYN (asymmetric routing); it also
# weakens TCP state validation, so keep it off unless routing requires it — confirm.
tcp_session_without_syn="string",
timeout_send_rst="string",
tos="string",
tos_mask="string",
tos_negate="string",
traffic_shaper="string",
traffic_shaper_reverse="string",
url_categories=[fortios.firewall.PolicyUrlCategoryArgs(
id=0,
)],
users=[fortios.firewall.PolicyUserArgs(
name="string",
)],
utm_status="string",
# NOTE(review): presumably the FortiOS-assigned identifier; verify whether it is meant to be set.
uuid="string",
# NOTE(review): presumably the VDOM the rule is created in — verify.
vdomparam="string",
videofilter_profile="string",
virtual_patch_profile="string",
vlan_cos_fwd=0,
vlan_cos_rev=0,
vlan_filter="string",
voip_profile="string",
vpntunnel="string",
waf_profile="string",
wanopt="string",
wanopt_detection="string",
wanopt_passive_opt="string",
wanopt_peer="string",
wanopt_profile="string",
wccp="string",
webcache="string",
webcache_https="string",
webfilter_profile="string",
webproxy_forward_server="string",
webproxy_profile="string",
wsso="string",
ztna_device_ownership="string",
ztna_ems_tag_secondaries=[fortios.firewall.PolicyZtnaEmsTagSecondaryArgs(
name="string",
)],
ztna_ems_tags=[fortios.firewall.PolicyZtnaEmsTagArgs(
name="string",
)],
ztna_geo_tags=[fortios.firewall.PolicyZtnaGeoTagArgs(
name="string",
)],
ztna_policy_redirect="string",
ztna_status="string",
ztna_tags_match_logic="string")
// Constructor-syntax listing for fortios.firewall.Policy: every property is set to a
// placeholder ("string" / 0) purely to show the accepted names and shapes. It is not a
// deployable policy.
// NOTE(review): the remarks below are reviewer caveats inferred from property names;
// confirm each against the FortiOS reference for the target firmware before relying on it.
const fortiosPolicyResource = new fortios.firewall.Policy("fortiosPolicyResource", {
dstintfs: [{
name: "string",
}],
srcintfs: [{
name: "string",
}],
// Core decision tuple: action plus the src/dst interface, address and service lists.
action: "string",
// NOTE(review): presumably toggles TCP anti-replay/sequence checking; keep the default
// unless a specific flow breaks — confirm.
antiReplay: "string",
appCategories: [{
id: 0,
}],
appGroups: [{
name: "string",
}],
applicationList: "string",
applications: [{
id: 0,
}],
authCert: "string",
authPath: "string",
authRedirectAddr: "string",
autoAsicOffload: "string",
avProfile: "string",
blockNotification: "string",
// NOTE(review): name suggests matching traffic bypasses captive-portal authentication;
// treat as an auth exemption and scope it tightly — confirm.
captivePortalExempt: "string",
capturePacket: "string",
casbProfile: "string",
cifsProfile: "string",
// Record owner / change ticket here so the rule's purpose survives staff turnover.
comments: "string",
customLogFields: [{
fieldId: "string",
}],
// NOTE(review): name suggests decrypted (plaintext) TLS content is copied elsewhere;
// if so, the receiving interface must be as protected as the original data — confirm.
decryptedTrafficMirror: "string",
delayTcpNpuSession: "string",
devices: [{
name: "string",
}],
diameterFilterProfile: "string",
diffservCopy: "string",
diffservForward: "string",
diffservReverse: "string",
diffservcodeForward: "string",
diffservcodeRev: "string",
disclaimer: "string",
dlpProfile: "string",
dlpSensor: "string",
dnsfilterProfile: "string",
dsri: "string",
// NOTE(review): every *Negate flag below presumably inverts the match of its list; an
// inverted address/service set can widen an accept rule far beyond intent — review each.
dstaddr6Negate: "string",
dstaddr6s: [{
name: "string",
}],
dstaddrNegate: "string",
dstaddrs: [{
name: "string",
}],
dynamicShaping: "string",
// NOTE(review): looks like a provider-side option rather than a FortiOS policy field — verify.
dynamicSortSubtable: "string",
emailCollect: "string",
emailfilterProfile: "string",
fec: "string",
fileFilterProfile: "string",
firewallSessionDirty: "string",
fixedport: "string",
fsso: "string",
fssoAgentForNtlm: "string",
fssoGroups: [{
name: "string",
}],
geoipAnycast: "string",
geoipMatch: "string",
// NOTE(review): looks like a provider-side read option rather than a FortiOS policy field — verify.
getAllTables: "string",
globalLabel: "string",
groups: [{
name: "string",
}],
httpPolicyRedirect: "string",
icapProfile: "string",
identityBasedRoute: "string",
inbound: "string",
inspectionMode: "string",
internetService: "string",
internetService6: "string",
internetService6CustomGroups: [{
name: "string",
}],
internetService6Customs: [{
name: "string",
}],
internetService6Groups: [{
name: "string",
}],
internetService6Names: [{
name: "string",
}],
internetService6Negate: "string",
internetService6Src: "string",
internetService6SrcCustomGroups: [{
name: "string",
}],
internetService6SrcCustoms: [{
name: "string",
}],
internetService6SrcGroups: [{
name: "string",
}],
internetService6SrcNames: [{
name: "string",
}],
internetService6SrcNegate: "string",
internetServiceCustomGroups: [{
name: "string",
}],
internetServiceCustoms: [{
name: "string",
}],
internetServiceGroups: [{
name: "string",
}],
internetServiceIds: [{
id: 0,
}],
internetServiceNames: [{
name: "string",
}],
internetServiceNegate: "string",
internetServiceSrc: "string",
internetServiceSrcCustomGroups: [{
name: "string",
}],
internetServiceSrcCustoms: [{
name: "string",
}],
internetServiceSrcGroups: [{
name: "string",
}],
internetServiceSrcIds: [{
id: 0,
}],
internetServiceSrcNames: [{
name: "string",
}],
internetServiceSrcNegate: "string",
ippool: "string",
ipsSensor: "string",
ipsVoipFilter: "string",
label: "string",
learningMode: "string",
// NOTE(review): controls what this rule logs; keep logging on for accept rules so matches
// are visible to detection — confirm the accepted values against the FortiOS reference.
logtraffic: "string",
logtrafficStart: "string",
matchVip: "string",
matchVipOnly: "string",
name: "string",
// NOTE(review): nat/natip/ippool/poolnames presumably select source NAT; an unintended
// NAT on an internal rule hides the true client address from downstream logs — verify.
nat: "string",
nat46: "string",
nat64: "string",
natinbound: "string",
natip: "string",
natoutbound: "string",
networkServiceDynamics: [{
name: "string",
}],
networkServiceSrcDynamics: [{
name: "string",
}],
npAcceleration: "string",
ntlm: "string",
ntlmEnabledBrowsers: [{
userAgentString: "string",
}],
// NOTE(review): name suggests unauthenticated (guest) access when NTLM auth fails — an
// auth bypass if enabled unintentionally; confirm.
ntlmGuest: "string",
outbound: "string",
passiveWanHealthMeasurement: "string",
pcpInbound: "string",
pcpOutbound: "string",
pcpPoolnames: [{
name: "string",
}],
perIpShaper: "string",
// NOTE(review): permitAnyHost/permitStunHost presumably relax session-origin checks for
// NAT traversal; enable only for the specific VoIP/STUN flows that need it — confirm.
permitAnyHost: "string",
permitStunHost: "string",
// NOTE(review): policyExpiry* look like a time-bounded rule — handy for temporary
// exceptions so they cannot be forgotten; confirm the expected date format.
policyExpiry: "string",
policyExpiryDate: "string",
policyExpiryDateUtc: "string",
policyid: 0,
poolname6s: [{
name: "string",
}],
poolnames: [{
name: "string",
}],
portPreserve: "string",
profileGroup: "string",
profileProtocolOptions: "string",
profileType: "string",
radiusMacAuthBypass: "string",
redirectUrl: "string",
replacemsgOverrideGroup: "string",
reputationDirection: "string",
reputationDirection6: "string",
reputationMinimum: 0,
reputationMinimum6: 0,
rsso: "string",
rtpAddrs: [{
name: "string",
}],
rtpNat: "string",
scanBotnetConnections: "string",
schedule: "string",
scheduleTimeout: "string",
sctpFilterProfile: "string",
sendDenyPacket: "string",
serviceNegate: "string",
services: [{
name: "string",
}],
sessionTtl: 0,
sgtCheck: "string",
sgts: [{
id: 0,
}],
spamfilterProfile: "string",
srcVendorMacs: [{
id: 0,
}],
srcaddr6Negate: "string",
srcaddr6s: [{
name: "string",
}],
srcaddrNegate: "string",
srcaddrs: [{
name: "string",
}],
sshFilterProfile: "string",
sshPolicyRedirect: "string",
// NOTE(review): sslMirror/sslMirrorIntfs presumably copy inspected SSL traffic to other
// interfaces; treat the mirror targets as holding plaintext — confirm.
sslMirror: "string",
sslMirrorIntfs: [{
name: "string",
}],
// NOTE(review): selects the TLS/SSH inspection profile; deep inspection implies the
// firewall re-signs certificates, so choose deliberately per rule — confirm.
sslSshProfile: "string",
// Enable/disable switch for the whole rule.
status: "string",
tcpMssReceiver: 0,
tcpMssSender: 0,
// NOTE(review): presumably allows sessions without a SYN (asymmetric routing); it also
// weakens TCP state validation, so keep it off unless routing requires it — confirm.
tcpSessionWithoutSyn: "string",
timeoutSendRst: "string",
tos: "string",
tosMask: "string",
tosNegate: "string",
trafficShaper: "string",
trafficShaperReverse: "string",
urlCategories: [{
id: 0,
}],
users: [{
name: "string",
}],
utmStatus: "string",
// NOTE(review): presumably the FortiOS-assigned identifier; verify whether it is meant to be set.
uuid: "string",
// NOTE(review): presumably the VDOM the rule is created in — verify.
vdomparam: "string",
videofilterProfile: "string",
virtualPatchProfile: "string",
vlanCosFwd: 0,
vlanCosRev: 0,
vlanFilter: "string",
voipProfile: "string",
vpntunnel: "string",
wafProfile: "string",
wanopt: "string",
wanoptDetection: "string",
wanoptPassiveOpt: "string",
wanoptPeer: "string",
wanoptProfile: "string",
wccp: "string",
webcache: "string",
webcacheHttps: "string",
webfilterProfile: "string",
webproxyForwardServer: "string",
webproxyProfile: "string",
wsso: "string",
ztnaDeviceOwnership: "string",
ztnaEmsTagSecondaries: [{
name: "string",
}],
ztnaEmsTags: [{
name: "string",
}],
ztnaGeoTags: [{
name: "string",
}],
ztnaPolicyRedirect: "string",
ztnaStatus: "string",
ztnaTagsMatchLogic: "string",
});
type: fortios:firewall:Policy
properties:
action: string
antiReplay: string
appCategories:
- id: 0
appGroups:
- name: string
applicationList: string
applications:
- id: 0
authCert: string
authPath: string
authRedirectAddr: string
autoAsicOffload: string
avProfile: string
blockNotification: string
captivePortalExempt: string
capturePacket: string
casbProfile: string
cifsProfile: string
comments: string
customLogFields:
- fieldId: string
decryptedTrafficMirror: string
delayTcpNpuSession: string
devices:
- name: string
diameterFilterProfile: string
diffservCopy: string
diffservForward: string
diffservReverse: string
diffservcodeForward: string
diffservcodeRev: string
disclaimer: string
dlpProfile: string
dlpSensor: string
dnsfilterProfile: string
dsri: string
dstaddr6Negate: string
dstaddr6s:
- name: string
dstaddrNegate: string
dstaddrs:
- name: string
dstintfs:
- name: string
dynamicShaping: string
dynamicSortSubtable: string
emailCollect: string
emailfilterProfile: string
fec: string
fileFilterProfile: string
firewallSessionDirty: string
fixedport: string
fsso: string
fssoAgentForNtlm: string
fssoGroups:
- name: string
geoipAnycast: string
geoipMatch: string
getAllTables: string
globalLabel: string
groups:
- name: string
httpPolicyRedirect: string
icapProfile: string
identityBasedRoute: string
inbound: string
inspectionMode: string
internetService: string
internetService6: string
internetService6CustomGroups:
- name: string
internetService6Customs:
- name: string
internetService6Groups:
- name: string
internetService6Names:
- name: string
internetService6Negate: string
internetService6Src: string
internetService6SrcCustomGroups:
- name: string
internetService6SrcCustoms:
- name: string
internetService6SrcGroups:
- name: string
internetService6SrcNames:
- name: string
internetService6SrcNegate: string
internetServiceCustomGroups:
- name: string
internetServiceCustoms:
- name: string
internetServiceGroups:
- name: string
internetServiceIds:
- id: 0
internetServiceNames:
- name: string
internetServiceNegate: string
internetServiceSrc: string
internetServiceSrcCustomGroups:
- name: string
internetServiceSrcCustoms:
- name: string
internetServiceSrcGroups:
- name: string
internetServiceSrcIds:
- id: 0
internetServiceSrcNames:
- name: string
internetServiceSrcNegate: string
ippool: string
ipsSensor: string
ipsVoipFilter: string
label: string
learningMode: string
logtraffic: string
logtrafficStart: string
matchVip: string
matchVipOnly: string
name: string
nat: string
nat46: string
nat64: string
natinbound: string
natip: string
natoutbound: string
networkServiceDynamics:
- name: string
networkServiceSrcDynamics:
- name: string
npAcceleration: string
ntlm: string
ntlmEnabledBrowsers:
- userAgentString: string
ntlmGuest: string
outbound: string
passiveWanHealthMeasurement: string
pcpInbound: string
pcpOutbound: string
pcpPoolnames:
- name: string
perIpShaper: string
permitAnyHost: string
permitStunHost: string
policyExpiry: string
policyExpiryDate: string
policyExpiryDateUtc: string
policyid: 0
poolname6s:
- name: string
poolnames:
- name: string
portPreserve: string
profileGroup: string
profileProtocolOptions: string
profileType: string
radiusMacAuthBypass: string
redirectUrl: string
replacemsgOverrideGroup: string
reputationDirection: string
reputationDirection6: string
reputationMinimum: 0
reputationMinimum6: 0
rsso: string
rtpAddrs:
- name: string
rtpNat: string
scanBotnetConnections: string
schedule: string
scheduleTimeout: string
sctpFilterProfile: string
sendDenyPacket: string
serviceNegate: string
services:
- name: string
sessionTtl: 0
sgtCheck: string
sgts:
- id: 0
spamfilterProfile: string
srcVendorMacs:
- id: 0
srcaddr6Negate: string
srcaddr6s:
- name: string
srcaddrNegate: string
srcaddrs:
- name: string
srcintfs:
- name: string
sshFilterProfile: string
sshPolicyRedirect: string
sslMirror: string
sslMirrorIntfs:
- name: string
sslSshProfile: string
status: string
tcpMssReceiver: 0
tcpMssSender: 0
tcpSessionWithoutSyn: string
timeoutSendRst: string
tos: string
tosMask: string
tosNegate: string
trafficShaper: string
trafficShaperReverse: string
urlCategories:
- id: 0
users:
- name: string
utmStatus: string
uuid: string
vdomparam: string
videofilterProfile: string
virtualPatchProfile: string
vlanCosFwd: 0
vlanCosRev: 0
vlanFilter: string
voipProfile: string
vpntunnel: string
wafProfile: string
wanopt: string
wanoptDetection: string
wanoptPassiveOpt: string
wanoptPeer: string
wanoptProfile: string
wccp: string
webcache: string
webcacheHttps: string
webfilterProfile: string
webproxyForwardServer: string
webproxyProfile: string
wsso: string
ztnaDeviceOwnership: string
ztnaEmsTagSecondaries:
- name: string
ztnaEmsTags:
- name: string
ztnaGeoTags:
- name: string
ztnaPolicyRedirect: string
ztnaStatus: string
ztnaTagsMatchLogic: string
Policy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Policy resource accepts the following input properties:
- Dstintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstintf> - Outgoing (egress) interface. The structure of the `dstintf` block is documented below.
- Srcintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcintf> - Incoming (ingress) interface. The structure of the `srcintf` block is documented below.
- Action string
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
enable
,disable
. - App
Categories List<Pulumiverse.Fortios. Firewall. Inputs. Policy App Category> - Application category ID list. The structure of
app_category
block is documented below. - App
Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy App Group> - Application group names. The structure of
app_group
block is documented below. - Application
List string - Name of an existing Application list.
- Applications
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Application> - Application ID list. The structure of
application
block is documented below. - Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - AuthRedirectAddr string - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - Av
Profile string - Name of an existing Antivirus profile.
- Block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - Casb
Profile string - Name of an existing CASB profile.
- Cifs
Profile string - Name of an existing CIFS profile.
- Comments string
- Comment.
- CustomLogFields List<Pulumiverse.Fortios.Firewall.Inputs.PolicyCustomLogField> - Custom fields to append to log messages for this policy. The structure of the `custom_log_fields` block is documented below.
- DecryptedTrafficMirror string - Decrypted traffic mirror.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - Devices
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Device> - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - Dlp
Profile string - Name of an existing DLP profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddr6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Dstaddr6> - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddrs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Dstaddr> - Destination address and address group names. The structure of
dstaddr
block is documented below. - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - File
Filter stringProfile - Name of an existing file-filter profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy Fsso Group> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - GetAllTables string - Get all sub-tables, including unconfigured tables. Do not set this to true if you configure a sub-table in another resource; otherwise the two resources will conflict and overwrite each other. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Group> - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based stringRoute - Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6Custom List<Pulumiverse.Groups Fortios. Firewall. Inputs. Policy Internet Service6Custom Group> - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - Internet
Service6Customs List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Custom> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - Internet
Service6Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Group> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - Internet
Service6Names List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Name> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service6Src List<Pulumiverse.Custom Groups Fortios. Firewall. Inputs. Policy Internet Service6Src Custom Group> - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - Internet
Service6Src List<Pulumiverse.Customs Fortios. Firewall. Inputs. Policy Internet Service6Src Custom> - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - Internet
Service6Src List<Pulumiverse.Groups Fortios. Firewall. Inputs. Policy Internet Service6Src Group> - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - Internet
Service6Src List<Pulumiverse.Names Fortios. Firewall. Inputs. Policy Internet Service6Src Name> - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service List<Pulumiverse.Custom Groups Fortios. Firewall. Inputs. Policy Internet Service Custom Group> - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - Internet
Service List<Pulumiverse.Customs Fortios. Firewall. Inputs. Policy Internet Service Custom> - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - Internet
Service List<Pulumiverse.Groups Fortios. Firewall. Inputs. Policy Internet Service Group> - Internet Service group name. The structure of
internet_service_group
block is documented below. - Internet
Service List<Pulumiverse.Ids Fortios. Firewall. Inputs. Policy Internet Service Id> - Internet Service ID. The structure of
internet_service_id
block is documented below. - Internet
Service List<Pulumiverse.Names Fortios. Firewall. Inputs. Policy Internet Service Name> - Internet Service name. The structure of
internet_service_name
block is documented below. - Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service List<Pulumiverse.Src Custom Groups Fortios. Firewall. Inputs. Policy Internet Service Src Custom Group> - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - Internet
Service List<Pulumiverse.Src Customs Fortios. Firewall. Inputs. Policy Internet Service Src Custom> - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - Internet
Service List<Pulumiverse.Src Groups Fortios. Firewall. Inputs. Policy Internet Service Src Group> - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - Internet
Service List<Pulumiverse.Src Ids Fortios. Firewall. Inputs. Policy Internet Service Src Id> - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - Internet
Service List<Pulumiverse.Src Names Fortios. Firewall. Inputs. Policy Internet Service Src Name> - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
. - LearningMode string - Enable to allow all traffic while logging all of the meaningful data for security information gathering; a learning report is generated. Valid values:
enable
,disable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - Nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - Nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - Network
Service List<Pulumiverse.Dynamics Fortios. Firewall. Inputs. Policy Network Service Dynamic> - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - Network
Service List<Pulumiverse.Src Dynamics Fortios. Firewall. Inputs. Policy Network Service Src Dynamic> - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - Ntlm
Enabled List<Pulumiverse.Browsers Fortios. Firewall. Inputs. Policy Ntlm Enabled Browser> - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - Passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - Pcp
Poolnames List<Pulumiverse.Fortios. Firewall. Inputs. Policy Pcp Poolname> - PCP pool names. The structure of
pcp_poolname
block is documented below. - Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
enable
,disable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - Policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - Policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Poolname6> - IPv6 pool names. The structure of
poolname6
block is documented below. - Poolnames
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Poolname> - IP Pool names. The structure of
poolname
block is documented below. - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - RadiusMacAuthBypass string - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
enable
,disable
. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum int - Minimum Reputation to take action.
- Reputation
Minimum6 int - IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - Rtp
Addrs List<Pulumiverse.Fortios. Firewall. Inputs. Policy Rtp Addr> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name (default is `always`). - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - Services
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Service> - Service and service group names. The structure of
service
block is documented below. - Session
Ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - Sgts
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Sgt> - Security group tags. The structure of
sgt
block is documented below. - Spamfilter
Profile string - Name of an existing Spam filter profile.
- Src
Vendor List<Pulumiverse.Macs Fortios. Firewall. Inputs. Policy Src Vendor Mac> - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddr6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Srcaddr6> - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddrs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Srcaddr> - Source address and address group names. The structure of
srcaddr
block is documented below. - Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - Ssl
Mirror List<Pulumiverse.Intfs Fortios. Firewall. Inputs. Policy Ssl Mirror Intf> - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy. Valid values:
enable
,disable
. - Tcp
Mss intReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss intSender - Sender TCP maximum segment size (MSS).
- Tcp
Session stringWithout Syn - Enable/disable creation of TCP session without SYN flag. Valid values:
all
,data-only
,disable
. - Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Url
Categories List<Pulumiverse.Fortios. Firewall. Inputs. Policy Url Category> - URL category ID list. The structure of
url_category
block is documented below. - Users
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy User> - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Vdomparam string
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the provider's VDOM configuration, leave this parameter unset.
- Videofilter
Profile string - Name of an existing VideoFilter profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos intFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos intRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP (voipd) profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - Webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Web proxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - ZtnaEmsTagSecondaries List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTagSecondary> - Source ztna-ems-tag-secondary names. The structure of the `ztna_ems_tag_secondary` block is documented below.
- ZtnaEmsTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTag> - Source ztna-ems-tag names. The structure of the `ztna_ems_tag` block is documented below.
- ZtnaGeoTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaGeoTag> - Source ztna-geo-tag names. The structure of the `ztna_geo_tag` block is documented below. - Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - Ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - ZtnaTagsMatchLogic string
- ZTNA tag matching logic. Valid values: `or`, `and`.
- Dstintfs
[]Policy
Dstintf Args - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - Srcintfs
[]Policy
Srcintf Args - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - Action string
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
enable
,disable
. - App
Categories []PolicyApp Category Args - Application category ID list. The structure of
app_category
block is documented below. - App
Groups []PolicyApp Group Args - Application group names. The structure of
app_group
block is documented below. - Application
List string - Name of an existing Application list.
- Applications
[]Policy
Application Args - Application ID list. The structure of
application
block is documented below. - Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - Auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - Av
Profile string - Name of an existing Antivirus profile.
- Block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - Casb
Profile string - Name of an existing CASB profile.
- Cifs
Profile string - Name of an existing CIFS profile.
- Comments string
- Comment.
- CustomLogFields []PolicyCustomLogFieldArgs - Custom fields to append to log messages for this policy. The structure of the `custom_log_fields` block is documented below.
- DecryptedTrafficMirror string - Decrypted traffic mirror.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - Devices
[]Policy
Device Args - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - Dlp
Profile string - Name of an existing DLP profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddr6s
[]Policy
Dstaddr6Args - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddrs
[]Policy
Dstaddr Args - Destination address and address group names. The structure of
dstaddr
block is documented below. - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - File
Filter stringProfile - Name of an existing file-filter profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups []PolicyFsso Group Args - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups
[]Policy
Group Args - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based stringRoute - Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6Custom []PolicyGroups Internet Service6Custom Group Args - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - Internet
Service6Customs []PolicyInternet Service6Custom Args - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - Internet
Service6Groups []PolicyInternet Service6Group Args - Internet Service group name. The structure of
internet_service6_group
block is documented below. - Internet
Service6Names []PolicyInternet Service6Name Args - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service6Src []PolicyCustom Groups Internet Service6Src Custom Group Args - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - Internet
Service6Src []PolicyCustoms Internet Service6Src Custom Args - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - Internet
Service6Src []PolicyGroups Internet Service6Src Group Args - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - Internet
Service6Src []PolicyNames Internet Service6Src Name Args - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service []PolicyCustom Groups Internet Service Custom Group Args - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - Internet
Service []PolicyCustoms Internet Service Custom Args - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - Internet
Service []PolicyGroups Internet Service Group Args - Internet Service group name. The structure of
internet_service_group
block is documented below. - Internet
Service []PolicyIds Internet Service Id Args - Internet Service ID. The structure of
internet_service_id
block is documented below. - Internet
Service []PolicyNames Internet Service Name Args - Internet Service name. The structure of
internet_service_name
block is documented below. - Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service []PolicySrc Custom Groups Internet Service Src Custom Group Args - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - Internet
Service []PolicySrc Customs Internet Service Src Custom Args - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - Internet
Service []PolicySrc Groups Internet Service Src Group Args - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - Internet
Service []PolicySrc Ids Internet Service Src Id Args - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - Internet
Service []PolicySrc Names Internet Service Src Name Args - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- Learning
Mode string - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - Nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - Nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - Network
Service []PolicyDynamics Network Service Dynamic Args - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - Network
Service []PolicySrc Dynamics Network Service Src Dynamic Args - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - Ntlm
Enabled []PolicyBrowsers Ntlm Enabled Browser Args - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - Passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - Pcp
Poolnames []PolicyPcp Poolname Args - PCP pool names. The structure of
pcp_poolname
block is documented below. - Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
enable
,disable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - Policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - Policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s
[]Policy
Poolname6Args - IPv6 pool names. The structure of
poolname6
block is documented below. - Poolnames
[]Policy
Poolname Args - IP Pool names. The structure of
poolname
block is documented below. - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - Radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
enable
,disable
. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum int - Minimum Reputation to take action.
- Reputation
Minimum6 int - IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - Rtp
Addrs []PolicyRtp Addr Args - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name. (Default is
always
) - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - Services
[]Policy
Service Args - Service and service group names. The structure of
service
block is documented below. - Session
Ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - Sgts
[]Policy
Sgt Args - Security group tags. The structure of
sgt
block is documented below. - Spamfilter
Profile string - Name of an existing Spam filter profile.
- Src
Vendor []PolicyMacs Src Vendor Mac Args - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddr6s
[]Policy
Srcaddr6Args - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddrs
[]Policy
Srcaddr Args - Source address and address group names. The structure of
srcaddr
block is documented below. - Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - Ssl
Mirror []PolicyIntfs Ssl Mirror Intf Args - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy. Valid values:
enable
,disable
. - Tcp
Mss intReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss intSender - Sender TCP maximum segment size (MSS).
- Tcp
Session stringWithout Syn - Enable/disable creation of a TCP session without a SYN flag. Valid values:
all
,data-only
,disable
. - Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Url
Categories []PolicyUrl Category Args - URL category ID list. The structure of
url_category
block is documented below. - Users
[]Policy
User Args - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Vdomparam string
- Specifies the vdom to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. To inherit the provider's vdom configuration, do not set this parameter.
- Videofilter
Profile string - Name of an existing VideoFilter profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos intFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos intRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP (voipd) profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - Webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Web proxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - []Policy
Ztna Ems Tag Secondary Args - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - []Policy
Ztna Ems Tag Args - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - []Policy
Ztna Geo Tag Args - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - Ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - string
- ZTNA tag matching logic. Valid values:
or
,and
.
- dstintfs
List<Policy
Dstintf> - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - srcintfs
List<Policy
Srcintf> - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - action String
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app
Categories List<PolicyApp Category> - Application category ID list. The structure of
app_category
block is documented below. - app
Groups List<PolicyApp Group> - Application group names. The structure of
app_group
block is documented below. - application
List String - Name of an existing Application list.
- applications
List<Policy
Application> - Application ID list. The structure of
application
block is documented below. - auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Path String - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av
Profile String - Name of an existing Antivirus profile.
- block
Notification String - Enable/disable block notification. Valid values:
enable
,disable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture
Packet String - Enable/disable capture packets. Valid values:
enable
,disable
. - casb
Profile String - Name of an existing CASB profile.
- cifs
Profile String - Name of an existing CIFS profile.
- comments String
- Comment.
- custom
Log List<PolicyFields Custom Log Field> - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic StringMirror - Decrypted traffic mirror.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices
List<Policy
Device> - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile String - Name of an existing DLP profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
List<Policy
Dstaddr6> - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
List<Policy
Dstaddr> - Destination address and address group names. The structure of
dstaddr
block is documented below. - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- email
Collect String - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile String - Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter StringProfile - Name of an existing file-filter profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<PolicyFsso Group> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - get
All StringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups
List<Policy
Group> - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap
Profile String - Name of an existing ICAP profile.
- identity
Based StringRoute - Name of identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom List<PolicyGroups Internet Service6Custom Group> - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs List<PolicyInternet Service6Custom> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups List<PolicyInternet Service6Group> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names List<PolicyInternet Service6Name> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src List<PolicyCustom Groups Internet Service6Src Custom Group> - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src List<PolicyCustoms Internet Service6Src Custom> - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src List<PolicyGroups Internet Service6Src Group> - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src List<PolicyNames Internet Service6Src Name> - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service List<PolicyCustom Groups Internet Service Custom Group> - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service List<PolicyCustoms Internet Service Custom> - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service List<PolicyGroups Internet Service Group> - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service List<PolicyIds Internet Service Id> - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service List<PolicyNames Internet Service Name> - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service List<PolicySrc Custom Groups Internet Service Src Custom Group> - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service List<PolicySrc Customs Internet Service Src Custom> - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service List<PolicySrc Groups Internet Service Src Group> - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service List<PolicySrc Ids Internet Service Src Id> - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service List<PolicySrc Names Internet Service Src Name> - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool String
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 String
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 String
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service List<PolicyDynamics Network Service Dynamic> - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service List<PolicySrc Dynamics Network Service Src Dynamic> - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled List<PolicyBrowsers Ntlm Enabled Browser> - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
.
- passiveWanHealthMeasurement (String) - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: `enable`, `disable`.
- pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames List<PolicyPcp Poolname> - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip StringShaper - Per-IP traffic shaper.
- permitAnyHost (String) - Accept UDP packets from any host. Valid values: `enable`, `disable`.
- permitStunHost (String) - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: `enable`, `disable`.
- policy
Expiry String - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry StringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policyid Integer
- Policy ID.
- poolname6s
List<Policy
Poolname6> - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
List<Policy
Poolname> - IP Pool names. The structure of
poolname
block is documented below. - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
.
- radiusMacAuthBypass (String) - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: `enable`, `disable`.
- redirectUrl (String) - URL users are directed to after seeing and accepting the disclaimer or after authenticating.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Integer - Minimum Reputation to take action.
- reputation
Minimum6 Integer - IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs List<PolicyRtp Addr> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
.
- schedule (String) - Schedule name (default is `always`).
- scheduleTimeout (String) - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: `enable`, `disable`.
- sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
List<Policy
Service> - Service and service group names. The structure of
service
block is documented below.
- sessionTtl (Integer) - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
List<Policy
Sgt> - Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile String - Name of an existing Spam filter profile.
- src
Vendor List<PolicyMacs Src Vendor Mac> - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
List<Policy
Srcaddr6> - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
List<Policy
Srcaddr> - Source address and address group names. The structure of
srcaddr
block is documented below. - ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - ssl
Mirror List<PolicyIntfs Ssl Mirror Intf> - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp
Mss IntegerReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss IntegerSender - Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn (String) - Enable/disable creation of a TCP session for traffic without a SYN flag. Valid values: `all`, `data-only`, `disable`.
- timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
enable
,disable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- url
Categories List<PolicyUrl Category> - URL category ID list. The structure of
url_category
block is documented below. - users
List<Policy
User> - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
.
- uuid (String) - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam (String) - Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, leave this parameter unset.
- videofilter
Profile String - Name of an existing VideoFilter profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos IntegerFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos IntegerRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP (voipd) profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive StringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache String
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Web proxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - List<Policy
Ztna Ems Tag Secondary> - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - List<Policy
Ztna Ems Tag> - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - List<Policy
Ztna Geo Tag> - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status String - Enable/disable zero trust access. Valid values:
enable
,disable
. - String
- ZTNA tag matching logic. Valid values:
or
,and
.
- dstintfs
Policy
Dstintf[] - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - srcintfs
Policy
Srcintf[] - Incoming (ingress) interface. The structure of
srcintf
block is documented below.
- action (string) - Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: `accept`, `deny`, `ipsec`.
- antiReplay (string) - Enable/disable anti-replay check. Valid values: `enable`, `disable`.
- app
Categories PolicyApp Category[] - Application category ID list. The structure of
app_category
block is documented below. - app
Groups PolicyApp Group[] - Application group names. The structure of
app_group
block is documented below. - application
List string - Name of an existing Application list.
- applications
Policy
Application[] - Application ID list. The structure of
application
block is documented below. - auth
Cert string - HTTPS server certificate for policy authentication.
- auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av
Profile string - Name of an existing Antivirus profile.
- block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - casb
Profile string - Name of an existing CASB profile.
- cifs
Profile string - Name of an existing CIFS profile.
- comments string
- Comment.
- custom
Log PolicyFields Custom Log Field[] - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic stringMirror - Decrypted traffic mirror.
- delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices
Policy
Device[] - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward string - Change packet's DiffServ to this value.
- diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile string - Name of an existing DLP profile.
- dlp
Sensor string - Name of an existing DLP sensor.
- dnsfilter
Profile string - Name of an existing DNS filter profile.
- dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
Policy
Dstaddr6[] - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
Policy
Dstaddr[] - Destination address and address group names. The structure of
dstaddr
block is documented below. - dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
.
- dynamicSortSubtable (string) - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. `false` (default): do not sort tables; `true`/`natural`: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; `alphabetical`: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile string - Name of an existing email filter profile.
- fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter stringProfile - Name of an existing file-filter profile.
- firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups PolicyFsso Group[] - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match string - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
.
- getAllTables (string) - Get all sub-tables, including unconfigured tables. Do not set this to `true` if you configure a sub-table in another resource; otherwise the two resources will conflict and overwrite each other. Options: [ false, true ]. `false` (default): do not get unconfigured tables; `true`: get all tables, including unconfigured tables.
- global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- groups
Policy
Group[] - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap
Profile string - Name of an existing ICAP profile.
- identity
Based stringRoute - Name of identity-based routing rule.
- inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
.
- inspectionMode (string) - Policy inspection mode (flow or proxy). Default is flow mode. Valid values: `proxy`, `flow`.
- internetService (string) - Enable/disable use of Internet Services for this policy. If enabled, the destination address and service are not used. Valid values: `enable`, `disable`.
- internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom PolicyGroups Internet Service6Custom Group[] - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs PolicyInternet Service6Custom[] - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups PolicyInternet Service6Group[] - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names PolicyInternet Service6Name[] - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src PolicyCustom Groups Internet Service6Src Custom Group[] - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src PolicyCustoms Internet Service6Src Custom[] - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src PolicyGroups Internet Service6Src Group[] - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src PolicyNames Internet Service6Src Name[] - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service PolicyCustom Groups Internet Service Custom Group[] - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service PolicyCustoms Internet Service Custom[] - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service PolicyGroups Internet Service Group[] - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service PolicyIds Internet Service Id[] - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service PolicyNames Internet Service Name[] - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service PolicySrc Custom Groups Internet Service Src Custom Group[] - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service PolicySrc Customs Internet Service Src Custom[] - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service PolicySrc Groups Internet Service Src Group[] - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service PolicySrc Ids Internet Service Src Id[] - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service PolicySrc Names Internet Service Src Name[] - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor string - Name of an existing IPS sensor.
- ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- label string
- Label for the policy that appears when the GUI is in Section View mode.
- learningMode (string) - Enable to allow all traffic matching the policy, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: `enable`, `disable`.
- logtraffic (string)
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name string
- Policy name.
- nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service PolicyDynamics Network Service Dynamic[] - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service PolicySrc Dynamics Network Service Src Dynamic[] - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled PolicyBrowsers Ntlm Enabled Browser[] - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames PolicyPcp Poolname[] - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip stringShaper - Per-IP traffic shaper.
- permitAnyHost (string) - Accept UDP packets from any host. Valid values: `enable`, `disable`.
- permitStunHost (string) - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: `enable`, `disable`.
- policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- policyid number
- Policy ID.
- poolname6s
Policy
Poolname6[] - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
Policy
Poolname[] - IP Pool names. The structure of
poolname
block is documented below. - port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group string - Name of profile group.
- profile
Protocol stringOptions - Name of an existing Protocol options profile.
- profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values:
enable
,disable
. - redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum number - Minimum Reputation to take action.
- reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
- rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs PolicyRtp Addr[] - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - schedule string
- Schedule name.(Default is
always
) - schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
Policy
Service[] - Service and service group names. The structure of
service
block is documented below.
- sessionTtl (number) - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
Policy
Sgt[] - Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile string - Name of an existing Spam filter profile.
- src
Vendor PolicyMacs Src Vendor Mac[] - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
Policy
Srcaddr6[] - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
Policy
Srcaddr[] - Source address and address group names. The structure of
srcaddr
block is documented below. - ssh
Filter stringProfile - Name of an existing SSH filter profile.
- ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - ssl
Mirror PolicyIntfs Ssl Mirror Intf[] - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- status string
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp
Mss numberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss numberSender - Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn (string) - Enable/disable creation of a TCP session for traffic without a SYN flag. Valid values: `all`, `data-only`, `disable`.
- timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos string
- ToS (Type of Service) value used for comparison.
- tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - traffic
Shaper string - Traffic shaper.
- traffic
Shaper stringReverse - Reverse traffic shaper.
- url
Categories PolicyUrl Category[] - URL category ID list. The structure of
url_category
block is documented below. - users
Policy
User[] - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- videofilter
Profile string - Name of an existing VideoFilter profile.
- virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- vlan
Cos numberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos numberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter string - Set VLAN filters.
- voip
Profile string - Name of an existing VoIP (voipd) profile.
- vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile string - Name of an existing Web application firewall profile.
- wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer string - WAN optimization peer.
- wanopt
Profile string - WAN optimization profile.
- wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile string - Name of an existing Web filter profile.
- webproxy
Forward stringServer - Web proxy forward server name.
- webproxy
Profile string - Webproxy profile name.
- wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - Policy
Ztna Ems Tag Secondary[] - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - Policy
Ztna Ems Tag[] - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - Policy
Ztna Geo Tag[] - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - string
- ZTNA tag matching logic. Valid values:
or
,and
.
- dstintfs
Sequence[Policy
Dstintf Args] - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - srcintfs
Sequence[Policy
Srcintf Args] - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - action str
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - anti_
replay str - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app_
categories Sequence[PolicyApp Category Args] - Application category ID list. The structure of
app_category
block is documented below. - app_
groups Sequence[PolicyApp Group Args] - Application group names. The structure of
app_group
block is documented below. - application_
list str - Name of an existing Application list.
- applications
Sequence[Policy
Application Args] - Application ID list. The structure of
application
block is documented below. - auth_
cert str - HTTPS server certificate for policy authentication.
- auth_
path str - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth_redirect_addr str - HTTP-to-HTTPS redirect address for firewall authentication.
- auto_
asic_ stroffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av_
profile str - Name of an existing Antivirus profile.
- block_
notification str - Enable/disable block notification. Valid values:
enable
,disable
. - captive_
portal_ strexempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture_
packet str - Enable/disable capture packets. Valid values:
enable
,disable
. - casb_
profile str - Name of an existing CASB profile.
- cifs_
profile str - Name of an existing CIFS profile.
- comments str
- Comment.
. - custom_log_fields Sequence[PolicyCustomLogFieldArgs] - Custom fields to append to log messages for this policy. The structure of the custom_log_fields block is documented below. - decrypted_
traffic_ strmirror - Decrypted traffic mirror.
. - delay_tcp_npu_session str - Enable TCP NPU session delay to guarantee the packet order of the 3-way handshake. Valid values:
enable
,disable
. - devices
Sequence[Policy
Device Args] - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter_
filter_ strprofile - Name of an existing Diameter filter profile.
- diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode_
forward str - Change packet's DiffServ to this value.
- diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
- disclaimer str
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp_
profile str - Name of an existing DLP profile.
- dlp_
sensor str - Name of an existing DLP sensor.
- dnsfilter_
profile str - Name of an existing DNS filter profile.
- dsri str
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
Sequence[Policy
Dstaddr6Args] - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
Sequence[Policy
Dstaddr Args] - Destination address and address group names. The structure of
dstaddr
block is documented below. - dynamic_
shaping str - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamic_sort_subtable str - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- email_
collect str - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter_
profile str - Name of an existing email filter profile.
- fec str
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file_
filter_ strprofile - Name of an existing file-filter profile.
- firewall_
session_ strdirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport str
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso str
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso_
agent_ strfor_ ntlm - FSSO agent to use for NTLM authentication.
- fsso_
groups Sequence[PolicyFsso Group Args] - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip_
match str - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - get_all_tables str - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- global_
label str - Label for the policy that appears when the GUI is in Global View mode.
- groups
Sequence[Policy
Group Args] - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http_
policy_ strredirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap_
profile str - Name of an existing ICAP profile.
- identity_
based_ strroute - Name of identity-based routing rule.
- inbound str
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet_
service6_ Sequence[Policycustom_ groups Internet Service6Custom Group Args] - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet_
service6_ Sequence[Policycustoms Internet Service6Custom Args] - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet_
service6_ Sequence[Policygroups Internet Service6Group Args] - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet_
service6_ Sequence[Policynames Internet Service6Name Args] - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet_
service6_ strnegate - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service6_ strsrc - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet_
service6_ Sequence[Policysrc_ custom_ groups Internet Service6Src Custom Group Args] - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet_
service6_ Sequence[Policysrc_ customs Internet Service6Src Custom Args] - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet_
service6_ Sequence[Policysrc_ groups Internet Service6Src Group Args] - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet_
service6_ Sequence[Policysrc_ names Internet Service6Src Name Args] - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet_
service6_ strsrc_ negate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service_ Sequence[Policycustom_ groups Internet Service Custom Group Args] - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet_
service_ Sequence[Policycustoms Internet Service Custom Args] - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet_
service_ Sequence[Policygroups Internet Service Group Args] - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet_
service_ Sequence[Policyids Internet Service Id Args] - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet_
service_ Sequence[Policynames Internet Service Name Args] - Internet Service name. The structure of
internet_service_name
block is documented below. - internet_
service_ strnegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service_ strsrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet_
service_ Sequence[Policysrc_ custom_ groups Internet Service Src Custom Group Args] - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet_
service_ Sequence[Policysrc_ customs Internet Service Src Custom Args] - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet_
service_ Sequence[Policysrc_ groups Internet Service Src Group Args] - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet_
service_ Sequence[Policysrc_ ids Internet Service Src Id Args] - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet_
service_ Sequence[Policysrc_ names Internet Service Src Name Args] - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet_
service_ strsrc_ negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool str
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips_
sensor str - Name of an existing IPS sensor.
- ips_
voip_ strfilter - Name of an existing VoIP (ips) profile.
- label str
- Label for the policy that appears when the GUI is in Section View mode.
- learning_
mode str - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - logtraffic str
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - logtraffic_
start str - Record logs when a session starts. Valid values:
enable
,disable
. - match_
vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match_
vip_ stronly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name str
- Policy name.
- nat str
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 str
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 str
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound str
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip str
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound str
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network_
service_ Sequence[Policydynamics Network Service Dynamic Args] - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network_
service_ Sequence[Policysrc_ dynamics Network Service Src Dynamic Args] - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm str
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm_
enabled_ Sequence[Policybrowsers Ntlm Enabled Browser Args] - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm_
guest str - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound str
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - passive_wan_health_measurement str - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp_
poolnames Sequence[PolicyPcp Poolname Args] - PCP pool names. The structure of
pcp_poolname
block is documented below. - per_
ip_ strshaper - Per-IP traffic shaper.
- permit_
any_ strhost - Accept UDP packets from any host. Valid values:
enable
,disable
. - permit_
stun_ strhost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - policy_
expiry str - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy_
expiry_ strdate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy_
expiry_ strdate_ utc - Policy expiry date and time, in epoch format.
- policyid int
- Policy ID.
- poolname6s
Sequence[Policy
Poolname6Args] - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
Sequence[Policy
Poolname Args] - IP Pool names. The structure of
poolname
block is documented below. - port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile_
group str - Name of profile group.
- profile_
protocol_ stroptions - Name of an existing Protocol options profile.
- profile_
type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius_mac_auth_bypass str - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
enable
,disable
. - redirect_
url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg_
override_ strgroup - Override the default replacement message group for this policy.
- reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation_
minimum int - Minimum Reputation to take action.
- reputation_
minimum6 int - IPv6 Minimum Reputation to take action.
- rsso str
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp_
addrs Sequence[PolicyRtp Addr Args] - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan_
botnet_ strconnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - schedule str - Schedule name (default is always). - schedule_
timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp_
filter_ strprofile - Name of an existing SCTP filter profile.
- send_
deny_ strpacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service_
negate str - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
Sequence[Policy
Service Args] - Service and service group names. The structure of
service
block is documented below. - session_
ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt_
check str - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
Sequence[Policy
Sgt Args] - Security group tags. The structure of
sgt
block is documented below. - spamfilter_
profile str - Name of an existing Spam filter profile.
- src_
vendor_ Sequence[Policymacs Src Vendor Mac Args] - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
Sequence[Policy
Srcaddr6Args] - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
Sequence[Policy
Srcaddr Args] - Source address and address group names. The structure of
srcaddr
block is documented below. - ssh_
filter_ strprofile - Name of an existing SSH filter profile.
- ssh_
policy_ strredirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl_
mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - ssl_
mirror_ Sequence[Policyintfs Ssl Mirror Intf Args] - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl_
ssh_ strprofile - Name of an existing SSL SSH profile.
- status str
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp_
mss_ intreceiver - Receiver TCP maximum segment size (MSS).
- tcp_
mss_ intsender - Sender TCP maximum segment size (MSS).
. - tcp_session_without_syn str - Enable/disable creation of TCP sessions without a SYN flag. Valid values:
all
,data-only
,disable
. - timeout_
send_ strrst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos str
- ToS (Type of Service) value used for comparison.
- tos_
mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos_
negate str - Enable negated TOS match. Valid values:
enable
,disable
. - traffic_
shaper str - Traffic shaper.
- traffic_
shaper_ strreverse - Reverse traffic shaper.
- url_
categories Sequence[PolicyUrl Category Args] - URL category ID list. The structure of
url_category
block is documented below. - users
Sequence[Policy
User Args] - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid str
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam str - Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the provider's VDOM configuration, do not set this parameter.
- videofilter_
profile str - Name of an existing VideoFilter profile.
- virtual_
patch_ strprofile - Name of an existing virtual-patch profile.
- vlan_
cos_ intfwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
cos_ intrev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
filter str - Set VLAN filters.
- voip_
profile str - Name of an existing VoIP (voipd) profile.
- vpntunnel str
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf_
profile str - Name of an existing Web application firewall profile.
- wanopt str
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt_passive_opt str - WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt_
peer str - WAN optimization peer.
- wanopt_
profile str - WAN optimization profile.
- wccp str
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache str
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter_
profile str - Name of an existing Web filter profile.
- webproxy_
forward_ strserver - Web proxy forward server name.
- webproxy_
profile str - Webproxy profile name.
- wsso str
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna_
device_ strownership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - ztna_
ems_ Sequence[Policytag_ secondaries Ztna Ems Tag Secondary Args] - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - Sequence[Policy
Ztna Ems Tag Args] - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - Sequence[Policy
Ztna Geo Tag Args] - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna_
policy_ strredirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna_
status str - Enable/disable zero trust access. Valid values:
enable
,disable
. - str
- ZTNA tag matching logic. Valid values:
or
,and
.
- dstintfs List<Property Map>
- Outgoing (egress) interface. The structure of
dstintf
block is documented below. - srcintfs List<Property Map>
- Incoming (ingress) interface. The structure of
srcintf
block is documented below. - action String
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app
Categories List<Property Map> - Application category ID list. The structure of
app_category
block is documented below. - app
Groups List<Property Map> - Application group names. The structure of
app_group
block is documented below. - application
List String - Name of an existing Application list.
- applications List<Property Map>
- Application ID list. The structure of
application
block is documented below. - auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Path String - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av
Profile String - Name of an existing Antivirus profile.
- block
Notification String - Enable/disable block notification. Valid values:
enable
,disable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture
Packet String - Enable/disable capture packets. Valid values:
enable
,disable
. - casb
Profile String - Name of an existing CASB profile.
- cifs
Profile String - Name of an existing CIFS profile.
- comments String
- Comment.
- custom
Log List<Property Map>Fields - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic StringMirror - Decrypted traffic mirror.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices List<Property Map>
- Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile String - Name of an existing DLP profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s List<Property Map>
- Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs List<Property Map>
- Destination address and address group names. The structure of
dstaddr
block is documented below. - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamicSortSubtable String - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- email
Collect String - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile String - Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter StringProfile - Name of an existing file-filter profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<Property Map> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - getAllTables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<Property Map>
- Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap
Profile String - Name of an existing ICAP profile.
- identity
Based StringRoute - Name of identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom List<Property Map>Groups - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs List<Property Map> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups List<Property Map> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names List<Property Map> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src List<Property Map>Custom Groups - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src List<Property Map>Customs - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src List<Property Map>Groups - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src List<Property Map>Names - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service Custom Groups List<Property Map> - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service Customs List<Property Map> - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service Groups List<Property Map> - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service Ids List<Property Map> - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service Names List<Property Map> - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service Negate String - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service Src String - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service Src Custom Groups List<Property Map> - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service Src Customs List<Property Map> - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service Src Groups List<Property Map> - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service Src Ids List<Property Map> - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service Src Names List<Property Map> - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service Src Negate String - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool String
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip Filter String - Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Enable to allow all traffic while logging the meaningful data for security information gathering; a learning report will be generated. Valid values:
enable
,disable
. - logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip Only String - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 String
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 String
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service Dynamics List<Property Map> - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service Src Dynamics List<Property Map> - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled Browsers List<Property Map> - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - passive
Wan Health Measurement String - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames List<Property Map> - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip Shaper String - Per-IP traffic shaper.
- permit
Any Host String - Accept UDP packets from any host. Valid values:
enable
,disable
. - permit
Stun Host String - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - policy
Expiry String - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry Date String - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry Date Utc String - Policy expiry date and time, in epoch format.
- policyid Number
- Policy ID.
- poolname6s List<Property Map>
- IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames List<Property Map>
- IP Pool names. The structure of
poolname
block is documented below. - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group String - Name of profile group.
- profile
Protocol Options String - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Mac Auth Bypass String - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
enable
,disable
. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Override Group String - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Number - Minimum Reputation to take action.
- reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs List<Property Map> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet Connections String - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name. (Default is
always
) - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp
Filter Profile String - Name of an existing SCTP filter profile.
- send
Deny Packet String - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services List<Property Map>
- Service and service group names. The structure of
service
block is documented below. - session
Ttl Number - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts List<Property Map>
- Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile String - Name of an existing Spam filter profile.
- src
Vendor Macs List<Property Map> - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s List<Property Map>
- Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs List<Property Map>
- Source address and address group names. The structure of
srcaddr
block is documented below. - ssh
Filter Profile String - Name of an existing SSH filter profile.
- ssh
Policy Redirect String - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - ssl
Mirror Intfs List<Property Map> - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl
Ssh Profile String - Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp
Mss Receiver Number - Receiver TCP maximum segment size (MSS).
- tcp
Mss Sender Number - Sender TCP maximum segment size (MSS).
- tcp
Session Without Syn String - Enable/disable creation of TCP sessions without a SYN flag. Valid values:
all
,data-only
,disable
. - timeout
Send Rst String - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
enable
,disable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper Reverse String - Reverse traffic shaper.
- url
Categories List<Property Map> - URL category ID list. The structure of
url_category
block is documented below. - users List<Property Map>
- Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam String
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the provider's VDOM configuration, leave this parameter unset.
- videofilter
Profile String - Name of an existing VideoFilter profile.
- virtual
Patch Profile String - Name of an existing virtual-patch profile.
- vlan
Cos Fwd Number - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos Rev Number - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP (voipd) profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive Opt String - WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache String
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward Server String - Web proxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device Ownership String - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - ztna Ems Tag Secondaries List<Property Map>
- Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - ztna Ems Tags List<Property Map>
- Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - ztna Geo Tags List<Property Map>
- Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy Redirect String - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status String - Enable/disable zero trust access. Valid values:
enable
,disable
. - ztna Tags Match Logic String
- ZTNA tag matching logic. Valid values:
or
,and
.
Outputs
All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Policy Resource
Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
action: Optional[str] = None,
anti_replay: Optional[str] = None,
app_categories: Optional[Sequence[PolicyAppCategoryArgs]] = None,
app_groups: Optional[Sequence[PolicyAppGroupArgs]] = None,
application_list: Optional[str] = None,
applications: Optional[Sequence[PolicyApplicationArgs]] = None,
auth_cert: Optional[str] = None,
auth_path: Optional[str] = None,
auth_redirect_addr: Optional[str] = None,
auto_asic_offload: Optional[str] = None,
av_profile: Optional[str] = None,
block_notification: Optional[str] = None,
captive_portal_exempt: Optional[str] = None,
capture_packet: Optional[str] = None,
casb_profile: Optional[str] = None,
cifs_profile: Optional[str] = None,
comments: Optional[str] = None,
custom_log_fields: Optional[Sequence[PolicyCustomLogFieldArgs]] = None,
decrypted_traffic_mirror: Optional[str] = None,
delay_tcp_npu_session: Optional[str] = None,
devices: Optional[Sequence[PolicyDeviceArgs]] = None,
diameter_filter_profile: Optional[str] = None,
diffserv_copy: Optional[str] = None,
diffserv_forward: Optional[str] = None,
diffserv_reverse: Optional[str] = None,
diffservcode_forward: Optional[str] = None,
diffservcode_rev: Optional[str] = None,
disclaimer: Optional[str] = None,
dlp_profile: Optional[str] = None,
dlp_sensor: Optional[str] = None,
dnsfilter_profile: Optional[str] = None,
dsri: Optional[str] = None,
dstaddr6_negate: Optional[str] = None,
dstaddr6s: Optional[Sequence[PolicyDstaddr6Args]] = None,
dstaddr_negate: Optional[str] = None,
dstaddrs: Optional[Sequence[PolicyDstaddrArgs]] = None,
dstintfs: Optional[Sequence[PolicyDstintfArgs]] = None,
dynamic_shaping: Optional[str] = None,
dynamic_sort_subtable: Optional[str] = None,
email_collect: Optional[str] = None,
emailfilter_profile: Optional[str] = None,
fec: Optional[str] = None,
file_filter_profile: Optional[str] = None,
firewall_session_dirty: Optional[str] = None,
fixedport: Optional[str] = None,
fsso: Optional[str] = None,
fsso_agent_for_ntlm: Optional[str] = None,
fsso_groups: Optional[Sequence[PolicyFssoGroupArgs]] = None,
geoip_anycast: Optional[str] = None,
geoip_match: Optional[str] = None,
get_all_tables: Optional[str] = None,
global_label: Optional[str] = None,
groups: Optional[Sequence[PolicyGroupArgs]] = None,
http_policy_redirect: Optional[str] = None,
icap_profile: Optional[str] = None,
identity_based_route: Optional[str] = None,
inbound: Optional[str] = None,
inspection_mode: Optional[str] = None,
internet_service: Optional[str] = None,
internet_service6: Optional[str] = None,
internet_service6_custom_groups: Optional[Sequence[PolicyInternetService6CustomGroupArgs]] = None,
internet_service6_customs: Optional[Sequence[PolicyInternetService6CustomArgs]] = None,
internet_service6_groups: Optional[Sequence[PolicyInternetService6GroupArgs]] = None,
internet_service6_names: Optional[Sequence[PolicyInternetService6NameArgs]] = None,
internet_service6_negate: Optional[str] = None,
internet_service6_src: Optional[str] = None,
internet_service6_src_custom_groups: Optional[Sequence[PolicyInternetService6SrcCustomGroupArgs]] = None,
internet_service6_src_customs: Optional[Sequence[PolicyInternetService6SrcCustomArgs]] = None,
internet_service6_src_groups: Optional[Sequence[PolicyInternetService6SrcGroupArgs]] = None,
internet_service6_src_names: Optional[Sequence[PolicyInternetService6SrcNameArgs]] = None,
internet_service6_src_negate: Optional[str] = None,
internet_service_custom_groups: Optional[Sequence[PolicyInternetServiceCustomGroupArgs]] = None,
internet_service_customs: Optional[Sequence[PolicyInternetServiceCustomArgs]] = None,
internet_service_groups: Optional[Sequence[PolicyInternetServiceGroupArgs]] = None,
internet_service_ids: Optional[Sequence[PolicyInternetServiceIdArgs]] = None,
internet_service_names: Optional[Sequence[PolicyInternetServiceNameArgs]] = None,
internet_service_negate: Optional[str] = None,
internet_service_src: Optional[str] = None,
internet_service_src_custom_groups: Optional[Sequence[PolicyInternetServiceSrcCustomGroupArgs]] = None,
internet_service_src_customs: Optional[Sequence[PolicyInternetServiceSrcCustomArgs]] = None,
internet_service_src_groups: Optional[Sequence[PolicyInternetServiceSrcGroupArgs]] = None,
internet_service_src_ids: Optional[Sequence[PolicyInternetServiceSrcIdArgs]] = None,
internet_service_src_names: Optional[Sequence[PolicyInternetServiceSrcNameArgs]] = None,
internet_service_src_negate: Optional[str] = None,
ippool: Optional[str] = None,
ips_sensor: Optional[str] = None,
ips_voip_filter: Optional[str] = None,
label: Optional[str] = None,
learning_mode: Optional[str] = None,
logtraffic: Optional[str] = None,
logtraffic_start: Optional[str] = None,
match_vip: Optional[str] = None,
match_vip_only: Optional[str] = None,
name: Optional[str] = None,
nat: Optional[str] = None,
nat46: Optional[str] = None,
nat64: Optional[str] = None,
natinbound: Optional[str] = None,
natip: Optional[str] = None,
natoutbound: Optional[str] = None,
network_service_dynamics: Optional[Sequence[PolicyNetworkServiceDynamicArgs]] = None,
network_service_src_dynamics: Optional[Sequence[PolicyNetworkServiceSrcDynamicArgs]] = None,
np_acceleration: Optional[str] = None,
ntlm: Optional[str] = None,
ntlm_enabled_browsers: Optional[Sequence[PolicyNtlmEnabledBrowserArgs]] = None,
ntlm_guest: Optional[str] = None,
outbound: Optional[str] = None,
passive_wan_health_measurement: Optional[str] = None,
pcp_inbound: Optional[str] = None,
pcp_outbound: Optional[str] = None,
pcp_poolnames: Optional[Sequence[PolicyPcpPoolnameArgs]] = None,
per_ip_shaper: Optional[str] = None,
permit_any_host: Optional[str] = None,
permit_stun_host: Optional[str] = None,
policy_expiry: Optional[str] = None,
policy_expiry_date: Optional[str] = None,
policy_expiry_date_utc: Optional[str] = None,
policyid: Optional[int] = None,
poolname6s: Optional[Sequence[PolicyPoolname6Args]] = None,
poolnames: Optional[Sequence[PolicyPoolnameArgs]] = None,
port_preserve: Optional[str] = None,
profile_group: Optional[str] = None,
profile_protocol_options: Optional[str] = None,
profile_type: Optional[str] = None,
radius_mac_auth_bypass: Optional[str] = None,
redirect_url: Optional[str] = None,
replacemsg_override_group: Optional[str] = None,
reputation_direction: Optional[str] = None,
reputation_direction6: Optional[str] = None,
reputation_minimum: Optional[int] = None,
reputation_minimum6: Optional[int] = None,
rsso: Optional[str] = None,
rtp_addrs: Optional[Sequence[PolicyRtpAddrArgs]] = None,
rtp_nat: Optional[str] = None,
scan_botnet_connections: Optional[str] = None,
schedule: Optional[str] = None,
schedule_timeout: Optional[str] = None,
sctp_filter_profile: Optional[str] = None,
send_deny_packet: Optional[str] = None,
service_negate: Optional[str] = None,
services: Optional[Sequence[PolicyServiceArgs]] = None,
session_ttl: Optional[int] = None,
sgt_check: Optional[str] = None,
sgts: Optional[Sequence[PolicySgtArgs]] = None,
spamfilter_profile: Optional[str] = None,
src_vendor_macs: Optional[Sequence[PolicySrcVendorMacArgs]] = None,
srcaddr6_negate: Optional[str] = None,
srcaddr6s: Optional[Sequence[PolicySrcaddr6Args]] = None,
srcaddr_negate: Optional[str] = None,
srcaddrs: Optional[Sequence[PolicySrcaddrArgs]] = None,
srcintfs: Optional[Sequence[PolicySrcintfArgs]] = None,
ssh_filter_profile: Optional[str] = None,
ssh_policy_redirect: Optional[str] = None,
ssl_mirror: Optional[str] = None,
ssl_mirror_intfs: Optional[Sequence[PolicySslMirrorIntfArgs]] = None,
ssl_ssh_profile: Optional[str] = None,
status: Optional[str] = None,
tcp_mss_receiver: Optional[int] = None,
tcp_mss_sender: Optional[int] = None,
tcp_session_without_syn: Optional[str] = None,
timeout_send_rst: Optional[str] = None,
tos: Optional[str] = None,
tos_mask: Optional[str] = None,
tos_negate: Optional[str] = None,
traffic_shaper: Optional[str] = None,
traffic_shaper_reverse: Optional[str] = None,
url_categories: Optional[Sequence[PolicyUrlCategoryArgs]] = None,
users: Optional[Sequence[PolicyUserArgs]] = None,
utm_status: Optional[str] = None,
uuid: Optional[str] = None,
vdomparam: Optional[str] = None,
videofilter_profile: Optional[str] = None,
virtual_patch_profile: Optional[str] = None,
vlan_cos_fwd: Optional[int] = None,
vlan_cos_rev: Optional[int] = None,
vlan_filter: Optional[str] = None,
voip_profile: Optional[str] = None,
vpntunnel: Optional[str] = None,
waf_profile: Optional[str] = None,
wanopt: Optional[str] = None,
wanopt_detection: Optional[str] = None,
wanopt_passive_opt: Optional[str] = None,
wanopt_peer: Optional[str] = None,
wanopt_profile: Optional[str] = None,
wccp: Optional[str] = None,
webcache: Optional[str] = None,
webcache_https: Optional[str] = None,
webfilter_profile: Optional[str] = None,
webproxy_forward_server: Optional[str] = None,
webproxy_profile: Optional[str] = None,
wsso: Optional[str] = None,
ztna_device_ownership: Optional[str] = None,
ztna_ems_tag_secondaries: Optional[Sequence[PolicyZtnaEmsTagSecondaryArgs]] = None,
ztna_ems_tags: Optional[Sequence[PolicyZtnaEmsTagArgs]] = None,
ztna_geo_tags: Optional[Sequence[PolicyZtnaGeoTagArgs]] = None,
ztna_policy_redirect: Optional[str] = None,
ztna_status: Optional[str] = None,
ztna_tags_match_logic: Optional[str] = None) -> Policy
func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Action string
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
enable
,disable
. - App
Categories List<Pulumiverse.Fortios. Firewall. Inputs. Policy App Category> - Application category ID list. The structure of
app_category
block is documented below. - App
Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy App Group> - Application group names. The structure of
app_group
block is documented below. - Application
List string - Name of an existing Application list.
- Applications
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Application> - Application ID list. The structure of
application
block is documented below. - Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - Auth
Redirect Addr string - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic Offload string - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - Av
Profile string - Name of an existing Antivirus profile.
- Block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - Captive
Portal Exempt string - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - Casb
Profile string - Name of an existing CASB profile.
- Cifs
Profile string - Name of an existing CIFS profile.
- Comments string
- Comment.
- Custom
Log Fields List<Pulumiverse.Fortios.Firewall.Inputs.PolicyCustomLogField> - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - Decrypted
Traffic Mirror string - Decrypted traffic mirror.
- Delay
Tcp Npu Session string - Enable TCP NPU session delay to guarantee the packet order of the 3-way handshake. Valid values:
enable
,disable
. - Devices
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Device> - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - Diameter
Filter Profile string - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy a packet's DiffServ values from the session's original direction to its reply direction. Valid values:
enable
,disable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - Dlp
Profile string - Name of an existing DLP profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddr6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Dstaddr6> - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddrs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Dstaddr> - Destination address and address group names. The structure of
dstaddr
block is documented below. - Dstintfs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Dstintf> - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - Dynamic
Sort Subtable string - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- Email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - File
Filter Profile string - Name of an existing file-filter profile.
- Firewall
Session Dirty string - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - Fsso
Agent For Ntlm string - FSSO agent to use for NTLM authentication.
- Fsso
Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy Fsso Group> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - Geoip
Match string - Match a geography address on either its physical location or its registered location. Valid values:
physical-location
,registered-location
. - Get
All Tables string - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Group> - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - Http
Policy Redirect string - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based Route string - Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - Inspection
Mode string - Policy inspection mode (flow/proxy). Default is flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 Custom Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6CustomGroup> - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - Internet
Service6Customs List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Custom> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - Internet
Service6Groups List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Group> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - Internet
Service6Names List<Pulumiverse.Fortios. Firewall. Inputs. Policy Internet Service6Name> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service6 Src Custom Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomGroup> - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - Internet
Service6Src List<Pulumiverse.Customs Fortios. Firewall. Inputs. Policy Internet Service6Src Custom> - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - Internet
Service6Src List<Pulumiverse.Groups Fortios. Firewall. Inputs. Policy Internet Service6Src Group> - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - Internet
Service6Src List<Pulumiverse.Names Fortios. Firewall. Inputs. Policy Internet Service6Src Name> - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service Custom Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceCustomGroup> - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - Internet
Service List<Pulumiverse.Customs Fortios. Firewall. Inputs. Policy Internet Service Custom> - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - Internet
Service List<Pulumiverse.Groups Fortios. Firewall. Inputs. Policy Internet Service Group> - Internet Service group name. The structure of
internet_service_group
block is documented below. - Internet
Service List<Pulumiverse.Ids Fortios. Firewall. Inputs. Policy Internet Service Id> - Internet Service ID. The structure of
internet_service_id
block is documented below. - Internet
Service List<Pulumiverse.Names Fortios. Firewall. Inputs. Policy Internet Service Name> - Internet Service name. The structure of
internet_service_name
block is documented below. - Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service Src Custom Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomGroup> - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - Internet
Service List<Pulumiverse.Src Customs Fortios. Firewall. Inputs. Policy Internet Service Src Custom> - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - Internet
Service List<Pulumiverse.Src Groups Fortios. Firewall. Inputs. Policy Internet Service Src Group> - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - Internet
Service List<Pulumiverse.Src Ids Fortios. Firewall. Inputs. Policy Internet Service Src Id> - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - Internet
Service List<Pulumiverse.Src Names Fortios. Firewall. Inputs. Policy Internet Service Src Name> - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- Learning
Mode string - Enable to allow all traffic, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - Nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - Nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - Network
Service Dynamics List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNetworkServiceDynamic> - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - Network
Service List<Pulumiverse.Src Dynamics Fortios. Firewall. Inputs. Policy Network Service Src Dynamic> - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - Ntlm
Enabled Browsers List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNtlmEnabledBrowser> - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - Passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - Pcp
Poolnames List<Pulumiverse.Fortios. Firewall. Inputs. Policy Pcp Poolname> - PCP pool names. The structure of
pcp_poolname
block is documented below. - Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
enable
,disable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - Policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - Policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Poolname6> - IPv6 pool names. The structure of
poolname6
block is documented below. - Poolnames
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Poolname> - IP Pool names. The structure of
poolname
block is documented below. - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - Radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
enable
,disable
. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum int - Minimum Reputation to take action.
- Reputation
Minimum6 int - IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - Rtp
Addrs List<Pulumiverse.Fortios. Firewall. Inputs. Policy Rtp Addr> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name. (Default is
always
) - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled, service specifies what the service must NOT be. Valid values:
enable
,disable
. - Services
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Service> - Service and service group names. The structure of
service
block is documented below. - Session
Ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - Sgts
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Sgt> - Security group tags. The structure of
sgt
block is documented below. - Spamfilter
Profile string - Name of an existing Spam filter profile.
- Src
Vendor Macs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcVendorMac> - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddr6s
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Srcaddr6> - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - Srcaddr
Negate string - When enabled, srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddrs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Srcaddr> - Source address and address group names. The structure of
srcaddr
block is documented below. - Srcintfs
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Srcintf> - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
enable
,disable
. - Ssl
Mirror Intfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySslMirrorIntf> - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy. Valid values:
enable
,disable
. - Tcp
Mss intReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss intSender - Sender TCP maximum segment size (MSS).
- Tcp
Session stringWithout Syn - Enable/disable creation of TCP sessions without a SYN flag. Valid values:
all
,data-only
,disable
. - Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Url
Categories List<Pulumiverse.Fortios. Firewall. Inputs. Policy Url Category> - URL category ID list. The structure of
url_category
block is documented below. - Users
List<Pulumiverse.
Fortios. Firewall. Inputs. Policy User> - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Vdomparam string
- Specifies the VDOM to which the resource is applied when the FortiGate unit is running in VDOM mode. Only one VDOM can be specified. To inherit the VDOM configuration of the provider, do not set this parameter.
- Videofilter
Profile string - Name of an existing VideoFilter profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos intFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos intRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP (voipd) profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - Webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Web proxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Ztna Ems Tag Secondary> - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Ztna Ems Tag> - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - List<Pulumiverse.
Fortios. Firewall. Inputs. Policy Ztna Geo Tag> - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - Ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - string
- ZTNA tag matching logic. Valid values:
or
,and
.
- Action string
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
enable
,disable
. - App
Categories []PolicyApp Category Args - Application category ID list. The structure of
app_category
block is documented below. - App
Groups []PolicyApp Group Args - Application group names. The structure of
app_group
block is documented below. - Application
List string - Name of an existing Application list.
- Applications
[]Policy
Application Args - Application ID list. The structure of
application
block is documented below. - Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - Auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - Av
Profile string - Name of an existing Antivirus profile.
- Block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - Casb
Profile string - Name of an existing CASB profile.
- Cifs
Profile string - Name of an existing CIFS profile.
- Comments string
- Comment.
- Custom
Log []PolicyFields Custom Log Field Args - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - Decrypted
Traffic stringMirror - Decrypted traffic mirror.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee the packet order of the 3-way handshake. Valid values:
enable
,disable
. - Devices
[]Policy
Device Args - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy the packet's DiffServ values from the session's original direction to its reply direction. Valid values:
enable
,disable
. - Diffserv
Forward string - Enable to change the packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - Diffserv
Reverse string - Enable to change the packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - Dlp
Profile string - Name of an existing DLP profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - Dstaddr6Negate string
- When enabled, dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddr6s
[]Policy
Dstaddr6Args - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - Dstaddr
Negate string - When enabled, dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - Dstaddrs
[]Policy
Dstaddr Args - Destination address and address group names. The structure of
dstaddr
block is documented below. - Dstintfs
[]Policy
Dstintf Args - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - Dynamic
Sort stringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- Email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - File
Filter stringProfile - Name of an existing file-filter profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups []PolicyFsso Group Args - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - Get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise, conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups
[]Policy
Group Args - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based stringRoute - Name of identity-based routing rule.
- Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - Internet
Service6 Custom Groups []PolicyInternetService6CustomGroupArgs - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - Internet
Service6Customs []PolicyInternet Service6Custom Args - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - Internet
Service6Groups []PolicyInternet Service6Group Args - Internet Service group name. The structure of
internet_service6_group
block is documented below. - Internet
Service6Names []PolicyInternet Service6Name Args - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service6 Src Custom Groups []PolicyInternetService6SrcCustomGroupArgs - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - Internet
Service6Src []PolicyCustoms Internet Service6Src Custom Args - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - Internet
Service6Src []PolicyGroups Internet Service6Src Group Args - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - Internet
Service6Src []PolicyNames Internet Service6Src Name Args - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service Custom Groups []PolicyInternetServiceCustomGroupArgs - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - Internet
Service []PolicyCustoms Internet Service Custom Args - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - Internet
Service []PolicyGroups Internet Service Group Args - Internet Service group name. The structure of
internet_service_group
block is documented below. - Internet
Service []PolicyIds Internet Service Id Args - Internet Service ID. The structure of
internet_service_id
block is documented below. - Internet
Service []PolicyNames Internet Service Name Args - Internet Service name. The structure of
internet_service_name
block is documented below. - Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - Internet
Service Src Custom Groups []PolicyInternetServiceSrcCustomGroupArgs - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - Internet
Service []PolicySrc Customs Internet Service Src Custom Args - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - Internet
Service []PolicySrc Groups Internet Service Src Group Args - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - Internet
Service []PolicySrc Ids Internet Service Src Id Args - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - Internet
Service []PolicySrc Names Internet Service Src Name Args - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - Ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- Learning
Mode string - Enable to allow all traffic, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - Nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - Nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - Natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - Network
Service Dynamics []PolicyNetworkServiceDynamicArgs - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - Network
Service []PolicySrc Dynamics Network Service Src Dynamic Args - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - Ntlm
Enabled Browsers []PolicyNtlmEnabledBrowserArgs - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - Passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - Pcp
Poolnames []PolicyPcp Poolname Args - PCP pool names. The structure of
pcp_poolname
block is documented below. - Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
enable
,disable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - Policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - Policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policyid int
- Policy ID.
- Poolname6s
[]Policy
Poolname6Args - IPv6 pool names. The structure of
poolname6
block is documented below. - Poolnames
[]Policy
Poolname Args - IP Pool names. The structure of
poolname
block is documented below. - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - Radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The MAC addresses permitted to bypass authentication must be supplied by the RADIUS server. Valid values:
enable
,disable
. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum int - Minimum Reputation to take action.
- Reputation
Minimum6 int - IPv6 Minimum Reputation to take action.
- Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - Rtp
Addrs []PolicyRtp Addr Args - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name (default is `always`). - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - Services
[]Policy
Service Args - Service and service group names. The structure of
service
block is documented below. - Session
Ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - Sgts
[]Policy
Sgt Args - Security group tags. The structure of
sgt
block is documented below. - Spamfilter
Profile string - Name of an existing Spam filter profile.
- Src
Vendor []PolicyMacs Src Vendor Mac Args - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddr6s
[]Policy
Srcaddr6Args - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - Srcaddrs
[]Policy
Srcaddr Args - Source address and address group names. The structure of
srcaddr
block is documented below. - Srcintfs
[]Policy
Srcintf Args - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the mirror interface should connect only to a dedicated, access-controlled analysis network. Valid values:
enable
,disable
. - Ssl
Mirror []PolicyIntfs Ssl Mirror Intf Args - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Status string
- Enable or disable this policy. Valid values:
enable
,disable
. - Tcp
Mss intReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss intSender - Sender TCP maximum segment size (MSS).
- Tcp
Session stringWithout Syn - Enable/disable creation of TCP sessions from packets that lack the SYN flag (i.e. picking up a connection mid-stream instead of requiring the three-way handshake). `disable` keeps the full stateful check; `data-only` allows it only for packets carrying data; `all` allows it for any packet. Enable only where asymmetric routing or a similar topology requires it. Valid values:
all
,data-only
,disable
. - Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Url
Categories []PolicyUrl Category Args - URL category ID list. The structure of
url_category
block is documented below. - Users
[]Policy
User Args - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- Videofilter
Profile string - Name of an existing VideoFilter profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos intFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos intRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP (voipd) profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - Webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Web proxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - []Policy
Ztna Ems Tag Secondary Args - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - []Policy
Ztna Ems Tag Args - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - []Policy
Ztna Geo Tag Args - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - Ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - string
- ZTNA tag matching logic. Valid values:
or
,and
.
- action String
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app
Categories List<PolicyApp Category> - Application category ID list. The structure of
app_category
block is documented below. - app
Groups List<PolicyApp Group> - Application group names. The structure of
app_group
block is documented below. - application
List String - Name of an existing Application list.
- applications
List<Policy
Application> - Application ID list. The structure of
application
block is documented below. - auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Path String - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av
Profile String - Name of an existing Antivirus profile.
- block
Notification String - Enable/disable block notification. Valid values:
enable
,disable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture
Packet String - Enable/disable capture packets. Valid values:
enable
,disable
. - casb
Profile String - Name of an existing CASB profile.
- cifs
Profile String - Name of an existing CIFS profile.
- comments String
- Comment.
- custom
Log List<PolicyFields Custom Log Field> - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic StringMirror - Decrypted traffic mirror.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices
List<Policy
Device> - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile String - Name of an existing DLP profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dsri String
- Enable DSRI (Disable Server Response Inspection) so that HTTP server responses are not inspected by the security profiles. This reduces inspection coverage to the client-to-server direction only; enable it only where that trade-off is acceptable. Valid values:
enable
,disable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
List<Policy
Dstaddr6> - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
List<Policy
Dstaddr> - Destination address and address group names. The structure of
dstaddr
block is documented below. - dstintfs
List<Policy
Dstintf> - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamic
Sort StringSubtable - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- email
Collect String - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile String - Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter StringProfile - Name of an existing file-filter profile.
- firewall
Session StringDirty - How to handle existing sessions when the configuration of this firewall policy changes: `check-all` re-evaluates all existing sessions against the new configuration, `check-new` leaves existing sessions alone and applies the change only to new sessions. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<PolicyFsso Group> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - get
All StringTables - Get all sub-tables, including unconfigured ones. Do not set this to true if you configure any sub-table in another resource; otherwise the two resources will conflict and overwrite each other. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables, including unconfigured tables.
- global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups
List<Policy
Group> - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap
Profile String - Name of an existing ICAP profile.
- identity
Based StringRoute - Name of identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom List<PolicyGroups Internet Service6Custom Group> - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs List<PolicyInternet Service6Custom> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups List<PolicyInternet Service6Group> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names List<PolicyInternet Service6Name> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src List<PolicyCustom Groups Internet Service6Src Custom Group> - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src List<PolicyCustoms Internet Service6Src Custom> - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src List<PolicyGroups Internet Service6Src Group> - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src List<PolicyNames Internet Service6Src Name> - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service List<PolicyCustom Groups Internet Service Custom Group> - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service List<PolicyCustoms Internet Service Custom> - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service List<PolicyGroups Internet Service Group> - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service List<PolicyIds Internet Service Id> - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service List<PolicyNames Internet Service Name> - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service List<PolicySrc Custom Groups Internet Service Src Custom Group> - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service List<PolicySrc Customs Internet Service Src Custom> - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service List<PolicySrc Groups Internet Service Src Group> - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service List<PolicySrc Ids Internet Service Src Id> - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service List<PolicySrc Names Internet Service Src Name> - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool String
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Enable to accept all traffic matching this policy while logging the meaningful data for security information gathering; a learning report is generated. Because the policy then allows everything, use this only for a bounded discovery period, never as a production control. Valid values:
enable
,disable
. - logtraffic String
- Enable or disable traffic logging: `all` logs every session matched by this policy, `utm` logs only sessions on which a security profile acted, `disable` logs none. Valid values:
all
,utm
,disable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 String
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 String
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service List<PolicyDynamics Network Service Dynamic> - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service List<PolicySrc Dynamics Network Service Src Dynamic> - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled List<PolicyBrowsers Ntlm Enabled Browser> - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - passive
Wan StringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames List<PolicyPcp Poolname> - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip StringShaper - Per-IP traffic shaper.
- permit
Any StringHost - Accept UDP packets from any host. This relaxes the per-session source check for UDP traffic matched by this policy; leave it disabled unless the application (e.g. NAT-traversal protocols) requires replies from a host other than the one the session was opened to. Valid values:
enable
,disable
. - permit
Stun StringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - policy
Expiry String - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry StringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policyid Integer
- Policy ID.
- poolname6s
List<Policy
Poolname6> - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
List<Policy
Poolname> - IP Pool names. The structure of
poolname
block is documented below. - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Mac StringAuth Bypass - Enable MAC authentication bypass. The MAC addresses permitted to bypass authentication must be supplied by the RADIUS server. Valid values:
enable
,disable
. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Integer - Minimum Reputation to take action.
- reputation
Minimum6 Integer - IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs List<PolicyRtp Addr> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name (default is `always`). - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
List<Policy
Service> - Service and service group names. The structure of
service
block is documented below. - session
Ttl Integer - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
List<Policy
Sgt> - Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile String - Name of an existing Spam filter profile.
- src
Vendor List<PolicyMacs Src Vendor Mac> - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
List<Policy
Srcaddr6> - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
List<Policy
Srcaddr> - Source address and address group names. The structure of
srcaddr
block is documented below. - srcintfs
List<Policy
Srcintf> - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the mirror interface should connect only to a dedicated, access-controlled analysis network. Valid values:
enable
,disable
. - ssl
Mirror List<PolicyIntfs Ssl Mirror Intf> - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp
Mss IntegerReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss IntegerSender - Sender TCP maximum segment size (MSS).
- tcp
Session StringWithout Syn - Enable/disable creation of TCP sessions from packets that lack the SYN flag (i.e. picking up a connection mid-stream instead of requiring the three-way handshake). `disable` keeps the full stateful check; `data-only` allows it only for packets carrying data; `all` allows it for any packet. Enable only where asymmetric routing or a similar topology requires it. Valid values:
all
,data-only
,disable
. - timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
enable
,disable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- url
Categories List<PolicyUrl Category> - URL category ID list. The structure of
url_category
block is documented below. - users
List<Policy
User> - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- videofilter
Profile String - Name of an existing VideoFilter profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos IntegerFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos IntegerRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP (voipd) profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive StringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache String
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Web proxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - List<Policy
Ztna Ems Tag Secondary> - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - List<Policy
Ztna Ems Tag> - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - List<Policy
Ztna Geo Tag> - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status String - Enable/disable zero trust access. Valid values:
enable
,disable
. - String
- ZTNA tag matching logic. Valid values:
or
,and
.
- action string
- Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values:
accept
,deny
,ipsec
. - anti
Replay string - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app
Categories PolicyApp Category[] - Application category ID list. The structure of
app_category
block is documented below. - app
Groups PolicyApp Group[] - Application group names. The structure of
app_group
block is documented below. - application
List string - Name of an existing Application list.
- applications
Policy
Application[] - Application ID list. The structure of
application
block is documented below. - auth
Cert string - HTTPS server certificate for policy authentication.
- auth
Path string - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av
Profile string - Name of an existing Antivirus profile.
- block
Notification string - Enable/disable block notification. Valid values:
enable
,disable
. - captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture
Packet string - Enable/disable capture packets. Valid values:
enable
,disable
. - casb
Profile string - Name of an existing CASB profile.
- cifs
Profile string - Name of an existing CIFS profile.
- comments string
- Comment.
- custom
Log PolicyFields Custom Log Field[] - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic stringMirror - Decrypted traffic mirror to apply to this policy. Whatever receives the mirrored traffic sees plaintext that SSL inspection has already decrypted, so treat the mirror destination as a sensitive sink and restrict access to it accordingly.
- delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices
Policy
Device[] - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward string - Change packet's DiffServ to this value.
- diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile string - Name of an existing DLP profile.
- dlp
Sensor string - Name of an existing DLP sensor.
- dnsfilter
Profile string - Name of an existing DNS filter profile.
- dsri string
- Enable DSRI (Disable Server Response Inspection) so that HTTP server responses are passed without inspection. Response bodies are then not examined by the policy's security profiles, which is a performance trade-off; enable it only where the server side is trusted. Valid values:
enable
,disable
. - dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
Policy
Dstaddr6[] - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
Policy
Dstaddr[] - Destination address and address group names. The structure of
dstaddr
block is documented below. - dstintfs
Policy
Dstintf[] - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamic
Sort stringSubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- email
Collect string - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile string - Name of an existing email filter profile.
- fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter stringProfile - Name of an existing file-filter profile.
- firewall
Session stringDirty - How existing sessions are handled when this policy's configuration changes: check-all re-checks every existing session against the updated policy, while check-new applies the change only to newly created sessions, so sessions established before the change keep running under the old rule. When tightening a policy, prefer check-all (or plan to clear the affected sessions) so that the restriction takes effect immediately. Valid values:
check-all
,check-new
. - fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups PolicyFsso Group[] - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match string - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - get
All stringTables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- groups
Policy
Group[] - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap
Profile string - Name of an existing ICAP profile.
- identity
Based stringRoute - Name of identity-based routing rule.
- inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom PolicyGroups Internet Service6Custom Group[] - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs PolicyInternet Service6Custom[] - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups PolicyInternet Service6Group[] - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names PolicyInternet Service6Name[] - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src PolicyCustom Groups Internet Service6Src Custom Group[] - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src PolicyCustoms Internet Service6Src Custom[] - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src PolicyGroups Internet Service6Src Group[] - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src PolicyNames Internet Service6Src Name[] - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service PolicyCustom Groups Internet Service Custom Group[] - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service PolicyCustoms Internet Service Custom[] - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service PolicyGroups Internet Service Group[] - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service PolicyIds Internet Service Id[] - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service PolicyNames Internet Service Name[] - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service PolicySrc Custom Groups Internet Service Src Custom Group[] - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service PolicySrc Customs Internet Service Src Custom[] - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service PolicySrc Groups Internet Service Src Group[] - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service PolicySrc Ids Internet Service Src Id[] - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service PolicySrc Names Internet Service Src Name[] - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool string
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor string - Name of an existing IPS sensor.
- ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- label string
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode string - Enable to allow all traffic matched by this policy while logging the meaningful data for security information gathering; a learning report is generated from those logs. Because enforcement is suspended while this is enabled, use it only for a bounded discovery period and disable it before relying on the policy to block anything. Valid values:
enable
,disable
. - logtraffic string
- Enable or disable traffic logging for this policy: all logs every session the policy matches, utm logs only sessions in which a security profile was involved, and disable logs nothing. Note that with utm an ordinary allowed session that triggers no security-profile event leaves no log, which limits what can be reconstructed during incident response; choose all where full session visibility is required. Valid values:
all
,utm
,disable
. - logtraffic
Start string - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name string
- Policy name.
- nat string
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 string
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 string
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service PolicyDynamics Network Service Dynamic[] - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service PolicySrc Dynamics Network Service Src Dynamic[] - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm string
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled PolicyBrowsers Ntlm Enabled Browser[] - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
. - passive
Wan stringHealth Measurement - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values:
enable
,disable
. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames PolicyPcp Poolname[] - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip stringShaper - Per-IP traffic shaper.
- permit
Any stringHost - Accept UDP packets from any host, i.e. relax the session's source check so that packets from hosts other than the original peer are accepted into the session. This widens the policy's exposure for UDP; keep it disabled unless a specific application (for example certain NAT-traversal or media setups) requires it. Valid values:
enable
,disable
. - permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
enable
,disable
. - policy
Expiry string - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry stringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- policyid number
- Policy ID.
- poolname6s
Policy
Poolname6[] - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
Policy
Poolname[] - IP Pool names. The structure of
poolname
block is documented below. - port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group string - Name of profile group.
- profile
Protocol stringOptions - Name of an existing Protocol options profile.
- profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Mac stringAuth Bypass - Enable MAC authentication bypass: a device whose MAC address the RADIUS server returns as authorized is allowed through without user authentication. Because MAC addresses are trivially spoofable, treat this as device identification for headless equipment rather than as strong authentication, and keep the bypassed set on the RADIUS side as small as possible. Valid values:
enable
,disable
. - redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum number - Minimum Reputation to take action.
- reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
- rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs PolicyRtp Addr[] - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet stringConnections - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values:
disable
,block
,monitor
. - schedule string
- Schedule name. (Default is
always
, meaning the policy is in effect at all times.) - schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- send
Deny stringPacket - Enable to send a reply packet when a session is denied or blocked by this policy, instead of silently dropping it. A reply lets clients fail fast, but it also tells the sender that a filtering device is present; many deployments leave this disabled on interfaces facing untrusted networks. Valid values:
disable
,enable
. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
Policy
Service[] - Service and service group names. The structure of
service
block is documented below. - session
Ttl number - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
Policy
Sgt[] - Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile string - Name of an existing Spam filter profile.
- src
Vendor PolicyMacs Src Vendor Mac[] - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
Policy
Srcaddr6[] - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
Policy
Srcaddr[] - Source address and address group names. The structure of
srcaddr
block is documented below. - srcintfs
Policy
Srcintf[] - Incoming (ingress) interface. The structure of
srcintf
block is documented below. - ssh
Filter stringProfile - Name of an existing SSH filter profile.
- ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
enable
,disable
. - ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the interfaces listed in ssl_mirror_intf must lead only to trusted collectors (for example an isolated monitoring segment); never point them at a shared network. Valid values:
enable
,disable
. - ssl
Mirror PolicyIntfs Ssl Mirror Intf[] - SSL mirror interface name. The structure of
ssl_mirror_intf
block is documented below. - ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- status string
- Enable or disable this policy. Valid values:
enable
,disable
. - tcp
Mss numberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss numberSender - Sender TCP maximum segment size (MSS).
- tcp
Session stringWithout Syn - Enable/disable creation of TCP sessions from packets that do not carry the SYN flag (all, or data-only to limit this to packets carrying data). This bypasses the three-way-handshake check that stateful inspection relies on; leave it disabled unless asymmetric routing genuinely requires it, and then scope the policy as narrowly as possible. Valid values:
all
,data-only
,disable
. - timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
enable
,disable
. - tos string
- ToS (Type of Service) value used for comparison.
- tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate string - Enable negated TOS match. Valid values:
enable
,disable
. - traffic
Shaper string - Traffic shaper.
- traffic
Shaper stringReverse - Reverse traffic shaper.
- url
Categories PolicyUrl Category[] - URL category ID list. The structure of
url_category
block is documented below. - users
Policy
User[] - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam string
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- videofilter
Profile string - Name of an existing VideoFilter profile.
- virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- vlan
Cos numberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos numberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter string - Set VLAN filters.
- voip
Profile string - Name of an existing VoIP (voipd) profile.
- vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile string - Name of an existing Web application firewall profile.
- wanopt string
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive stringOpt - WAN optimization passive-mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer string - WAN optimization peer.
- wanopt
Profile string - WAN optimization profile.
- wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache string
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile string - Name of an existing Web filter profile.
- webproxy
Forward stringServer - Web proxy forward server name.
- webproxy
Profile string - Webproxy profile name.
- wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - Policy
Ztna Ems Tag Secondary[] - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - Policy
Ztna Ems Tag[] - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - Policy
Ztna Geo Tag[] - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status string - Enable/disable zero trust access. Valid values:
enable
,disable
. - string
- ZTNA tag matching logic. Valid values:
or
,and
.
- action str
- Policy action. On FortiOS versions 6.2.0-6.4.0 the permit action is spelled allow (allow/deny/ipsec); on FortiOS versions >= 6.4.1 it is accept (accept/deny/ipsec), which is the spelling the examples on this page use. Check the target firmware before copying a value across versions. Valid values:
accept
,deny
,ipsec
. - anti_
replay str - Enable/disable anti-replay check. Valid values:
enable
,disable
. - app_
categories Sequence[PolicyApp Category Args] - Application category ID list. The structure of
app_category
block is documented below. - app_
groups Sequence[PolicyApp Group Args] - Application group names. The structure of
app_group
block is documented below. - application_
list str - Name of an existing Application list.
- applications
Sequence[Policy
Application Args] - Application ID list. The structure of
application
block is documented below. - auth_
cert str - HTTPS server certificate for policy authentication.
- auth_
path str - Enable/disable authentication-based routing. Valid values:
enable
,disable
. - auth_
redirect_ straddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto_
asic_ stroffload - Enable/disable policy traffic ASIC offloading. Valid values:
enable
,disable
. - av_
profile str - Name of an existing Antivirus profile.
- block_
notification str - Enable/disable block notification. Valid values:
enable
,disable
. - captive_
portal_ strexempt - Enable to exempt some users from the captive portal. Valid values:
enable
,disable
. - capture_
packet str - Enable/disable capture packets. Valid values:
enable
,disable
. - casb_
profile str - Name of an existing CASB profile.
- cifs_
profile str - Name of an existing CIFS profile.
- comments str
- Comment.
- custom_
log_ Sequence[Policyfields Custom Log Field Args] - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted_
traffic_ strmirror - Decrypted traffic mirror to apply to this policy. Whatever receives the mirrored traffic sees plaintext that SSL inspection has already decrypted, so treat the mirror destination as a sensitive sink and restrict access to it accordingly.
- delay_
tcp_ strnpu_ session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices
Sequence[Policy
Device Args] - Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter_
filter_ strprofile - Name of an existing Diameter filter profile.
- diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode_
forward str - Change packet's DiffServ to this value.
- diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
- disclaimer str
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp_
profile str - Name of an existing DLP profile.
- dlp_
sensor str - Name of an existing DLP sensor.
- dnsfilter_
profile str - Name of an existing DNS filter profile.
- dsri str
- Enable DSRI (Disable Server Response Inspection) so that HTTP server responses are passed without inspection. Response bodies are then not examined by the policy's security profiles, which is a performance trade-off; enable it only where the server side is trusted. Valid values:
enable
,disable
. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s
Sequence[Policy
Dstaddr6Args] - Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs
Sequence[Policy
Dstaddr Args] - Destination address and address group names. The structure of
dstaddr
block is documented below. - dstintfs
Sequence[Policy
Dstintf Args] - Outgoing (egress) interface. The structure of
dstintf
block is documented below. - dynamic_
shaping str - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
. - dynamic_
sort_ strsubtable - Sort sub-tables. Do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
- email_
collect str - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter_
profile str - Name of an existing email filter profile.
- fec str
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file_
filter_ strprofile - Name of an existing file-filter profile.
- firewall_
session_ strdirty - How existing sessions are handled when this policy's configuration changes: check-all re-checks every existing session against the updated policy, while check-new applies the change only to newly created sessions, so sessions established before the change keep running under the old rule. When tightening a policy, prefer check-all (or plan to clear the affected sessions) so that the restriction takes effect immediately. Valid values:
check-all
,check-new
. - fixedport str
- Enable to prevent source NAT from changing a session's source port. Valid values:
enable
,disable
. - fsso str
- Enable/disable Fortinet Single Sign-On. Valid values:
enable
,disable
. - fsso_
agent_ strfor_ ntlm - FSSO agent to use for NTLM authentication.
- fsso_
groups Sequence[PolicyFsso Group Args] - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip_
match str - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
. - get_
all_ strtables - Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- global_
label str - Label for the policy that appears when the GUI is in Global View mode.
- groups
Sequence[Policy
Group Args] - Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below. - http_
policy_ strredirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
enable
,disable
. - icap_
profile str - Name of an existing ICAP profile.
- identity_
based_ strroute - Name of identity-based routing rule.
- inbound str
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet_
service6_ Sequence[Policycustom_ groups Internet Service6Custom Group Args] - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet_
service6_ Sequence[Policycustoms Internet Service6Custom Args] - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet_
service6_ Sequence[Policygroups Internet Service6Group Args] - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet_
service6_ Sequence[Policynames Internet Service6Name Args] - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet_
service6_ strnegate - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service6_ strsrc - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet_
service6_ Sequence[Policysrc_ custom_ groups Internet Service6Src Custom Group Args] - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet_
service6_ Sequence[Policysrc_ customs Internet Service6Src Custom Args] - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet_
service6_ Sequence[Policysrc_ groups Internet Service6Src Group Args] - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet_
service6_ Sequence[Policysrc_ names Internet Service6Src Name Args] - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet_
service6_ strsrc_ negate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service_ Sequence[Policycustom_ groups Internet Service Custom Group Args] - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet_
service_ Sequence[Policycustoms Internet Service Custom Args] - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet_
service_ Sequence[Policygroups Internet Service Group Args] - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet_
service_ Sequence[Policyids Internet Service Id Args] - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet_
service_ Sequence[Policynames Internet Service Name Args] - Internet Service name. The structure of
internet_service_name
block is documented below. - internet_
service_ strnegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet_
service_ strsrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet_
service_ Sequence[Policysrc_ custom_ groups Internet Service Src Custom Group Args] - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet_
service_ Sequence[Policysrc_ customs Internet Service Src Custom Args] - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet_
service_ Sequence[Policysrc_ groups Internet Service Src Group Args] - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet_
service_ Sequence[Policysrc_ ids Internet Service Src Id Args] - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet_
service_ Sequence[Policysrc_ names Internet Service Src Name Args] - Internet Service source name. The structure of
internet_service_src_name
block is documented below.
- internet_service_src_negate str - When enabled, internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
- ippool str - Enable to use IP Pools for source NAT. Valid values: enable, disable.
- ips_
sensor str - Name of an existing IPS sensor.
- ips_voip_filter str - Name of an existing VoIP (ips) profile.
- label str - Label for the policy that appears when the GUI is in Section View mode.
- learning_mode str - Enable to allow everything but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
- logtraffic str - Enable or disable logging. Log all sessions or only security profile sessions. Valid values: all, utm, disable.
- logtraffic_start str - Record logs when a session starts. Valid values: enable, disable.
- match_
vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match_
vip_ stronly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name str
- Policy name.
- nat str
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 str
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 str
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound str
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip str
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound str
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network_
service_ Sequence[Policydynamics Network Service Dynamic Args] - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network_
service_ Sequence[Policysrc_ dynamics Network Service Src Dynamic Args] - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm str
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm_
enabled_ Sequence[Policybrowsers Ntlm Enabled Browser Args] - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm_
guest str - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound str
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
.
- passive_wan_health_measurement str - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
- pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp_
poolnames Sequence[PolicyPcp Poolname Args] - PCP pool names. The structure of
pcp_poolname
block is documented below. - per_
ip_ strshaper - Per-IP traffic shaper.
- permit_any_host str - Accept UDP packets from any host. Valid values: enable, disable.
- permit_stun_host str - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
- policy_
expiry str - Enable/disable policy expiry. Valid values: enable, disable.
- policy_expiry_date str - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy_expiry_date_utc str - Policy expiry date and time, in epoch format.
- policyid int
- Policy ID.
- poolname6s
Sequence[Policy
Poolname6Args] - IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames
Sequence[Policy
Poolname Args] - IP Pool names. The structure of
poolname
block is documented below. - port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile_
group str - Name of profile group.
- profile_
protocol_ stroptions - Name of an existing Protocol options profile.
- profile_
type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
.
- radius_mac_auth_bypass str - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: enable, disable.
- redirect_url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg_override_group str - Override the default replacement message group for this policy.
- reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation_
minimum int - Minimum Reputation to take action.
- reputation_
minimum6 int - IPv6 Minimum Reputation to take action.
- rsso str
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp_
addrs Sequence[PolicyRtp Addr Args] - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
.
- scan_botnet_connections str - Block or monitor connections to botnet servers, or disable botnet scanning. Valid values: disable, block, monitor.
- schedule str - Schedule name (default is always).
- schedule_
timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
.
- sctp_filter_profile str - Name of an existing SCTP filter profile.
- send_deny_packet str - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
- service_
negate str - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services
Sequence[Policy
Service Args] - Service and service group names. The structure of
service
block is documented below. - session_
ttl int - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt_
check str - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts
Sequence[Policy
Sgt Args] - Security group tags. The structure of
sgt
block is documented below. - spamfilter_
profile str - Name of an existing Spam filter profile.
- src_
vendor_ Sequence[Policymacs Src Vendor Mac Args] - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s
Sequence[Policy
Srcaddr6Args] - Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs
Sequence[Policy
Srcaddr Args] - Source address and address group names. The structure of
srcaddr
block is documented below. - srcintfs
Sequence[Policy
Srcintf Args] - Incoming (ingress) interface. The structure of
srcintf
block is documented below.
- ssh_filter_profile str - Name of an existing SSH filter profile.
- ssh_policy_redirect str - Redirect SSH traffic to the matching transparent proxy policy. Valid values: enable, disable.
- ssl_mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
- ssl_mirror_intfs Sequence[PolicySslMirrorIntfArgs] - SSL mirror interface name. The structure of the ssl_mirror_intf block is documented below.
- ssl_ssh_profile str - Name of an existing SSL SSH profile.
- status str
- Enable or disable this policy. Valid values:
enable
,disable
.
- tcp_mss_receiver int - Receiver TCP maximum segment size (MSS).
- tcp_mss_sender int - Sender TCP maximum segment size (MSS).
- tcp_session_without_syn str - Enable/disable creation of a TCP session without the SYN flag. Valid values: all, data-only, disable.
- timeout_send_rst str - Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
- tos str - ToS (Type of Service) value used for comparison.
- tos_mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos_negate str - Enable negated ToS match. Valid values: enable, disable.
- traffic_
shaper str - Traffic shaper.
- traffic_
shaper_ strreverse - Reverse traffic shaper.
- url_
categories Sequence[PolicyUrl Category Args] - URL category ID list. The structure of
url_category
block is documented below. - users
Sequence[Policy
User Args] - Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid str
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- vdomparam str
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- videofilter_
profile str - Name of an existing VideoFilter profile.
- virtual_
patch_ strprofile - Name of an existing virtual-patch profile.
- vlan_cos_fwd int - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_cos_rev int - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_filter str - Set VLAN filters.
- voip_
profile str - Name of an existing VoIP (voipd) profile.
- vpntunnel str
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf_
profile str - Name of an existing Web application firewall profile.
- wanopt str
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt_
passive_ stropt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt_
peer str - WAN optimization peer.
- wanopt_
profile str - WAN optimization profile.
- wccp str
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache str
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter_
profile str - Name of an existing Web filter profile.
- webproxy_
forward_ strserver - Web proxy forward server name.
- webproxy_
profile str - Webproxy profile name.
- wsso str
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
.
- ztna_device_ownership str - Enable/disable zero trust device ownership. Valid values: enable, disable.
- ztna_ems_tag_secondaries Sequence[PolicyZtnaEmsTagSecondaryArgs] - Source ztna-ems-tag-secondary names. The structure of the ztna_ems_tag_secondary block is documented below.
- Sequence[Policy
Ztna Ems Tag Args] - Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - Sequence[Policy
Ztna Geo Tag Args] - Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below.
- ztna_policy_redirect str - Redirect ZTNA traffic to the matching Access-Proxy proxy-policy. Valid values: enable, disable.
- ztna_status str - Enable/disable zero trust access. Valid values: enable, disable.
- [argument name missing from extracted text] str - ZTNA tag matching logic. Valid values: or, and.
- action String - Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
- antiReplay String - Enable/disable the anti-replay check. Valid values: enable, disable.
- app
Categories List<Property Map> - Application category ID list. The structure of
app_category
block is documented below. - app
Groups List<Property Map> - Application group names. The structure of
app_group
block is documented below. - application
List String - Name of an existing Application list.
- applications List<Property Map>
- Application ID list. The structure of
application
block is documented below. - auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Path String - Enable/disable authentication-based routing. Valid values:
enable
,disable
.
- authRedirectAddr String - HTTP-to-HTTPS redirect address for firewall authentication.
- autoAsicOffload String - Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
- avProfile String - Name of an existing Antivirus profile.
- block
Notification String - Enable/disable block notification. Valid values:
enable
,disable
.
- captivePortalExempt String - Enable to exempt some users from the captive portal. Valid values: enable, disable.
- capturePacket String - Enable/disable packet capture. Valid values: enable, disable.
- casb
Profile String - Name of an existing CASB profile.
- cifs
Profile String - Name of an existing CIFS profile.
- comments String
- Comment.
- custom
Log List<Property Map>Fields - Custom fields to append to log messages for this policy. The structure of
custom_log_fields
block is documented below. - decrypted
Traffic StringMirror - Decrypted traffic mirror.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
enable
,disable
. - devices List<Property Map>
- Names of devices or device groups that can be matched by the policy. The structure of
devices
block is documented below. - diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
enable
,disable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
enable
,disable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
enable
,disable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
enable
,disable
. - dlp
Profile String - Name of an existing DLP profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
enable
,disable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddr6s List<Property Map>
- Destination IPv6 address name and address group names. The structure of
dstaddr6
block is documented below. - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
enable
,disable
. - dstaddrs List<Property Map>
- Destination address and address group names. The structure of
dstaddr
block is documented below. - dstintfs List<Property Map>
- Outgoing (egress) interface. The structure of
dstintf
block is documented below. - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values:
enable
,disable
.
- dynamicSortSubtable String - Sort sub-tables; do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: default value, do not sort tables; true/natural: sort tables in natural order, for example [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order, for example [ a10, a2 ] -> [ a10, a2 ].
- email
Collect String - Enable/disable email collection. Valid values:
enable
,disable
. - emailfilter
Profile String - Name of an existing email filter profile.
- fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
enable
,disable
. - file
Filter StringProfile - Name of an existing file-filter profile.
.
- firewallSessionDirty String - How to handle existing sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
- fixedport String - Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
- fsso String - Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
- fssoAgentForNtlm String - FSSO agent to use for NTLM authentication.
- fsso
Groups List<Property Map> - Names of FSSO groups. The structure of
fsso_groups
block is documented below. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
enable
,disable
. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values:
physical-location
,registered-location
.
- getAllTables String - Get all sub-tables, including unconfigured tables. Do not set this variable to true if you configure a sub-table in another resource; otherwise conflicts and overwrites will occur. Options: [ false, true ]. false: default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
- global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<Property Map>
- Names of user groups that can authenticate with this policy. The structure of
groups
block is documented below.
- httpPolicyRedirect String - Redirect HTTP(S) traffic to the matching transparent web proxy policy. Valid values: enable, disable.
- icapProfile String - Name of an existing ICAP profile.
- identityBasedRoute String - Name of the identity-based routing rule.
- inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
enable
,disable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
enable
,disable
. - internet
Service6Custom List<Property Map>Groups - Custom Internet Service6 group name. The structure of
internet_service6_custom_group
block is documented below. - internet
Service6Customs List<Property Map> - Custom IPv6 Internet Service name. The structure of
internet_service6_custom
block is documented below. - internet
Service6Groups List<Property Map> - Internet Service group name. The structure of
internet_service6_group
block is documented below. - internet
Service6Names List<Property Map> - IPv6 Internet Service name. The structure of
internet_service6_name
block is documented below. - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service6Src List<Property Map>Custom Groups - Custom Internet Service6 source group name. The structure of
internet_service6_src_custom_group
block is documented below. - internet
Service6Src List<Property Map>Customs - Custom IPv6 Internet Service source name. The structure of
internet_service6_src_custom
block is documented below. - internet
Service6Src List<Property Map>Groups - Internet Service6 source group name. The structure of
internet_service6_src_group
block is documented below. - internet
Service6Src List<Property Map>Names - IPv6 Internet Service source name. The structure of
internet_service6_src_name
block is documented below. - internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service List<Property Map>Custom Groups - Custom Internet Service group name. The structure of
internet_service_custom_group
block is documented below. - internet
Service List<Property Map>Customs - Custom Internet Service name. The structure of
internet_service_custom
block is documented below. - internet
Service List<Property Map>Groups - Internet Service group name. The structure of
internet_service_group
block is documented below. - internet
Service List<Property Map>Ids - Internet Service ID. The structure of
internet_service_id
block is documented below. - internet
Service List<Property Map>Names - Internet Service name. The structure of
internet_service_name
block is documented below. - internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
enable
,disable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
enable
,disable
. - internet
Service List<Property Map>Src Custom Groups - Custom Internet Service source group name. The structure of
internet_service_src_custom_group
block is documented below. - internet
Service List<Property Map>Src Customs - Custom Internet Service source name. The structure of
internet_service_src_custom
block is documented below. - internet
Service List<Property Map>Src Groups - Internet Service source group name. The structure of
internet_service_src_group
block is documented below. - internet
Service List<Property Map>Src Ids - Internet Service source ID. The structure of
internet_service_src_id
block is documented below. - internet
Service List<Property Map>Src Names - Internet Service source name. The structure of
internet_service_src_name
block is documented below. - internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
enable
,disable
. - ippool String
- Enable to use IP Pools for source NAT. Valid values:
enable
,disable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values:
enable
,disable
. - logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
all
,utm
,disable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
enable
,disable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
enable
,disable
. - name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
enable
,disable
. - nat46 String
- Enable/disable NAT46. Valid values:
enable
,disable
. - nat64 String
- Enable/disable NAT64. Valid values:
enable
,disable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
enable
,disable
. - natip String
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
enable
,disable
. - network
Service List<Property Map>Dynamics - Dynamic Network Service name. The structure of
network_service_dynamic
block is documented below. - network
Service List<Property Map>Src Dynamics - Dynamic Network Service source name. The structure of
network_service_src_dynamic
block is documented below. - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
enable
,disable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
enable
,disable
. - ntlm
Enabled List<Property Map>Browsers - HTTP-User-Agent value of supported browsers. The structure of
ntlm_enabled_browsers
block is documented below. - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
enable
,disable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
enable
,disable
.
- passiveWanHealthMeasurement String - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
- pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
enable
,disable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
enable
,disable
. - pcp
Poolnames List<Property Map> - PCP pool names. The structure of
pcp_poolname
block is documented below. - per
Ip StringShaper - Per-IP traffic shaper.
- permitAnyHost String - Accept UDP packets from any host. Valid values: enable, disable.
- permitStunHost String - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
- policy
Expiry String - Enable/disable policy expiry. Valid values:
enable
,disable
. - policy
Expiry StringDate - Policy expiry date (YYYY-MM-DD HH:MM:SS).
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policyid Number
- Policy ID.
- poolname6s List<Property Map>
- IPv6 pool names. The structure of
poolname6
block is documented below. - poolnames List<Property Map>
- IP Pool names. The structure of
poolname
block is documented below. - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
enable
,disable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
.
- radiusMacAuthBypass String - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: enable, disable.
- redirectUrl String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsgOverrideGroup String - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Number - Minimum Reputation to take action.
- reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
- rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
enable
,disable
. - rtp
Addrs List<Property Map> - Address names if this is an RTP NAT policy. The structure of
rtp_addr
block is documented below. - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
.
- scanBotnetConnections String - Block or monitor connections to botnet servers, or disable botnet scanning. Valid values: disable, block, monitor.
- schedule String - Schedule name (default is always).
- schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
enable
,disable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
enable
,disable
. - services List<Property Map>
- Service and service group names. The structure of
service
block is documented below. - session
Ttl Number - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
enable
,disable
. - sgts List<Property Map>
- Security group tags. The structure of
sgt
block is documented below. - spamfilter
Profile String - Name of an existing Spam filter profile.
- src
Vendor List<Property Map>Macs - Vendor MAC source ID. The structure of
src_vendor_mac
block is documented below. - srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddr6s List<Property Map>
- Source IPv6 address name and address group names. The structure of
srcaddr6
block is documented below. - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
enable
,disable
. - srcaddrs List<Property Map>
- Source address and address group names. The structure of
srcaddr
block is documented below. - srcintfs List<Property Map>
- Incoming (ingress) interface. The structure of
srcintf
block is documented below.
- sshFilterProfile String - Name of an existing SSH filter profile.
- sshPolicyRedirect String - Redirect SSH traffic to the matching transparent proxy policy. Valid values: enable, disable.
- sslMirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
- sslMirrorIntfs List<Property Map> - SSL mirror interface name. The structure of the ssl_mirror_intf block is documented below.
- sslSshProfile String - Name of an existing SSL SSH profile.
- status String
- Enable or disable this policy. Valid values:
enable
,disable
.
- tcpMssReceiver Number - Receiver TCP maximum segment size (MSS).
- tcpMssSender Number - Sender TCP maximum segment size (MSS).
- tcpSessionWithoutSyn String - Enable/disable creation of a TCP session without the SYN flag. Valid values: all, data-only, disable.
- timeoutSendRst String - Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
- tos String - ToS (Type of Service) value used for comparison.
- tosMask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tosNegate String - Enable negated ToS match. Valid values: enable, disable.
- traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- url
Categories List<Property Map> - URL category ID list. The structure of
url_category
block is documented below. - users List<Property Map>
- Names of individual users that can authenticate with this policy. The structure of
users
block is documented below. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
enable
,disable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset). Resetting it changes the identifier that log entries and external tooling may use to correlate traffic with this policy, so avoid doing so on a policy that is already in production.
- vdomparam String
- Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
- videofilter
Profile String - Name of an existing VideoFilter profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos NumberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos NumberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP (voipd) profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
enable
,disable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive StringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
enable
,disable
. - webcache String
- Enable/disable web cache. Valid values:
enable
,disable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Web proxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
enable
,disable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
enable
,disable
. - List<Property Map> (property name missing in this rendering) - Source ztna-ems-tag-secondary names. The structure of
ztna_ems_tag_secondary
block is documented below. - List<Property Map> (property name missing in this rendering)
- Source ztna-ems-tag names. The structure of
ztna_ems_tag
block is documented below. - List<Property Map> (property name missing in this rendering)
- Source ztna-geo-tag names. The structure of
ztna_geo_tag
block is documented below. - ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
enable
,disable
. - ztna
Status String - Enable/disable zero trust access. Valid values:
enable
,disable
. - String (property name missing in this rendering)
- ZTNA tag matching logic: with `and` a source must carry every listed ZTNA tag, with `or` any one listed tag is enough; `and` is the stricter setting. Valid values:
or
,and
.
Supporting Types
PolicyAppCategory, PolicyAppCategoryArgs
- Id int
- Category IDs.
- Id int
- Category IDs.
- id Integer
- Category IDs.
- id number
- Category IDs.
- id int
- Category IDs.
- id Number
- Category IDs.
PolicyAppGroup, PolicyAppGroupArgs
- Name string
- Application group names.
- Name string
- Application group names.
- name String
- Application group names.
- name string
- Application group names.
- name str
- Application group names.
- name String
- Application group names.
PolicyApplication, PolicyApplicationArgs
- Id int
- Application IDs.
- Id int
- Application IDs.
- id Integer
- Application IDs.
- id number
- Application IDs.
- id int
- Application IDs.
- id Number
- Application IDs.
PolicyCustomLogField, PolicyCustomLogFieldArgs
- Field
Id string - Custom log field.
- Field
Id string - Custom log field.
- field
Id String - Custom log field.
- field
Id string - Custom log field.
- field_
id str - Custom log field.
- field
Id String - Custom log field.
PolicyDevice, PolicyDeviceArgs
- Name string
- Device or group name.
- Name string
- Device or group name.
- name String
- Device or group name.
- name string
- Device or group name.
- name str
- Device or group name.
- name String
- Device or group name.
PolicyDstaddr, PolicyDstaddrArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
PolicyDstaddr6, PolicyDstaddr6Args
- Name string
- IPv6 destination address name.
- Name string
- IPv6 destination address name.
- name String
- IPv6 destination address name.
- name string
- IPv6 destination address name.
- name str
- IPv6 destination address name.
- name String
- IPv6 destination address name.
PolicyDstintf, PolicyDstintfArgs
- Name string
- Interface name.
- Name string
- Interface name.
- name String
- Interface name.
- name string
- Interface name.
- name str
- Interface name.
- name String
- Interface name.
PolicyFssoGroup, PolicyFssoGroupArgs
- Name string
- Names of FSSO groups.
- Name string
- Names of FSSO groups.
- name String
- Names of FSSO groups.
- name string
- Names of FSSO groups.
- name str
- Names of FSSO groups.
- name String
- Names of FSSO groups.
PolicyGroup, PolicyGroupArgs
- Name string
- Group name.
- Name string
- Group name.
- name String
- Group name.
- name string
- Group name.
- name str
- Group name.
- name String
- Group name.
PolicyInternetService6Custom, PolicyInternetService6CustomArgs
- Name string
- Custom Internet Service name (IPv6).
- Name string
- Custom Internet Service name (IPv6).
- name String
- Custom Internet Service name (IPv6).
- name string
- Custom Internet Service name (IPv6).
- name str
- Custom Internet Service name (IPv6).
- name String
- Custom Internet Service name (IPv6).
PolicyInternetService6CustomGroup, PolicyInternetService6CustomGroupArgs
- Name string
- Custom Internet Service group name (IPv6).
- Name string
- Custom Internet Service group name (IPv6).
- name String
- Custom Internet Service group name (IPv6).
- name string
- Custom Internet Service group name (IPv6).
- name str
- Custom Internet Service group name (IPv6).
- name String
- Custom Internet Service group name (IPv6).
PolicyInternetService6Group, PolicyInternetService6GroupArgs
- Name string
- Internet Service group name (IPv6).
- Name string
- Internet Service group name (IPv6).
- name String
- Internet Service group name (IPv6).
- name string
- Internet Service group name (IPv6).
- name str
- Internet Service group name (IPv6).
- name String
- Internet Service group name (IPv6).
PolicyInternetService6Name, PolicyInternetService6NameArgs
- Name string
- Internet Service name (IPv6).
- Name string
- Internet Service name (IPv6).
- name String
- Internet Service name (IPv6).
- name string
- Internet Service name (IPv6).
- name str
- Internet Service name (IPv6).
- name String
- Internet Service name (IPv6).
PolicyInternetService6SrcCustom, PolicyInternetService6SrcCustomArgs
- Name string
- Custom Internet Service name (IPv6, source side).
- Name string
- Custom Internet Service name (IPv6, source side).
- name String
- Custom Internet Service name (IPv6, source side).
- name string
- Custom Internet Service name (IPv6, source side).
- name str
- Custom Internet Service name (IPv6, source side).
- name String
- Custom Internet Service name (IPv6, source side).
PolicyInternetService6SrcCustomGroup, PolicyInternetService6SrcCustomGroupArgs
- Name string
- Custom Internet Service group name (IPv6, source side).
- Name string
- Custom Internet Service group name (IPv6, source side).
- name String
- Custom Internet Service group name (IPv6, source side).
- name string
- Custom Internet Service group name (IPv6, source side).
- name str
- Custom Internet Service group name (IPv6, source side).
- name String
- Custom Internet Service group name (IPv6, source side).
PolicyInternetService6SrcGroup, PolicyInternetService6SrcGroupArgs
- Name string
- Internet Service group name (IPv6, source side).
- Name string
- Internet Service group name (IPv6, source side).
- name String
- Internet Service group name (IPv6, source side).
- name string
- Internet Service group name (IPv6, source side).
- name str
- Internet Service group name (IPv6, source side).
- name String
- Internet Service group name (IPv6, source side).
PolicyInternetService6SrcName, PolicyInternetService6SrcNameArgs
- Name string
- Internet Service name (IPv6, source side).
- Name string
- Internet Service name (IPv6, source side).
- name String
- Internet Service name (IPv6, source side).
- name string
- Internet Service name (IPv6, source side).
- name str
- Internet Service name (IPv6, source side).
- name String
- Internet Service name (IPv6, source side).
PolicyInternetServiceCustom, PolicyInternetServiceCustomArgs
- Name string
- Custom Internet Service name.
- Name string
- Custom Internet Service name.
- name String
- Custom Internet Service name.
- name string
- Custom Internet Service name.
- name str
- Custom Internet Service name.
- name String
- Custom Internet Service name.
PolicyInternetServiceCustomGroup, PolicyInternetServiceCustomGroupArgs
- Name string
- Custom Internet Service group name.
- Name string
- Custom Internet Service group name.
- name String
- Custom Internet Service group name.
- name string
- Custom Internet Service group name.
- name str
- Custom Internet Service group name.
- name String
- Custom Internet Service group name.
PolicyInternetServiceGroup, PolicyInternetServiceGroupArgs
- Name string
- Internet Service group name.
- Name string
- Internet Service group name.
- name String
- Internet Service group name.
- name string
- Internet Service group name.
- name str
- Internet Service group name.
- name String
- Internet Service group name.
PolicyInternetServiceId, PolicyInternetServiceIdArgs
- Id int
- Internet Service ID.
- Id int
- Internet Service ID.
- id Integer
- Internet Service ID.
- id number
- Internet Service ID.
- id int
- Internet Service ID.
- id Number
- Internet Service ID.
PolicyInternetServiceName, PolicyInternetServiceNameArgs
- Name string
- Internet Service name.
- Name string
- Internet Service name.
- name String
- Internet Service name.
- name string
- Internet Service name.
- name str
- Internet Service name.
- name String
- Internet Service name.
PolicyInternetServiceSrcCustom, PolicyInternetServiceSrcCustomArgs
- Name string
- Custom Internet Service name.
- Name string
- Custom Internet Service name.
- name String
- Custom Internet Service name.
- name string
- Custom Internet Service name.
- name str
- Custom Internet Service name.
- name String
- Custom Internet Service name.
PolicyInternetServiceSrcCustomGroup, PolicyInternetServiceSrcCustomGroupArgs
- Name string
- Custom Internet Service group name.
- Name string
- Custom Internet Service group name.
- name String
- Custom Internet Service group name.
- name string
- Custom Internet Service group name.
- name str
- Custom Internet Service group name.
- name String
- Custom Internet Service group name.
PolicyInternetServiceSrcGroup, PolicyInternetServiceSrcGroupArgs
- Name string
- Internet Service group name.
- Name string
- Internet Service group name.
- name String
- Internet Service group name.
- name string
- Internet Service group name.
- name str
- Internet Service group name.
- name String
- Internet Service group name.
PolicyInternetServiceSrcId, PolicyInternetServiceSrcIdArgs
- Id int
- Internet Service ID.
- Id int
- Internet Service ID.
- id Integer
- Internet Service ID.
- id number
- Internet Service ID.
- id int
- Internet Service ID.
- id Number
- Internet Service ID.
PolicyInternetServiceSrcName, PolicyInternetServiceSrcNameArgs
- Name string
- Internet Service name.
- Name string
- Internet Service name.
- name String
- Internet Service name.
- name string
- Internet Service name.
- name str
- Internet Service name.
- name String
- Internet Service name.
PolicyNetworkServiceDynamic, PolicyNetworkServiceDynamicArgs
- Name string
- Dynamic Network Service name.
- Name string
- Dynamic Network Service name.
- name String
- Dynamic Network Service name.
- name string
- Dynamic Network Service name.
- name str
- Dynamic Network Service name.
- name String
- Dynamic Network Service name.
PolicyNetworkServiceSrcDynamic, PolicyNetworkServiceSrcDynamicArgs
- Name string
- Dynamic Network Service name.
- Name string
- Dynamic Network Service name.
- name String
- Dynamic Network Service name.
- name string
- Dynamic Network Service name.
- name str
- Dynamic Network Service name.
- name String
- Dynamic Network Service name.
PolicyNtlmEnabledBrowser, PolicyNtlmEnabledBrowserArgs
Each entry is matched against the client-supplied User-Agent header, which any client can set freely, so treat this list as a compatibility selector for which browsers are offered NTLM, not as an authentication or access control.
- UserAgentString string
- User agent string.
- UserAgentString string
- User agent string.
- userAgentString String
- User agent string.
- userAgentString string
- User agent string.
- user_agent_string str
- User agent string.
- userAgentString String
- User agent string.
PolicyPcpPoolname, PolicyPcpPoolnameArgs
- Name string
- PCP pool name.
- Name string
- PCP pool name.
- name String
- PCP pool name.
- name string
- PCP pool name.
- name str
- PCP pool name.
- name String
- PCP pool name.
PolicyPoolname, PolicyPoolnameArgs
- Name string
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
- Name string
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
- name String
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
- name string
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
- name str
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
- name String
- IP pool name (this resource configures IPv4 policies; IPv6 pools go in the `poolname6` block).
PolicyPoolname6, PolicyPoolname6Args
- Name string
- IPv6 pool name.
- Name string
- IPv6 pool name.
- name String
- IPv6 pool name.
- name string
- IPv6 pool name.
- name str
- IPv6 pool name.
- name String
- IPv6 pool name.
PolicyRtpAddr, PolicyRtpAddrArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
PolicyService, PolicyServiceArgs
- Name string
- Service and service group names.
- Name string
- Service and service group names.
- name String
- Service and service group names.
- name string
- Service and service group names.
- name str
- Service and service group names.
- name String
- Service and service group names.
PolicySgt, PolicySgtArgs
- Id int
- Security group tag.
- Id int
- Security group tag.
- id Integer
- Security group tag.
- id number
- Security group tag.
- id int
- Security group tag.
- id Number
- Security group tag.
PolicySrcVendorMac, PolicySrcVendorMacArgs
- Id int
- Vendor MAC ID.
- Id int
- Vendor MAC ID.
- id Integer
- Vendor MAC ID.
- id number
- Vendor MAC ID.
- id int
- Vendor MAC ID.
- id Number
- Vendor MAC ID.
PolicySrcaddr, PolicySrcaddrArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
PolicySrcaddr6, PolicySrcaddr6Args
- Name string
- IPv6 source address name.
- Name string
- IPv6 source address name.
- name String
- IPv6 source address name.
- name string
- IPv6 source address name.
- name str
- IPv6 source address name.
- name String
- IPv6 source address name.
PolicySrcintf, PolicySrcintfArgs
- Name string
- Interface name.
- Name string
- Interface name.
- name String
- Interface name.
- name string
- Interface name.
- name str
- Interface name.
- name String
- Interface name.
PolicySslMirrorIntf, PolicySslMirrorIntfArgs
- Name string
- Mirror Interface name.
- Name string
- Mirror Interface name.
- name String
- Mirror Interface name.
- name string
- Mirror Interface name.
- name str
- Mirror Interface name.
- name String
- Mirror Interface name.
PolicyUrlCategory, PolicyUrlCategoryArgs
- Id int
- URL category ID.
- Id int
- URL category ID.
- id Integer
- URL category ID.
- id number
- URL category ID.
- id int
- URL category ID.
- id Number
- URL category ID.
PolicyUser, PolicyUserArgs
- Name string
- Names of individual users that can authenticate with this policy.
- Name string
- Names of individual users that can authenticate with this policy.
- name String
- Names of individual users that can authenticate with this policy.
- name string
- Names of individual users that can authenticate with this policy.
- name str
- Names of individual users that can authenticate with this policy.
- name String
- Names of individual users that can authenticate with this policy.
PolicyZtnaEmsTag, PolicyZtnaEmsTagArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
PolicyZtnaEmsTagSecondary, PolicyZtnaEmsTagSecondaryArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
PolicyZtnaGeoTag, PolicyZtnaGeoTagArgs
- Name string
- Address name.
- Name string
- Address name.
- name String
- Address name.
- name string
- Address name.
- name str
- Address name.
- name String
- Address name.
Import
Firewall Policy can be imported using any of these accepted formats:
$ pulumi import fortios:firewall/policy:Policy labelname {{policyid}}
If you do not want to import the arguments of the nested blocks, set the variable only for the duration of the import (note: the typographic quotes shown in some renderings of this snippet are not valid shell syntax):
$ export FORTIOS_IMPORT_TABLE="false"
$ pulumi import fortios:firewall/policy:Policy labelname {{policyid}}
$ unset FORTIOS_IMPORT_TABLE
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortios pulumiverse/pulumi-fortios
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
fortios
Terraform Provider.