1. Packages
  2. Fortios
  3. API Docs
  4. firewall
  5. Policy
Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

fortios.firewall.Policy

Explore with Pulumi AI

fortios logo
Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse

    Configure IPv4 policies.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as fortios from "@pulumiverse/fortios";
    
    const trname = new fortios.firewall.Policy("trname", {
        action: "accept",
        dstaddrs: [{
            name: "all",
        }],
        dstintfs: [{
            name: "port4",
        }],
        logtraffic: "utm",
        policyid: 1,
        schedule: "always",
        services: [{
            name: "HTTP",
        }],
        srcaddrs: [{
            name: "all",
        }],
        srcintfs: [{
            name: "port3",
        }],
        wanopt: "disable",
        wanoptDetection: "active",
        wanoptPassiveOpt: "default",
        wccp: "disable",
        webcache: "disable",
        webcacheHttps: "disable",
        wsso: "enable",
    });
    const myrule = new fortios.firewall.Policy("myrule", {
        action: "accept",
        antiReplay: "enable",
        authPath: "disable",
        autoAsicOffload: "enable",
        avProfile: "wifi-default",
        dstintfs: [{
            name: "port1",
        }],
        inspectionMode: "flow",
        internetService: "enable",
        internetServiceNames: [
            {
                name: "Amazon-AWS",
            },
            {
                name: "GitHub-GitHub",
            },
        ],
        ipsSensor: "protect_email_server",
        logtraffic: "utm",
        policyid: 2,
        schedule: "always",
        srcaddrs: [{
            name: "FABRIC_DEVICE",
        }],
        srcintfs: [{
            name: "port2",
        }],
        sslSshProfile: "certificate-inspection",
        status: "enable",
        utmStatus: "enable",
    });
    
    import pulumi
    import pulumiverse_fortios as fortios
    
    trname = fortios.firewall.Policy("trname",
        action="accept",
        dstaddrs=[fortios.firewall.PolicyDstaddrArgs(
            name="all",
        )],
        dstintfs=[fortios.firewall.PolicyDstintfArgs(
            name="port4",
        )],
        logtraffic="utm",
        policyid=1,
        schedule="always",
        services=[fortios.firewall.PolicyServiceArgs(
            name="HTTP",
        )],
        srcaddrs=[fortios.firewall.PolicySrcaddrArgs(
            name="all",
        )],
        srcintfs=[fortios.firewall.PolicySrcintfArgs(
            name="port3",
        )],
        wanopt="disable",
        wanopt_detection="active",
        wanopt_passive_opt="default",
        wccp="disable",
        webcache="disable",
        webcache_https="disable",
        wsso="enable")
    myrule = fortios.firewall.Policy("myrule",
        action="accept",
        anti_replay="enable",
        auth_path="disable",
        auto_asic_offload="enable",
        av_profile="wifi-default",
        dstintfs=[fortios.firewall.PolicyDstintfArgs(
            name="port1",
        )],
        inspection_mode="flow",
        internet_service="enable",
        internet_service_names=[
            fortios.firewall.PolicyInternetServiceNameArgs(
                name="Amazon-AWS",
            ),
            fortios.firewall.PolicyInternetServiceNameArgs(
                name="GitHub-GitHub",
            ),
        ],
        ips_sensor="protect_email_server",
        logtraffic="utm",
        policyid=2,
        schedule="always",
        srcaddrs=[fortios.firewall.PolicySrcaddrArgs(
            name="FABRIC_DEVICE",
        )],
        srcintfs=[fortios.firewall.PolicySrcintfArgs(
            name="port2",
        )],
        ssl_ssh_profile="certificate-inspection",
        status="enable",
        utm_status="enable")
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-fortios/sdk/go/fortios/firewall"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := firewall.NewPolicy(ctx, "trname", &firewall.PolicyArgs{
    			Action: pulumi.String("accept"),
    			Dstaddrs: firewall.PolicyDstaddrArray{
    				&firewall.PolicyDstaddrArgs{
    					Name: pulumi.String("all"),
    				},
    			},
    			Dstintfs: firewall.PolicyDstintfArray{
    				&firewall.PolicyDstintfArgs{
    					Name: pulumi.String("port4"),
    				},
    			},
    			Logtraffic: pulumi.String("utm"),
    			Policyid:   pulumi.Int(1),
    			Schedule:   pulumi.String("always"),
    			Services: firewall.PolicyServiceArray{
    				&firewall.PolicyServiceArgs{
    					Name: pulumi.String("HTTP"),
    				},
    			},
    			Srcaddrs: firewall.PolicySrcaddrArray{
    				&firewall.PolicySrcaddrArgs{
    					Name: pulumi.String("all"),
    				},
    			},
    			Srcintfs: firewall.PolicySrcintfArray{
    				&firewall.PolicySrcintfArgs{
    					Name: pulumi.String("port3"),
    				},
    			},
    			Wanopt:           pulumi.String("disable"),
    			WanoptDetection:  pulumi.String("active"),
    			WanoptPassiveOpt: pulumi.String("default"),
    			Wccp:             pulumi.String("disable"),
    			Webcache:         pulumi.String("disable"),
    			WebcacheHttps:    pulumi.String("disable"),
    			Wsso:             pulumi.String("enable"),
    		})
    		if err != nil {
    			return err
    		}
    		_, err = firewall.NewPolicy(ctx, "myrule", &firewall.PolicyArgs{
    			Action:          pulumi.String("accept"),
    			AntiReplay:      pulumi.String("enable"),
    			AuthPath:        pulumi.String("disable"),
    			AutoAsicOffload: pulumi.String("enable"),
    			AvProfile:       pulumi.String("wifi-default"),
    			Dstintfs: firewall.PolicyDstintfArray{
    				&firewall.PolicyDstintfArgs{
    					Name: pulumi.String("port1"),
    				},
    			},
    			InspectionMode:  pulumi.String("flow"),
    			InternetService: pulumi.String("enable"),
    			InternetServiceNames: firewall.PolicyInternetServiceNameArray{
    				&firewall.PolicyInternetServiceNameArgs{
    					Name: pulumi.String("Amazon-AWS"),
    				},
    				&firewall.PolicyInternetServiceNameArgs{
    					Name: pulumi.String("GitHub-GitHub"),
    				},
    			},
    			IpsSensor:  pulumi.String("protect_email_server"),
    			Logtraffic: pulumi.String("utm"),
    			Policyid:   pulumi.Int(2),
    			Schedule:   pulumi.String("always"),
    			Srcaddrs: firewall.PolicySrcaddrArray{
    				&firewall.PolicySrcaddrArgs{
    					Name: pulumi.String("FABRIC_DEVICE"),
    				},
    			},
    			Srcintfs: firewall.PolicySrcintfArray{
    				&firewall.PolicySrcintfArgs{
    					Name: pulumi.String("port2"),
    				},
    			},
    			SslSshProfile: pulumi.String("certificate-inspection"),
    			Status:        pulumi.String("enable"),
    			UtmStatus:     pulumi.String("enable"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Fortios = Pulumiverse.Fortios;
    
    return await Deployment.RunAsync(() => 
    {
        var trname = new Fortios.Firewall.Policy("trname", new()
        {
            Action = "accept",
            Dstaddrs = new[]
            {
                new Fortios.Firewall.Inputs.PolicyDstaddrArgs
                {
                    Name = "all",
                },
            },
            Dstintfs = new[]
            {
                new Fortios.Firewall.Inputs.PolicyDstintfArgs
                {
                    Name = "port4",
                },
            },
            Logtraffic = "utm",
            Policyid = 1,
            Schedule = "always",
            Services = new[]
            {
                new Fortios.Firewall.Inputs.PolicyServiceArgs
                {
                    Name = "HTTP",
                },
            },
            Srcaddrs = new[]
            {
                new Fortios.Firewall.Inputs.PolicySrcaddrArgs
                {
                    Name = "all",
                },
            },
            Srcintfs = new[]
            {
                new Fortios.Firewall.Inputs.PolicySrcintfArgs
                {
                    Name = "port3",
                },
            },
            Wanopt = "disable",
            WanoptDetection = "active",
            WanoptPassiveOpt = "default",
            Wccp = "disable",
            Webcache = "disable",
            WebcacheHttps = "disable",
            Wsso = "enable",
        });
    
        var myrule = new Fortios.Firewall.Policy("myrule", new()
        {
            Action = "accept",
            AntiReplay = "enable",
            AuthPath = "disable",
            AutoAsicOffload = "enable",
            AvProfile = "wifi-default",
            Dstintfs = new[]
            {
                new Fortios.Firewall.Inputs.PolicyDstintfArgs
                {
                    Name = "port1",
                },
            },
            InspectionMode = "flow",
            InternetService = "enable",
            InternetServiceNames = new[]
            {
                new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs
                {
                    Name = "Amazon-AWS",
                },
                new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs
                {
                    Name = "GitHub-GitHub",
                },
            },
            IpsSensor = "protect_email_server",
            Logtraffic = "utm",
            Policyid = 2,
            Schedule = "always",
            Srcaddrs = new[]
            {
                new Fortios.Firewall.Inputs.PolicySrcaddrArgs
                {
                    Name = "FABRIC_DEVICE",
                },
            },
            Srcintfs = new[]
            {
                new Fortios.Firewall.Inputs.PolicySrcintfArgs
                {
                    Name = "port2",
                },
            },
            SslSshProfile = "certificate-inspection",
            Status = "enable",
            UtmStatus = "enable",
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.fortios.firewall.Policy;
    import com.pulumi.fortios.firewall.PolicyArgs;
    import com.pulumi.fortios.firewall.inputs.PolicyDstaddrArgs;
    import com.pulumi.fortios.firewall.inputs.PolicyDstintfArgs;
    import com.pulumi.fortios.firewall.inputs.PolicyServiceArgs;
    import com.pulumi.fortios.firewall.inputs.PolicySrcaddrArgs;
    import com.pulumi.fortios.firewall.inputs.PolicySrcintfArgs;
    import com.pulumi.fortios.firewall.inputs.PolicyInternetServiceNameArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var trname = new Policy("trname", PolicyArgs.builder()
                .action("accept")
                .dstaddrs(PolicyDstaddrArgs.builder()
                    .name("all")
                    .build())
                .dstintfs(PolicyDstintfArgs.builder()
                    .name("port4")
                    .build())
                .logtraffic("utm")
                .policyid(1)
                .schedule("always")
                .services(PolicyServiceArgs.builder()
                    .name("HTTP")
                    .build())
                .srcaddrs(PolicySrcaddrArgs.builder()
                    .name("all")
                    .build())
                .srcintfs(PolicySrcintfArgs.builder()
                    .name("port3")
                    .build())
                .wanopt("disable")
                .wanoptDetection("active")
                .wanoptPassiveOpt("default")
                .wccp("disable")
                .webcache("disable")
                .webcacheHttps("disable")
                .wsso("enable")
                .build());
    
            var myrule = new Policy("myrule", PolicyArgs.builder()
                .action("accept")
                .antiReplay("enable")
                .authPath("disable")
                .autoAsicOffload("enable")
                .avProfile("wifi-default")
                .dstintfs(PolicyDstintfArgs.builder()
                    .name("port1")
                    .build())
                .inspectionMode("flow")
                .internetService("enable")
                .internetServiceNames(            
                    PolicyInternetServiceNameArgs.builder()
                        .name("Amazon-AWS")
                        .build(),
                    PolicyInternetServiceNameArgs.builder()
                        .name("GitHub-GitHub")
                        .build())
                .ipsSensor("protect_email_server")
                .logtraffic("utm")
                .policyid(2)
                .schedule("always")
                .srcaddrs(PolicySrcaddrArgs.builder()
                    .name("FABRIC_DEVICE")
                    .build())
                .srcintfs(PolicySrcintfArgs.builder()
                    .name("port2")
                    .build())
                .sslSshProfile("certificate-inspection")
                .status("enable")
                .utmStatus("enable")
                .build());
    
        }
    }
    
    resources:
      trname:
        type: fortios:firewall:Policy
        properties:
          action: accept
          dstaddrs:
            - name: all
          dstintfs:
            - name: port4
          logtraffic: utm
          policyid: 1
          schedule: always
          services:
            - name: HTTP
          srcaddrs:
            - name: all
          srcintfs:
            - name: port3
          wanopt: disable
          wanoptDetection: active
          wanoptPassiveOpt: default
          wccp: disable
          webcache: disable
          webcacheHttps: disable
          wsso: enable
      myrule:
        type: fortios:firewall:Policy
        properties:
          action: accept
          antiReplay: enable
          authPath: disable
          autoAsicOffload: enable
          avProfile: wifi-default
          dstintfs:
            - name: port1
          inspectionMode: flow
          internetService: enable
          internetServiceNames:
            - name: Amazon-AWS
            - name: GitHub-GitHub
          ipsSensor: protect_email_server
          logtraffic: utm
          policyid: 2
          schedule: always
          srcaddrs:
            - name: FABRIC_DEVICE
          srcintfs:
            - name: port2
          sslSshProfile: certificate-inspection
          status: enable
          utmStatus: enable
    

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               dstintfs: Optional[Sequence[PolicyDstintfArgs]] = None,
               srcintfs: Optional[Sequence[PolicySrcintfArgs]] = None,
               action: Optional[str] = None,
               anti_replay: Optional[str] = None,
               app_categories: Optional[Sequence[PolicyAppCategoryArgs]] = None,
               app_groups: Optional[Sequence[PolicyAppGroupArgs]] = None,
               application_list: Optional[str] = None,
               applications: Optional[Sequence[PolicyApplicationArgs]] = None,
               auth_cert: Optional[str] = None,
               auth_path: Optional[str] = None,
               auth_redirect_addr: Optional[str] = None,
               auto_asic_offload: Optional[str] = None,
               av_profile: Optional[str] = None,
               block_notification: Optional[str] = None,
               captive_portal_exempt: Optional[str] = None,
               capture_packet: Optional[str] = None,
               casb_profile: Optional[str] = None,
               cifs_profile: Optional[str] = None,
               comments: Optional[str] = None,
               custom_log_fields: Optional[Sequence[PolicyCustomLogFieldArgs]] = None,
               decrypted_traffic_mirror: Optional[str] = None,
               delay_tcp_npu_session: Optional[str] = None,
               devices: Optional[Sequence[PolicyDeviceArgs]] = None,
               diameter_filter_profile: Optional[str] = None,
               diffserv_copy: Optional[str] = None,
               diffserv_forward: Optional[str] = None,
               diffserv_reverse: Optional[str] = None,
               diffservcode_forward: Optional[str] = None,
               diffservcode_rev: Optional[str] = None,
               disclaimer: Optional[str] = None,
               dlp_profile: Optional[str] = None,
               dlp_sensor: Optional[str] = None,
               dnsfilter_profile: Optional[str] = None,
               dsri: Optional[str] = None,
               dstaddr6_negate: Optional[str] = None,
               dstaddr6s: Optional[Sequence[PolicyDstaddr6Args]] = None,
               dstaddr_negate: Optional[str] = None,
               dstaddrs: Optional[Sequence[PolicyDstaddrArgs]] = None,
               dynamic_shaping: Optional[str] = None,
               dynamic_sort_subtable: Optional[str] = None,
               email_collect: Optional[str] = None,
               emailfilter_profile: Optional[str] = None,
               fec: Optional[str] = None,
               file_filter_profile: Optional[str] = None,
               firewall_session_dirty: Optional[str] = None,
               fixedport: Optional[str] = None,
               fsso: Optional[str] = None,
               fsso_agent_for_ntlm: Optional[str] = None,
               fsso_groups: Optional[Sequence[PolicyFssoGroupArgs]] = None,
               geoip_anycast: Optional[str] = None,
               geoip_match: Optional[str] = None,
               get_all_tables: Optional[str] = None,
               global_label: Optional[str] = None,
               groups: Optional[Sequence[PolicyGroupArgs]] = None,
               http_policy_redirect: Optional[str] = None,
               icap_profile: Optional[str] = None,
               identity_based_route: Optional[str] = None,
               inbound: Optional[str] = None,
               inspection_mode: Optional[str] = None,
               internet_service: Optional[str] = None,
               internet_service6: Optional[str] = None,
               internet_service6_custom_groups: Optional[Sequence[PolicyInternetService6CustomGroupArgs]] = None,
               internet_service6_customs: Optional[Sequence[PolicyInternetService6CustomArgs]] = None,
               internet_service6_groups: Optional[Sequence[PolicyInternetService6GroupArgs]] = None,
               internet_service6_names: Optional[Sequence[PolicyInternetService6NameArgs]] = None,
               internet_service6_negate: Optional[str] = None,
               internet_service6_src: Optional[str] = None,
               internet_service6_src_custom_groups: Optional[Sequence[PolicyInternetService6SrcCustomGroupArgs]] = None,
               internet_service6_src_customs: Optional[Sequence[PolicyInternetService6SrcCustomArgs]] = None,
               internet_service6_src_groups: Optional[Sequence[PolicyInternetService6SrcGroupArgs]] = None,
               internet_service6_src_names: Optional[Sequence[PolicyInternetService6SrcNameArgs]] = None,
               internet_service6_src_negate: Optional[str] = None,
               internet_service_custom_groups: Optional[Sequence[PolicyInternetServiceCustomGroupArgs]] = None,
               internet_service_customs: Optional[Sequence[PolicyInternetServiceCustomArgs]] = None,
               internet_service_groups: Optional[Sequence[PolicyInternetServiceGroupArgs]] = None,
               internet_service_ids: Optional[Sequence[PolicyInternetServiceIdArgs]] = None,
               internet_service_names: Optional[Sequence[PolicyInternetServiceNameArgs]] = None,
               internet_service_negate: Optional[str] = None,
               internet_service_src: Optional[str] = None,
               internet_service_src_custom_groups: Optional[Sequence[PolicyInternetServiceSrcCustomGroupArgs]] = None,
               internet_service_src_customs: Optional[Sequence[PolicyInternetServiceSrcCustomArgs]] = None,
               internet_service_src_groups: Optional[Sequence[PolicyInternetServiceSrcGroupArgs]] = None,
               internet_service_src_ids: Optional[Sequence[PolicyInternetServiceSrcIdArgs]] = None,
               internet_service_src_names: Optional[Sequence[PolicyInternetServiceSrcNameArgs]] = None,
               internet_service_src_negate: Optional[str] = None,
               ippool: Optional[str] = None,
               ips_sensor: Optional[str] = None,
               ips_voip_filter: Optional[str] = None,
               label: Optional[str] = None,
               learning_mode: Optional[str] = None,
               logtraffic: Optional[str] = None,
               logtraffic_start: Optional[str] = None,
               match_vip: Optional[str] = None,
               match_vip_only: Optional[str] = None,
               name: Optional[str] = None,
               nat: Optional[str] = None,
               nat46: Optional[str] = None,
               nat64: Optional[str] = None,
               natinbound: Optional[str] = None,
               natip: Optional[str] = None,
               natoutbound: Optional[str] = None,
               network_service_dynamics: Optional[Sequence[PolicyNetworkServiceDynamicArgs]] = None,
               network_service_src_dynamics: Optional[Sequence[PolicyNetworkServiceSrcDynamicArgs]] = None,
               np_acceleration: Optional[str] = None,
               ntlm: Optional[str] = None,
               ntlm_enabled_browsers: Optional[Sequence[PolicyNtlmEnabledBrowserArgs]] = None,
               ntlm_guest: Optional[str] = None,
               outbound: Optional[str] = None,
               passive_wan_health_measurement: Optional[str] = None,
               pcp_inbound: Optional[str] = None,
               pcp_outbound: Optional[str] = None,
               pcp_poolnames: Optional[Sequence[PolicyPcpPoolnameArgs]] = None,
               per_ip_shaper: Optional[str] = None,
               permit_any_host: Optional[str] = None,
               permit_stun_host: Optional[str] = None,
               policy_expiry: Optional[str] = None,
               policy_expiry_date: Optional[str] = None,
               policy_expiry_date_utc: Optional[str] = None,
               policyid: Optional[int] = None,
               poolname6s: Optional[Sequence[PolicyPoolname6Args]] = None,
               poolnames: Optional[Sequence[PolicyPoolnameArgs]] = None,
               port_preserve: Optional[str] = None,
               profile_group: Optional[str] = None,
               profile_protocol_options: Optional[str] = None,
               profile_type: Optional[str] = None,
               radius_mac_auth_bypass: Optional[str] = None,
               redirect_url: Optional[str] = None,
               replacemsg_override_group: Optional[str] = None,
               reputation_direction: Optional[str] = None,
               reputation_direction6: Optional[str] = None,
               reputation_minimum: Optional[int] = None,
               reputation_minimum6: Optional[int] = None,
               rsso: Optional[str] = None,
               rtp_addrs: Optional[Sequence[PolicyRtpAddrArgs]] = None,
               rtp_nat: Optional[str] = None,
               scan_botnet_connections: Optional[str] = None,
               schedule: Optional[str] = None,
               schedule_timeout: Optional[str] = None,
               sctp_filter_profile: Optional[str] = None,
               send_deny_packet: Optional[str] = None,
               service_negate: Optional[str] = None,
               services: Optional[Sequence[PolicyServiceArgs]] = None,
               session_ttl: Optional[int] = None,
               sgt_check: Optional[str] = None,
               sgts: Optional[Sequence[PolicySgtArgs]] = None,
               spamfilter_profile: Optional[str] = None,
               src_vendor_macs: Optional[Sequence[PolicySrcVendorMacArgs]] = None,
               srcaddr6_negate: Optional[str] = None,
               srcaddr6s: Optional[Sequence[PolicySrcaddr6Args]] = None,
               srcaddr_negate: Optional[str] = None,
               srcaddrs: Optional[Sequence[PolicySrcaddrArgs]] = None,
               ssh_filter_profile: Optional[str] = None,
               ssh_policy_redirect: Optional[str] = None,
               ssl_mirror: Optional[str] = None,
               ssl_mirror_intfs: Optional[Sequence[PolicySslMirrorIntfArgs]] = None,
               ssl_ssh_profile: Optional[str] = None,
               status: Optional[str] = None,
               tcp_mss_receiver: Optional[int] = None,
               tcp_mss_sender: Optional[int] = None,
               tcp_session_without_syn: Optional[str] = None,
               timeout_send_rst: Optional[str] = None,
               tos: Optional[str] = None,
               tos_mask: Optional[str] = None,
               tos_negate: Optional[str] = None,
               traffic_shaper: Optional[str] = None,
               traffic_shaper_reverse: Optional[str] = None,
               url_categories: Optional[Sequence[PolicyUrlCategoryArgs]] = None,
               users: Optional[Sequence[PolicyUserArgs]] = None,
               utm_status: Optional[str] = None,
               uuid: Optional[str] = None,
               vdomparam: Optional[str] = None,
               videofilter_profile: Optional[str] = None,
               virtual_patch_profile: Optional[str] = None,
               vlan_cos_fwd: Optional[int] = None,
               vlan_cos_rev: Optional[int] = None,
               vlan_filter: Optional[str] = None,
               voip_profile: Optional[str] = None,
               vpntunnel: Optional[str] = None,
               waf_profile: Optional[str] = None,
               wanopt: Optional[str] = None,
               wanopt_detection: Optional[str] = None,
               wanopt_passive_opt: Optional[str] = None,
               wanopt_peer: Optional[str] = None,
               wanopt_profile: Optional[str] = None,
               wccp: Optional[str] = None,
               webcache: Optional[str] = None,
               webcache_https: Optional[str] = None,
               webfilter_profile: Optional[str] = None,
               webproxy_forward_server: Optional[str] = None,
               webproxy_profile: Optional[str] = None,
               wsso: Optional[str] = None,
               ztna_device_ownership: Optional[str] = None,
               ztna_ems_tag_secondaries: Optional[Sequence[PolicyZtnaEmsTagSecondaryArgs]] = None,
               ztna_ems_tags: Optional[Sequence[PolicyZtnaEmsTagArgs]] = None,
               ztna_geo_tags: Optional[Sequence[PolicyZtnaGeoTagArgs]] = None,
               ztna_policy_redirect: Optional[str] = None,
               ztna_status: Optional[str] = None,
               ztna_tags_match_logic: Optional[str] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: fortios:firewall:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var fortiosPolicyResource = new Fortios.Firewall.Policy("fortiosPolicyResource", new()
    {
        Dstintfs = new[]
        {
            new Fortios.Firewall.Inputs.PolicyDstintfArgs
            {
                Name = "string",
            },
        },
        Srcintfs = new[]
        {
            new Fortios.Firewall.Inputs.PolicySrcintfArgs
            {
                Name = "string",
            },
        },
        Action = "string",
        AntiReplay = "string",
        AppCategories = new[]
        {
            new Fortios.Firewall.Inputs.PolicyAppCategoryArgs
            {
                Id = 0,
            },
        },
        AppGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyAppGroupArgs
            {
                Name = "string",
            },
        },
        ApplicationList = "string",
        Applications = new[]
        {
            new Fortios.Firewall.Inputs.PolicyApplicationArgs
            {
                Id = 0,
            },
        },
        AuthCert = "string",
        AuthPath = "string",
        AuthRedirectAddr = "string",
        AutoAsicOffload = "string",
        AvProfile = "string",
        BlockNotification = "string",
        CaptivePortalExempt = "string",
        CapturePacket = "string",
        CasbProfile = "string",
        CifsProfile = "string",
        Comments = "string",
        CustomLogFields = new[]
        {
            new Fortios.Firewall.Inputs.PolicyCustomLogFieldArgs
            {
                FieldId = "string",
            },
        },
        DecryptedTrafficMirror = "string",
        DelayTcpNpuSession = "string",
        Devices = new[]
        {
            new Fortios.Firewall.Inputs.PolicyDeviceArgs
            {
                Name = "string",
            },
        },
        DiameterFilterProfile = "string",
        DiffservCopy = "string",
        DiffservForward = "string",
        DiffservReverse = "string",
        DiffservcodeForward = "string",
        DiffservcodeRev = "string",
        Disclaimer = "string",
        DlpProfile = "string",
        DlpSensor = "string",
        DnsfilterProfile = "string",
        Dsri = "string",
        Dstaddr6Negate = "string",
        Dstaddr6s = new[]
        {
            new Fortios.Firewall.Inputs.PolicyDstaddr6Args
            {
                Name = "string",
            },
        },
        DstaddrNegate = "string",
        Dstaddrs = new[]
        {
            new Fortios.Firewall.Inputs.PolicyDstaddrArgs
            {
                Name = "string",
            },
        },
        DynamicShaping = "string",
        DynamicSortSubtable = "string",
        EmailCollect = "string",
        EmailfilterProfile = "string",
        Fec = "string",
        FileFilterProfile = "string",
        FirewallSessionDirty = "string",
        Fixedport = "string",
        Fsso = "string",
        FssoAgentForNtlm = "string",
        FssoGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyFssoGroupArgs
            {
                Name = "string",
            },
        },
        GeoipAnycast = "string",
        GeoipMatch = "string",
        GetAllTables = "string",
        GlobalLabel = "string",
        Groups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyGroupArgs
            {
                Name = "string",
            },
        },
        HttpPolicyRedirect = "string",
        IcapProfile = "string",
        IdentityBasedRoute = "string",
        Inbound = "string",
        InspectionMode = "string",
        InternetService = "string",
        InternetService6 = "string",
        InternetService6CustomGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6CustomGroupArgs
            {
                Name = "string",
            },
        },
        InternetService6Customs = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6CustomArgs
            {
                Name = "string",
            },
        },
        InternetService6Groups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6GroupArgs
            {
                Name = "string",
            },
        },
        InternetService6Names = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6NameArgs
            {
                Name = "string",
            },
        },
        InternetService6Negate = "string",
        InternetService6Src = "string",
        InternetService6SrcCustomGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomGroupArgs
            {
                Name = "string",
            },
        },
        InternetService6SrcCustoms = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomArgs
            {
                Name = "string",
            },
        },
        InternetService6SrcGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6SrcGroupArgs
            {
                Name = "string",
            },
        },
        InternetService6SrcNames = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetService6SrcNameArgs
            {
                Name = "string",
            },
        },
        InternetService6SrcNegate = "string",
        InternetServiceCustomGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceCustomGroupArgs
            {
                Name = "string",
            },
        },
        InternetServiceCustoms = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceCustomArgs
            {
                Name = "string",
            },
        },
        InternetServiceGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceGroupArgs
            {
                Name = "string",
            },
        },
        InternetServiceIds = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceIdArgs
            {
                Id = 0,
            },
        },
        InternetServiceNames = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceNameArgs
            {
                Name = "string",
            },
        },
        InternetServiceNegate = "string",
        InternetServiceSrc = "string",
        InternetServiceSrcCustomGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomGroupArgs
            {
                Name = "string",
            },
        },
        InternetServiceSrcCustoms = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomArgs
            {
                Name = "string",
            },
        },
        InternetServiceSrcGroups = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceSrcGroupArgs
            {
                Name = "string",
            },
        },
        InternetServiceSrcIds = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceSrcIdArgs
            {
                Id = 0,
            },
        },
        InternetServiceSrcNames = new[]
        {
            new Fortios.Firewall.Inputs.PolicyInternetServiceSrcNameArgs
            {
                Name = "string",
            },
        },
        InternetServiceSrcNegate = "string",
        Ippool = "string",
        IpsSensor = "string",
        IpsVoipFilter = "string",
        Label = "string",
        LearningMode = "string",
        Logtraffic = "string",
        LogtrafficStart = "string",
        MatchVip = "string",
        MatchVipOnly = "string",
        Name = "string",
        Nat = "string",
        Nat46 = "string",
        Nat64 = "string",
        Natinbound = "string",
        Natip = "string",
        Natoutbound = "string",
        NetworkServiceDynamics = new[]
        {
            new Fortios.Firewall.Inputs.PolicyNetworkServiceDynamicArgs
            {
                Name = "string",
            },
        },
        NetworkServiceSrcDynamics = new[]
        {
            new Fortios.Firewall.Inputs.PolicyNetworkServiceSrcDynamicArgs
            {
                Name = "string",
            },
        },
        NpAcceleration = "string",
        Ntlm = "string",
        NtlmEnabledBrowsers = new[]
        {
            new Fortios.Firewall.Inputs.PolicyNtlmEnabledBrowserArgs
            {
                UserAgentString = "string",
            },
        },
        NtlmGuest = "string",
        Outbound = "string",
        PassiveWanHealthMeasurement = "string",
        PcpInbound = "string",
        PcpOutbound = "string",
        PcpPoolnames = new[]
        {
            new Fortios.Firewall.Inputs.PolicyPcpPoolnameArgs
            {
                Name = "string",
            },
        },
        PerIpShaper = "string",
        PermitAnyHost = "string",
        PermitStunHost = "string",
        PolicyExpiry = "string",
        PolicyExpiryDate = "string",
        PolicyExpiryDateUtc = "string",
        Policyid = 0,
        Poolname6s = new[]
        {
            new Fortios.Firewall.Inputs.PolicyPoolname6Args
            {
                Name = "string",
            },
        },
        Poolnames = new[]
        {
            new Fortios.Firewall.Inputs.PolicyPoolnameArgs
            {
                Name = "string",
            },
        },
        PortPreserve = "string",
        ProfileGroup = "string",
        ProfileProtocolOptions = "string",
        ProfileType = "string",
        RadiusMacAuthBypass = "string",
        RedirectUrl = "string",
        ReplacemsgOverrideGroup = "string",
        ReputationDirection = "string",
        ReputationDirection6 = "string",
        ReputationMinimum = 0,
        ReputationMinimum6 = 0,
        Rsso = "string",
        RtpAddrs = new[]
        {
            new Fortios.Firewall.Inputs.PolicyRtpAddrArgs
            {
                Name = "string",
            },
        },
        RtpNat = "string",
        ScanBotnetConnections = "string",
        Schedule = "string",
        ScheduleTimeout = "string",
        SctpFilterProfile = "string",
        SendDenyPacket = "string",
        ServiceNegate = "string",
        Services = new[]
        {
            new Fortios.Firewall.Inputs.PolicyServiceArgs
            {
                Name = "string",
            },
        },
        SessionTtl = 0,
        SgtCheck = "string",
        Sgts = new[]
        {
            new Fortios.Firewall.Inputs.PolicySgtArgs
            {
                Id = 0,
            },
        },
        SpamfilterProfile = "string",
        SrcVendorMacs = new[]
        {
            new Fortios.Firewall.Inputs.PolicySrcVendorMacArgs
            {
                Id = 0,
            },
        },
        Srcaddr6Negate = "string",
        Srcaddr6s = new[]
        {
            new Fortios.Firewall.Inputs.PolicySrcaddr6Args
            {
                Name = "string",
            },
        },
        SrcaddrNegate = "string",
        Srcaddrs = new[]
        {
            new Fortios.Firewall.Inputs.PolicySrcaddrArgs
            {
                Name = "string",
            },
        },
        SshFilterProfile = "string",
        SshPolicyRedirect = "string",
        SslMirror = "string",
        SslMirrorIntfs = new[]
        {
            new Fortios.Firewall.Inputs.PolicySslMirrorIntfArgs
            {
                Name = "string",
            },
        },
        SslSshProfile = "string",
        Status = "string",
        TcpMssReceiver = 0,
        TcpMssSender = 0,
        TcpSessionWithoutSyn = "string",
        TimeoutSendRst = "string",
        Tos = "string",
        TosMask = "string",
        TosNegate = "string",
        TrafficShaper = "string",
        TrafficShaperReverse = "string",
        UrlCategories = new[]
        {
            new Fortios.Firewall.Inputs.PolicyUrlCategoryArgs
            {
                Id = 0,
            },
        },
        Users = new[]
        {
            new Fortios.Firewall.Inputs.PolicyUserArgs
            {
                Name = "string",
            },
        },
        UtmStatus = "string",
        Uuid = "string",
        Vdomparam = "string",
        VideofilterProfile = "string",
        VirtualPatchProfile = "string",
        VlanCosFwd = 0,
        VlanCosRev = 0,
        VlanFilter = "string",
        VoipProfile = "string",
        Vpntunnel = "string",
        WafProfile = "string",
        Wanopt = "string",
        WanoptDetection = "string",
        WanoptPassiveOpt = "string",
        WanoptPeer = "string",
        WanoptProfile = "string",
        Wccp = "string",
        Webcache = "string",
        WebcacheHttps = "string",
        WebfilterProfile = "string",
        WebproxyForwardServer = "string",
        WebproxyProfile = "string",
        Wsso = "string",
        ZtnaDeviceOwnership = "string",
        ZtnaEmsTagSecondaries = new[]
        {
            new Fortios.Firewall.Inputs.PolicyZtnaEmsTagSecondaryArgs
            {
                Name = "string",
            },
        },
        ZtnaEmsTags = new[]
        {
            new Fortios.Firewall.Inputs.PolicyZtnaEmsTagArgs
            {
                Name = "string",
            },
        },
        ZtnaGeoTags = new[]
        {
            new Fortios.Firewall.Inputs.PolicyZtnaGeoTagArgs
            {
                Name = "string",
            },
        },
        ZtnaPolicyRedirect = "string",
        ZtnaStatus = "string",
        ZtnaTagsMatchLogic = "string",
    });
    
    example, err := firewall.NewPolicy(ctx, "fortiosPolicyResource", &firewall.PolicyArgs{
    	Dstintfs: firewall.PolicyDstintfArray{
    		&firewall.PolicyDstintfArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	Srcintfs: firewall.PolicySrcintfArray{
    		&firewall.PolicySrcintfArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	Action:     pulumi.String("string"),
    	AntiReplay: pulumi.String("string"),
    	AppCategories: firewall.PolicyAppCategoryArray{
    		&firewall.PolicyAppCategoryArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	AppGroups: firewall.PolicyAppGroupArray{
    		&firewall.PolicyAppGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	ApplicationList: pulumi.String("string"),
    	Applications: firewall.PolicyApplicationArray{
    		&firewall.PolicyApplicationArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	AuthCert:            pulumi.String("string"),
    	AuthPath:            pulumi.String("string"),
    	AuthRedirectAddr:    pulumi.String("string"),
    	AutoAsicOffload:     pulumi.String("string"),
    	AvProfile:           pulumi.String("string"),
    	BlockNotification:   pulumi.String("string"),
    	CaptivePortalExempt: pulumi.String("string"),
    	CapturePacket:       pulumi.String("string"),
    	CasbProfile:         pulumi.String("string"),
    	CifsProfile:         pulumi.String("string"),
    	Comments:            pulumi.String("string"),
    	CustomLogFields: firewall.PolicyCustomLogFieldArray{
    		&firewall.PolicyCustomLogFieldArgs{
    			FieldId: pulumi.String("string"),
    		},
    	},
    	DecryptedTrafficMirror: pulumi.String("string"),
    	DelayTcpNpuSession:     pulumi.String("string"),
    	Devices: firewall.PolicyDeviceArray{
    		&firewall.PolicyDeviceArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	DiameterFilterProfile: pulumi.String("string"),
    	DiffservCopy:          pulumi.String("string"),
    	DiffservForward:       pulumi.String("string"),
    	DiffservReverse:       pulumi.String("string"),
    	DiffservcodeForward:   pulumi.String("string"),
    	DiffservcodeRev:       pulumi.String("string"),
    	Disclaimer:            pulumi.String("string"),
    	DlpProfile:            pulumi.String("string"),
    	DlpSensor:             pulumi.String("string"),
    	DnsfilterProfile:      pulumi.String("string"),
    	Dsri:                  pulumi.String("string"),
    	Dstaddr6Negate:        pulumi.String("string"),
    	Dstaddr6s: firewall.PolicyDstaddr6Array{
    		&firewall.PolicyDstaddr6Args{
    			Name: pulumi.String("string"),
    		},
    	},
    	DstaddrNegate: pulumi.String("string"),
    	Dstaddrs: firewall.PolicyDstaddrArray{
    		&firewall.PolicyDstaddrArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	DynamicShaping:       pulumi.String("string"),
    	DynamicSortSubtable:  pulumi.String("string"),
    	EmailCollect:         pulumi.String("string"),
    	EmailfilterProfile:   pulumi.String("string"),
    	Fec:                  pulumi.String("string"),
    	FileFilterProfile:    pulumi.String("string"),
    	FirewallSessionDirty: pulumi.String("string"),
    	Fixedport:            pulumi.String("string"),
    	Fsso:                 pulumi.String("string"),
    	FssoAgentForNtlm:     pulumi.String("string"),
    	FssoGroups: firewall.PolicyFssoGroupArray{
    		&firewall.PolicyFssoGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	GeoipAnycast: pulumi.String("string"),
    	GeoipMatch:   pulumi.String("string"),
    	GetAllTables: pulumi.String("string"),
    	GlobalLabel:  pulumi.String("string"),
    	Groups: firewall.PolicyGroupArray{
    		&firewall.PolicyGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	HttpPolicyRedirect: pulumi.String("string"),
    	IcapProfile:        pulumi.String("string"),
    	IdentityBasedRoute: pulumi.String("string"),
    	Inbound:            pulumi.String("string"),
    	InspectionMode:     pulumi.String("string"),
    	InternetService:    pulumi.String("string"),
    	InternetService6:   pulumi.String("string"),
    	InternetService6CustomGroups: firewall.PolicyInternetService6CustomGroupArray{
    		&firewall.PolicyInternetService6CustomGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6Customs: firewall.PolicyInternetService6CustomArray{
    		&firewall.PolicyInternetService6CustomArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6Groups: firewall.PolicyInternetService6GroupArray{
    		&firewall.PolicyInternetService6GroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6Names: firewall.PolicyInternetService6NameArray{
    		&firewall.PolicyInternetService6NameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6Negate: pulumi.String("string"),
    	InternetService6Src:    pulumi.String("string"),
    	InternetService6SrcCustomGroups: firewall.PolicyInternetService6SrcCustomGroupArray{
    		&firewall.PolicyInternetService6SrcCustomGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6SrcCustoms: firewall.PolicyInternetService6SrcCustomArray{
    		&firewall.PolicyInternetService6SrcCustomArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6SrcGroups: firewall.PolicyInternetService6SrcGroupArray{
    		&firewall.PolicyInternetService6SrcGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6SrcNames: firewall.PolicyInternetService6SrcNameArray{
    		&firewall.PolicyInternetService6SrcNameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetService6SrcNegate: pulumi.String("string"),
    	InternetServiceCustomGroups: firewall.PolicyInternetServiceCustomGroupArray{
    		&firewall.PolicyInternetServiceCustomGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceCustoms: firewall.PolicyInternetServiceCustomArray{
    		&firewall.PolicyInternetServiceCustomArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceGroups: firewall.PolicyInternetServiceGroupArray{
    		&firewall.PolicyInternetServiceGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceIds: firewall.PolicyInternetServiceIdArray{
    		&firewall.PolicyInternetServiceIdArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	InternetServiceNames: firewall.PolicyInternetServiceNameArray{
    		&firewall.PolicyInternetServiceNameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceNegate: pulumi.String("string"),
    	InternetServiceSrc:    pulumi.String("string"),
    	InternetServiceSrcCustomGroups: firewall.PolicyInternetServiceSrcCustomGroupArray{
    		&firewall.PolicyInternetServiceSrcCustomGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceSrcCustoms: firewall.PolicyInternetServiceSrcCustomArray{
    		&firewall.PolicyInternetServiceSrcCustomArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceSrcGroups: firewall.PolicyInternetServiceSrcGroupArray{
    		&firewall.PolicyInternetServiceSrcGroupArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceSrcIds: firewall.PolicyInternetServiceSrcIdArray{
    		&firewall.PolicyInternetServiceSrcIdArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	InternetServiceSrcNames: firewall.PolicyInternetServiceSrcNameArray{
    		&firewall.PolicyInternetServiceSrcNameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	InternetServiceSrcNegate: pulumi.String("string"),
    	Ippool:                   pulumi.String("string"),
    	IpsSensor:                pulumi.String("string"),
    	IpsVoipFilter:            pulumi.String("string"),
    	Label:                    pulumi.String("string"),
    	LearningMode:             pulumi.String("string"),
    	Logtraffic:               pulumi.String("string"),
    	LogtrafficStart:          pulumi.String("string"),
    	MatchVip:                 pulumi.String("string"),
    	MatchVipOnly:             pulumi.String("string"),
    	Name:                     pulumi.String("string"),
    	Nat:                      pulumi.String("string"),
    	Nat46:                    pulumi.String("string"),
    	Nat64:                    pulumi.String("string"),
    	Natinbound:               pulumi.String("string"),
    	Natip:                    pulumi.String("string"),
    	Natoutbound:              pulumi.String("string"),
    	NetworkServiceDynamics: firewall.PolicyNetworkServiceDynamicArray{
    		&firewall.PolicyNetworkServiceDynamicArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	NetworkServiceSrcDynamics: firewall.PolicyNetworkServiceSrcDynamicArray{
    		&firewall.PolicyNetworkServiceSrcDynamicArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	NpAcceleration: pulumi.String("string"),
    	Ntlm:           pulumi.String("string"),
    	NtlmEnabledBrowsers: firewall.PolicyNtlmEnabledBrowserArray{
    		&firewall.PolicyNtlmEnabledBrowserArgs{
    			UserAgentString: pulumi.String("string"),
    		},
    	},
    	NtlmGuest:                   pulumi.String("string"),
    	Outbound:                    pulumi.String("string"),
    	PassiveWanHealthMeasurement: pulumi.String("string"),
    	PcpInbound:                  pulumi.String("string"),
    	PcpOutbound:                 pulumi.String("string"),
    	PcpPoolnames: firewall.PolicyPcpPoolnameArray{
    		&firewall.PolicyPcpPoolnameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	PerIpShaper:         pulumi.String("string"),
    	PermitAnyHost:       pulumi.String("string"),
    	PermitStunHost:      pulumi.String("string"),
    	PolicyExpiry:        pulumi.String("string"),
    	PolicyExpiryDate:    pulumi.String("string"),
    	PolicyExpiryDateUtc: pulumi.String("string"),
    	Policyid:            pulumi.Int(0),
    	Poolname6s: firewall.PolicyPoolname6Array{
    		&firewall.PolicyPoolname6Args{
    			Name: pulumi.String("string"),
    		},
    	},
    	Poolnames: firewall.PolicyPoolnameArray{
    		&firewall.PolicyPoolnameArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	PortPreserve:            pulumi.String("string"),
    	ProfileGroup:            pulumi.String("string"),
    	ProfileProtocolOptions:  pulumi.String("string"),
    	ProfileType:             pulumi.String("string"),
    	RadiusMacAuthBypass:     pulumi.String("string"),
    	RedirectUrl:             pulumi.String("string"),
    	ReplacemsgOverrideGroup: pulumi.String("string"),
    	ReputationDirection:     pulumi.String("string"),
    	ReputationDirection6:    pulumi.String("string"),
    	ReputationMinimum:       pulumi.Int(0),
    	ReputationMinimum6:      pulumi.Int(0),
    	Rsso:                    pulumi.String("string"),
    	RtpAddrs: firewall.PolicyRtpAddrArray{
    		&firewall.PolicyRtpAddrArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	RtpNat:                pulumi.String("string"),
    	ScanBotnetConnections: pulumi.String("string"),
    	Schedule:              pulumi.String("string"),
    	ScheduleTimeout:       pulumi.String("string"),
    	SctpFilterProfile:     pulumi.String("string"),
    	SendDenyPacket:        pulumi.String("string"),
    	ServiceNegate:         pulumi.String("string"),
    	Services: firewall.PolicyServiceArray{
    		&firewall.PolicyServiceArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	SessionTtl: pulumi.Int(0),
    	SgtCheck:   pulumi.String("string"),
    	Sgts: firewall.PolicySgtArray{
    		&firewall.PolicySgtArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	SpamfilterProfile: pulumi.String("string"),
    	SrcVendorMacs: firewall.PolicySrcVendorMacArray{
    		&firewall.PolicySrcVendorMacArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	Srcaddr6Negate: pulumi.String("string"),
    	Srcaddr6s: firewall.PolicySrcaddr6Array{
    		&firewall.PolicySrcaddr6Args{
    			Name: pulumi.String("string"),
    		},
    	},
    	SrcaddrNegate: pulumi.String("string"),
    	Srcaddrs: firewall.PolicySrcaddrArray{
    		&firewall.PolicySrcaddrArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	SshFilterProfile:  pulumi.String("string"),
    	SshPolicyRedirect: pulumi.String("string"),
    	SslMirror:         pulumi.String("string"),
    	SslMirrorIntfs: firewall.PolicySslMirrorIntfArray{
    		&firewall.PolicySslMirrorIntfArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	SslSshProfile:        pulumi.String("string"),
    	Status:               pulumi.String("string"),
    	TcpMssReceiver:       pulumi.Int(0),
    	TcpMssSender:         pulumi.Int(0),
    	TcpSessionWithoutSyn: pulumi.String("string"),
    	TimeoutSendRst:       pulumi.String("string"),
    	Tos:                  pulumi.String("string"),
    	TosMask:              pulumi.String("string"),
    	TosNegate:            pulumi.String("string"),
    	TrafficShaper:        pulumi.String("string"),
    	TrafficShaperReverse: pulumi.String("string"),
    	UrlCategories: firewall.PolicyUrlCategoryArray{
    		&firewall.PolicyUrlCategoryArgs{
    			Id: pulumi.Int(0),
    		},
    	},
    	Users: firewall.PolicyUserArray{
    		&firewall.PolicyUserArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	UtmStatus:             pulumi.String("string"),
    	Uuid:                  pulumi.String("string"),
    	Vdomparam:             pulumi.String("string"),
    	VideofilterProfile:    pulumi.String("string"),
    	VirtualPatchProfile:   pulumi.String("string"),
    	VlanCosFwd:            pulumi.Int(0),
    	VlanCosRev:            pulumi.Int(0),
    	VlanFilter:            pulumi.String("string"),
    	VoipProfile:           pulumi.String("string"),
    	Vpntunnel:             pulumi.String("string"),
    	WafProfile:            pulumi.String("string"),
    	Wanopt:                pulumi.String("string"),
    	WanoptDetection:       pulumi.String("string"),
    	WanoptPassiveOpt:      pulumi.String("string"),
    	WanoptPeer:            pulumi.String("string"),
    	WanoptProfile:         pulumi.String("string"),
    	Wccp:                  pulumi.String("string"),
    	Webcache:              pulumi.String("string"),
    	WebcacheHttps:         pulumi.String("string"),
    	WebfilterProfile:      pulumi.String("string"),
    	WebproxyForwardServer: pulumi.String("string"),
    	WebproxyProfile:       pulumi.String("string"),
    	Wsso:                  pulumi.String("string"),
    	ZtnaDeviceOwnership:   pulumi.String("string"),
    	ZtnaEmsTagSecondaries: firewall.PolicyZtnaEmsTagSecondaryArray{
    		&firewall.PolicyZtnaEmsTagSecondaryArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	ZtnaEmsTags: firewall.PolicyZtnaEmsTagArray{
    		&firewall.PolicyZtnaEmsTagArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	ZtnaGeoTags: firewall.PolicyZtnaGeoTagArray{
    		&firewall.PolicyZtnaGeoTagArgs{
    			Name: pulumi.String("string"),
    		},
    	},
    	ZtnaPolicyRedirect: pulumi.String("string"),
    	ZtnaStatus:         pulumi.String("string"),
    	ZtnaTagsMatchLogic: pulumi.String("string"),
    })
    
    var fortiosPolicyResource = new Policy("fortiosPolicyResource", PolicyArgs.builder()
        .dstintfs(PolicyDstintfArgs.builder()
            .name("string")
            .build())
        .srcintfs(PolicySrcintfArgs.builder()
            .name("string")
            .build())
        .action("string")
        .antiReplay("string")
        .appCategories(PolicyAppCategoryArgs.builder()
            .id(0)
            .build())
        .appGroups(PolicyAppGroupArgs.builder()
            .name("string")
            .build())
        .applicationList("string")
        .applications(PolicyApplicationArgs.builder()
            .id(0)
            .build())
        .authCert("string")
        .authPath("string")
        .authRedirectAddr("string")
        .autoAsicOffload("string")
        .avProfile("string")
        .blockNotification("string")
        .captivePortalExempt("string")
        .capturePacket("string")
        .casbProfile("string")
        .cifsProfile("string")
        .comments("string")
        .customLogFields(PolicyCustomLogFieldArgs.builder()
            .fieldId("string")
            .build())
        .decryptedTrafficMirror("string")
        .delayTcpNpuSession("string")
        .devices(PolicyDeviceArgs.builder()
            .name("string")
            .build())
        .diameterFilterProfile("string")
        .diffservCopy("string")
        .diffservForward("string")
        .diffservReverse("string")
        .diffservcodeForward("string")
        .diffservcodeRev("string")
        .disclaimer("string")
        .dlpProfile("string")
        .dlpSensor("string")
        .dnsfilterProfile("string")
        .dsri("string")
        .dstaddr6Negate("string")
        .dstaddr6s(PolicyDstaddr6Args.builder()
            .name("string")
            .build())
        .dstaddrNegate("string")
        .dstaddrs(PolicyDstaddrArgs.builder()
            .name("string")
            .build())
        .dynamicShaping("string")
        .dynamicSortSubtable("string")
        .emailCollect("string")
        .emailfilterProfile("string")
        .fec("string")
        .fileFilterProfile("string")
        .firewallSessionDirty("string")
        .fixedport("string")
        .fsso("string")
        .fssoAgentForNtlm("string")
        .fssoGroups(PolicyFssoGroupArgs.builder()
            .name("string")
            .build())
        .geoipAnycast("string")
        .geoipMatch("string")
        .getAllTables("string")
        .globalLabel("string")
        .groups(PolicyGroupArgs.builder()
            .name("string")
            .build())
        .httpPolicyRedirect("string")
        .icapProfile("string")
        .identityBasedRoute("string")
        .inbound("string")
        .inspectionMode("string")
        .internetService("string")
        .internetService6("string")
        .internetService6CustomGroups(PolicyInternetService6CustomGroupArgs.builder()
            .name("string")
            .build())
        .internetService6Customs(PolicyInternetService6CustomArgs.builder()
            .name("string")
            .build())
        .internetService6Groups(PolicyInternetService6GroupArgs.builder()
            .name("string")
            .build())
        .internetService6Names(PolicyInternetService6NameArgs.builder()
            .name("string")
            .build())
        .internetService6Negate("string")
        .internetService6Src("string")
        .internetService6SrcCustomGroups(PolicyInternetService6SrcCustomGroupArgs.builder()
            .name("string")
            .build())
        .internetService6SrcCustoms(PolicyInternetService6SrcCustomArgs.builder()
            .name("string")
            .build())
        .internetService6SrcGroups(PolicyInternetService6SrcGroupArgs.builder()
            .name("string")
            .build())
        .internetService6SrcNames(PolicyInternetService6SrcNameArgs.builder()
            .name("string")
            .build())
        .internetService6SrcNegate("string")
        .internetServiceCustomGroups(PolicyInternetServiceCustomGroupArgs.builder()
            .name("string")
            .build())
        .internetServiceCustoms(PolicyInternetServiceCustomArgs.builder()
            .name("string")
            .build())
        .internetServiceGroups(PolicyInternetServiceGroupArgs.builder()
            .name("string")
            .build())
        .internetServiceIds(PolicyInternetServiceIdArgs.builder()
            .id(0)
            .build())
        .internetServiceNames(PolicyInternetServiceNameArgs.builder()
            .name("string")
            .build())
        .internetServiceNegate("string")
        .internetServiceSrc("string")
        .internetServiceSrcCustomGroups(PolicyInternetServiceSrcCustomGroupArgs.builder()
            .name("string")
            .build())
        .internetServiceSrcCustoms(PolicyInternetServiceSrcCustomArgs.builder()
            .name("string")
            .build())
        .internetServiceSrcGroups(PolicyInternetServiceSrcGroupArgs.builder()
            .name("string")
            .build())
        .internetServiceSrcIds(PolicyInternetServiceSrcIdArgs.builder()
            .id(0)
            .build())
        .internetServiceSrcNames(PolicyInternetServiceSrcNameArgs.builder()
            .name("string")
            .build())
        .internetServiceSrcNegate("string")
        .ippool("string")
        .ipsSensor("string")
        .ipsVoipFilter("string")
        .label("string")
        .learningMode("string")
        .logtraffic("string")
        .logtrafficStart("string")
        .matchVip("string")
        .matchVipOnly("string")
        .name("string")
        .nat("string")
        .nat46("string")
        .nat64("string")
        .natinbound("string")
        .natip("string")
        .natoutbound("string")
        .networkServiceDynamics(PolicyNetworkServiceDynamicArgs.builder()
            .name("string")
            .build())
        .networkServiceSrcDynamics(PolicyNetworkServiceSrcDynamicArgs.builder()
            .name("string")
            .build())
        .npAcceleration("string")
        .ntlm("string")
        .ntlmEnabledBrowsers(PolicyNtlmEnabledBrowserArgs.builder()
            .userAgentString("string")
            .build())
        .ntlmGuest("string")
        .outbound("string")
        .passiveWanHealthMeasurement("string")
        .pcpInbound("string")
        .pcpOutbound("string")
        .pcpPoolnames(PolicyPcpPoolnameArgs.builder()
            .name("string")
            .build())
        .perIpShaper("string")
        .permitAnyHost("string")
        .permitStunHost("string")
        .policyExpiry("string")
        .policyExpiryDate("string")
        .policyExpiryDateUtc("string")
        .policyid(0)
        .poolname6s(PolicyPoolname6Args.builder()
            .name("string")
            .build())
        .poolnames(PolicyPoolnameArgs.builder()
            .name("string")
            .build())
        .portPreserve("string")
        .profileGroup("string")
        .profileProtocolOptions("string")
        .profileType("string")
        .radiusMacAuthBypass("string")
        .redirectUrl("string")
        .replacemsgOverrideGroup("string")
        .reputationDirection("string")
        .reputationDirection6("string")
        .reputationMinimum(0)
        .reputationMinimum6(0)
        .rsso("string")
        .rtpAddrs(PolicyRtpAddrArgs.builder()
            .name("string")
            .build())
        .rtpNat("string")
        .scanBotnetConnections("string")
        .schedule("string")
        .scheduleTimeout("string")
        .sctpFilterProfile("string")
        .sendDenyPacket("string")
        .serviceNegate("string")
        .services(PolicyServiceArgs.builder()
            .name("string")
            .build())
        .sessionTtl(0)
        .sgtCheck("string")
        .sgts(PolicySgtArgs.builder()
            .id(0)
            .build())
        .spamfilterProfile("string")
        .srcVendorMacs(PolicySrcVendorMacArgs.builder()
            .id(0)
            .build())
        .srcaddr6Negate("string")
        .srcaddr6s(PolicySrcaddr6Args.builder()
            .name("string")
            .build())
        .srcaddrNegate("string")
        .srcaddrs(PolicySrcaddrArgs.builder()
            .name("string")
            .build())
        .sshFilterProfile("string")
        .sshPolicyRedirect("string")
        .sslMirror("string")
        .sslMirrorIntfs(PolicySslMirrorIntfArgs.builder()
            .name("string")
            .build())
        .sslSshProfile("string")
        .status("string")
        .tcpMssReceiver(0)
        .tcpMssSender(0)
        .tcpSessionWithoutSyn("string")
        .timeoutSendRst("string")
        .tos("string")
        .tosMask("string")
        .tosNegate("string")
        .trafficShaper("string")
        .trafficShaperReverse("string")
        .urlCategories(PolicyUrlCategoryArgs.builder()
            .id(0)
            .build())
        .users(PolicyUserArgs.builder()
            .name("string")
            .build())
        .utmStatus("string")
        .uuid("string")
        .vdomparam("string")
        .videofilterProfile("string")
        .virtualPatchProfile("string")
        .vlanCosFwd(0)
        .vlanCosRev(0)
        .vlanFilter("string")
        .voipProfile("string")
        .vpntunnel("string")
        .wafProfile("string")
        .wanopt("string")
        .wanoptDetection("string")
        .wanoptPassiveOpt("string")
        .wanoptPeer("string")
        .wanoptProfile("string")
        .wccp("string")
        .webcache("string")
        .webcacheHttps("string")
        .webfilterProfile("string")
        .webproxyForwardServer("string")
        .webproxyProfile("string")
        .wsso("string")
        .ztnaDeviceOwnership("string")
        .ztnaEmsTagSecondaries(PolicyZtnaEmsTagSecondaryArgs.builder()
            .name("string")
            .build())
        .ztnaEmsTags(PolicyZtnaEmsTagArgs.builder()
            .name("string")
            .build())
        .ztnaGeoTags(PolicyZtnaGeoTagArgs.builder()
            .name("string")
            .build())
        .ztnaPolicyRedirect("string")
        .ztnaStatus("string")
        .ztnaTagsMatchLogic("string")
        .build());
    
    fortios_policy_resource = fortios.firewall.Policy("fortiosPolicyResource",
        dstintfs=[fortios.firewall.PolicyDstintfArgs(
            name="string",
        )],
        srcintfs=[fortios.firewall.PolicySrcintfArgs(
            name="string",
        )],
        action="string",
        anti_replay="string",
        app_categories=[fortios.firewall.PolicyAppCategoryArgs(
            id=0,
        )],
        app_groups=[fortios.firewall.PolicyAppGroupArgs(
            name="string",
        )],
        application_list="string",
        applications=[fortios.firewall.PolicyApplicationArgs(
            id=0,
        )],
        auth_cert="string",
        auth_path="string",
        auth_redirect_addr="string",
        auto_asic_offload="string",
        av_profile="string",
        block_notification="string",
        captive_portal_exempt="string",
        capture_packet="string",
        casb_profile="string",
        cifs_profile="string",
        comments="string",
        custom_log_fields=[fortios.firewall.PolicyCustomLogFieldArgs(
            field_id="string",
        )],
        decrypted_traffic_mirror="string",
        delay_tcp_npu_session="string",
        devices=[fortios.firewall.PolicyDeviceArgs(
            name="string",
        )],
        diameter_filter_profile="string",
        diffserv_copy="string",
        diffserv_forward="string",
        diffserv_reverse="string",
        diffservcode_forward="string",
        diffservcode_rev="string",
        disclaimer="string",
        dlp_profile="string",
        dlp_sensor="string",
        dnsfilter_profile="string",
        dsri="string",
        dstaddr6_negate="string",
        dstaddr6s=[fortios.firewall.PolicyDstaddr6Args(
            name="string",
        )],
        dstaddr_negate="string",
        dstaddrs=[fortios.firewall.PolicyDstaddrArgs(
            name="string",
        )],
        dynamic_shaping="string",
        dynamic_sort_subtable="string",
        email_collect="string",
        emailfilter_profile="string",
        fec="string",
        file_filter_profile="string",
        firewall_session_dirty="string",
        fixedport="string",
        fsso="string",
        fsso_agent_for_ntlm="string",
        fsso_groups=[fortios.firewall.PolicyFssoGroupArgs(
            name="string",
        )],
        geoip_anycast="string",
        geoip_match="string",
        get_all_tables="string",
        global_label="string",
        groups=[fortios.firewall.PolicyGroupArgs(
            name="string",
        )],
        http_policy_redirect="string",
        icap_profile="string",
        identity_based_route="string",
        inbound="string",
        inspection_mode="string",
        internet_service="string",
        internet_service6="string",
        internet_service6_custom_groups=[fortios.firewall.PolicyInternetService6CustomGroupArgs(
            name="string",
        )],
        internet_service6_customs=[fortios.firewall.PolicyInternetService6CustomArgs(
            name="string",
        )],
        internet_service6_groups=[fortios.firewall.PolicyInternetService6GroupArgs(
            name="string",
        )],
        internet_service6_names=[fortios.firewall.PolicyInternetService6NameArgs(
            name="string",
        )],
        internet_service6_negate="string",
        internet_service6_src="string",
        internet_service6_src_custom_groups=[fortios.firewall.PolicyInternetService6SrcCustomGroupArgs(
            name="string",
        )],
        internet_service6_src_customs=[fortios.firewall.PolicyInternetService6SrcCustomArgs(
            name="string",
        )],
        internet_service6_src_groups=[fortios.firewall.PolicyInternetService6SrcGroupArgs(
            name="string",
        )],
        internet_service6_src_names=[fortios.firewall.PolicyInternetService6SrcNameArgs(
            name="string",
        )],
        internet_service6_src_negate="string",
        internet_service_custom_groups=[fortios.firewall.PolicyInternetServiceCustomGroupArgs(
            name="string",
        )],
        internet_service_customs=[fortios.firewall.PolicyInternetServiceCustomArgs(
            name="string",
        )],
        internet_service_groups=[fortios.firewall.PolicyInternetServiceGroupArgs(
            name="string",
        )],
        internet_service_ids=[fortios.firewall.PolicyInternetServiceIdArgs(
            id=0,
        )],
        internet_service_names=[fortios.firewall.PolicyInternetServiceNameArgs(
            name="string",
        )],
        internet_service_negate="string",
        internet_service_src="string",
        internet_service_src_custom_groups=[fortios.firewall.PolicyInternetServiceSrcCustomGroupArgs(
            name="string",
        )],
        internet_service_src_customs=[fortios.firewall.PolicyInternetServiceSrcCustomArgs(
            name="string",
        )],
        internet_service_src_groups=[fortios.firewall.PolicyInternetServiceSrcGroupArgs(
            name="string",
        )],
        internet_service_src_ids=[fortios.firewall.PolicyInternetServiceSrcIdArgs(
            id=0,
        )],
        internet_service_src_names=[fortios.firewall.PolicyInternetServiceSrcNameArgs(
            name="string",
        )],
        internet_service_src_negate="string",
        ippool="string",
        ips_sensor="string",
        ips_voip_filter="string",
        label="string",
        learning_mode="string",
        logtraffic="string",
        logtraffic_start="string",
        match_vip="string",
        match_vip_only="string",
        name="string",
        nat="string",
        nat46="string",
        nat64="string",
        natinbound="string",
        natip="string",
        natoutbound="string",
        network_service_dynamics=[fortios.firewall.PolicyNetworkServiceDynamicArgs(
            name="string",
        )],
        network_service_src_dynamics=[fortios.firewall.PolicyNetworkServiceSrcDynamicArgs(
            name="string",
        )],
        np_acceleration="string",
        ntlm="string",
        ntlm_enabled_browsers=[fortios.firewall.PolicyNtlmEnabledBrowserArgs(
            user_agent_string="string",
        )],
        ntlm_guest="string",
        outbound="string",
        passive_wan_health_measurement="string",
        pcp_inbound="string",
        pcp_outbound="string",
        pcp_poolnames=[fortios.firewall.PolicyPcpPoolnameArgs(
            name="string",
        )],
        per_ip_shaper="string",
        permit_any_host="string",
        permit_stun_host="string",
        policy_expiry="string",
        policy_expiry_date="string",
        policy_expiry_date_utc="string",
        policyid=0,
        poolname6s=[fortios.firewall.PolicyPoolname6Args(
            name="string",
        )],
        poolnames=[fortios.firewall.PolicyPoolnameArgs(
            name="string",
        )],
        port_preserve="string",
        profile_group="string",
        profile_protocol_options="string",
        profile_type="string",
        radius_mac_auth_bypass="string",
        redirect_url="string",
        replacemsg_override_group="string",
        reputation_direction="string",
        reputation_direction6="string",
        reputation_minimum=0,
        reputation_minimum6=0,
        rsso="string",
        rtp_addrs=[fortios.firewall.PolicyRtpAddrArgs(
            name="string",
        )],
        rtp_nat="string",
        scan_botnet_connections="string",
        schedule="string",
        schedule_timeout="string",
        sctp_filter_profile="string",
        send_deny_packet="string",
        service_negate="string",
        services=[fortios.firewall.PolicyServiceArgs(
            name="string",
        )],
        session_ttl=0,
        sgt_check="string",
        sgts=[fortios.firewall.PolicySgtArgs(
            id=0,
        )],
        spamfilter_profile="string",
        src_vendor_macs=[fortios.firewall.PolicySrcVendorMacArgs(
            id=0,
        )],
        srcaddr6_negate="string",
        srcaddr6s=[fortios.firewall.PolicySrcaddr6Args(
            name="string",
        )],
        srcaddr_negate="string",
        srcaddrs=[fortios.firewall.PolicySrcaddrArgs(
            name="string",
        )],
        ssh_filter_profile="string",
        ssh_policy_redirect="string",
        ssl_mirror="string",
        ssl_mirror_intfs=[fortios.firewall.PolicySslMirrorIntfArgs(
            name="string",
        )],
        ssl_ssh_profile="string",
        status="string",
        tcp_mss_receiver=0,
        tcp_mss_sender=0,
        tcp_session_without_syn="string",
        timeout_send_rst="string",
        tos="string",
        tos_mask="string",
        tos_negate="string",
        traffic_shaper="string",
        traffic_shaper_reverse="string",
        url_categories=[fortios.firewall.PolicyUrlCategoryArgs(
            id=0,
        )],
        users=[fortios.firewall.PolicyUserArgs(
            name="string",
        )],
        utm_status="string",
        uuid="string",
        vdomparam="string",
        videofilter_profile="string",
        virtual_patch_profile="string",
        vlan_cos_fwd=0,
        vlan_cos_rev=0,
        vlan_filter="string",
        voip_profile="string",
        vpntunnel="string",
        waf_profile="string",
        wanopt="string",
        wanopt_detection="string",
        wanopt_passive_opt="string",
        wanopt_peer="string",
        wanopt_profile="string",
        wccp="string",
        webcache="string",
        webcache_https="string",
        webfilter_profile="string",
        webproxy_forward_server="string",
        webproxy_profile="string",
        wsso="string",
        ztna_device_ownership="string",
        ztna_ems_tag_secondaries=[fortios.firewall.PolicyZtnaEmsTagSecondaryArgs(
            name="string",
        )],
        ztna_ems_tags=[fortios.firewall.PolicyZtnaEmsTagArgs(
            name="string",
        )],
        ztna_geo_tags=[fortios.firewall.PolicyZtnaGeoTagArgs(
            name="string",
        )],
        ztna_policy_redirect="string",
        ztna_status="string",
        ztna_tags_match_logic="string")
    
    const fortiosPolicyResource = new fortios.firewall.Policy("fortiosPolicyResource", {
        dstintfs: [{
            name: "string",
        }],
        srcintfs: [{
            name: "string",
        }],
        action: "string",
        antiReplay: "string",
        appCategories: [{
            id: 0,
        }],
        appGroups: [{
            name: "string",
        }],
        applicationList: "string",
        applications: [{
            id: 0,
        }],
        authCert: "string",
        authPath: "string",
        authRedirectAddr: "string",
        autoAsicOffload: "string",
        avProfile: "string",
        blockNotification: "string",
        captivePortalExempt: "string",
        capturePacket: "string",
        casbProfile: "string",
        cifsProfile: "string",
        comments: "string",
        customLogFields: [{
            fieldId: "string",
        }],
        decryptedTrafficMirror: "string",
        delayTcpNpuSession: "string",
        devices: [{
            name: "string",
        }],
        diameterFilterProfile: "string",
        diffservCopy: "string",
        diffservForward: "string",
        diffservReverse: "string",
        diffservcodeForward: "string",
        diffservcodeRev: "string",
        disclaimer: "string",
        dlpProfile: "string",
        dlpSensor: "string",
        dnsfilterProfile: "string",
        dsri: "string",
        dstaddr6Negate: "string",
        dstaddr6s: [{
            name: "string",
        }],
        dstaddrNegate: "string",
        dstaddrs: [{
            name: "string",
        }],
        dynamicShaping: "string",
        dynamicSortSubtable: "string",
        emailCollect: "string",
        emailfilterProfile: "string",
        fec: "string",
        fileFilterProfile: "string",
        firewallSessionDirty: "string",
        fixedport: "string",
        fsso: "string",
        fssoAgentForNtlm: "string",
        fssoGroups: [{
            name: "string",
        }],
        geoipAnycast: "string",
        geoipMatch: "string",
        getAllTables: "string",
        globalLabel: "string",
        groups: [{
            name: "string",
        }],
        httpPolicyRedirect: "string",
        icapProfile: "string",
        identityBasedRoute: "string",
        inbound: "string",
        inspectionMode: "string",
        internetService: "string",
        internetService6: "string",
        internetService6CustomGroups: [{
            name: "string",
        }],
        internetService6Customs: [{
            name: "string",
        }],
        internetService6Groups: [{
            name: "string",
        }],
        internetService6Names: [{
            name: "string",
        }],
        internetService6Negate: "string",
        internetService6Src: "string",
        internetService6SrcCustomGroups: [{
            name: "string",
        }],
        internetService6SrcCustoms: [{
            name: "string",
        }],
        internetService6SrcGroups: [{
            name: "string",
        }],
        internetService6SrcNames: [{
            name: "string",
        }],
        internetService6SrcNegate: "string",
        internetServiceCustomGroups: [{
            name: "string",
        }],
        internetServiceCustoms: [{
            name: "string",
        }],
        internetServiceGroups: [{
            name: "string",
        }],
        internetServiceIds: [{
            id: 0,
        }],
        internetServiceNames: [{
            name: "string",
        }],
        internetServiceNegate: "string",
        internetServiceSrc: "string",
        internetServiceSrcCustomGroups: [{
            name: "string",
        }],
        internetServiceSrcCustoms: [{
            name: "string",
        }],
        internetServiceSrcGroups: [{
            name: "string",
        }],
        internetServiceSrcIds: [{
            id: 0,
        }],
        internetServiceSrcNames: [{
            name: "string",
        }],
        internetServiceSrcNegate: "string",
        ippool: "string",
        ipsSensor: "string",
        ipsVoipFilter: "string",
        label: "string",
        learningMode: "string",
        logtraffic: "string",
        logtrafficStart: "string",
        matchVip: "string",
        matchVipOnly: "string",
        name: "string",
        nat: "string",
        nat46: "string",
        nat64: "string",
        natinbound: "string",
        natip: "string",
        natoutbound: "string",
        networkServiceDynamics: [{
            name: "string",
        }],
        networkServiceSrcDynamics: [{
            name: "string",
        }],
        npAcceleration: "string",
        ntlm: "string",
        ntlmEnabledBrowsers: [{
            userAgentString: "string",
        }],
        ntlmGuest: "string",
        outbound: "string",
        passiveWanHealthMeasurement: "string",
        pcpInbound: "string",
        pcpOutbound: "string",
        pcpPoolnames: [{
            name: "string",
        }],
        perIpShaper: "string",
        permitAnyHost: "string",
        permitStunHost: "string",
        policyExpiry: "string",
        policyExpiryDate: "string",
        policyExpiryDateUtc: "string",
        policyid: 0,
        poolname6s: [{
            name: "string",
        }],
        poolnames: [{
            name: "string",
        }],
        portPreserve: "string",
        profileGroup: "string",
        profileProtocolOptions: "string",
        profileType: "string",
        radiusMacAuthBypass: "string",
        redirectUrl: "string",
        replacemsgOverrideGroup: "string",
        reputationDirection: "string",
        reputationDirection6: "string",
        reputationMinimum: 0,
        reputationMinimum6: 0,
        rsso: "string",
        rtpAddrs: [{
            name: "string",
        }],
        rtpNat: "string",
        scanBotnetConnections: "string",
        schedule: "string",
        scheduleTimeout: "string",
        sctpFilterProfile: "string",
        sendDenyPacket: "string",
        serviceNegate: "string",
        services: [{
            name: "string",
        }],
        sessionTtl: 0,
        sgtCheck: "string",
        sgts: [{
            id: 0,
        }],
        spamfilterProfile: "string",
        srcVendorMacs: [{
            id: 0,
        }],
        srcaddr6Negate: "string",
        srcaddr6s: [{
            name: "string",
        }],
        srcaddrNegate: "string",
        srcaddrs: [{
            name: "string",
        }],
        sshFilterProfile: "string",
        sshPolicyRedirect: "string",
        sslMirror: "string",
        sslMirrorIntfs: [{
            name: "string",
        }],
        sslSshProfile: "string",
        status: "string",
        tcpMssReceiver: 0,
        tcpMssSender: 0,
        tcpSessionWithoutSyn: "string",
        timeoutSendRst: "string",
        tos: "string",
        tosMask: "string",
        tosNegate: "string",
        trafficShaper: "string",
        trafficShaperReverse: "string",
        urlCategories: [{
            id: 0,
        }],
        users: [{
            name: "string",
        }],
        utmStatus: "string",
        uuid: "string",
        vdomparam: "string",
        videofilterProfile: "string",
        virtualPatchProfile: "string",
        vlanCosFwd: 0,
        vlanCosRev: 0,
        vlanFilter: "string",
        voipProfile: "string",
        vpntunnel: "string",
        wafProfile: "string",
        wanopt: "string",
        wanoptDetection: "string",
        wanoptPassiveOpt: "string",
        wanoptPeer: "string",
        wanoptProfile: "string",
        wccp: "string",
        webcache: "string",
        webcacheHttps: "string",
        webfilterProfile: "string",
        webproxyForwardServer: "string",
        webproxyProfile: "string",
        wsso: "string",
        ztnaDeviceOwnership: "string",
        ztnaEmsTagSecondaries: [{
            name: "string",
        }],
        ztnaEmsTags: [{
            name: "string",
        }],
        ztnaGeoTags: [{
            name: "string",
        }],
        ztnaPolicyRedirect: "string",
        ztnaStatus: "string",
        ztnaTagsMatchLogic: "string",
    });
    
    type: fortios:firewall:Policy
    properties:
        action: string
        antiReplay: string
        appCategories:
            - id: 0
        appGroups:
            - name: string
        applicationList: string
        applications:
            - id: 0
        authCert: string
        authPath: string
        authRedirectAddr: string
        autoAsicOffload: string
        avProfile: string
        blockNotification: string
        captivePortalExempt: string
        capturePacket: string
        casbProfile: string
        cifsProfile: string
        comments: string
        customLogFields:
            - fieldId: string
        decryptedTrafficMirror: string
        delayTcpNpuSession: string
        devices:
            - name: string
        diameterFilterProfile: string
        diffservCopy: string
        diffservForward: string
        diffservReverse: string
        diffservcodeForward: string
        diffservcodeRev: string
        disclaimer: string
        dlpProfile: string
        dlpSensor: string
        dnsfilterProfile: string
        dsri: string
        dstaddr6Negate: string
        dstaddr6s:
            - name: string
        dstaddrNegate: string
        dstaddrs:
            - name: string
        dstintfs:
            - name: string
        dynamicShaping: string
        dynamicSortSubtable: string
        emailCollect: string
        emailfilterProfile: string
        fec: string
        fileFilterProfile: string
        firewallSessionDirty: string
        fixedport: string
        fsso: string
        fssoAgentForNtlm: string
        fssoGroups:
            - name: string
        geoipAnycast: string
        geoipMatch: string
        getAllTables: string
        globalLabel: string
        groups:
            - name: string
        httpPolicyRedirect: string
        icapProfile: string
        identityBasedRoute: string
        inbound: string
        inspectionMode: string
        internetService: string
        internetService6: string
        internetService6CustomGroups:
            - name: string
        internetService6Customs:
            - name: string
        internetService6Groups:
            - name: string
        internetService6Names:
            - name: string
        internetService6Negate: string
        internetService6Src: string
        internetService6SrcCustomGroups:
            - name: string
        internetService6SrcCustoms:
            - name: string
        internetService6SrcGroups:
            - name: string
        internetService6SrcNames:
            - name: string
        internetService6SrcNegate: string
        internetServiceCustomGroups:
            - name: string
        internetServiceCustoms:
            - name: string
        internetServiceGroups:
            - name: string
        internetServiceIds:
            - id: 0
        internetServiceNames:
            - name: string
        internetServiceNegate: string
        internetServiceSrc: string
        internetServiceSrcCustomGroups:
            - name: string
        internetServiceSrcCustoms:
            - name: string
        internetServiceSrcGroups:
            - name: string
        internetServiceSrcIds:
            - id: 0
        internetServiceSrcNames:
            - name: string
        internetServiceSrcNegate: string
        ippool: string
        ipsSensor: string
        ipsVoipFilter: string
        label: string
        learningMode: string
        logtraffic: string
        logtrafficStart: string
        matchVip: string
        matchVipOnly: string
        name: string
        nat: string
        nat46: string
        nat64: string
        natinbound: string
        natip: string
        natoutbound: string
        networkServiceDynamics:
            - name: string
        networkServiceSrcDynamics:
            - name: string
        npAcceleration: string
        ntlm: string
        ntlmEnabledBrowsers:
            - userAgentString: string
        ntlmGuest: string
        outbound: string
        passiveWanHealthMeasurement: string
        pcpInbound: string
        pcpOutbound: string
        pcpPoolnames:
            - name: string
        perIpShaper: string
        permitAnyHost: string
        permitStunHost: string
        policyExpiry: string
        policyExpiryDate: string
        policyExpiryDateUtc: string
        policyid: 0
        poolname6s:
            - name: string
        poolnames:
            - name: string
        portPreserve: string
        profileGroup: string
        profileProtocolOptions: string
        profileType: string
        radiusMacAuthBypass: string
        redirectUrl: string
        replacemsgOverrideGroup: string
        reputationDirection: string
        reputationDirection6: string
        reputationMinimum: 0
        reputationMinimum6: 0
        rsso: string
        rtpAddrs:
            - name: string
        rtpNat: string
        scanBotnetConnections: string
        schedule: string
        scheduleTimeout: string
        sctpFilterProfile: string
        sendDenyPacket: string
        serviceNegate: string
        services:
            - name: string
        sessionTtl: 0
        sgtCheck: string
        sgts:
            - id: 0
        spamfilterProfile: string
        srcVendorMacs:
            - id: 0
        srcaddr6Negate: string
        srcaddr6s:
            - name: string
        srcaddrNegate: string
        srcaddrs:
            - name: string
        srcintfs:
            - name: string
        sshFilterProfile: string
        sshPolicyRedirect: string
        sslMirror: string
        sslMirrorIntfs:
            - name: string
        sslSshProfile: string
        status: string
        tcpMssReceiver: 0
        tcpMssSender: 0
        tcpSessionWithoutSyn: string
        timeoutSendRst: string
        tos: string
        tosMask: string
        tosNegate: string
        trafficShaper: string
        trafficShaperReverse: string
        urlCategories:
            - id: 0
        users:
            - name: string
        utmStatus: string
        uuid: string
        vdomparam: string
        videofilterProfile: string
        virtualPatchProfile: string
        vlanCosFwd: 0
        vlanCosRev: 0
        vlanFilter: string
        voipProfile: string
        vpntunnel: string
        wafProfile: string
        wanopt: string
        wanoptDetection: string
        wanoptPassiveOpt: string
        wanoptPeer: string
        wanoptProfile: string
        wccp: string
        webcache: string
        webcacheHttps: string
        webfilterProfile: string
        webproxyForwardServer: string
        webproxyProfile: string
        wsso: string
        ztnaDeviceOwnership: string
        ztnaEmsTagSecondaries:
            - name: string
        ztnaEmsTags:
            - name: string
        ztnaGeoTags:
            - name: string
        ztnaPolicyRedirect: string
        ztnaStatus: string
        ztnaTagsMatchLogic: string
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Policy resource accepts the following input properties:

    Dstintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstintf>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    Srcintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcintf>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    Action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    AntiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    AppCategories List<Pulumiverse.Fortios.Firewall.Inputs.PolicyAppCategory>
    Application category ID list. The structure of app_category block is documented below.
    AppGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyAppGroup>
    Application group names. The structure of app_group block is documented below.
    ApplicationList string
    Name of an existing Application list.
    Applications List<Pulumiverse.Fortios.Firewall.Inputs.PolicyApplication>
    Application ID list. The structure of application block is documented below.
    AuthCert string
    HTTPS server certificate for policy authentication.
    AuthPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    AuthRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    AutoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    AvProfile string
    Name of an existing Antivirus profile.
    BlockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    CaptivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    CapturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    CasbProfile string
    Name of an existing CASB profile.
    CifsProfile string
    Name of an existing CIFS profile.
    Comments string
    Comment.
    CustomLogFields List<Pulumiverse.Fortios.Firewall.Inputs.PolicyCustomLogField>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    DecryptedTrafficMirror string
    Decrypted traffic mirror.
    DelayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    Devices List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDevice>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    DiameterFilterProfile string
    Name of an existing Diameter filter profile.
    DiffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    DiffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    DiffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    DiffservcodeForward string
    Change packet's DiffServ to this value.
    DiffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    Disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    DlpProfile string
    Name of an existing DLP profile.
    DlpSensor string
    Name of an existing DLP sensor.
    DnsfilterProfile string
    Name of an existing DNS filter profile.
    Dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    Dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddr6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstaddr6>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    DstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstaddr>
    Destination address and address group names. The structure of dstaddr block is documented below.
    DynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    EmailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    EmailfilterProfile string
    Name of an existing email filter profile.
    Fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    FileFilterProfile string
    Name of an existing file-filter profile.
    FirewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    Fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    Fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    FssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    FssoGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyFssoGroup>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    GeoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    GeoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GlobalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyGroup>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    HttpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    IcapProfile string
    Name of an existing ICAP profile.
    IdentityBasedRoute string
    Name of identity-based routing rule.
    Inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    InspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    InternetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6CustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6CustomGroup>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    InternetService6Customs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Custom>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    InternetService6Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Group>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    InternetService6Names List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Name>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    InternetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    InternetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetService6SrcCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomGroup>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    InternetService6SrcCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcCustom>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    InternetService6SrcGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcGroup>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    InternetService6SrcNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcName>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    InternetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceCustomGroup>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    InternetServiceCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceCustom>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    InternetServiceGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceGroup>
    Internet Service group name. The structure of internet_service_group block is documented below.
    InternetServiceIds List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceId>
    Internet Service ID. The structure of internet_service_id block is documented below.
    InternetServiceNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceName>
    Internet Service name. The structure of internet_service_name block is documented below.
    InternetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetServiceSrcCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomGroup>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    InternetServiceSrcCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustom>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    InternetServiceSrcGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcGroup>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    InternetServiceSrcIds List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcId>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    InternetServiceSrcNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcName>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    InternetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    Ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    IpsSensor string
    Name of an existing IPS sensor.
    IpsVoipFilter string
    Name of an existing VoIP (ips) profile.
    Label string
    Label for the policy that appears when the GUI is in Section View mode.
    LearningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    Logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    LogtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    MatchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    MatchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    Name string
    Policy name.
    Nat string
    Enable/disable source NAT. Valid values: enable, disable.
    Nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    Nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    Natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    Natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    Natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    NetworkServiceDynamics List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNetworkServiceDynamic>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    NetworkServiceSrcDynamics List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNetworkServiceSrcDynamic>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    NpAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    Ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    NtlmEnabledBrowsers List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNtlmEnabledBrowser>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    NtlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    Outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    PassiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    PcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    PcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    PcpPoolnames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPcpPoolname>
    PCP pool names. The structure of pcp_poolname block is documented below.
    PerIpShaper string
    Per-IP traffic shaper.
    PermitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    PermitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    PolicyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    PolicyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    PolicyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    Policyid int
    Policy ID.
    Poolname6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPoolname6>
    IPv6 pool names. The structure of poolname6 block is documented below.
    Poolnames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPoolname>
    IP Pool names. The structure of poolname block is documented below.
    PortPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    ProfileGroup string
    Name of profile group.
    ProfileProtocolOptions string
    Name of an existing Protocol options profile.
    ProfileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    RadiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    RedirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    ReplacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    ReputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    ReputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    ReputationMinimum int
    Minimum Reputation to take action.
    ReputationMinimum6 int
    IPv6 Minimum Reputation to take action.
    Rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    RtpAddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyRtpAddr>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    RtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    ScanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    Schedule string
    Schedule name.(Default is always)
    ScheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    SctpFilterProfile string
    Name of an existing SCTP filter profile.
    SendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    ServiceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    Services List<Pulumiverse.Fortios.Firewall.Inputs.PolicyService>
    Service and service group names. The structure of service block is documented below.
    SessionTtl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    SgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    Sgts List<Pulumiverse.Fortios.Firewall.Inputs.PolicySgt>
    Security group tags. The structure of sgt block is documented below.
    SpamfilterProfile string
    Name of an existing Spam filter profile.
    SrcVendorMacs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcVendorMac>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    Srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddr6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcaddr6>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    SrcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcaddr>
    Source address and address group names. The structure of srcaddr block is documented below.
    SshFilterProfile string
    Name of an existing SSH filter profile.
    SshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    SslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    SslMirrorIntfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySslMirrorIntf>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    SslSshProfile string
    Name of an existing SSL SSH profile.
    Status string
    Enable or disable this policy. Valid values: enable, disable.
    TcpMssReceiver int
    Receiver TCP maximum segment size (MSS).
    TcpMssSender int
    Sender TCP maximum segment size (MSS).
    TcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    TimeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    Tos string
    ToS (Type of Service) value used for comparison.
    TosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    TosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    TrafficShaper string
    Traffic shaper.
    TrafficShaperReverse string
    Reverse traffic shaper.
    UrlCategories List<Pulumiverse.Fortios.Firewall.Inputs.PolicyUrlCategory>
    URL category ID list. The structure of url_category block is documented below.
    Users List<Pulumiverse.Fortios.Firewall.Inputs.PolicyUser>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    UtmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    Uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    VideofilterProfile string
    Name of an existing VideoFilter profile.
    VirtualPatchProfile string
    Name of an existing virtual-patch profile.
    VlanCosFwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanCosRev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanFilter string
    Set VLAN filters.
    VoipProfile string
    Name of an existing VoIP (voipd) profile.
    Vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    WafProfile string
    Name of an existing Web application firewall profile.
    Wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    WanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    WanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    WanoptPeer string
    WAN optimization peer.
    WanoptProfile string
    WAN optimization profile.
    Wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    Webcache string
    Enable/disable web cache. Valid values: enable, disable.
    WebcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    WebfilterProfile string
    Name of an existing Web filter profile.
    WebproxyForwardServer string
    Web proxy forward server name.
    WebproxyProfile string
    Webproxy profile name.
    Wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ZtnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ZtnaEmsTagSecondaries List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTagSecondary>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ZtnaEmsTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTag>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ZtnaGeoTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaGeoTag>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ZtnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ZtnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ZtnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    Dstintfs []PolicyDstintfArgs
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    Srcintfs []PolicySrcintfArgs
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    Action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    AntiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    AppCategories []PolicyAppCategoryArgs
    Application category ID list. The structure of app_category block is documented below.
    AppGroups []PolicyAppGroupArgs
    Application group names. The structure of app_group block is documented below.
    ApplicationList string
    Name of an existing Application list.
    Applications []PolicyApplicationArgs
    Application ID list. The structure of application block is documented below.
    AuthCert string
    HTTPS server certificate for policy authentication.
    AuthPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    AuthRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    AutoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    AvProfile string
    Name of an existing Antivirus profile.
    BlockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    CaptivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    CapturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    CasbProfile string
    Name of an existing CASB profile.
    CifsProfile string
    Name of an existing CIFS profile.
    Comments string
    Comment.
    CustomLogFields []PolicyCustomLogFieldArgs
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    DecryptedTrafficMirror string
    Decrypted traffic mirror.
    DelayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    Devices []PolicyDeviceArgs
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    DiameterFilterProfile string
    Name of an existing Diameter filter profile.
    DiffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    DiffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    DiffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    DiffservcodeForward string
    Change packet's DiffServ to this value.
    DiffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    Disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    DlpProfile string
    Name of an existing DLP profile.
    DlpSensor string
    Name of an existing DLP sensor.
    DnsfilterProfile string
    Name of an existing DNS filter profile.
    Dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    Dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddr6s []PolicyDstaddr6Args
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    DstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddrs []PolicyDstaddrArgs
    Destination address and address group names. The structure of dstaddr block is documented below.
    DynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    EmailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    EmailfilterProfile string
    Name of an existing email filter profile.
    Fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    FileFilterProfile string
    Name of an existing file-filter profile.
    FirewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    Fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    Fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    FssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    FssoGroups []PolicyFssoGroupArgs
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    GeoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    GeoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GlobalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    Groups []PolicyGroupArgs
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    HttpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    IcapProfile string
    Name of an existing ICAP profile.
    IdentityBasedRoute string
    Name of identity-based routing rule.
    Inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    InspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    InternetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6CustomGroups []PolicyInternetService6CustomGroupArgs
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    InternetService6Customs []PolicyInternetService6CustomArgs
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    InternetService6Groups []PolicyInternetService6GroupArgs
    Internet Service group name. The structure of internet_service6_group block is documented below.
    InternetService6Names []PolicyInternetService6NameArgs
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    InternetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    InternetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetService6SrcCustomGroups []PolicyInternetService6SrcCustomGroupArgs
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    InternetService6SrcCustoms []PolicyInternetService6SrcCustomArgs
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    InternetService6SrcGroups []PolicyInternetService6SrcGroupArgs
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    InternetService6SrcNames []PolicyInternetService6SrcNameArgs
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    InternetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceCustomGroups []PolicyInternetServiceCustomGroupArgs
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    InternetServiceCustoms []PolicyInternetServiceCustomArgs
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    InternetServiceGroups []PolicyInternetServiceGroupArgs
    Internet Service group name. The structure of internet_service_group block is documented below.
    InternetServiceIds []PolicyInternetServiceIdArgs
    Internet Service ID. The structure of internet_service_id block is documented below.
    InternetServiceNames []PolicyInternetServiceNameArgs
    Internet Service name. The structure of internet_service_name block is documented below.
    InternetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetServiceSrcCustomGroups []PolicyInternetServiceSrcCustomGroupArgs
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    InternetServiceSrcCustoms []PolicyInternetServiceSrcCustomArgs
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    InternetServiceSrcGroups []PolicyInternetServiceSrcGroupArgs
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    InternetServiceSrcIds []PolicyInternetServiceSrcIdArgs
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    InternetServiceSrcNames []PolicyInternetServiceSrcNameArgs
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    InternetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    Ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    IpsSensor string
    Name of an existing IPS sensor.
    IpsVoipFilter string
    Name of an existing VoIP (ips) profile.
    Label string
    Label for the policy that appears when the GUI is in Section View mode.
    LearningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    Logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    LogtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    MatchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    MatchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    Name string
    Policy name.
    Nat string
    Enable/disable source NAT. Valid values: enable, disable.
    Nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    Nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    Natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    Natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    Natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    NetworkServiceDynamics []PolicyNetworkServiceDynamicArgs
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    NetworkServiceSrcDynamics []PolicyNetworkServiceSrcDynamicArgs
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    NpAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    Ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    NtlmEnabledBrowsers []PolicyNtlmEnabledBrowserArgs
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    NtlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    Outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    PassiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    PcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    PcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    PcpPoolnames []PolicyPcpPoolnameArgs
    PCP pool names. The structure of pcp_poolname block is documented below.
    PerIpShaper string
    Per-IP traffic shaper.
    PermitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    PermitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    PolicyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    PolicyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    PolicyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    Policyid int
    Policy ID.
    Poolname6s []PolicyPoolname6Args
    IPv6 pool names. The structure of poolname6 block is documented below.
    Poolnames []PolicyPoolnameArgs
    IP Pool names. The structure of poolname block is documented below.
    PortPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    ProfileGroup string
    Name of profile group.
    ProfileProtocolOptions string
    Name of an existing Protocol options profile.
    ProfileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    RadiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    RedirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    ReplacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    ReputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    ReputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    ReputationMinimum int
    Minimum Reputation to take action.
    ReputationMinimum6 int
    IPv6 Minimum Reputation to take action.
    Rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    RtpAddrs []PolicyRtpAddrArgs
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    RtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    ScanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    Schedule string
    Schedule name.(Default is always)
    ScheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    SctpFilterProfile string
    Name of an existing SCTP filter profile.
    SendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    ServiceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    Services []PolicyServiceArgs
    Service and service group names. The structure of service block is documented below.
    SessionTtl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    SgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    Sgts []PolicySgtArgs
    Security group tags. The structure of sgt block is documented below.
    SpamfilterProfile string
    Name of an existing Spam filter profile.
    SrcVendorMacs []PolicySrcVendorMacArgs
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    Srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddr6s []PolicySrcaddr6Args
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    SrcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddrs []PolicySrcaddrArgs
    Source address and address group names. The structure of srcaddr block is documented below.
    SshFilterProfile string
    Name of an existing SSH filter profile.
    SshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    SslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    SslMirrorIntfs []PolicySslMirrorIntfArgs
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    SslSshProfile string
    Name of an existing SSL SSH profile.
    Status string
    Enable or disable this policy. Valid values: enable, disable.
    TcpMssReceiver int
    Receiver TCP maximum segment size (MSS).
    TcpMssSender int
    Sender TCP maximum segment size (MSS).
    TcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    TimeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    Tos string
    ToS (Type of Service) value used for comparison.
    TosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    TosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    TrafficShaper string
    Traffic shaper.
    TrafficShaperReverse string
    Reverse traffic shaper.
    UrlCategories []PolicyUrlCategoryArgs
    URL category ID list. The structure of url_category block is documented below.
    Users []PolicyUserArgs
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    UtmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    Uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    VideofilterProfile string
    Name of an existing VideoFilter profile.
    VirtualPatchProfile string
    Name of an existing virtual-patch profile.
    VlanCosFwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanCosRev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanFilter string
    Set VLAN filters.
    VoipProfile string
    Name of an existing VoIP (voipd) profile.
    Vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    WafProfile string
    Name of an existing Web application firewall profile.
    Wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    WanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    WanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    WanoptPeer string
    WAN optimization peer.
    WanoptProfile string
    WAN optimization profile.
    Wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    Webcache string
    Enable/disable web cache. Valid values: enable, disable.
    WebcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    WebfilterProfile string
    Name of an existing Web filter profile.
    WebproxyForwardServer string
    Web proxy forward server name.
    WebproxyProfile string
    Webproxy profile name.
    Wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ZtnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ZtnaEmsTagSecondaries []PolicyZtnaEmsTagSecondaryArgs
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ZtnaEmsTags []PolicyZtnaEmsTagArgs
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ZtnaGeoTags []PolicyZtnaGeoTagArgs
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ZtnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ZtnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ZtnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    dstintfs List<PolicyDstintf>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    srcintfs List<PolicySrcintf>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    action String
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay String
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories List<PolicyAppCategory>
    Application category ID list. The structure of app_category block is documented below.
    appGroups List<PolicyAppGroup>
    Application group names. The structure of app_group block is documented below.
    applicationList String
    Name of an existing Application list.
    applications List<PolicyApplication>
    Application ID list. The structure of application block is documented below.
    authCert String
    HTTPS server certificate for policy authentication.
    authPath String
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr String
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload String
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile String
    Name of an existing Antivirus profile.
    blockNotification String
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt String
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket String
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile String
    Name of an existing CASB profile.
    cifsProfile String
    Name of an existing CIFS profile.
    comments String
    Comment.
    customLogFields List<PolicyCustomLogField>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror String
    Decrypted traffic mirror.
    delayTcpNpuSession String
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices List<PolicyDevice>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile String
    Name of an existing Diameter filter profile.
    diffservCopy String
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward String
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse String
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward String
    Change packet's DiffServ to this value.
    diffservcodeRev String
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer String
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile String
    Name of an existing DLP profile.
    dlpSensor String
    Name of an existing DLP sensor.
    dnsfilterProfile String
    Name of an existing DNS filter profile.
    dsri String
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate String
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s List<PolicyDstaddr6>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate String
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs List<PolicyDstaddr>
    Destination address and address group names. The structure of dstaddr block is documented below.
    dynamicShaping String
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect String
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile String
    Name of an existing email filter profile.
    fec String
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile String
    Name of an existing file-filter profile.
    firewallSessionDirty String
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport String
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso String
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm String
    FSSO agent to use for NTLM authentication.
    fssoGroups List<PolicyFssoGroup>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast String
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch String
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel String
    Label for the policy that appears when the GUI is in Global View mode.
    groups List<PolicyGroup>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect String
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile String
    Name of an existing ICAP profile.
    identityBasedRoute String
    Name of identity-based routing rule.
    inbound String
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode String
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService String
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 String
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups List<PolicyInternetService6CustomGroup>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs List<PolicyInternetService6Custom>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups List<PolicyInternetService6Group>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names List<PolicyInternetService6Name>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate String
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src String
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups List<PolicyInternetService6SrcCustomGroup>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms List<PolicyInternetService6SrcCustom>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups List<PolicyInternetService6SrcGroup>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames List<PolicyInternetService6SrcName>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate String
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups List<PolicyInternetServiceCustomGroup>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms List<PolicyInternetServiceCustom>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups List<PolicyInternetServiceGroup>
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds List<PolicyInternetServiceId>
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames List<PolicyInternetServiceName>
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate String
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc String
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups List<PolicyInternetServiceSrcCustomGroup>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms List<PolicyInternetServiceSrcCustom>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups List<PolicyInternetServiceSrcGroup>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds List<PolicyInternetServiceSrcId>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames List<PolicyInternetServiceSrcName>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate String
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool String
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor String
    Name of an existing IPS sensor.
    ipsVoipFilter String
    Name of an existing VoIP (ips) profile.
    label String
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode String
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic String
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart String
    Record logs when a session starts. Valid values: enable, disable.
    matchVip String
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly String
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name String
    Policy name.
    nat String
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 String
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 String
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound String
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip String
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound String
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics List<PolicyNetworkServiceDynamic>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics List<PolicyNetworkServiceSrcDynamic>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration String
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm String
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers List<PolicyNtlmEnabledBrowser>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest String
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound String
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement String
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound String
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound String
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames List<PolicyPcpPoolname>
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper String
    Per-IP traffic shaper.
    permitAnyHost String
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost String
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry String
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate String
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc String
    Policy expiry date and time, in epoch format.
    policyid Integer
    Policy ID.
    poolname6s List<PolicyPoolname6>
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames List<PolicyPoolname>
    IP Pool names. The structure of poolname block is documented below.
    portPreserve String
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup String
    Name of profile group.
    profileProtocolOptions String
    Name of an existing Protocol options profile.
    profileType String
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass String
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl String
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup String
    Override the default replacement message group for this policy.
    reputationDirection String
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 String
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum Integer
    Minimum Reputation to take action.
    reputationMinimum6 Integer
    IPv6 Minimum Reputation to take action.
    rsso String
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs List<PolicyRtpAddr>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat String
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections String
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule String
    Schedule name.(Default is always)
    scheduleTimeout String
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile String
    Name of an existing SCTP filter profile.
    sendDenyPacket String
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate String
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services List<PolicyService>
    Service and service group names. The structure of service block is documented below.
    sessionTtl Integer
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck String
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts List<PolicySgt>
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile String
    Name of an existing Spam filter profile.
    srcVendorMacs List<PolicySrcVendorMac>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate String
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s List<PolicySrcaddr6>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate String
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs List<PolicySrcaddr>
    Source address and address group names. The structure of srcaddr block is documented below.
    sshFilterProfile String
    Name of an existing SSH filter profile.
    sshPolicyRedirect String
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror String
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs List<PolicySslMirrorIntf>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile String
    Name of an existing SSL SSH profile.
    status String
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver Integer
    Receiver TCP maximum segment size (MSS).
    tcpMssSender Integer
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn String
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst String
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos String
    ToS (Type of Service) value used for comparison.
    tosMask String
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate String
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper String
    Traffic shaper.
    trafficShaperReverse String
    Reverse traffic shaper.
    urlCategories List<PolicyUrlCategory>
    URL category ID list. The structure of url_category block is documented below.
    users List<PolicyUser>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus String
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid String
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile String
    Name of an existing VideoFilter profile.
    virtualPatchProfile String
    Name of an existing virtual-patch profile.
    vlanCosFwd Integer
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev Integer
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter String
    Set VLAN filters.
    voipProfile String
    Name of an existing VoIP (voipd) profile.
    vpntunnel String
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile String
    Name of an existing Web application firewall profile.
    wanopt String
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection String
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt String
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer String
    WAN optimization peer.
    wanoptProfile String
    WAN optimization profile.
    wccp String
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache String
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps String
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile String
    Name of an existing Web filter profile.
    webproxyForwardServer String
    Web proxy forward server name.
    webproxyProfile String
    Webproxy profile name.
    wsso String
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership String
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries List<PolicyZtnaEmsTagSecondary>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags List<PolicyZtnaEmsTag>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags List<PolicyZtnaGeoTag>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect String
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus String
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic String
    ZTNA tag matching logic. Valid values: or, and.
    dstintfs PolicyDstintf[]
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    srcintfs PolicySrcintf[]
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories PolicyAppCategory[]
    Application category ID list. The structure of app_category block is documented below.
    appGroups PolicyAppGroup[]
    Application group names. The structure of app_group block is documented below.
    applicationList string
    Name of an existing Application list.
    applications PolicyApplication[]
    Application ID list. The structure of application block is documented below.
    authCert string
    HTTPS server certificate for policy authentication.
    authPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile string
    Name of an existing Antivirus profile.
    blockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile string
    Name of an existing CASB profile.
    cifsProfile string
    Name of an existing CIFS profile.
    comments string
    Comment.
    customLogFields PolicyCustomLogField[]
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror string
    Decrypted traffic mirror.
    delayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices PolicyDevice[]
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile string
    Name of an existing Diameter filter profile.
    diffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward string
    Change packet's DiffServ to this value.
    diffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile string
    Name of an existing DLP profile.
    dlpSensor string
    Name of an existing DLP sensor.
    dnsfilterProfile string
    Name of an existing DNS filter profile.
    dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s PolicyDstaddr6[]
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs PolicyDstaddr[]
    Destination address and address group names. The structure of dstaddr block is documented below.
    dynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile string
    Name of an existing email filter profile.
    fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile string
    Name of an existing file-filter profile.
    firewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    fssoGroups PolicyFssoGroup[]
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    groups PolicyGroup[]
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile string
    Name of an existing ICAP profile.
    identityBasedRoute string
    Name of identity-based routing rule.
    inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups PolicyInternetService6CustomGroup[]
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs PolicyInternetService6Custom[]
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups PolicyInternetService6Group[]
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names PolicyInternetService6Name[]
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups PolicyInternetService6SrcCustomGroup[]
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms PolicyInternetService6SrcCustom[]
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups PolicyInternetService6SrcGroup[]
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames PolicyInternetService6SrcName[]
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups PolicyInternetServiceCustomGroup[]
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms PolicyInternetServiceCustom[]
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups PolicyInternetServiceGroup[]
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds PolicyInternetServiceId[]
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames PolicyInternetServiceName[]
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups PolicyInternetServiceSrcCustomGroup[]
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms PolicyInternetServiceSrcCustom[]
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups PolicyInternetServiceSrcGroup[]
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds PolicyInternetServiceSrcId[]
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames PolicyInternetServiceSrcName[]
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor string
    Name of an existing IPS sensor.
    ipsVoipFilter string
    Name of an existing VoIP (ips) profile.
    label string
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    matchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name string
    Policy name.
    nat string
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics PolicyNetworkServiceDynamic[]
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics PolicyNetworkServiceSrcDynamic[]
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers PolicyNtlmEnabledBrowser[]
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames PolicyPcpPoolname[]
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper string
    Per-IP traffic shaper.
    permitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    policyid number
    Policy ID.
    poolname6s PolicyPoolname6[]
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames PolicyPoolname[]
    IP Pool names. The structure of poolname block is documented below.
    portPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup string
    Name of profile group.
    profileProtocolOptions string
    Name of an existing Protocol options profile.
    profileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    reputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum number
    Minimum Reputation to take action.
    reputationMinimum6 number
    IPv6 Minimum Reputation to take action.
    rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs PolicyRtpAddr[]
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule string
    Schedule name.(Default is always)
    scheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile string
    Name of an existing SCTP filter profile.
    sendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services PolicyService[]
    Service and service group names. The structure of service block is documented below.
    sessionTtl number
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts PolicySgt[]
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile string
    Name of an existing Spam filter profile.
    srcVendorMacs PolicySrcVendorMac[]
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s PolicySrcaddr6[]
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs PolicySrcaddr[]
    Source address and address group names. The structure of srcaddr block is documented below.
    sshFilterProfile string
    Name of an existing SSH filter profile.
    sshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs PolicySslMirrorIntf[]
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile string
    Name of an existing SSL SSH profile.
    status string
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver number
    Receiver TCP maximum segment size (MSS).
    tcpMssSender number
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos string
    ToS (Type of Service) value used for comparison.
    tosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper string
    Traffic shaper.
    trafficShaperReverse string
    Reverse traffic shaper.
    urlCategories PolicyUrlCategory[]
    URL category ID list. The structure of url_category block is documented below.
    users PolicyUser[]
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile string
    Name of an existing VideoFilter profile.
    virtualPatchProfile string
    Name of an existing virtual-patch profile.
    vlanCosFwd number
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev number
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter string
    Set VLAN filters.
    voipProfile string
    Name of an existing VoIP (voipd) profile.
    vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile string
    Name of an existing Web application firewall profile.
    wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer string
    WAN optimization peer.
    wanoptProfile string
    WAN optimization profile.
    wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache string
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile string
    Name of an existing Web filter profile.
    webproxyForwardServer string
    Web proxy forward server name.
    webproxyProfile string
    Webproxy profile name.
    wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries PolicyZtnaEmsTagSecondary[]
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags PolicyZtnaEmsTag[]
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags PolicyZtnaGeoTag[]
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    dstintfs Sequence[PolicyDstintfArgs]
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    srcintfs Sequence[PolicySrcintfArgs]
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    action str
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    anti_replay str
    Enable/disable anti-replay check. Valid values: enable, disable.
    app_categories Sequence[PolicyAppCategoryArgs]
    Application category ID list. The structure of app_category block is documented below.
    app_groups Sequence[PolicyAppGroupArgs]
    Application group names. The structure of app_group block is documented below.
    application_list str
    Name of an existing Application list.
    applications Sequence[PolicyApplicationArgs]
    Application ID list. The structure of application block is documented below.
    auth_cert str
    HTTPS server certificate for policy authentication.
    auth_path str
    Enable/disable authentication-based routing. Valid values: enable, disable.
    auth_redirect_addr str
    HTTP-to-HTTPS redirect address for firewall authentication.
    auto_asic_offload str
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    av_profile str
    Name of an existing Antivirus profile.
    block_notification str
    Enable/disable block notification. Valid values: enable, disable.
    captive_portal_exempt str
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capture_packet str
    Enable/disable capture packets. Valid values: enable, disable.
    casb_profile str
    Name of an existing CASB profile.
    cifs_profile str
    Name of an existing CIFS profile.
    comments str
    Comment.
    custom_log_fields Sequence[PolicyCustomLogFieldArgs]
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decrypted_traffic_mirror str
    Decrypted traffic mirror.
    delay_tcp_npu_session str
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices Sequence[PolicyDeviceArgs]
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameter_filter_profile str
    Name of an existing Diameter filter profile.
    diffserv_copy str
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffserv_forward str
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffserv_reverse str
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcode_forward str
    Change packet's DiffServ to this value.
    diffservcode_rev str
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer str
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlp_profile str
    Name of an existing DLP profile.
    dlp_sensor str
    Name of an existing DLP sensor.
    dnsfilter_profile str
    Name of an existing DNS filter profile.
    dsri str
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6_negate str
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s Sequence[PolicyDstaddr6Args]
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddr_negate str
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs Sequence[PolicyDstaddrArgs]
    Destination address and address group names. The structure of dstaddr block is documented below.
    dynamic_shaping str
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamic_sort_subtable str
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    email_collect str
    Enable/disable email collection. Valid values: enable, disable.
    emailfilter_profile str
    Name of an existing email filter profile.
    fec str
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    file_filter_profile str
    Name of an existing file-filter profile.
    firewall_session_dirty str
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport str
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso str
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fsso_agent_for_ntlm str
    FSSO agent to use for NTLM authentication.
    fsso_groups Sequence[PolicyFssoGroupArgs]
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoip_anycast str
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoip_match str
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    get_all_tables str
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    global_label str
    Label for the policy that appears when the GUI is in Global View mode.
    groups Sequence[PolicyGroupArgs]
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    http_policy_redirect str
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icap_profile str
    Name of an existing ICAP profile.
    identity_based_route str
    Name of identity-based routing rule.
    inbound str
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspection_mode str
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internet_service str
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internet_service6 str
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internet_service6_custom_groups Sequence[PolicyInternetService6CustomGroupArgs]
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internet_service6_customs Sequence[PolicyInternetService6CustomArgs]
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internet_service6_groups Sequence[PolicyInternetService6GroupArgs]
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internet_service6_names Sequence[PolicyInternetService6NameArgs]
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internet_service6_negate str
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internet_service6_src str
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internet_service6_src_custom_groups Sequence[PolicyInternetService6SrcCustomGroupArgs]
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internet_service6_src_customs Sequence[PolicyInternetService6SrcCustomArgs]
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internet_service6_src_groups Sequence[PolicyInternetService6SrcGroupArgs]
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internet_service6_src_names Sequence[PolicyInternetService6SrcNameArgs]
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internet_service6_src_negate str
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internet_service_custom_groups Sequence[PolicyInternetServiceCustomGroupArgs]
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internet_service_customs Sequence[PolicyInternetServiceCustomArgs]
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internet_service_groups Sequence[PolicyInternetServiceGroupArgs]
    Internet Service group name. The structure of internet_service_group block is documented below.
    internet_service_ids Sequence[PolicyInternetServiceIdArgs]
    Internet Service ID. The structure of internet_service_id block is documented below.
    internet_service_names Sequence[PolicyInternetServiceNameArgs]
    Internet Service name. The structure of internet_service_name block is documented below.
    internet_service_negate str
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internet_service_src str
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internet_service_src_custom_groups Sequence[PolicyInternetServiceSrcCustomGroupArgs]
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internet_service_src_customs Sequence[PolicyInternetServiceSrcCustomArgs]
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internet_service_src_groups Sequence[PolicyInternetServiceSrcGroupArgs]
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internet_service_src_ids Sequence[PolicyInternetServiceSrcIdArgs]
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internet_service_src_names Sequence[PolicyInternetServiceSrcNameArgs]
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internet_service_src_negate str
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool str
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ips_sensor str
    Name of an existing IPS sensor.
    ips_voip_filter str
    Name of an existing VoIP (ips) profile.
    label str
    Label for the policy that appears when the GUI is in Section View mode.
    learning_mode str
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic str
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtraffic_start str
    Record logs when a session starts. Valid values: enable, disable.
    match_vip str
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    match_vip_only str
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name str
    Policy name.
    nat str
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 str
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 str
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound str
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip str
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound str
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    network_service_dynamics Sequence[PolicyNetworkServiceDynamicArgs]
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    network_service_src_dynamics Sequence[PolicyNetworkServiceSrcDynamicArgs]
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    np_acceleration str
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm str
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlm_enabled_browsers Sequence[PolicyNtlmEnabledBrowserArgs]
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlm_guest str
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound str
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passive_wan_health_measurement str
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcp_inbound str
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcp_outbound str
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcp_poolnames Sequence[PolicyPcpPoolnameArgs]
    PCP pool names. The structure of pcp_poolname block is documented below.
    per_ip_shaper str
    Per-IP traffic shaper.
    permit_any_host str
    Accept UDP packets from any host. Valid values: enable, disable.
    permit_stun_host str
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policy_expiry str
    Enable/disable policy expiry. Valid values: enable, disable.
    policy_expiry_date str
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policy_expiry_date_utc str
    Policy expiry date and time, in epoch format.
    policyid int
    Policy ID.
    poolname6s Sequence[PolicyPoolname6Args]
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames Sequence[PolicyPoolnameArgs]
    IP Pool names. The structure of poolname block is documented below.
    port_preserve str
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profile_group str
    Name of profile group.
    profile_protocol_options str
    Name of an existing Protocol options profile.
    profile_type str
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radius_mac_auth_bypass str
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirect_url str
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsg_override_group str
    Override the default replacement message group for this policy.
    reputation_direction str
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputation_direction6 str
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputation_minimum int
    Minimum Reputation to take action.
    reputation_minimum6 int
    IPv6 Minimum Reputation to take action.
    rsso str
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtp_addrs Sequence[PolicyRtpAddrArgs]
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtp_nat str
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scan_botnet_connections str
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule str
    Schedule name.(Default is always)
    schedule_timeout str
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctp_filter_profile str
    Name of an existing SCTP filter profile.
    send_deny_packet str
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    service_negate str
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services Sequence[PolicyServiceArgs]
    Service and service group names. The structure of service block is documented below.
    session_ttl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgt_check str
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts Sequence[PolicySgtArgs]
    Security group tags. The structure of sgt block is documented below.
    spamfilter_profile str
    Name of an existing Spam filter profile.
    src_vendor_macs Sequence[PolicySrcVendorMacArgs]
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6_negate str
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s Sequence[PolicySrcaddr6Args]
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddr_negate str
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs Sequence[PolicySrcaddrArgs]
    Source address and address group names. The structure of srcaddr block is documented below.
    ssh_filter_profile str
    Name of an existing SSH filter profile.
    ssh_policy_redirect str
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    ssl_mirror str
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    ssl_mirror_intfs Sequence[PolicySslMirrorIntfArgs]
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    ssl_ssh_profile str
    Name of an existing SSL SSH profile.
    status str
    Enable or disable this policy. Valid values: enable, disable.
    tcp_mss_receiver int
    Receiver TCP maximum segment size (MSS).
    tcp_mss_sender int
    Sender TCP maximum segment size (MSS).
    tcp_session_without_syn str
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeout_send_rst str
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos str
    ToS (Type of Service) value used for comparison.
    tos_mask str
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tos_negate str
    Enable negated TOS match. Valid values: enable, disable.
    traffic_shaper str
    Traffic shaper.
    traffic_shaper_reverse str
    Reverse traffic shaper.
    url_categories Sequence[PolicyUrlCategoryArgs]
    URL category ID list. The structure of url_category block is documented below.
    users Sequence[PolicyUserArgs]
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utm_status str
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid str
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam str
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilter_profile str
    Name of an existing VideoFilter profile.
    virtual_patch_profile str
    Name of an existing virtual-patch profile.
    vlan_cos_fwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlan_cos_rev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlan_filter str
    Set VLAN filters.
    voip_profile str
    Name of an existing VoIP (voipd) profile.
    vpntunnel str
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    waf_profile str
    Name of an existing Web application firewall profile.
    wanopt str
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanopt_detection str
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanopt_passive_opt str
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanopt_peer str
    WAN optimization peer.
    wanopt_profile str
    WAN optimization profile.
    wccp str
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache str
    Enable/disable web cache. Valid values: enable, disable.
    webcache_https str
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilter_profile str
    Name of an existing Web filter profile.
    webproxy_forward_server str
    Web proxy forward server name.
    webproxy_profile str
    Webproxy profile name.
    wsso str
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztna_device_ownership str
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztna_ems_tag_secondaries Sequence[PolicyZtnaEmsTagSecondaryArgs]
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztna_ems_tags Sequence[PolicyZtnaEmsTagArgs]
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztna_geo_tags Sequence[PolicyZtnaGeoTagArgs]
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztna_policy_redirect str
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztna_status str
    Enable/disable zero trust access. Valid values: enable, disable.
    ztna_tags_match_logic str
    ZTNA tag matching logic. Valid values: or, and.
    dstintfs List<Property Map>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    srcintfs List<Property Map>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    action String
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay String
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories List<Property Map>
    Application category ID list. The structure of app_category block is documented below.
    appGroups List<Property Map>
    Application group names. The structure of app_group block is documented below.
    applicationList String
    Name of an existing Application list.
    applications List<Property Map>
    Application ID list. The structure of application block is documented below.
    authCert String
    HTTPS server certificate for policy authentication.
    authPath String
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr String
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload String
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile String
    Name of an existing Antivirus profile.
    blockNotification String
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt String
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket String
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile String
    Name of an existing CASB profile.
    cifsProfile String
    Name of an existing CIFS profile.
    comments String
    Comment.
    customLogFields List<Property Map>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror String
    Decrypted traffic mirror.
    delayTcpNpuSession String
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices List<Property Map>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile String
    Name of an existing Diameter filter profile.
    diffservCopy String
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward String
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse String
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward String
    Change packet's DiffServ to this value.
    diffservcodeRev String
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer String
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile String
    Name of an existing DLP profile.
    dlpSensor String
    Name of an existing DLP sensor.
    dnsfilterProfile String
    Name of an existing DNS filter profile.
    dsri String
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate String
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s List<Property Map>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate String
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs List<Property Map>
    Destination address and address group names. The structure of dstaddr block is documented below.
    dynamicShaping String
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect String
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile String
    Name of an existing email filter profile.
    fec String
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile String
    Name of an existing file-filter profile.
    firewallSessionDirty String
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport String
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso String
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm String
    FSSO agent to use for NTLM authentication.
    fssoGroups List<Property Map>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast String
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch String
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel String
    Label for the policy that appears when the GUI is in Global View mode.
    groups List<Property Map>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect String
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile String
    Name of an existing ICAP profile.
    identityBasedRoute String
    Name of identity-based routing rule.
    inbound String
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode String
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService String
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 String
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups List<Property Map>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs List<Property Map>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups List<Property Map>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names List<Property Map>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate String
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src String
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups List<Property Map>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms List<Property Map>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups List<Property Map>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames List<Property Map>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate String
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups List<Property Map>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms List<Property Map>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups List<Property Map>
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds List<Property Map>
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames List<Property Map>
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate String
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc String
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups List<Property Map>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms List<Property Map>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups List<Property Map>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds List<Property Map>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames List<Property Map>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate String
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool String
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor String
    Name of an existing IPS sensor.
    ipsVoipFilter String
    Name of an existing VoIP (ips) profile.
    label String
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode String
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic String
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart String
    Record logs when a session starts. Valid values: enable, disable.
    matchVip String
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly String
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name String
    Policy name.
    nat String
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 String
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 String
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound String
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip String
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound String
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics List<Property Map>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics List<Property Map>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration String
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm String
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers List<Property Map>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest String
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound String
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement String
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound String
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound String
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames List<Property Map>
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper String
    Per-IP traffic shaper.
    permitAnyHost String
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost String
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry String
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate String
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc String
    Policy expiry date and time, in epoch format.
    policyid Number
    Policy ID.
    poolname6s List<Property Map>
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames List<Property Map>
    IP Pool names. The structure of poolname block is documented below.
    portPreserve String
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup String
    Name of profile group.
    profileProtocolOptions String
    Name of an existing Protocol options profile.
    profileType String
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass String
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl String
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup String
    Override the default replacement message group for this policy.
    reputationDirection String
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 String
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum Number
    Minimum Reputation to take action.
    reputationMinimum6 Number
    IPv6 Minimum Reputation to take action.
    rsso String
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs List<Property Map>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat String
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections String
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule String
    Schedule name.(Default is always)
    scheduleTimeout String
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile String
    Name of an existing SCTP filter profile.
    sendDenyPacket String
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate String
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services List<Property Map>
    Service and service group names. The structure of service block is documented below.
    sessionTtl Number
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck String
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts List<Property Map>
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile String
    Name of an existing Spam filter profile.
    srcVendorMacs List<Property Map>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate String
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s List<Property Map>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate String
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs List<Property Map>
    Source address and address group names. The structure of srcaddr block is documented below.
    sshFilterProfile String
    Name of an existing SSH filter profile.
    sshPolicyRedirect String
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror String
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs List<Property Map>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile String
    Name of an existing SSL SSH profile.
    status String
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver Number
    Receiver TCP maximum segment size (MSS).
    tcpMssSender Number
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn String
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst String
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos String
    ToS (Type of Service) value used for comparison.
    tosMask String
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate String
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper String
    Traffic shaper.
    trafficShaperReverse String
    Reverse traffic shaper.
    urlCategories List<Property Map>
    URL category ID list. The structure of url_category block is documented below.
    users List<Property Map>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus String
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid String
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile String
    Name of an existing VideoFilter profile.
    virtualPatchProfile String
    Name of an existing virtual-patch profile.
    vlanCosFwd Number
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev Number
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter String
    Set VLAN filters.
    voipProfile String
    Name of an existing VoIP (voipd) profile.
    vpntunnel String
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile String
    Name of an existing Web application firewall profile.
    wanopt String
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection String
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt String
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer String
    WAN optimization peer.
    wanoptProfile String
    WAN optimization profile.
    wccp String
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache String
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps String
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile String
    Name of an existing Web filter profile.
    webproxyForwardServer String
    Web proxy forward server name.
    webproxyProfile String
    Webproxy profile name.
    wsso String
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership String
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries List<Property Map>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags List<Property Map>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags List<Property Map>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect String
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus String
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic String
    ZTNA tag matching logic. Valid values: or, and.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Policy Resource

    Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            action: Optional[str] = None,
            anti_replay: Optional[str] = None,
            app_categories: Optional[Sequence[PolicyAppCategoryArgs]] = None,
            app_groups: Optional[Sequence[PolicyAppGroupArgs]] = None,
            application_list: Optional[str] = None,
            applications: Optional[Sequence[PolicyApplicationArgs]] = None,
            auth_cert: Optional[str] = None,
            auth_path: Optional[str] = None,
            auth_redirect_addr: Optional[str] = None,
            auto_asic_offload: Optional[str] = None,
            av_profile: Optional[str] = None,
            block_notification: Optional[str] = None,
            captive_portal_exempt: Optional[str] = None,
            capture_packet: Optional[str] = None,
            casb_profile: Optional[str] = None,
            cifs_profile: Optional[str] = None,
            comments: Optional[str] = None,
            custom_log_fields: Optional[Sequence[PolicyCustomLogFieldArgs]] = None,
            decrypted_traffic_mirror: Optional[str] = None,
            delay_tcp_npu_session: Optional[str] = None,
            devices: Optional[Sequence[PolicyDeviceArgs]] = None,
            diameter_filter_profile: Optional[str] = None,
            diffserv_copy: Optional[str] = None,
            diffserv_forward: Optional[str] = None,
            diffserv_reverse: Optional[str] = None,
            diffservcode_forward: Optional[str] = None,
            diffservcode_rev: Optional[str] = None,
            disclaimer: Optional[str] = None,
            dlp_profile: Optional[str] = None,
            dlp_sensor: Optional[str] = None,
            dnsfilter_profile: Optional[str] = None,
            dsri: Optional[str] = None,
            dstaddr6_negate: Optional[str] = None,
            dstaddr6s: Optional[Sequence[PolicyDstaddr6Args]] = None,
            dstaddr_negate: Optional[str] = None,
            dstaddrs: Optional[Sequence[PolicyDstaddrArgs]] = None,
            dstintfs: Optional[Sequence[PolicyDstintfArgs]] = None,
            dynamic_shaping: Optional[str] = None,
            dynamic_sort_subtable: Optional[str] = None,
            email_collect: Optional[str] = None,
            emailfilter_profile: Optional[str] = None,
            fec: Optional[str] = None,
            file_filter_profile: Optional[str] = None,
            firewall_session_dirty: Optional[str] = None,
            fixedport: Optional[str] = None,
            fsso: Optional[str] = None,
            fsso_agent_for_ntlm: Optional[str] = None,
            fsso_groups: Optional[Sequence[PolicyFssoGroupArgs]] = None,
            geoip_anycast: Optional[str] = None,
            geoip_match: Optional[str] = None,
            get_all_tables: Optional[str] = None,
            global_label: Optional[str] = None,
            groups: Optional[Sequence[PolicyGroupArgs]] = None,
            http_policy_redirect: Optional[str] = None,
            icap_profile: Optional[str] = None,
            identity_based_route: Optional[str] = None,
            inbound: Optional[str] = None,
            inspection_mode: Optional[str] = None,
            internet_service: Optional[str] = None,
            internet_service6: Optional[str] = None,
            internet_service6_custom_groups: Optional[Sequence[PolicyInternetService6CustomGroupArgs]] = None,
            internet_service6_customs: Optional[Sequence[PolicyInternetService6CustomArgs]] = None,
            internet_service6_groups: Optional[Sequence[PolicyInternetService6GroupArgs]] = None,
            internet_service6_names: Optional[Sequence[PolicyInternetService6NameArgs]] = None,
            internet_service6_negate: Optional[str] = None,
            internet_service6_src: Optional[str] = None,
            internet_service6_src_custom_groups: Optional[Sequence[PolicyInternetService6SrcCustomGroupArgs]] = None,
            internet_service6_src_customs: Optional[Sequence[PolicyInternetService6SrcCustomArgs]] = None,
            internet_service6_src_groups: Optional[Sequence[PolicyInternetService6SrcGroupArgs]] = None,
            internet_service6_src_names: Optional[Sequence[PolicyInternetService6SrcNameArgs]] = None,
            internet_service6_src_negate: Optional[str] = None,
            internet_service_custom_groups: Optional[Sequence[PolicyInternetServiceCustomGroupArgs]] = None,
            internet_service_customs: Optional[Sequence[PolicyInternetServiceCustomArgs]] = None,
            internet_service_groups: Optional[Sequence[PolicyInternetServiceGroupArgs]] = None,
            internet_service_ids: Optional[Sequence[PolicyInternetServiceIdArgs]] = None,
            internet_service_names: Optional[Sequence[PolicyInternetServiceNameArgs]] = None,
            internet_service_negate: Optional[str] = None,
            internet_service_src: Optional[str] = None,
            internet_service_src_custom_groups: Optional[Sequence[PolicyInternetServiceSrcCustomGroupArgs]] = None,
            internet_service_src_customs: Optional[Sequence[PolicyInternetServiceSrcCustomArgs]] = None,
            internet_service_src_groups: Optional[Sequence[PolicyInternetServiceSrcGroupArgs]] = None,
            internet_service_src_ids: Optional[Sequence[PolicyInternetServiceSrcIdArgs]] = None,
            internet_service_src_names: Optional[Sequence[PolicyInternetServiceSrcNameArgs]] = None,
            internet_service_src_negate: Optional[str] = None,
            ippool: Optional[str] = None,
            ips_sensor: Optional[str] = None,
            ips_voip_filter: Optional[str] = None,
            label: Optional[str] = None,
            learning_mode: Optional[str] = None,
            logtraffic: Optional[str] = None,
            logtraffic_start: Optional[str] = None,
            match_vip: Optional[str] = None,
            match_vip_only: Optional[str] = None,
            name: Optional[str] = None,
            nat: Optional[str] = None,
            nat46: Optional[str] = None,
            nat64: Optional[str] = None,
            natinbound: Optional[str] = None,
            natip: Optional[str] = None,
            natoutbound: Optional[str] = None,
            network_service_dynamics: Optional[Sequence[PolicyNetworkServiceDynamicArgs]] = None,
            network_service_src_dynamics: Optional[Sequence[PolicyNetworkServiceSrcDynamicArgs]] = None,
            np_acceleration: Optional[str] = None,
            ntlm: Optional[str] = None,
            ntlm_enabled_browsers: Optional[Sequence[PolicyNtlmEnabledBrowserArgs]] = None,
            ntlm_guest: Optional[str] = None,
            outbound: Optional[str] = None,
            passive_wan_health_measurement: Optional[str] = None,
            pcp_inbound: Optional[str] = None,
            pcp_outbound: Optional[str] = None,
            pcp_poolnames: Optional[Sequence[PolicyPcpPoolnameArgs]] = None,
            per_ip_shaper: Optional[str] = None,
            permit_any_host: Optional[str] = None,
            permit_stun_host: Optional[str] = None,
            policy_expiry: Optional[str] = None,
            policy_expiry_date: Optional[str] = None,
            policy_expiry_date_utc: Optional[str] = None,
            policyid: Optional[int] = None,
            poolname6s: Optional[Sequence[PolicyPoolname6Args]] = None,
            poolnames: Optional[Sequence[PolicyPoolnameArgs]] = None,
            port_preserve: Optional[str] = None,
            profile_group: Optional[str] = None,
            profile_protocol_options: Optional[str] = None,
            profile_type: Optional[str] = None,
            radius_mac_auth_bypass: Optional[str] = None,
            redirect_url: Optional[str] = None,
            replacemsg_override_group: Optional[str] = None,
            reputation_direction: Optional[str] = None,
            reputation_direction6: Optional[str] = None,
            reputation_minimum: Optional[int] = None,
            reputation_minimum6: Optional[int] = None,
            rsso: Optional[str] = None,
            rtp_addrs: Optional[Sequence[PolicyRtpAddrArgs]] = None,
            rtp_nat: Optional[str] = None,
            scan_botnet_connections: Optional[str] = None,
            schedule: Optional[str] = None,
            schedule_timeout: Optional[str] = None,
            sctp_filter_profile: Optional[str] = None,
            send_deny_packet: Optional[str] = None,
            service_negate: Optional[str] = None,
            services: Optional[Sequence[PolicyServiceArgs]] = None,
            session_ttl: Optional[int] = None,
            sgt_check: Optional[str] = None,
            sgts: Optional[Sequence[PolicySgtArgs]] = None,
            spamfilter_profile: Optional[str] = None,
            src_vendor_macs: Optional[Sequence[PolicySrcVendorMacArgs]] = None,
            srcaddr6_negate: Optional[str] = None,
            srcaddr6s: Optional[Sequence[PolicySrcaddr6Args]] = None,
            srcaddr_negate: Optional[str] = None,
            srcaddrs: Optional[Sequence[PolicySrcaddrArgs]] = None,
            srcintfs: Optional[Sequence[PolicySrcintfArgs]] = None,
            ssh_filter_profile: Optional[str] = None,
            ssh_policy_redirect: Optional[str] = None,
            ssl_mirror: Optional[str] = None,
            ssl_mirror_intfs: Optional[Sequence[PolicySslMirrorIntfArgs]] = None,
            ssl_ssh_profile: Optional[str] = None,
            status: Optional[str] = None,
            tcp_mss_receiver: Optional[int] = None,
            tcp_mss_sender: Optional[int] = None,
            tcp_session_without_syn: Optional[str] = None,
            timeout_send_rst: Optional[str] = None,
            tos: Optional[str] = None,
            tos_mask: Optional[str] = None,
            tos_negate: Optional[str] = None,
            traffic_shaper: Optional[str] = None,
            traffic_shaper_reverse: Optional[str] = None,
            url_categories: Optional[Sequence[PolicyUrlCategoryArgs]] = None,
            users: Optional[Sequence[PolicyUserArgs]] = None,
            utm_status: Optional[str] = None,
            uuid: Optional[str] = None,
            vdomparam: Optional[str] = None,
            videofilter_profile: Optional[str] = None,
            virtual_patch_profile: Optional[str] = None,
            vlan_cos_fwd: Optional[int] = None,
            vlan_cos_rev: Optional[int] = None,
            vlan_filter: Optional[str] = None,
            voip_profile: Optional[str] = None,
            vpntunnel: Optional[str] = None,
            waf_profile: Optional[str] = None,
            wanopt: Optional[str] = None,
            wanopt_detection: Optional[str] = None,
            wanopt_passive_opt: Optional[str] = None,
            wanopt_peer: Optional[str] = None,
            wanopt_profile: Optional[str] = None,
            wccp: Optional[str] = None,
            webcache: Optional[str] = None,
            webcache_https: Optional[str] = None,
            webfilter_profile: Optional[str] = None,
            webproxy_forward_server: Optional[str] = None,
            webproxy_profile: Optional[str] = None,
            wsso: Optional[str] = None,
            ztna_device_ownership: Optional[str] = None,
            ztna_ems_tag_secondaries: Optional[Sequence[PolicyZtnaEmsTagSecondaryArgs]] = None,
            ztna_ems_tags: Optional[Sequence[PolicyZtnaEmsTagArgs]] = None,
            ztna_geo_tags: Optional[Sequence[PolicyZtnaGeoTagArgs]] = None,
            ztna_policy_redirect: Optional[str] = None,
            ztna_status: Optional[str] = None,
            ztna_tags_match_logic: Optional[str] = None) -> Policy
    func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
    public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
    public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    AntiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    AppCategories List<Pulumiverse.Fortios.Firewall.Inputs.PolicyAppCategory>
    Application category ID list. The structure of app_category block is documented below.
    AppGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyAppGroup>
    Application group names. The structure of app_group block is documented below.
    ApplicationList string
    Name of an existing Application list.
    Applications List<Pulumiverse.Fortios.Firewall.Inputs.PolicyApplication>
    Application ID list. The structure of application block is documented below.
    AuthCert string
    HTTPS server certificate for policy authentication.
    AuthPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    AuthRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    AutoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    AvProfile string
    Name of an existing Antivirus profile.
    BlockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    CaptivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    CapturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    CasbProfile string
    Name of an existing CASB profile.
    CifsProfile string
    Name of an existing CIFS profile.
    Comments string
    Comment.
    CustomLogFields List<Pulumiverse.Fortios.Firewall.Inputs.PolicyCustomLogField>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    DecryptedTrafficMirror string
    Decrypted traffic mirror.
    DelayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    Devices List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDevice>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    DiameterFilterProfile string
    Name of an existing Diameter filter profile.
    DiffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    DiffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    DiffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    DiffservcodeForward string
    Change packet's DiffServ to this value.
    DiffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    Disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    DlpProfile string
    Name of an existing DLP profile.
    DlpSensor string
    Name of an existing DLP sensor.
    DnsfilterProfile string
    Name of an existing DNS filter profile.
    Dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    Dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddr6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstaddr6>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    DstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstaddr>
    Destination address and address group names. The structure of dstaddr block is documented below.
    Dstintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyDstintf>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    DynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    EmailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    EmailfilterProfile string
    Name of an existing email filter profile.
    Fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    FileFilterProfile string
    Name of an existing file-filter profile.
    FirewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    Fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    Fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    FssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    FssoGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyFssoGroup>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    GeoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    GeoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GlobalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyGroup>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    HttpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    IcapProfile string
    Name of an existing ICAP profile.
    IdentityBasedRoute string
    Name of identity-based routing rule.
    Inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    InspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    InternetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6CustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6CustomGroup>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    InternetService6Customs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Custom>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    InternetService6Groups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Group>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    InternetService6Names List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6Name>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    InternetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    InternetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetService6SrcCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcCustomGroup>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    InternetService6SrcCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcCustom>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    InternetService6SrcGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcGroup>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    InternetService6SrcNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetService6SrcName>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    InternetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceCustomGroup>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    InternetServiceCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceCustom>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    InternetServiceGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceGroup>
    Internet Service group name. The structure of internet_service_group block is documented below.
    InternetServiceIds List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceId>
    Internet Service ID. The structure of internet_service_id block is documented below.
    InternetServiceNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceName>
    Internet Service name. The structure of internet_service_name block is documented below.
    InternetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetServiceSrcCustomGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustomGroup>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    InternetServiceSrcCustoms List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcCustom>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    InternetServiceSrcGroups List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcGroup>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    InternetServiceSrcIds List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcId>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    InternetServiceSrcNames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyInternetServiceSrcName>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    InternetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    Ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    IpsSensor string
    Name of an existing IPS sensor.
    IpsVoipFilter string
    Name of an existing VoIP (ips) profile.
    Label string
    Label for the policy that appears when the GUI is in Section View mode.
    LearningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    Logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    LogtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    MatchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    MatchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    Name string
    Policy name.
    Nat string
    Enable/disable source NAT. Valid values: enable, disable.
    Nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    Nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    Natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    Natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    Natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    NetworkServiceDynamics List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNetworkServiceDynamic>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    NetworkServiceSrcDynamics List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNetworkServiceSrcDynamic>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    NpAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    Ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    NtlmEnabledBrowsers List<Pulumiverse.Fortios.Firewall.Inputs.PolicyNtlmEnabledBrowser>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    NtlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    Outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    PassiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    PcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    PcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    PcpPoolnames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPcpPoolname>
    PCP pool names. The structure of pcp_poolname block is documented below.
    PerIpShaper string
    Per-IP traffic shaper.
    PermitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    PermitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    PolicyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    PolicyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    PolicyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    Policyid int
    Policy ID.
    Poolname6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPoolname6>
    IPv6 pool names. The structure of poolname6 block is documented below.
    Poolnames List<Pulumiverse.Fortios.Firewall.Inputs.PolicyPoolname>
    IP Pool names. The structure of poolname block is documented below.
    PortPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    ProfileGroup string
    Name of profile group.
    ProfileProtocolOptions string
    Name of an existing Protocol options profile.
    ProfileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    RadiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    RedirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    ReplacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    ReputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    ReputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    ReputationMinimum int
    Minimum Reputation to take action.
    ReputationMinimum6 int
    IPv6 Minimum Reputation to take action.
    Rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    RtpAddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicyRtpAddr>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    RtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    ScanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    Schedule string
    Schedule name.(Default is always)
    ScheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    SctpFilterProfile string
    Name of an existing SCTP filter profile.
    SendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    ServiceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    Services List<Pulumiverse.Fortios.Firewall.Inputs.PolicyService>
    Service and service group names. The structure of service block is documented below.
    SessionTtl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    SgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    Sgts List<Pulumiverse.Fortios.Firewall.Inputs.PolicySgt>
    Security group tags. The structure of sgt block is documented below.
    SpamfilterProfile string
    Name of an existing Spam filter profile.
    SrcVendorMacs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcVendorMac>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    Srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddr6s List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcaddr6>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    SrcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddrs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcaddr>
    Source address and address group names. The structure of srcaddr block is documented below.
    Srcintfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySrcintf>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    SshFilterProfile string
    Name of an existing SSH filter profile.
    SshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    SslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    SslMirrorIntfs List<Pulumiverse.Fortios.Firewall.Inputs.PolicySslMirrorIntf>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    SslSshProfile string
    Name of an existing SSL SSH profile.
    Status string
    Enable or disable this policy. Valid values: enable, disable.
    TcpMssReceiver int
    Receiver TCP maximum segment size (MSS).
    TcpMssSender int
    Sender TCP maximum segment size (MSS).
    TcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    TimeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    Tos string
    ToS (Type of Service) value used for comparison.
    TosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    TosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    TrafficShaper string
    Traffic shaper.
    TrafficShaperReverse string
    Reverse traffic shaper.
    UrlCategories List<Pulumiverse.Fortios.Firewall.Inputs.PolicyUrlCategory>
    URL category ID list. The structure of url_category block is documented below.
    Users List<Pulumiverse.Fortios.Firewall.Inputs.PolicyUser>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    UtmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    Uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    VideofilterProfile string
    Name of an existing VideoFilter profile.
    VirtualPatchProfile string
    Name of an existing virtual-patch profile.
    VlanCosFwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanCosRev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanFilter string
    Set VLAN filters.
    VoipProfile string
    Name of an existing VoIP (voipd) profile.
    Vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    WafProfile string
    Name of an existing Web application firewall profile.
    Wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    WanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    WanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    WanoptPeer string
    WAN optimization peer.
    WanoptProfile string
    WAN optimization profile.
    Wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    Webcache string
    Enable/disable web cache. Valid values: enable, disable.
    WebcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    WebfilterProfile string
    Name of an existing Web filter profile.
    WebproxyForwardServer string
    Web proxy forward server name.
    WebproxyProfile string
    Webproxy profile name.
    Wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ZtnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ZtnaEmsTagSecondaries List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTagSecondary>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ZtnaEmsTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaEmsTag>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ZtnaGeoTags List<Pulumiverse.Fortios.Firewall.Inputs.PolicyZtnaGeoTag>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ZtnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ZtnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ZtnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    Action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    AntiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    AppCategories []PolicyAppCategoryArgs
    Application category ID list. The structure of app_category block is documented below.
    AppGroups []PolicyAppGroupArgs
    Application group names. The structure of app_group block is documented below.
    ApplicationList string
    Name of an existing Application list.
    Applications []PolicyApplicationArgs
    Application ID list. The structure of application block is documented below.
    AuthCert string
    HTTPS server certificate for policy authentication.
    AuthPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    AuthRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    AutoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    AvProfile string
    Name of an existing Antivirus profile.
    BlockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    CaptivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    CapturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    CasbProfile string
    Name of an existing CASB profile.
    CifsProfile string
    Name of an existing CIFS profile.
    Comments string
    Comment.
    CustomLogFields []PolicyCustomLogFieldArgs
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    DecryptedTrafficMirror string
    Decrypted traffic mirror.
    DelayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    Devices []PolicyDeviceArgs
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    DiameterFilterProfile string
    Name of an existing Diameter filter profile.
    DiffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    DiffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    DiffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    DiffservcodeForward string
    Change packet's DiffServ to this value.
    DiffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    Disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    DlpProfile string
    Name of an existing DLP profile.
    DlpSensor string
    Name of an existing DLP sensor.
    DnsfilterProfile string
    Name of an existing DNS filter profile.
    Dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    Dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddr6s []PolicyDstaddr6Args
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    DstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    Dstaddrs []PolicyDstaddrArgs
    Destination address and address group names. The structure of dstaddr block is documented below.
    Dstintfs []PolicyDstintfArgs
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    DynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    DynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    EmailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    EmailfilterProfile string
    Name of an existing email filter profile.
    Fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    FileFilterProfile string
    Name of an existing file-filter profile.
    FirewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    Fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    Fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    FssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    FssoGroups []PolicyFssoGroupArgs
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    GeoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    GeoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    GetAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    GlobalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    Groups []PolicyGroupArgs
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    HttpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    IcapProfile string
    Name of an existing ICAP profile.
    IdentityBasedRoute string
    Name of identity-based routing rule.
    Inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    InspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    InternetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    InternetService6CustomGroups []PolicyInternetService6CustomGroupArgs
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    InternetService6Customs []PolicyInternetService6CustomArgs
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    InternetService6Groups []PolicyInternetService6GroupArgs
    Internet Service group name. The structure of internet_service6_group block is documented below.
    InternetService6Names []PolicyInternetService6NameArgs
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    InternetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    InternetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetService6SrcCustomGroups []PolicyInternetService6SrcCustomGroupArgs
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    InternetService6SrcCustoms []PolicyInternetService6SrcCustomArgs
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    InternetService6SrcGroups []PolicyInternetService6SrcGroupArgs
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    InternetService6SrcNames []PolicyInternetService6SrcNameArgs
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    InternetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceCustomGroups []PolicyInternetServiceCustomGroupArgs
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    InternetServiceCustoms []PolicyInternetServiceCustomArgs
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    InternetServiceGroups []PolicyInternetServiceGroupArgs
    Internet Service group name. The structure of internet_service_group block is documented below.
    InternetServiceIds []PolicyInternetServiceIdArgs
    Internet Service ID. The structure of internet_service_id block is documented below.
    InternetServiceNames []PolicyInternetServiceNameArgs
    Internet Service name. The structure of internet_service_name block is documented below.
    InternetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    InternetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    InternetServiceSrcCustomGroups []PolicyInternetServiceSrcCustomGroupArgs
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    InternetServiceSrcCustoms []PolicyInternetServiceSrcCustomArgs
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    InternetServiceSrcGroups []PolicyInternetServiceSrcGroupArgs
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    InternetServiceSrcIds []PolicyInternetServiceSrcIdArgs
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    InternetServiceSrcNames []PolicyInternetServiceSrcNameArgs
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    InternetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    Ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    IpsSensor string
    Name of an existing IPS sensor.
    IpsVoipFilter string
    Name of an existing VoIP (ips) profile.
    Label string
    Label for the policy that appears when the GUI is in Section View mode.
    LearningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    Logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    LogtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    MatchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    MatchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    Name string
    Policy name.
    Nat string
    Enable/disable source NAT. Valid values: enable, disable.
    Nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    Nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    Natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    Natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    Natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    NetworkServiceDynamics []PolicyNetworkServiceDynamicArgs
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    NetworkServiceSrcDynamics []PolicyNetworkServiceSrcDynamicArgs
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    NpAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    Ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    NtlmEnabledBrowsers []PolicyNtlmEnabledBrowserArgs
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    NtlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    Outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    PassiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    PcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    PcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    PcpPoolnames []PolicyPcpPoolnameArgs
    PCP pool names. The structure of pcp_poolname block is documented below.
    PerIpShaper string
    Per-IP traffic shaper.
    PermitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    PermitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    PolicyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    PolicyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    PolicyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    Policyid int
    Policy ID.
    Poolname6s []PolicyPoolname6Args
    IPv6 pool names. The structure of poolname6 block is documented below.
    Poolnames []PolicyPoolnameArgs
    IP Pool names. The structure of poolname block is documented below.
    PortPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    ProfileGroup string
    Name of profile group.
    ProfileProtocolOptions string
    Name of an existing Protocol options profile.
    ProfileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    RadiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    RedirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    ReplacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    ReputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    ReputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    ReputationMinimum int
    Minimum Reputation to take action.
    ReputationMinimum6 int
    IPv6 Minimum Reputation to take action.
    Rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    RtpAddrs []PolicyRtpAddrArgs
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    RtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    ScanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    Schedule string
    Schedule name.(Default is always)
    ScheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    SctpFilterProfile string
    Name of an existing SCTP filter profile.
    SendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    ServiceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    Services []PolicyServiceArgs
    Service and service group names. The structure of service block is documented below.
    SessionTtl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    SgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    Sgts []PolicySgtArgs
    Security group tags. The structure of sgt block is documented below.
    SpamfilterProfile string
    Name of an existing Spam filter profile.
    SrcVendorMacs []PolicySrcVendorMacArgs
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    Srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddr6s []PolicySrcaddr6Args
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    SrcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    Srcaddrs []PolicySrcaddrArgs
    Source address and address group names. The structure of srcaddr block is documented below.
    Srcintfs []PolicySrcintfArgs
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    SshFilterProfile string
    Name of an existing SSH filter profile.
    SshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    SslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    SslMirrorIntfs []PolicySslMirrorIntfArgs
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    SslSshProfile string
    Name of an existing SSL SSH profile.
    Status string
    Enable or disable this policy. Valid values: enable, disable.
    TcpMssReceiver int
    Receiver TCP maximum segment size (MSS).
    TcpMssSender int
    Sender TCP maximum segment size (MSS).
    TcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    TimeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    Tos string
    ToS (Type of Service) value used for comparison.
    TosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    TosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    TrafficShaper string
    Traffic shaper.
    TrafficShaperReverse string
    Reverse traffic shaper.
    UrlCategories []PolicyUrlCategoryArgs
    URL category ID list. The structure of url_category block is documented below.
    Users []PolicyUserArgs
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    UtmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    Uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    Vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    VideofilterProfile string
    Name of an existing VideoFilter profile.
    VirtualPatchProfile string
    Name of an existing virtual-patch profile.
    VlanCosFwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanCosRev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    VlanFilter string
    Set VLAN filters.
    VoipProfile string
    Name of an existing VoIP (voipd) profile.
    Vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    WafProfile string
    Name of an existing Web application firewall profile.
    Wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    WanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    WanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    WanoptPeer string
    WAN optimization peer.
    WanoptProfile string
    WAN optimization profile.
    Wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    Webcache string
    Enable/disable web cache. Valid values: enable, disable.
    WebcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    WebfilterProfile string
    Name of an existing Web filter profile.
    WebproxyForwardServer string
    Web proxy forward server name.
    WebproxyProfile string
    Webproxy profile name.
    Wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ZtnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ZtnaEmsTagSecondaries []PolicyZtnaEmsTagSecondaryArgs
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ZtnaEmsTags []PolicyZtnaEmsTagArgs
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ZtnaGeoTags []PolicyZtnaGeoTagArgs
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ZtnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ZtnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ZtnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    action String
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay String
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories List<PolicyAppCategory>
    Application category ID list. The structure of app_category block is documented below.
    appGroups List<PolicyAppGroup>
    Application group names. The structure of app_group block is documented below.
    applicationList String
    Name of an existing Application list.
    applications List<PolicyApplication>
    Application ID list. The structure of application block is documented below.
    authCert String
    HTTPS server certificate for policy authentication.
    authPath String
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr String
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload String
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile String
    Name of an existing Antivirus profile.
    blockNotification String
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt String
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket String
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile String
    Name of an existing CASB profile.
    cifsProfile String
    Name of an existing CIFS profile.
    comments String
    Comment.
    customLogFields List<PolicyCustomLogField>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror String
    Decrypted traffic mirror.
    delayTcpNpuSession String
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices List<PolicyDevice>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile String
    Name of an existing Diameter filter profile.
    diffservCopy String
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward String
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse String
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward String
    Change packet's DiffServ to this value.
    diffservcodeRev String
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer String
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile String
    Name of an existing DLP profile.
    dlpSensor String
    Name of an existing DLP sensor.
    dnsfilterProfile String
    Name of an existing DNS filter profile.
    dsri String
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate String
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s List<PolicyDstaddr6>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate String
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs List<PolicyDstaddr>
    Destination address and address group names. The structure of dstaddr block is documented below.
    dstintfs List<PolicyDstintf>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    dynamicShaping String
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect String
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile String
    Name of an existing email filter profile.
    fec String
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile String
    Name of an existing file-filter profile.
    firewallSessionDirty String
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport String
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso String
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm String
    FSSO agent to use for NTLM authentication.
    fssoGroups List<PolicyFssoGroup>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast String
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch String
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel String
    Label for the policy that appears when the GUI is in Global View mode.
    groups List<PolicyGroup>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect String
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile String
    Name of an existing ICAP profile.
    identityBasedRoute String
    Name of identity-based routing rule.
    inbound String
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode String
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService String
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 String
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups List<PolicyInternetService6CustomGroup>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs List<PolicyInternetService6Custom>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups List<PolicyInternetService6Group>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names List<PolicyInternetService6Name>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate String
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src String
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups List<PolicyInternetService6SrcCustomGroup>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms List<PolicyInternetService6SrcCustom>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups List<PolicyInternetService6SrcGroup>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames List<PolicyInternetService6SrcName>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate String
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups List<PolicyInternetServiceCustomGroup>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms List<PolicyInternetServiceCustom>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups List<PolicyInternetServiceGroup>
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds List<PolicyInternetServiceId>
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames List<PolicyInternetServiceName>
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate String
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc String
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups List<PolicyInternetServiceSrcCustomGroup>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms List<PolicyInternetServiceSrcCustom>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups List<PolicyInternetServiceSrcGroup>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds List<PolicyInternetServiceSrcId>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames List<PolicyInternetServiceSrcName>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate String
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool String
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor String
    Name of an existing IPS sensor.
    ipsVoipFilter String
    Name of an existing VoIP (ips) profile.
    label String
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode String
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic String
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart String
    Record logs when a session starts. Valid values: enable, disable.
    matchVip String
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly String
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name String
    Policy name.
    nat String
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 String
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 String
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound String
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip String
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound String
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics List<PolicyNetworkServiceDynamic>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics List<PolicyNetworkServiceSrcDynamic>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration String
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm String
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers List<PolicyNtlmEnabledBrowser>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest String
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound String
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement String
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound String
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound String
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames List<PolicyPcpPoolname>
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper String
    Per-IP traffic shaper.
    permitAnyHost String
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost String
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry String
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate String
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc String
    Policy expiry date and time, in epoch format.
    policyid Integer
    Policy ID.
    poolname6s List<PolicyPoolname6>
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames List<PolicyPoolname>
    IP Pool names. The structure of poolname block is documented below.
    portPreserve String
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup String
    Name of profile group.
    profileProtocolOptions String
    Name of an existing Protocol options profile.
    profileType String
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass String
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl String
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup String
    Override the default replacement message group for this policy.
    reputationDirection String
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 String
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum Integer
    Minimum Reputation to take action.
    reputationMinimum6 Integer
    IPv6 Minimum Reputation to take action.
    rsso String
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs List<PolicyRtpAddr>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat String
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections String
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule String
    Schedule name.(Default is always)
    scheduleTimeout String
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile String
    Name of an existing SCTP filter profile.
    sendDenyPacket String
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate String
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services List<PolicyService>
    Service and service group names. The structure of service block is documented below.
    sessionTtl Integer
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck String
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts List<PolicySgt>
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile String
    Name of an existing Spam filter profile.
    srcVendorMacs List<PolicySrcVendorMac>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate String
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s List<PolicySrcaddr6>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate String
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs List<PolicySrcaddr>
    Source address and address group names. The structure of srcaddr block is documented below.
    srcintfs List<PolicySrcintf>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    sshFilterProfile String
    Name of an existing SSH filter profile.
    sshPolicyRedirect String
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror String
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs List<PolicySslMirrorIntf>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile String
    Name of an existing SSL SSH profile.
    status String
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver Integer
    Receiver TCP maximum segment size (MSS).
    tcpMssSender Integer
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn String
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst String
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos String
    ToS (Type of Service) value used for comparison.
    tosMask String
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate String
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper String
    Traffic shaper.
    trafficShaperReverse String
    Reverse traffic shaper.
    urlCategories List<PolicyUrlCategory>
    URL category ID list. The structure of url_category block is documented below.
    users List<PolicyUser>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus String
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid String
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile String
    Name of an existing VideoFilter profile.
    virtualPatchProfile String
    Name of an existing virtual-patch profile.
    vlanCosFwd Integer
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev Integer
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter String
    Set VLAN filters.
    voipProfile String
    Name of an existing VoIP (voipd) profile.
    vpntunnel String
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile String
    Name of an existing Web application firewall profile.
    wanopt String
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection String
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt String
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer String
    WAN optimization peer.
    wanoptProfile String
    WAN optimization profile.
    wccp String
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache String
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps String
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile String
    Name of an existing Web filter profile.
    webproxyForwardServer String
    Web proxy forward server name.
    webproxyProfile String
    Webproxy profile name.
    wsso String
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership String
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries List<PolicyZtnaEmsTagSecondary>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags List<PolicyZtnaEmsTag>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags List<PolicyZtnaGeoTag>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect String
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus String
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic String
    ZTNA tag matching logic. Valid values: or, and.
    action string
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay string
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories PolicyAppCategory[]
    Application category ID list. The structure of app_category block is documented below.
    appGroups PolicyAppGroup[]
    Application group names. The structure of app_group block is documented below.
    applicationList string
    Name of an existing Application list.
    applications PolicyApplication[]
    Application ID list. The structure of application block is documented below.
    authCert string
    HTTPS server certificate for policy authentication.
    authPath string
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr string
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload string
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile string
    Name of an existing Antivirus profile.
    blockNotification string
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt string
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket string
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile string
    Name of an existing CASB profile.
    cifsProfile string
    Name of an existing CIFS profile.
    comments string
    Comment.
    customLogFields PolicyCustomLogField[]
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror string
    Decrypted traffic mirror.
    delayTcpNpuSession string
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices PolicyDevice[]
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile string
    Name of an existing Diameter filter profile.
    diffservCopy string
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward string
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse string
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward string
    Change packet's DiffServ to this value.
    diffservcodeRev string
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer string
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile string
    Name of an existing DLP profile.
    dlpSensor string
    Name of an existing DLP sensor.
    dnsfilterProfile string
    Name of an existing DNS filter profile.
    dsri string
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate string
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s PolicyDstaddr6[]
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate string
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs PolicyDstaddr[]
    Destination address and address group names. The structure of dstaddr block is documented below.
    dstintfs PolicyDstintf[]
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    dynamicShaping string
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable string
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect string
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile string
    Name of an existing email filter profile.
    fec string
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile string
    Name of an existing file-filter profile.
    firewallSessionDirty string
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport string
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso string
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm string
    FSSO agent to use for NTLM authentication.
    fssoGroups PolicyFssoGroup[]
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast string
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch string
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables string
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel string
    Label for the policy that appears when the GUI is in Global View mode.
    groups PolicyGroup[]
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect string
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile string
    Name of an existing ICAP profile.
    identityBasedRoute string
    Name of identity-based routing rule.
    inbound string
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode string
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService string
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 string
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups PolicyInternetService6CustomGroup[]
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs PolicyInternetService6Custom[]
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups PolicyInternetService6Group[]
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names PolicyInternetService6Name[]
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate string
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src string
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups PolicyInternetService6SrcCustomGroup[]
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms PolicyInternetService6SrcCustom[]
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups PolicyInternetService6SrcGroup[]
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames PolicyInternetService6SrcName[]
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate string
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups PolicyInternetServiceCustomGroup[]
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms PolicyInternetServiceCustom[]
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups PolicyInternetServiceGroup[]
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds PolicyInternetServiceId[]
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames PolicyInternetServiceName[]
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate string
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc string
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups PolicyInternetServiceSrcCustomGroup[]
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms PolicyInternetServiceSrcCustom[]
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups PolicyInternetServiceSrcGroup[]
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds PolicyInternetServiceSrcId[]
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames PolicyInternetServiceSrcName[]
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate string
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool string
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor string
    Name of an existing IPS sensor.
    ipsVoipFilter string
    Name of an existing VoIP (ips) profile.
    label string
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode string
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic string
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart string
    Record logs when a session starts. Valid values: enable, disable.
    matchVip string
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly string
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name string
    Policy name.
    nat string
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 string
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 string
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound string
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip string
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound string
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics PolicyNetworkServiceDynamic[]
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics PolicyNetworkServiceSrcDynamic[]
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration string
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm string
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers PolicyNtlmEnabledBrowser[]
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest string
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound string
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement string
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound string
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound string
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames PolicyPcpPoolname[]
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper string
    Per-IP traffic shaper.
    permitAnyHost string
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost string
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry string
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate string
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc string
    Policy expiry date and time, in epoch format.
    policyid number
    Policy ID.
    poolname6s PolicyPoolname6[]
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames PolicyPoolname[]
    IP Pool names. The structure of poolname block is documented below.
    portPreserve string
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup string
    Name of profile group.
    profileProtocolOptions string
    Name of an existing Protocol options profile.
    profileType string
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass string
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl string
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup string
    Override the default replacement message group for this policy.
    reputationDirection string
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 string
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum number
    Minimum Reputation to take action.
    reputationMinimum6 number
    IPv6 Minimum Reputation to take action.
    rsso string
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs PolicyRtpAddr[]
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat string
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections string
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule string
    Schedule name.(Default is always)
    scheduleTimeout string
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile string
    Name of an existing SCTP filter profile.
    sendDenyPacket string
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate string
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services PolicyService[]
    Service and service group names. The structure of service block is documented below.
    sessionTtl number
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck string
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts PolicySgt[]
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile string
    Name of an existing Spam filter profile.
    srcVendorMacs PolicySrcVendorMac[]
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate string
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s PolicySrcaddr6[]
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate string
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs PolicySrcaddr[]
    Source address and address group names. The structure of srcaddr block is documented below.
    srcintfs PolicySrcintf[]
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    sshFilterProfile string
    Name of an existing SSH filter profile.
    sshPolicyRedirect string
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror string
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs PolicySslMirrorIntf[]
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile string
    Name of an existing SSL SSH profile.
    status string
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver number
    Receiver TCP maximum segment size (MSS).
    tcpMssSender number
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn string
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst string
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos string
    ToS (Type of Service) value used for comparison.
    tosMask string
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate string
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper string
    Traffic shaper.
    trafficShaperReverse string
    Reverse traffic shaper.
    urlCategories PolicyUrlCategory[]
    URL category ID list. The structure of url_category block is documented below.
    users PolicyUser[]
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus string
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid string
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam string
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile string
    Name of an existing VideoFilter profile.
    virtualPatchProfile string
    Name of an existing virtual-patch profile.
    vlanCosFwd number
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev number
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter string
    Set VLAN filters.
    voipProfile string
    Name of an existing VoIP (voipd) profile.
    vpntunnel string
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile string
    Name of an existing Web application firewall profile.
    wanopt string
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection string
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt string
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer string
    WAN optimization peer.
    wanoptProfile string
    WAN optimization profile.
    wccp string
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache string
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps string
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile string
    Name of an existing Web filter profile.
    webproxyForwardServer string
    Web proxy forward server name.
    webproxyProfile string
    Webproxy profile name.
    wsso string
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership string
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries PolicyZtnaEmsTagSecondary[]
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags PolicyZtnaEmsTag[]
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags PolicyZtnaGeoTag[]
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect string
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus string
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic string
    ZTNA tag matching logic. Valid values: or, and.
    action str
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    anti_replay str
    Enable/disable anti-replay check. Valid values: enable, disable.
    app_categories Sequence[PolicyAppCategoryArgs]
    Application category ID list. The structure of app_category block is documented below.
    app_groups Sequence[PolicyAppGroupArgs]
    Application group names. The structure of app_group block is documented below.
    application_list str
    Name of an existing Application list.
    applications Sequence[PolicyApplicationArgs]
    Application ID list. The structure of application block is documented below.
    auth_cert str
    HTTPS server certificate for policy authentication.
    auth_path str
    Enable/disable authentication-based routing. Valid values: enable, disable.
    auth_redirect_addr str
    HTTP-to-HTTPS redirect address for firewall authentication.
    auto_asic_offload str
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    av_profile str
    Name of an existing Antivirus profile.
    block_notification str
    Enable/disable block notification. Valid values: enable, disable.
    captive_portal_exempt str
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capture_packet str
    Enable/disable capture packets. Valid values: enable, disable.
    casb_profile str
    Name of an existing CASB profile.
    cifs_profile str
    Name of an existing CIFS profile.
    comments str
    Comment.
    custom_log_fields Sequence[PolicyCustomLogFieldArgs]
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decrypted_traffic_mirror str
    Decrypted traffic mirror.
    delay_tcp_npu_session str
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices Sequence[PolicyDeviceArgs]
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameter_filter_profile str
    Name of an existing Diameter filter profile.
    diffserv_copy str
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffserv_forward str
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffserv_reverse str
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcode_forward str
    Change packet's DiffServ to this value.
    diffservcode_rev str
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer str
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlp_profile str
    Name of an existing DLP profile.
    dlp_sensor str
    Name of an existing DLP sensor.
    dnsfilter_profile str
    Name of an existing DNS filter profile.
    dsri str
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6_negate str
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s Sequence[PolicyDstaddr6Args]
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddr_negate str
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs Sequence[PolicyDstaddrArgs]
    Destination address and address group names. The structure of dstaddr block is documented below.
    dstintfs Sequence[PolicyDstintfArgs]
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    dynamic_shaping str
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamic_sort_subtable str
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    email_collect str
    Enable/disable email collection. Valid values: enable, disable.
    emailfilter_profile str
    Name of an existing email filter profile.
    fec str
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    file_filter_profile str
    Name of an existing file-filter profile.
    firewall_session_dirty str
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport str
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso str
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fsso_agent_for_ntlm str
    FSSO agent to use for NTLM authentication.
    fsso_groups Sequence[PolicyFssoGroupArgs]
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoip_anycast str
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoip_match str
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    get_all_tables str
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    global_label str
    Label for the policy that appears when the GUI is in Global View mode.
    groups Sequence[PolicyGroupArgs]
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    http_policy_redirect str
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icap_profile str
    Name of an existing ICAP profile.
    identity_based_route str
    Name of identity-based routing rule.
    inbound str
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspection_mode str
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internet_service str
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internet_service6 str
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internet_service6_custom_groups Sequence[PolicyInternetService6CustomGroupArgs]
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internet_service6_customs Sequence[PolicyInternetService6CustomArgs]
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internet_service6_groups Sequence[PolicyInternetService6GroupArgs]
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internet_service6_names Sequence[PolicyInternetService6NameArgs]
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internet_service6_negate str
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internet_service6_src str
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internet_service6_src_custom_groups Sequence[PolicyInternetService6SrcCustomGroupArgs]
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internet_service6_src_customs Sequence[PolicyInternetService6SrcCustomArgs]
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internet_service6_src_groups Sequence[PolicyInternetService6SrcGroupArgs]
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internet_service6_src_names Sequence[PolicyInternetService6SrcNameArgs]
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internet_service6_src_negate str
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internet_service_custom_groups Sequence[PolicyInternetServiceCustomGroupArgs]
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internet_service_customs Sequence[PolicyInternetServiceCustomArgs]
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internet_service_groups Sequence[PolicyInternetServiceGroupArgs]
    Internet Service group name. The structure of internet_service_group block is documented below.
    internet_service_ids Sequence[PolicyInternetServiceIdArgs]
    Internet Service ID. The structure of internet_service_id block is documented below.
    internet_service_names Sequence[PolicyInternetServiceNameArgs]
    Internet Service name. The structure of internet_service_name block is documented below.
    internet_service_negate str
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internet_service_src str
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internet_service_src_custom_groups Sequence[PolicyInternetServiceSrcCustomGroupArgs]
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internet_service_src_customs Sequence[PolicyInternetServiceSrcCustomArgs]
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internet_service_src_groups Sequence[PolicyInternetServiceSrcGroupArgs]
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internet_service_src_ids Sequence[PolicyInternetServiceSrcIdArgs]
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internet_service_src_names Sequence[PolicyInternetServiceSrcNameArgs]
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internet_service_src_negate str
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool str
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ips_sensor str
    Name of an existing IPS sensor.
    ips_voip_filter str
    Name of an existing VoIP (ips) profile.
    label str
    Label for the policy that appears when the GUI is in Section View mode.
    learning_mode str
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic str
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtraffic_start str
    Record logs when a session starts. Valid values: enable, disable.
    match_vip str
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    match_vip_only str
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name str
    Policy name.
    nat str
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 str
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 str
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound str
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip str
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound str
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    network_service_dynamics Sequence[PolicyNetworkServiceDynamicArgs]
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    network_service_src_dynamics Sequence[PolicyNetworkServiceSrcDynamicArgs]
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    np_acceleration str
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm str
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlm_enabled_browsers Sequence[PolicyNtlmEnabledBrowserArgs]
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlm_guest str
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound str
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passive_wan_health_measurement str
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcp_inbound str
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcp_outbound str
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcp_poolnames Sequence[PolicyPcpPoolnameArgs]
    PCP pool names. The structure of pcp_poolname block is documented below.
    per_ip_shaper str
    Per-IP traffic shaper.
    permit_any_host str
    Accept UDP packets from any host. Valid values: enable, disable.
    permit_stun_host str
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policy_expiry str
    Enable/disable policy expiry. Valid values: enable, disable.
    policy_expiry_date str
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policy_expiry_date_utc str
    Policy expiry date and time, in epoch format.
    policyid int
    Policy ID.
    poolname6s Sequence[PolicyPoolname6Args]
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames Sequence[PolicyPoolnameArgs]
    IP Pool names. The structure of poolname block is documented below.
    port_preserve str
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profile_group str
    Name of profile group.
    profile_protocol_options str
    Name of an existing Protocol options profile.
    profile_type str
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radius_mac_auth_bypass str
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirect_url str
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsg_override_group str
    Override the default replacement message group for this policy.
    reputation_direction str
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputation_direction6 str
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputation_minimum int
    Minimum Reputation to take action.
    reputation_minimum6 int
    IPv6 Minimum Reputation to take action.
    rsso str
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtp_addrs Sequence[PolicyRtpAddrArgs]
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtp_nat str
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scan_botnet_connections str
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule str
    Schedule name.(Default is always)
    schedule_timeout str
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctp_filter_profile str
    Name of an existing SCTP filter profile.
    send_deny_packet str
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    service_negate str
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services Sequence[PolicyServiceArgs]
    Service and service group names. The structure of service block is documented below.
    session_ttl int
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgt_check str
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts Sequence[PolicySgtArgs]
    Security group tags. The structure of sgt block is documented below.
    spamfilter_profile str
    Name of an existing Spam filter profile.
    src_vendor_macs Sequence[PolicySrcVendorMacArgs]
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6_negate str
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s Sequence[PolicySrcaddr6Args]
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddr_negate str
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs Sequence[PolicySrcaddrArgs]
    Source address and address group names. The structure of srcaddr block is documented below.
    srcintfs Sequence[PolicySrcintfArgs]
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    ssh_filter_profile str
    Name of an existing SSH filter profile.
    ssh_policy_redirect str
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    ssl_mirror str
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    ssl_mirror_intfs Sequence[PolicySslMirrorIntfArgs]
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    ssl_ssh_profile str
    Name of an existing SSL SSH profile.
    status str
    Enable or disable this policy. Valid values: enable, disable.
    tcp_mss_receiver int
    Receiver TCP maximum segment size (MSS).
    tcp_mss_sender int
    Sender TCP maximum segment size (MSS).
    tcp_session_without_syn str
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeout_send_rst str
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos str
    ToS (Type of Service) value used for comparison.
    tos_mask str
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tos_negate str
    Enable negated TOS match. Valid values: enable, disable.
    traffic_shaper str
    Traffic shaper.
    traffic_shaper_reverse str
    Reverse traffic shaper.
    url_categories Sequence[PolicyUrlCategoryArgs]
    URL category ID list. The structure of url_category block is documented below.
    users Sequence[PolicyUserArgs]
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utm_status str
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid str
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam str
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilter_profile str
    Name of an existing VideoFilter profile.
    virtual_patch_profile str
    Name of an existing virtual-patch profile.
    vlan_cos_fwd int
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlan_cos_rev int
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlan_filter str
    Set VLAN filters.
    voip_profile str
    Name of an existing VoIP (voipd) profile.
    vpntunnel str
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    waf_profile str
    Name of an existing Web application firewall profile.
    wanopt str
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanopt_detection str
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanopt_passive_opt str
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanopt_peer str
    WAN optimization peer.
    wanopt_profile str
    WAN optimization profile.
    wccp str
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache str
    Enable/disable web cache. Valid values: enable, disable.
    webcache_https str
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilter_profile str
    Name of an existing Web filter profile.
    webproxy_forward_server str
    Web proxy forward server name.
    webproxy_profile str
    Webproxy profile name.
    wsso str
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztna_device_ownership str
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztna_ems_tag_secondaries Sequence[PolicyZtnaEmsTagSecondaryArgs]
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztna_ems_tags Sequence[PolicyZtnaEmsTagArgs]
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztna_geo_tags Sequence[PolicyZtnaGeoTagArgs]
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztna_policy_redirect str
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztna_status str
    Enable/disable zero trust access. Valid values: enable, disable.
    ztna_tags_match_logic str
    ZTNA tag matching logic. Valid values: or, and.
    action String
    Policy action. On FortiOS versions 6.2.0-6.4.0: allow/deny/ipsec. On FortiOS versions >= 6.4.1: accept/deny/ipsec. Valid values: accept, deny, ipsec.
    antiReplay String
    Enable/disable anti-replay check. Valid values: enable, disable.
    appCategories List<Property Map>
    Application category ID list. The structure of app_category block is documented below.
    appGroups List<Property Map>
    Application group names. The structure of app_group block is documented below.
    applicationList String
    Name of an existing Application list.
    applications List<Property Map>
    Application ID list. The structure of application block is documented below.
    authCert String
    HTTPS server certificate for policy authentication.
    authPath String
    Enable/disable authentication-based routing. Valid values: enable, disable.
    authRedirectAddr String
    HTTP-to-HTTPS redirect address for firewall authentication.
    autoAsicOffload String
    Enable/disable policy traffic ASIC offloading. Valid values: enable, disable.
    avProfile String
    Name of an existing Antivirus profile.
    blockNotification String
    Enable/disable block notification. Valid values: enable, disable.
    captivePortalExempt String
    Enable to exempt some users from the captive portal. Valid values: enable, disable.
    capturePacket String
    Enable/disable capture packets. Valid values: enable, disable.
    casbProfile String
    Name of an existing CASB profile.
    cifsProfile String
    Name of an existing CIFS profile.
    comments String
    Comment.
    customLogFields List<Property Map>
    Custom fields to append to log messages for this policy. The structure of custom_log_fields block is documented below.
    decryptedTrafficMirror String
    Decrypted traffic mirror.
    delayTcpNpuSession String
    Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: enable, disable.
    devices List<Property Map>
    Names of devices or device groups that can be matched by the policy. The structure of devices block is documented below.
    diameterFilterProfile String
    Name of an existing Diameter filter profile.
    diffservCopy String
    Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: enable, disable.
    diffservForward String
    Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: enable, disable.
    diffservReverse String
    Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: enable, disable.
    diffservcodeForward String
    Change packet's DiffServ to this value.
    diffservcodeRev String
    Change packet's reverse (reply) DiffServ to this value.
    disclaimer String
    Enable/disable user authentication disclaimer. Valid values: enable, disable.
    dlpProfile String
    Name of an existing DLP profile.
    dlpSensor String
    Name of an existing DLP sensor.
    dnsfilterProfile String
    Name of an existing DNS filter profile.
    dsri String
    Enable DSRI to ignore HTTP server responses. Valid values: enable, disable.
    dstaddr6Negate String
    When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddr6s List<Property Map>
    Destination IPv6 address name and address group names. The structure of dstaddr6 block is documented below.
    dstaddrNegate String
    When enabled dstaddr specifies what the destination address must NOT be. Valid values: enable, disable.
    dstaddrs List<Property Map>
    Destination address and address group names. The structure of dstaddr block is documented below.
    dstintfs List<Property Map>
    Outgoing (egress) interface. The structure of dstintf block is documented below.
    dynamicShaping String
    Enable/disable dynamic RADIUS defined traffic shaping. Valid values: enable, disable.
    dynamicSortSubtable String
    Sort sub-tables, please do not set this parameter when configuring static sub-tables. Options: [ false, true, natural, alphabetical ]. false: Default value, do not sort tables; true/natural: sort tables in natural order. For example: [ a10, a2 ] -> [ a2, a10 ]; alphabetical: sort tables in alphabetical order. For example: [ a10, a2 ] -> [ a10, a2 ].
    emailCollect String
    Enable/disable email collection. Valid values: enable, disable.
    emailfilterProfile String
    Name of an existing email filter profile.
    fec String
    Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: enable, disable.
    fileFilterProfile String
    Name of an existing file-filter profile.
    firewallSessionDirty String
    How to handle sessions if the configuration of this firewall policy changes. Valid values: check-all, check-new.
    fixedport String
    Enable to prevent source NAT from changing a session's source port. Valid values: enable, disable.
    fsso String
    Enable/disable Fortinet Single Sign-On. Valid values: enable, disable.
    fssoAgentForNtlm String
    FSSO agent to use for NTLM authentication.
    fssoGroups List<Property Map>
    Names of FSSO groups. The structure of fsso_groups block is documented below.
    geoipAnycast String
    Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: enable, disable.
    geoipMatch String
    Match geography address based either on its physical location or registered location. Valid values: physical-location, registered-location.
    getAllTables String
    Get all sub-tables including unconfigured tables. Do not set this variable to true if you configure sub-table in another resource, otherwise, conflicts and overwrite will occur. Options: [ false, true ]. false: Default value, do not get unconfigured tables; true: get all tables including unconfigured tables.
    globalLabel String
    Label for the policy that appears when the GUI is in Global View mode.
    groups List<Property Map>
    Names of user groups that can authenticate with this policy. The structure of groups block is documented below.
    httpPolicyRedirect String
    Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: enable, disable.
    icapProfile String
    Name of an existing ICAP profile.
    identityBasedRoute String
    Name of identity-based routing rule.
    inbound String
    Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: enable, disable.
    inspectionMode String
    Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: proxy, flow.
    internetService String
    Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6 String
    Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: enable, disable.
    internetService6CustomGroups List<Property Map>
    Custom Internet Service6 group name. The structure of internet_service6_custom_group block is documented below.
    internetService6Customs List<Property Map>
    Custom IPv6 Internet Service name. The structure of internet_service6_custom block is documented below.
    internetService6Groups List<Property Map>
    Internet Service group name. The structure of internet_service6_group block is documented below.
    internetService6Names List<Property Map>
    IPv6 Internet Service name. The structure of internet_service6_name block is documented below.
    internetService6Negate String
    When enabled internet-service6 specifies what the service must NOT be. Valid values: enable, disable.
    internetService6Src String
    Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetService6SrcCustomGroups List<Property Map>
    Custom Internet Service6 source group name. The structure of internet_service6_src_custom_group block is documented below.
    internetService6SrcCustoms List<Property Map>
    Custom IPv6 Internet Service source name. The structure of internet_service6_src_custom block is documented below.
    internetService6SrcGroups List<Property Map>
    Internet Service6 source group name. The structure of internet_service6_src_group block is documented below.
    internetService6SrcNames List<Property Map>
    IPv6 Internet Service source name. The structure of internet_service6_src_name block is documented below.
    internetService6SrcNegate String
    When enabled internet-service6-src specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceCustomGroups List<Property Map>
    Custom Internet Service group name. The structure of internet_service_custom_group block is documented below.
    internetServiceCustoms List<Property Map>
    Custom Internet Service name. The structure of internet_service_custom block is documented below.
    internetServiceGroups List<Property Map>
    Internet Service group name. The structure of internet_service_group block is documented below.
    internetServiceIds List<Property Map>
    Internet Service ID. The structure of internet_service_id block is documented below.
    internetServiceNames List<Property Map>
    Internet Service name. The structure of internet_service_name block is documented below.
    internetServiceNegate String
    When enabled internet-service specifies what the service must NOT be. Valid values: enable, disable.
    internetServiceSrc String
    Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: enable, disable.
    internetServiceSrcCustomGroups List<Property Map>
    Custom Internet Service source group name. The structure of internet_service_src_custom_group block is documented below.
    internetServiceSrcCustoms List<Property Map>
    Custom Internet Service source name. The structure of internet_service_src_custom block is documented below.
    internetServiceSrcGroups List<Property Map>
    Internet Service source group name. The structure of internet_service_src_group block is documented below.
    internetServiceSrcIds List<Property Map>
    Internet Service source ID. The structure of internet_service_src_id block is documented below.
    internetServiceSrcNames List<Property Map>
    Internet Service source name. The structure of internet_service_src_name block is documented below.
    internetServiceSrcNegate String
    When enabled internet-service-src specifies what the service must NOT be. Valid values: enable, disable.
    ippool String
    Enable to use IP Pools for source NAT. Valid values: enable, disable.
    ipsSensor String
    Name of an existing IPS sensor.
    ipsVoipFilter String
    Name of an existing VoIP (ips) profile.
    label String
    Label for the policy that appears when the GUI is in Section View mode.
    learningMode String
    Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: enable, disable.
    logtraffic String
    Enable or disable logging. Log all sessions or security profile sessions. Valid values: all, utm, disable.
    logtrafficStart String
    Record logs when a session starts. Valid values: enable, disable.
    matchVip String
    Enable to match packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    matchVipOnly String
    Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: enable, disable.
    name String
    Policy name.
    nat String
    Enable/disable source NAT. Valid values: enable, disable.
    nat46 String
    Enable/disable NAT46. Valid values: enable, disable.
    nat64 String
    Enable/disable NAT64. Valid values: enable, disable.
    natinbound String
    Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: enable, disable.
    natip String
    Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
    natoutbound String
    Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: enable, disable.
    networkServiceDynamics List<Property Map>
    Dynamic Network Service name. The structure of network_service_dynamic block is documented below.
    networkServiceSrcDynamics List<Property Map>
    Dynamic Network Service source name. The structure of network_service_src_dynamic block is documented below.
    npAcceleration String
    Enable/disable UTM Network Processor acceleration. Valid values: enable, disable.
    ntlm String
    Enable/disable NTLM authentication. Valid values: enable, disable.
    ntlmEnabledBrowsers List<Property Map>
    HTTP-User-Agent value of supported browsers. The structure of ntlm_enabled_browsers block is documented below.
    ntlmGuest String
    Enable/disable NTLM guest user access. Valid values: enable, disable.
    outbound String
    Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: enable, disable.
    passiveWanHealthMeasurement String
    Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: enable, disable.
    pcpInbound String
    Enable/disable PCP inbound DNAT. Valid values: enable, disable.
    pcpOutbound String
    Enable/disable PCP outbound SNAT. Valid values: enable, disable.
    pcpPoolnames List<Property Map>
    PCP pool names. The structure of pcp_poolname block is documented below.
    perIpShaper String
    Per-IP traffic shaper.
    permitAnyHost String
    Accept UDP packets from any host. Valid values: enable, disable.
    permitStunHost String
    Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: enable, disable.
    policyExpiry String
    Enable/disable policy expiry. Valid values: enable, disable.
    policyExpiryDate String
    Policy expiry date (YYYY-MM-DD HH:MM:SS).
    policyExpiryDateUtc String
    Policy expiry date and time, in epoch format.
    policyid Number
    Policy ID.
    poolname6s List<Property Map>
    IPv6 pool names. The structure of poolname6 block is documented below.
    poolnames List<Property Map>
    IP Pool names. The structure of poolname block is documented below.
    portPreserve String
    Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: enable, disable.
    profileGroup String
    Name of profile group.
    profileProtocolOptions String
    Name of an existing Protocol options profile.
    profileType String
    Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
    radiusMacAuthBypass String
    Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: enable, disable.
    redirectUrl String
    URL users are directed to after seeing and accepting the disclaimer or authenticating.
    replacemsgOverrideGroup String
    Override the default replacement message group for this policy.
    reputationDirection String
    Direction of the initial traffic for reputation to take effect. Valid values: source, destination.
    reputationDirection6 String
    Direction of the initial traffic for IPv6 reputation to take effect. Valid values: source, destination.
    reputationMinimum Number
    Minimum Reputation to take action.
    reputationMinimum6 Number
    IPv6 Minimum Reputation to take action.
    rsso String
    Enable/disable RADIUS single sign-on (RSSO). Valid values: enable, disable.
    rtpAddrs List<Property Map>
    Address names if this is an RTP NAT policy. The structure of rtp_addr block is documented below.
    rtpNat String
    Enable Real Time Protocol (RTP) NAT. Valid values: disable, enable.
    scanBotnetConnections String
    Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: disable, block, monitor.
    schedule String
    Schedule name.(Default is always)
    scheduleTimeout String
    Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: enable, disable.
    sctpFilterProfile String
    Name of an existing SCTP filter profile.
    sendDenyPacket String
    Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: disable, enable.
    serviceNegate String
    When enabled service specifies what the service must NOT be. Valid values: enable, disable.
    services List<Property Map>
    Service and service group names. The structure of service block is documented below.
    sessionTtl Number
    TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
    sgtCheck String
    Enable/disable security group tags (SGT) check. Valid values: enable, disable.
    sgts List<Property Map>
    Security group tags. The structure of sgt block is documented below.
    spamfilterProfile String
    Name of an existing Spam filter profile.
    srcVendorMacs List<Property Map>
    Vendor MAC source ID. The structure of src_vendor_mac block is documented below.
    srcaddr6Negate String
    When enabled srcaddr6 specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddr6s List<Property Map>
    Source IPv6 address name and address group names. The structure of srcaddr6 block is documented below.
    srcaddrNegate String
    When enabled srcaddr specifies what the source address must NOT be. Valid values: enable, disable.
    srcaddrs List<Property Map>
    Source address and address group names. The structure of srcaddr block is documented below.
    srcintfs List<Property Map>
    Incoming (ingress) interface. The structure of srcintf block is documented below.
    sshFilterProfile String
    Name of an existing SSH filter profile.
    sshPolicyRedirect String
    Redirect SSH traffic to matching transparent proxy policy. Valid values: enable, disable.
    sslMirror String
    Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: enable, disable.
    sslMirrorIntfs List<Property Map>
    SSL mirror interface name. The structure of ssl_mirror_intf block is documented below.
    sslSshProfile String
    Name of an existing SSL SSH profile.
    status String
    Enable or disable this policy. Valid values: enable, disable.
    tcpMssReceiver Number
    Receiver TCP maximum segment size (MSS).
    tcpMssSender Number
    Sender TCP maximum segment size (MSS).
    tcpSessionWithoutSyn String
    Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
    timeoutSendRst String
    Enable/disable sending RST packets when TCP sessions expire. Valid values: enable, disable.
    tos String
    ToS (Type of Service) value used for comparison.
    tosMask String
    Non-zero bit positions are used for comparison while zero bit positions are ignored.
    tosNegate String
    Enable negated TOS match. Valid values: enable, disable.
    trafficShaper String
    Traffic shaper.
    trafficShaperReverse String
    Reverse traffic shaper.
    urlCategories List<Property Map>
    URL category ID list. The structure of url_category block is documented below.
    users List<Property Map>
    Names of individual users that can authenticate with this policy. The structure of users block is documented below.
    utmStatus String
    Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: enable, disable.
    uuid String
    Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
    vdomparam String
    Specifies the vdom to which the resource will be applied when the FortiGate unit is running in VDOM mode. Only one vdom can be specified. If you want to inherit the vdom configuration of the provider, please do not set this parameter.
    videofilterProfile String
    Name of an existing VideoFilter profile.
    virtualPatchProfile String
    Name of an existing virtual-patch profile.
    vlanCosFwd Number
    VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev Number
    VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
    vlanFilter String
    Set VLAN filters.
    voipProfile String
    Name of an existing VoIP (voipd) profile.
    vpntunnel String
    Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
    wafProfile String
    Name of an existing Web application firewall profile.
    wanopt String
    Enable/disable WAN optimization. Valid values: enable, disable.
    wanoptDetection String
    WAN optimization auto-detection mode. Valid values: active, passive, off.
    wanoptPassiveOpt String
    WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: default, transparent, non-transparent.
    wanoptPeer String
    WAN optimization peer.
    wanoptProfile String
    WAN optimization profile.
    wccp String
    Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: enable, disable.
    webcache String
    Enable/disable web cache. Valid values: enable, disable.
    webcacheHttps String
    Enable/disable web cache for HTTPS. Valid values: disable, enable.
    webfilterProfile String
    Name of an existing Web filter profile.
    webproxyForwardServer String
    Web proxy forward server name.
    webproxyProfile String
    Webproxy profile name.
    wsso String
    Enable/disable WiFi Single Sign On (WSSO). Valid values: enable, disable.
    ztnaDeviceOwnership String
    Enable/disable zero trust device ownership. Valid values: enable, disable.
    ztnaEmsTagSecondaries List<Property Map>
    Source ztna-ems-tag-secondary names. The structure of ztna_ems_tag_secondary block is documented below.
    ztnaEmsTags List<Property Map>
    Source ztna-ems-tag names. The structure of ztna_ems_tag block is documented below.
    ztnaGeoTags List<Property Map>
    Source ztna-geo-tag names. The structure of ztna_geo_tag block is documented below.
    ztnaPolicyRedirect String
    Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: enable, disable.
    ztnaStatus String
    Enable/disable zero trust access. Valid values: enable, disable.
    ztnaTagsMatchLogic String
    ZTNA tag matching logic. Valid values: or, and.

    Supporting Types

    PolicyAppCategory, PolicyAppCategoryArgs

    Id int
    Category IDs.
    Id int
    Category IDs.
    id Integer
    Category IDs.
    id number
    Category IDs.
    id int
    Category IDs.
    id Number
    Category IDs.

    PolicyAppGroup, PolicyAppGroupArgs

    Name string
    Application group names.
    Name string
    Application group names.
    name String
    Application group names.
    name string
    Application group names.
    name str
    Application group names.
    name String
    Application group names.

    PolicyApplication, PolicyApplicationArgs

    Id int
    Application IDs.
    Id int
    Application IDs.
    id Integer
    Application IDs.
    id number
    Application IDs.
    id int
    Application IDs.
    id Number
    Application IDs.

    PolicyCustomLogField, PolicyCustomLogFieldArgs

    FieldId string
    Custom log field.
    FieldId string
    Custom log field.
    fieldId String
    Custom log field.
    fieldId string
    Custom log field.
    field_id str
    Custom log field.
    fieldId String
    Custom log field.

    PolicyDevice, PolicyDeviceArgs

    Name string
    Device or group name.
    Name string
    Device or group name.
    name String
    Device or group name.
    name string
    Device or group name.
    name str
    Device or group name.
    name String
    Device or group name.

    PolicyDstaddr, PolicyDstaddrArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    PolicyDstaddr6, PolicyDstaddr6Args

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyDstintf, PolicyDstintfArgs

    Name string
    Interface name.
    Name string
    Interface name.
    name String
    Interface name.
    name string
    Interface name.
    name str
    Interface name.
    name String
    Interface name.

    PolicyFssoGroup, PolicyFssoGroupArgs

    Name string
    Names of FSSO groups.
    Name string
    Names of FSSO groups.
    name String
    Names of FSSO groups.
    name string
    Names of FSSO groups.
    name str
    Names of FSSO groups.
    name String
    Names of FSSO groups.

    PolicyGroup, PolicyGroupArgs

    Name string
    Group name.
    Name string
    Group name.
    name String
    Group name.
    name string
    Group name.
    name str
    Group name.
    name String
    Group name.

    PolicyInternetService6Custom, PolicyInternetService6CustomArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6CustomGroup, PolicyInternetService6CustomGroupArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6Group, PolicyInternetService6GroupArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6Name, PolicyInternetService6NameArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6SrcCustom, PolicyInternetService6SrcCustomArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6SrcCustomGroup, PolicyInternetService6SrcCustomGroupArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6SrcGroup, PolicyInternetService6SrcGroupArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetService6SrcName, PolicyInternetService6SrcNameArgs

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyInternetServiceCustom, PolicyInternetServiceCustomArgs

    Name string
    Custom Internet Service name.
    Name string
    Custom Internet Service name.
    name String
    Custom Internet Service name.
    name string
    Custom Internet Service name.
    name str
    Custom Internet Service name.
    name String
    Custom Internet Service name.

    PolicyInternetServiceCustomGroup, PolicyInternetServiceCustomGroupArgs

    Name string
    Custom Internet Service group name.
    Name string
    Custom Internet Service group name.
    name String
    Custom Internet Service group name.
    name string
    Custom Internet Service group name.
    name str
    Custom Internet Service group name.
    name String
    Custom Internet Service group name.

    PolicyInternetServiceGroup, PolicyInternetServiceGroupArgs

    Name string
    Internet Service group name.
    Name string
    Internet Service group name.
    name String
    Internet Service group name.
    name string
    Internet Service group name.
    name str
    Internet Service group name.
    name String
    Internet Service group name.

    PolicyInternetServiceId, PolicyInternetServiceIdArgs

    Id int
    Internet Service ID.
    Id int
    Internet Service ID.
    id Integer
    Internet Service ID.
    id number
    Internet Service ID.
    id int
    Internet Service ID.
    id Number
    Internet Service ID.

    PolicyInternetServiceName, PolicyInternetServiceNameArgs

    Name string
    Internet Service name.
    Name string
    Internet Service name.
    name String
    Internet Service name.
    name string
    Internet Service name.
    name str
    Internet Service name.
    name String
    Internet Service name.

    PolicyInternetServiceSrcCustom, PolicyInternetServiceSrcCustomArgs

    Name string
    Custom Internet Service name.
    Name string
    Custom Internet Service name.
    name String
    Custom Internet Service name.
    name string
    Custom Internet Service name.
    name str
    Custom Internet Service name.
    name String
    Custom Internet Service name.

    PolicyInternetServiceSrcCustomGroup, PolicyInternetServiceSrcCustomGroupArgs

    Name string
    Custom Internet Service group name.
    Name string
    Custom Internet Service group name.
    name String
    Custom Internet Service group name.
    name string
    Custom Internet Service group name.
    name str
    Custom Internet Service group name.
    name String
    Custom Internet Service group name.

    PolicyInternetServiceSrcGroup, PolicyInternetServiceSrcGroupArgs

    Name string
    Internet Service group name.
    Name string
    Internet Service group name.
    name String
    Internet Service group name.
    name string
    Internet Service group name.
    name str
    Internet Service group name.
    name String
    Internet Service group name.

    PolicyInternetServiceSrcId, PolicyInternetServiceSrcIdArgs

    Id int
    Internet Service ID.
    Id int
    Internet Service ID.
    id Integer
    Internet Service ID.
    id number
    Internet Service ID.
    id int
    Internet Service ID.
    id Number
    Internet Service ID.

    PolicyInternetServiceSrcName, PolicyInternetServiceSrcNameArgs

    Name string
    Internet Service name.
    Name string
    Internet Service name.
    name String
    Internet Service name.
    name string
    Internet Service name.
    name str
    Internet Service name.
    name String
    Internet Service name.

    PolicyNetworkServiceDynamic, PolicyNetworkServiceDynamicArgs

    Name string
    Dynamic Network Service name.
    Name string
    Dynamic Network Service name.
    name String
    Dynamic Network Service name.
    name string
    Dynamic Network Service name.
    name str
    Dynamic Network Service name.
    name String
    Dynamic Network Service name.

    PolicyNetworkServiceSrcDynamic, PolicyNetworkServiceSrcDynamicArgs

    Name string
    Dynamic Network Service name.
    Name string
    Dynamic Network Service name.
    name String
    Dynamic Network Service name.
    name string
    Dynamic Network Service name.
    name str
    Dynamic Network Service name.
    name String
    Dynamic Network Service name.

    PolicyNtlmEnabledBrowser, PolicyNtlmEnabledBrowserArgs

    UserAgentString string
    User agent string.
    UserAgentString string
    User agent string.
    userAgentString String
    User agent string.
    userAgentString string
    User agent string.
    user_agent_string str
    User agent string.
    userAgentString String
    User agent string.

    PolicyPcpPoolname, PolicyPcpPoolnameArgs

    Name string
    PCP pool name.
    Name string
    PCP pool name.
    name String
    PCP pool name.
    name string
    PCP pool name.
    name str
    PCP pool name.
    name String
    PCP pool name.

    PolicyPoolname, PolicyPoolnameArgs

    Name string
    IPv6 pool name.
    Name string
    IPv6 pool name.
    name String
    IPv6 pool name.
    name string
    IPv6 pool name.
    name str
    IPv6 pool name.
    name String
    IPv6 pool name.

    PolicyPoolname6, PolicyPoolname6Args

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicyRtpAddr, PolicyRtpAddrArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    PolicyService, PolicyServiceArgs

    Name string
    Service and service group names.
    Name string
    Service and service group names.
    name String
    Service and service group names.
    name string
    Service and service group names.
    name str
    Service and service group names.
    name String
    Service and service group names.

    PolicySgt, PolicySgtArgs

    Id int
    Security group tag.
    Id int
    Security group tag.
    id Integer
    Security group tag.
    id number
    Security group tag.
    id int
    Security group tag.
    id Number
    Security group tag.

    PolicySrcVendorMac, PolicySrcVendorMacArgs

    Id int

    Vendor MAC ID.

    The internet_service6_name block supports:

    Id int

    Vendor MAC ID.

    The internet_service6_name block supports:

    id Integer

    Vendor MAC ID.

    The internet_service6_name block supports:

    id number

    Vendor MAC ID.

    The internet_service6_name block supports:

    id int

    Vendor MAC ID.

    The internet_service6_name block supports:

    id Number

    Vendor MAC ID.

    The internet_service6_name block supports:

    PolicySrcaddr, PolicySrcaddrArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    PolicySrcaddr6, PolicySrcaddr6Args

    Name string
    Policy name.
    Name string
    Policy name.
    name String
    Policy name.
    name string
    Policy name.
    name str
    Policy name.
    name String
    Policy name.

    PolicySrcintf, PolicySrcintfArgs

    Name string
    Interface name.
    Name string
    Interface name.
    name String
    Interface name.
    name string
    Interface name.
    name str
    Interface name.
    name String
    Interface name.

    PolicySslMirrorIntf, PolicySslMirrorIntfArgs

    Name string
    Mirror Interface name.
    Name string
    Mirror Interface name.
    name String
    Mirror Interface name.
    name string
    Mirror Interface name.
    name str
    Mirror Interface name.
    name String
    Mirror Interface name.

    PolicyUrlCategory, PolicyUrlCategoryArgs

    Id int
    URL category ID.
    Id int
    URL category ID.
    id Integer
    URL category ID.
    id number
    URL category ID.
    id int
    URL category ID.
    id Number
    URL category ID.

    PolicyUser, PolicyUserArgs

    Name string
    Names of individual users that can authenticate with this policy.
    Name string
    Names of individual users that can authenticate with this policy.
    name String
    Names of individual users that can authenticate with this policy.
    name string
    Names of individual users that can authenticate with this policy.
    name str
    Names of individual users that can authenticate with this policy.
    name String
    Names of individual users that can authenticate with this policy.

    PolicyZtnaEmsTag, PolicyZtnaEmsTagArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    PolicyZtnaEmsTagSecondary, PolicyZtnaEmsTagSecondaryArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    PolicyZtnaGeoTag, PolicyZtnaGeoTagArgs

    Name string
    Address name.
    Name string
    Address name.
    name String
    Address name.
    name string
    Address name.
    name str
    Address name.
    name String
    Address name.

    Import

    Firewall Policy can be imported using any of these accepted formats:

    $ pulumi import fortios:firewall/policy:Policy labelname {{policyid}}
    

    If you do not want to import arguments of block:

    $ export “FORTIOS_IMPORT_TABLE”=“false”

    $ pulumi import fortios:firewall/policy:Policy labelname {{policyid}}
    

    $ unset “FORTIOS_IMPORT_TABLE”

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    fortios pulumiverse/pulumi-fortios
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the fortios Terraform Provider.
    fortios logo
    Fortios v0.0.6 published on Tuesday, Jul 9, 2024 by pulumiverse