fortimanager.PackagesGlobalHeaderPolicy
Configure IPv4 policies.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortimanager from "@pulumi/fortimanager";
// Inputs for one global header policy in the "default" policy package.
// As written, the rule is enabled and denies every address ("gall"), every
// service ("gALL") and any interface on the "galways" schedule, logging all
// matched traffic.
// NOTE(review): the g-prefixed object names look like FortiManager global
// objects; confirm they exist before applying.
// NOTE(review): a header rule is presumably evaluated ahead of the ADOM-local
// rules of every package this global package is assigned to, so a match-all
// deny would pre-empt them. Narrow source, destination and service before
// using this outside a lab.
const policyArgs: fortimanager.PackagesGlobalHeaderPolicyArgs = {
    action: "deny",
    antiReplay: "enable",
    applicationCharts: [],
    blockNotification: "disable",
    captivePortalExempt: "disable",
    cgnResourceQuota: 0,
    cgnSessionQuota: 0,
    delayTcpNpuSession: "disable",
    diffservForward: "disable",
    diffservReverse: "disable",
    dsri: "disable",
    dstaddrs: ["gall"],
    dstaddrNegate: "disable",
    dstintfs: ["any"],
    dynamicProfileAccesses: [],
    emailCollect: "disable",
    geoipAnycast: "disable",
    geoipMatch: "physical-location",
    internetService: "disable",
    internetServiceSrc: "disable",
    logtraffic: "all",
    logtrafficStart: "disable",
    matchVip: "disable",
    matchVipOnly: "disable",
    natips: [
        "0.0.0.0",
        "0.0.0.0",
    ],
    npAcceleration: "enable",
    permitAnyHost: "disable",
    pkg: "default",
    policyid: 1074741825,
    profileType: "single",
    radiusMacAuthBypass: "disable",
    reputationMinimum: 0,
    rtpNat: "disable",
    schedule: "galways",
    scheduleTimeout: "disable",
    sendDenyPacket: "disable",
    services: ["gALL"],
    serviceNegate: "disable",
    sessionTtl: "0",
    srcaddrs: ["gall"],
    srcaddrNegate: "disable",
    srcintfs: ["any"],
    status: "enable",
    tcpMssReceiver: 0,
    tcpMssSender: 0,
    tcpSessionWithoutSyn: "disable",
    tos: "0x00",
    tosMask: "0x00",
    tosNegate: "disable",
    vlanCosFwd: 255,
    vlanCosRev: 255,
    wccp: "disable",
};

// Register the policy under the Pulumi resource name "labelname".
const labelname = new fortimanager.PackagesGlobalHeaderPolicy("labelname", policyArgs);
import pulumi
import pulumi_fortimanager as fortimanager
# Inputs for one global header policy in the "default" policy package.
# As written, the rule is enabled and denies every address ("gall"), every
# service ("gALL") and any interface on the "galways" schedule, logging all
# matched traffic.
# NOTE(review): the g-prefixed object names look like FortiManager global
# objects; confirm they exist before applying.
# NOTE(review): a header rule is presumably evaluated ahead of the ADOM-local
# rules of every package this global package is assigned to, so a match-all
# deny would pre-empt them. Narrow source, destination and service before
# using this outside a lab.
policy_args = fortimanager.PackagesGlobalHeaderPolicyArgs(
    action="deny",
    anti_replay="enable",
    application_charts=[],
    block_notification="disable",
    captive_portal_exempt="disable",
    cgn_resource_quota=0,
    cgn_session_quota=0,
    delay_tcp_npu_session="disable",
    diffserv_forward="disable",
    diffserv_reverse="disable",
    dsri="disable",
    dstaddrs=["gall"],
    dstaddr_negate="disable",
    dstintfs=["any"],
    dynamic_profile_accesses=[],
    email_collect="disable",
    geoip_anycast="disable",
    geoip_match="physical-location",
    internet_service="disable",
    internet_service_src="disable",
    logtraffic="all",
    logtraffic_start="disable",
    match_vip="disable",
    match_vip_only="disable",
    natips=[
        "0.0.0.0",
        "0.0.0.0",
    ],
    np_acceleration="enable",
    permit_any_host="disable",
    pkg="default",
    policyid=1074741825,
    profile_type="single",
    radius_mac_auth_bypass="disable",
    reputation_minimum=0,
    rtp_nat="disable",
    schedule="galways",
    schedule_timeout="disable",
    send_deny_packet="disable",
    services=["gALL"],
    service_negate="disable",
    session_ttl="0",
    srcaddrs=["gall"],
    srcaddr_negate="disable",
    srcintfs=["any"],
    status="enable",
    tcp_mss_receiver=0,
    tcp_mss_sender=0,
    tcp_session_without_syn="disable",
    tos="0x00",
    tos_mask="0x00",
    tos_negate="disable",
    vlan_cos_fwd=255,
    vlan_cos_rev=255,
    wccp="disable",
)

# Register the policy under the Pulumi resource name "labelname".
labelname = fortimanager.PackagesGlobalHeaderPolicy("labelname", policy_args)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/fortimanager/fortimanager"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers one global header policy in the "default" policy package.
//
// As written, the rule is enabled and denies every address ("gall"), every
// service ("gALL") and any interface on the "galways" schedule, logging all
// matched traffic.
//
// NOTE(review): the g-prefixed object names look like FortiManager global
// objects; confirm they exist before applying.
//
// NOTE(review): a header rule is presumably evaluated ahead of the ADOM-local
// rules of every package this global package is assigned to, so a match-all
// deny would pre-empt them. Narrow source, destination and service before
// using this outside a lab.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		policyArgs := &fortimanager.PackagesGlobalHeaderPolicyArgs{
			Action:              pulumi.String("deny"),
			AntiReplay:          pulumi.String("enable"),
			ApplicationCharts:   pulumi.StringArray{},
			BlockNotification:   pulumi.String("disable"),
			CaptivePortalExempt: pulumi.String("disable"),
			CgnResourceQuota:    pulumi.Float64(0),
			CgnSessionQuota:     pulumi.Float64(0),
			DelayTcpNpuSession:  pulumi.String("disable"),
			DiffservForward:     pulumi.String("disable"),
			DiffservReverse:     pulumi.String("disable"),
			Dsri:                pulumi.String("disable"),
			Dstaddrs: pulumi.StringArray{
				pulumi.String("gall"),
			},
			DstaddrNegate: pulumi.String("disable"),
			Dstintfs: pulumi.StringArray{
				pulumi.String("any"),
			},
			DynamicProfileAccesses: pulumi.StringArray{},
			EmailCollect:           pulumi.String("disable"),
			GeoipAnycast:           pulumi.String("disable"),
			GeoipMatch:             pulumi.String("physical-location"),
			InternetService:        pulumi.String("disable"),
			InternetServiceSrc:     pulumi.String("disable"),
			Logtraffic:             pulumi.String("all"),
			LogtrafficStart:        pulumi.String("disable"),
			MatchVip:               pulumi.String("disable"),
			MatchVipOnly:           pulumi.String("disable"),
			Natips: pulumi.StringArray{
				pulumi.String("0.0.0.0"),
				pulumi.String("0.0.0.0"),
			},
			NpAcceleration:      pulumi.String("enable"),
			PermitAnyHost:       pulumi.String("disable"),
			Pkg:                 pulumi.String("default"),
			Policyid:            pulumi.Float64(1074741825),
			ProfileType:         pulumi.String("single"),
			RadiusMacAuthBypass: pulumi.String("disable"),
			ReputationMinimum:   pulumi.Float64(0),
			RtpNat:              pulumi.String("disable"),
			Schedule:            pulumi.String("galways"),
			ScheduleTimeout:     pulumi.String("disable"),
			SendDenyPacket:      pulumi.String("disable"),
			Services: pulumi.StringArray{
				pulumi.String("gALL"),
			},
			ServiceNegate: pulumi.String("disable"),
			SessionTtl:    pulumi.String("0"),
			Srcaddrs: pulumi.StringArray{
				pulumi.String("gall"),
			},
			SrcaddrNegate: pulumi.String("disable"),
			Srcintfs: pulumi.StringArray{
				pulumi.String("any"),
			},
			Status:               pulumi.String("enable"),
			TcpMssReceiver:       pulumi.Float64(0),
			TcpMssSender:         pulumi.Float64(0),
			TcpSessionWithoutSyn: pulumi.String("disable"),
			Tos:                  pulumi.String("0x00"),
			TosMask:              pulumi.String("0x00"),
			TosNegate:            pulumi.String("disable"),
			VlanCosFwd:           pulumi.Float64(255),
			VlanCosRev:           pulumi.Float64(255),
			Wccp:                 pulumi.String("disable"),
		}

		// The resource handle is not used afterwards; only the error is
		// propagated so that Pulumi fails the deployment on a bad input.
		_, err := fortimanager.NewPackagesGlobalHeaderPolicy(ctx, "labelname", policyArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortimanager = Pulumi.Fortimanager;
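// Registers one global header policy in the "default" policy package.
// As written, the rule is enabled and denies every address ("gall"), every
// service ("gALL") and any interface on the "galways" schedule, logging all
// matched traffic.
// NOTE(review): the g-prefixed object names look like FortiManager global
// objects; confirm they exist before applying.
// NOTE(review): a header rule is presumably evaluated ahead of the ADOM-local
// rules of every package this global package is assigned to, so a match-all
// deny would pre-empt them. Narrow source, destination and service before
// using this outside a lab.
return await Deployment.RunAsync(() =>
{
    var labelname = new Fortimanager.PackagesGlobalHeaderPolicy("labelname", new()
    {
        Action = "deny",
        AntiReplay = "enable",
        // An empty implicitly-typed array (new[] {}) has no element type to
        // infer and does not compile; the other listings on this page show
        // this input as a list of strings, so the type is spelled out.
        ApplicationCharts = new string[] {},
        BlockNotification = "disable",
        CaptivePortalExempt = "disable",
        CgnResourceQuota = 0,
        CgnSessionQuota = 0,
        DelayTcpNpuSession = "disable",
        DiffservForward = "disable",
        DiffservReverse = "disable",
        Dsri = "disable",
        Dstaddrs = new[]
        {
            "gall",
        },
        DstaddrNegate = "disable",
        Dstintfs = new[]
        {
            "any",
        },
        // Same fix as ApplicationCharts: explicit element type for an empty list.
        DynamicProfileAccesses = new string[] {},
        EmailCollect = "disable",
        GeoipAnycast = "disable",
        GeoipMatch = "physical-location",
        InternetService = "disable",
        InternetServiceSrc = "disable",
        Logtraffic = "all",
        LogtrafficStart = "disable",
        MatchVip = "disable",
        MatchVipOnly = "disable",
        Natips = new[]
        {
            "0.0.0.0",
            "0.0.0.0",
        },
        NpAcceleration = "enable",
        PermitAnyHost = "disable",
        Pkg = "default",
        Policyid = 1074741825,
        ProfileType = "single",
        RadiusMacAuthBypass = "disable",
        ReputationMinimum = 0,
        RtpNat = "disable",
        Schedule = "galways",
        ScheduleTimeout = "disable",
        SendDenyPacket = "disable",
        Services = new[]
        {
            "gALL",
        },
        ServiceNegate = "disable",
        SessionTtl = "0",
        Srcaddrs = new[]
        {
            "gall",
        },
        SrcaddrNegate = "disable",
        Srcintfs = new[]
        {
            "any",
        },
        Status = "enable",
        TcpMssReceiver = 0,
        TcpMssSender = 0,
        TcpSessionWithoutSyn = "disable",
        Tos = "0x00",
        TosMask = "0x00",
        TosNegate = "disable",
        VlanCosFwd = 255,
        VlanCosRev = 255,
        Wccp = "disable",
    });
});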
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortimanager.PackagesGlobalHeaderPolicy;
import com.pulumi.fortimanager.PackagesGlobalHeaderPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that registers one global header policy in the "default"
 * policy package.
 *
 * <p>As written, the rule is enabled and denies every address ("gall"), every
 * service ("gALL") and any interface on the "galways" schedule, logging all
 * matched traffic.
 *
 * <p>NOTE(review): the g-prefixed object names look like FortiManager global
 * objects; confirm they exist before applying.
 *
 * <p>NOTE(review): a header rule is presumably evaluated ahead of the
 * ADOM-local rules of every package this global package is assigned to, so a
 * match-all deny would pre-empt them. Narrow source, destination and service
 * before using this outside a lab.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the resources of this stack.
     *
     * @param ctx deployment context supplied by Pulumi (not read here)
     */
    public static void stack(Context ctx) {
        // NOTE(review): the Python and Go listings on this page type the
        // numeric inputs as floats; if the builder setters take Double, the
        // integer literals below would need a floating-point form. Confirm
        // against the generated SDK.
        var policyArgs = PackagesGlobalHeaderPolicyArgs.builder()
            .action("deny")
            .antiReplay("enable")
            .applicationCharts()
            .blockNotification("disable")
            .captivePortalExempt("disable")
            .cgnResourceQuota(0)
            .cgnSessionQuota(0)
            .delayTcpNpuSession("disable")
            .diffservForward("disable")
            .diffservReverse("disable")
            .dsri("disable")
            .dstaddrs("gall")
            .dstaddrNegate("disable")
            .dstintfs("any")
            .dynamicProfileAccesses()
            .emailCollect("disable")
            .geoipAnycast("disable")
            .geoipMatch("physical-location")
            .internetService("disable")
            .internetServiceSrc("disable")
            .logtraffic("all")
            .logtrafficStart("disable")
            .matchVip("disable")
            .matchVipOnly("disable")
            .natips(
                "0.0.0.0",
                "0.0.0.0")
            .npAcceleration("enable")
            .permitAnyHost("disable")
            .pkg("default")
            .policyid(1074741825)
            .profileType("single")
            .radiusMacAuthBypass("disable")
            .reputationMinimum(0)
            .rtpNat("disable")
            .schedule("galways")
            .scheduleTimeout("disable")
            .sendDenyPacket("disable")
            .services("gALL")
            .serviceNegate("disable")
            .sessionTtl("0")
            .srcaddrs("gall")
            .srcaddrNegate("disable")
            .srcintfs("any")
            .status("enable")
            .tcpMssReceiver(0)
            .tcpMssSender(0)
            .tcpSessionWithoutSyn("disable")
            .tos("0x00")
            .tosMask("0x00")
            .tosNegate("disable")
            .vlanCosFwd(255)
            .vlanCosRev(255)
            .wccp("disable")
            .build();

        // Register the policy under the Pulumi resource name "labelname".
        var labelname = new PackagesGlobalHeaderPolicy("labelname", policyArgs);
    }
}
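# One global header policy in the "default" policy package.
# As written, the rule is enabled and denies every address ("gall"), every
# service ("gALL") and any interface on the "galways" schedule, logging all
# matched traffic.
# NOTE(review): the g-prefixed object names look like FortiManager global
# objects; confirm they exist before applying.
# NOTE(review): a header rule is presumably evaluated ahead of the ADOM-local
# rules of every package this global package is assigned to, so a match-all
# deny would pre-empt them. Narrow source, destination and service before
# using this outside a lab.
resources:
  labelname:
    type: fortimanager:PackagesGlobalHeaderPolicy
    properties:
      action: deny
      antiReplay: enable
      applicationCharts: []
      blockNotification: disable
      captivePortalExempt: disable
      cgnResourceQuota: 0
      cgnSessionQuota: 0
      delayTcpNpuSession: disable
      diffservForward: disable
      diffservReverse: disable
      dsri: disable
      dstaddrs:
        - gall
      dstaddrNegate: disable
      dstintfs:
        - any
      dynamicProfileAccesses: []
      emailCollect: disable
      geoipAnycast: disable
      geoipMatch: physical-location
      internetService: disable
      internetServiceSrc: disable
      logtraffic: all
      logtrafficStart: disable
      matchVip: disable
      matchVipOnly: disable
      natips:
        - 0.0.0.0
        - 0.0.0.0
      npAcceleration: enable
      permitAnyHost: disable
      pkg: default
      # Same value as 1.074741825e+09, written out in full so the policy ID
      # can be read and compared without converting the exponent.
      policyid: 1074741825
      profileType: single
      radiusMacAuthBypass: disable
      reputationMinimum: 0
      rtpNat: disable
      schedule: galways
      scheduleTimeout: disable
      sendDenyPacket: disable
      services:
        - gALL
      serviceNegate: disable
      sessionTtl: '0'
      srcaddrs:
        - gall
      srcaddrNegate: disable
      srcintfs:
        - any
      status: enable
      tcpMssReceiver: 0
      tcpMssSender: 0
      tcpSessionWithoutSyn: disable
      # Quoted: an unquoted 0x00 is read by YAML as the integer 0, whereas the
      # other listings on this page pass the string "0x00" for tos and tosMask.
      tos: '0x00'
      tosMask: '0x00'
      tosNegate: disable
      vlanCosFwd: 255
      vlanCosRev: 255
      wccp: disable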
Create PackagesGlobalHeaderPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PackagesGlobalHeaderPolicy(name: string, args: PackagesGlobalHeaderPolicyArgs, opts?: CustomResourceOptions);
@overload
def PackagesGlobalHeaderPolicy(resource_name: str,
args: PackagesGlobalHeaderPolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def PackagesGlobalHeaderPolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
pkg: Optional[str] = None,
_policy_block: Optional[float] = None,
access_proxies: Optional[Sequence[str]] = None,
action: Optional[str] = None,
active_auth_method: Optional[str] = None,
anti_replay: Optional[str] = None,
app_category: Optional[str] = None,
app_group: Optional[str] = None,
application_charts: Optional[Sequence[str]] = None,
application_list: Optional[str] = None,
applications: Optional[Sequence[float]] = None,
auth_cert: Optional[str] = None,
auth_method: Optional[str] = None,
auth_path: Optional[str] = None,
auth_portal: Optional[str] = None,
auth_redirect_addr: Optional[str] = None,
auto_asic_offload: Optional[str] = None,
av_profile: Optional[str] = None,
bandwidth: Optional[str] = None,
best_route: Optional[str] = None,
block_notification: Optional[str] = None,
captive_portal_exempt: Optional[str] = None,
capture_packet: Optional[str] = None,
casb_profile: Optional[str] = None,
casi_profile: Optional[str] = None,
central_nat: Optional[str] = None,
cgn_eif: Optional[str] = None,
cgn_eim: Optional[str] = None,
cgn_log_server_grp: Optional[str] = None,
cgn_resource_quota: Optional[float] = None,
cgn_session_quota: Optional[float] = None,
cgn_sw_eif_ctrl: Optional[str] = None,
cifs_profile: Optional[str] = None,
client_reputation: Optional[str] = None,
client_reputation_mode: Optional[str] = None,
comments: Optional[str] = None,
custom_log_fields: Optional[Sequence[str]] = None,
decrypted_traffic_mirror: Optional[str] = None,
deep_inspection_options: Optional[str] = None,
delay_tcp_npu_session: Optional[str] = None,
delay_tcp_npu_sessoin: Optional[str] = None,
detect_https_in_http_request: Optional[str] = None,
device_detection_portal: Optional[str] = None,
device_ownership: Optional[str] = None,
devices: Optional[str] = None,
diameter_filter_profile: Optional[str] = None,
diffserv_copy: Optional[str] = None,
diffserv_forward: Optional[str] = None,
diffserv_reverse: Optional[str] = None,
diffservcode_forward: Optional[str] = None,
diffservcode_rev: Optional[str] = None,
disclaimer: Optional[str] = None,
dlp_profiles: Optional[Sequence[str]] = None,
dlp_sensor: Optional[str] = None,
dnsfilter_profile: Optional[str] = None,
dponly: Optional[str] = None,
dscp_match: Optional[str] = None,
dscp_negate: Optional[str] = None,
dscp_value: Optional[str] = None,
dsri: Optional[str] = None,
dstaddr6_negate: Optional[str] = None,
dstaddr6s: Optional[Sequence[str]] = None,
dstaddr_negate: Optional[str] = None,
dstaddrs: Optional[Sequence[str]] = None,
dstintfs: Optional[Sequence[str]] = None,
dynamic_bypass: Optional[str] = None,
dynamic_profile: Optional[str] = None,
dynamic_profile_accesses: Optional[Sequence[str]] = None,
dynamic_profile_fallthrough: Optional[str] = None,
dynamic_profile_group: Optional[str] = None,
dynamic_shaping: Optional[str] = None,
eif_check: Optional[str] = None,
eif_learn: Optional[str] = None,
email_collect: Optional[str] = None,
email_collection_portal: Optional[str] = None,
emailfilter_profile: Optional[str] = None,
endpoint_check: Optional[str] = None,
endpoint_compliance: Optional[str] = None,
endpoint_keepalive_interface: Optional[str] = None,
endpoint_profile: Optional[str] = None,
extended_log: Optional[str] = None,
failed_connection: Optional[str] = None,
fall_through_unauthenticated: Optional[str] = None,
fec: Optional[str] = None,
file_filter_profile: Optional[str] = None,
firewall_session_dirty: Optional[str] = None,
fixedport: Optional[str] = None,
force_proxy: Optional[str] = None,
forticlient_compliance_devices: Optional[Sequence[str]] = None,
forticlient_compliance_enforcement_portal: Optional[str] = None,
fsae: Optional[str] = None,
fsae_server_for_ntlm: Optional[str] = None,
fsso: Optional[str] = None,
fsso_agent_for_ntlm: Optional[str] = None,
fsso_groups: Optional[Sequence[str]] = None,
geo_location: Optional[str] = None,
geoip_anycast: Optional[str] = None,
geoip_match: Optional[str] = None,
global_label: Optional[str] = None,
groups: Optional[Sequence[str]] = None,
gtp_profile: Optional[str] = None,
http_policy_redirect: Optional[str] = None,
http_tunnel_auth: Optional[str] = None,
ia_profiles: Optional[Sequence[str]] = None,
icap_profile: Optional[str] = None,
identity_based: Optional[str] = None,
identity_based_route: Optional[str] = None,
identity_from: Optional[str] = None,
implicit_proxy_detection: Optional[str] = None,
inbound: Optional[str] = None,
inspection_mode: Optional[str] = None,
internet_service: Optional[str] = None,
internet_service6: Optional[str] = None,
internet_service6_custom_groups: Optional[Sequence[str]] = None,
internet_service6_customs: Optional[Sequence[str]] = None,
internet_service6_groups: Optional[Sequence[str]] = None,
internet_service6_names: Optional[Sequence[str]] = None,
internet_service6_negate: Optional[str] = None,
internet_service6_src: Optional[str] = None,
internet_service6_src_custom_groups: Optional[Sequence[str]] = None,
internet_service6_src_customs: Optional[Sequence[str]] = None,
internet_service6_src_groups: Optional[Sequence[str]] = None,
internet_service6_src_names: Optional[Sequence[str]] = None,
internet_service6_src_negate: Optional[str] = None,
internet_service_custom: Optional[str] = None,
internet_service_custom_group: Optional[str] = None,
internet_service_group: Optional[str] = None,
internet_service_id: Optional[str] = None,
internet_service_name: Optional[str] = None,
internet_service_negate: Optional[str] = None,
internet_service_src: Optional[str] = None,
internet_service_src_custom: Optional[str] = None,
internet_service_src_custom_group: Optional[str] = None,
internet_service_src_group: Optional[str] = None,
internet_service_src_id: Optional[str] = None,
internet_service_src_name: Optional[str] = None,
internet_service_src_negate: Optional[str] = None,
ip_based: Optional[str] = None,
ip_version_type: Optional[str] = None,
ippool: Optional[str] = None,
ips_sensor: Optional[str] = None,
ips_voip_filter: Optional[str] = None,
isolator_profiles: Optional[Sequence[str]] = None,
isolator_servers: Optional[Sequence[str]] = None,
label: Optional[str] = None,
learning_mode: Optional[str] = None,
log_http_transaction: Optional[str] = None,
log_unmatched_traffic: Optional[str] = None,
logtraffic: Optional[str] = None,
logtraffic_app: Optional[str] = None,
logtraffic_start: Optional[str] = None,
match_vip: Optional[str] = None,
match_vip_only: Optional[str] = None,
max_session_per_user: Optional[float] = None,
mms_profile: Optional[str] = None,
name: Optional[str] = None,
nat: Optional[str] = None,
nat46: Optional[str] = None,
nat64: Optional[str] = None,
natinbound: Optional[str] = None,
natips: Optional[Sequence[str]] = None,
natoutbound: Optional[str] = None,
network_service_dynamics: Optional[Sequence[str]] = None,
network_service_src_dynamics: Optional[Sequence[str]] = None,
np_acceleration: Optional[str] = None,
ntlm: Optional[str] = None,
ntlm_enabled_browsers: Optional[Sequence[str]] = None,
ntlm_guest: Optional[str] = None,
outbound: Optional[str] = None,
packages_global_header_policy_id: Optional[str] = None,
pass_through: Optional[str] = None,
passive_wan_health_measurement: Optional[str] = None,
pcp_inbound: Optional[str] = None,
pcp_outbound: Optional[str] = None,
pcp_poolnames: Optional[Sequence[str]] = None,
per_ip_shaper: Optional[str] = None,
permit_any_host: Optional[str] = None,
permit_stun_host: Optional[str] = None,
pfcp_profile: Optional[str] = None,
pkg_folder_path: Optional[str] = None,
policy_behaviour_type: Optional[str] = None,
policy_expiry: Optional[str] = None,
policy_expiry_date: Optional[str] = None,
policy_expiry_date_utc: Optional[str] = None,
policy_offload: Optional[str] = None,
policyid: Optional[float] = None,
poolname: Optional[str] = None,
poolname6: Optional[str] = None,
port_preserve: Optional[str] = None,
profile_group: Optional[str] = None,
profile_protocol_options: Optional[str] = None,
profile_type: Optional[str] = None,
radius_ip_auth_bypass: Optional[str] = None,
radius_mac_auth_bypass: Optional[str] = None,
redirect_profiles: Optional[Sequence[str]] = None,
redirect_url: Optional[str] = None,
replacemsg_group: Optional[str] = None,
replacemsg_override_group: Optional[str] = None,
reputation_direction: Optional[str] = None,
reputation_direction6: Optional[str] = None,
reputation_minimum: Optional[float] = None,
reputation_minimum6: Optional[float] = None,
require_tfa: Optional[str] = None,
reverse_cache: Optional[str] = None,
rsso: Optional[str] = None,
rtp_addr: Optional[str] = None,
rtp_nat: Optional[str] = None,
scan_botnet_connections: Optional[str] = None,
schedule: Optional[str] = None,
schedule_timeout: Optional[str] = None,
sctp_filter_profile: Optional[str] = None,
send_deny_packet: Optional[str] = None,
service_negate: Optional[str] = None,
services: Optional[Sequence[str]] = None,
session_ttl: Optional[str] = None,
sessions: Optional[str] = None,
sgt_check: Optional[str] = None,
sgts: Optional[Sequence[float]] = None,
spamfilter_profile: Optional[str] = None,
src_vendor_macs: Optional[Sequence[str]] = None,
srcaddr6_negate: Optional[str] = None,
srcaddr6s: Optional[Sequence[str]] = None,
srcaddr_negate: Optional[str] = None,
srcaddrs: Optional[Sequence[str]] = None,
srcintfs: Optional[Sequence[str]] = None,
ssh_filter_profile: Optional[str] = None,
ssh_policy_check: Optional[str] = None,
ssh_policy_redirect: Optional[str] = None,
ssl_mirror: Optional[str] = None,
ssl_mirror_intf: Optional[str] = None,
ssl_ssh_profile: Optional[str] = None,
sslvpn_auth: Optional[str] = None,
sslvpn_ccert: Optional[str] = None,
sslvpn_cipher: Optional[str] = None,
sso_auth_method: Optional[str] = None,
status: Optional[str] = None,
tags: Optional[str] = None,
tcp_mss_receiver: Optional[float] = None,
tcp_mss_sender: Optional[float] = None,
tcp_reset: Optional[str] = None,
tcp_session_without_syn: Optional[str] = None,
tcp_timeout_pid: Optional[str] = None,
timeout_send_rst: Optional[str] = None,
tos: Optional[str] = None,
tos_mask: Optional[str] = None,
tos_negate: Optional[str] = None,
traffic_shaper: Optional[str] = None,
traffic_shaper_reverse: Optional[str] = None,
transaction_based: Optional[str] = None,
transparent: Optional[str] = None,
type: Optional[str] = None,
udp_timeout_pid: Optional[str] = None,
url_category: Optional[str] = None,
url_risks: Optional[Sequence[str]] = None,
users: Optional[Sequence[str]] = None,
utm_inspection_mode: Optional[str] = None,
utm_status: Optional[str] = None,
uuid: Optional[str] = None,
uuid_idx: Optional[float] = None,
vendor_mac: Optional[str] = None,
videofilter_profile: Optional[str] = None,
virtual_patch_profile: Optional[str] = None,
vlan_cos_fwd: Optional[float] = None,
vlan_cos_rev: Optional[float] = None,
vlan_filter: Optional[str] = None,
voip_profile: Optional[str] = None,
vpntunnel: Optional[str] = None,
waf_profile: Optional[str] = None,
wanopt: Optional[str] = None,
wanopt_detection: Optional[str] = None,
wanopt_passive_opt: Optional[str] = None,
wanopt_peer: Optional[str] = None,
wanopt_profile: Optional[str] = None,
wccp: Optional[str] = None,
web_auth_cookie: Optional[str] = None,
webcache: Optional[str] = None,
webcache_https: Optional[str] = None,
webfilter_profile: Optional[str] = None,
webproxy_forward_server: Optional[str] = None,
webproxy_profile: Optional[str] = None,
wsso: Optional[str] = None,
ztna_device_ownership: Optional[str] = None,
ztna_ems_tag_secondaries: Optional[Sequence[str]] = None,
ztna_ems_tags: Optional[Sequence[str]] = None,
ztna_geo_tags: Optional[Sequence[str]] = None,
ztna_policy_redirect: Optional[str] = None,
ztna_status: Optional[str] = None,
ztna_tags_match_logic: Optional[str] = None)
func NewPackagesGlobalHeaderPolicy(ctx *Context, name string, args PackagesGlobalHeaderPolicyArgs, opts ...ResourceOption) (*PackagesGlobalHeaderPolicy, error)
public PackagesGlobalHeaderPolicy(string name, PackagesGlobalHeaderPolicyArgs args, CustomResourceOptions? opts = null)
public PackagesGlobalHeaderPolicy(String name, PackagesGlobalHeaderPolicyArgs args)
public PackagesGlobalHeaderPolicy(String name, PackagesGlobalHeaderPolicyArgs args, CustomResourceOptions options)
type: fortimanager:PackagesGlobalHeaderPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PackagesGlobalHeaderPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PackagesGlobalHeaderPolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PackagesGlobalHeaderPolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PackagesGlobalHeaderPolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PackagesGlobalHeaderPolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var packagesGlobalHeaderPolicyResource = new Fortimanager.PackagesGlobalHeaderPolicy("packagesGlobalHeaderPolicyResource", new()
{
Pkg = "string",
_policyBlock = 0,
AccessProxies = new[]
{
"string",
},
Action = "string",
ActiveAuthMethod = "string",
AntiReplay = "string",
AppCategory = "string",
AppGroup = "string",
ApplicationCharts = new[]
{
"string",
},
ApplicationList = "string",
Applications = new[]
{
0,
},
AuthCert = "string",
AuthMethod = "string",
AuthPath = "string",
AuthPortal = "string",
AuthRedirectAddr = "string",
AutoAsicOffload = "string",
AvProfile = "string",
Bandwidth = "string",
BestRoute = "string",
BlockNotification = "string",
CaptivePortalExempt = "string",
CapturePacket = "string",
CasbProfile = "string",
CasiProfile = "string",
CentralNat = "string",
CgnEif = "string",
CgnEim = "string",
CgnLogServerGrp = "string",
CgnResourceQuota = 0,
CgnSessionQuota = 0,
CgnSwEifCtrl = "string",
CifsProfile = "string",
ClientReputation = "string",
ClientReputationMode = "string",
Comments = "string",
CustomLogFields = new[]
{
"string",
},
DecryptedTrafficMirror = "string",
DeepInspectionOptions = "string",
DelayTcpNpuSession = "string",
DelayTcpNpuSessoin = "string",
DetectHttpsInHttpRequest = "string",
DeviceDetectionPortal = "string",
DeviceOwnership = "string",
Devices = "string",
DiameterFilterProfile = "string",
DiffservCopy = "string",
DiffservForward = "string",
DiffservReverse = "string",
DiffservcodeForward = "string",
DiffservcodeRev = "string",
Disclaimer = "string",
DlpProfiles = new[]
{
"string",
},
DlpSensor = "string",
DnsfilterProfile = "string",
Dponly = "string",
DscpMatch = "string",
DscpNegate = "string",
DscpValue = "string",
Dsri = "string",
Dstaddr6Negate = "string",
Dstaddr6s = new[]
{
"string",
},
DstaddrNegate = "string",
Dstaddrs = new[]
{
"string",
},
Dstintfs = new[]
{
"string",
},
DynamicBypass = "string",
DynamicProfile = "string",
DynamicProfileAccesses = new[]
{
"string",
},
DynamicProfileFallthrough = "string",
DynamicProfileGroup = "string",
DynamicShaping = "string",
EifCheck = "string",
EifLearn = "string",
EmailCollect = "string",
EmailCollectionPortal = "string",
EmailfilterProfile = "string",
EndpointCheck = "string",
EndpointCompliance = "string",
EndpointKeepaliveInterface = "string",
EndpointProfile = "string",
ExtendedLog = "string",
FailedConnection = "string",
FallThroughUnauthenticated = "string",
Fec = "string",
FileFilterProfile = "string",
FirewallSessionDirty = "string",
Fixedport = "string",
ForceProxy = "string",
ForticlientComplianceDevices = new[]
{
"string",
},
ForticlientComplianceEnforcementPortal = "string",
Fsae = "string",
FsaeServerForNtlm = "string",
Fsso = "string",
FssoAgentForNtlm = "string",
FssoGroups = new[]
{
"string",
},
GeoLocation = "string",
GeoipAnycast = "string",
GeoipMatch = "string",
GlobalLabel = "string",
Groups = new[]
{
"string",
},
GtpProfile = "string",
HttpPolicyRedirect = "string",
HttpTunnelAuth = "string",
IaProfiles = new[]
{
"string",
},
IcapProfile = "string",
IdentityBased = "string",
IdentityBasedRoute = "string",
IdentityFrom = "string",
ImplicitProxyDetection = "string",
Inbound = "string",
InspectionMode = "string",
InternetService = "string",
InternetService6 = "string",
InternetService6CustomGroups = new[]
{
"string",
},
InternetService6Customs = new[]
{
"string",
},
InternetService6Groups = new[]
{
"string",
},
InternetService6Names = new[]
{
"string",
},
InternetService6Negate = "string",
InternetService6Src = "string",
InternetService6SrcCustomGroups = new[]
{
"string",
},
InternetService6SrcCustoms = new[]
{
"string",
},
InternetService6SrcGroups = new[]
{
"string",
},
InternetService6SrcNames = new[]
{
"string",
},
InternetService6SrcNegate = "string",
InternetServiceCustom = "string",
InternetServiceCustomGroup = "string",
InternetServiceGroup = "string",
InternetServiceId = "string",
InternetServiceName = "string",
InternetServiceNegate = "string",
InternetServiceSrc = "string",
InternetServiceSrcCustom = "string",
InternetServiceSrcCustomGroup = "string",
InternetServiceSrcGroup = "string",
InternetServiceSrcId = "string",
InternetServiceSrcName = "string",
InternetServiceSrcNegate = "string",
IpBased = "string",
IpVersionType = "string",
Ippool = "string",
IpsSensor = "string",
IpsVoipFilter = "string",
IsolatorProfiles = new[]
{
"string",
},
IsolatorServers = new[]
{
"string",
},
Label = "string",
LearningMode = "string",
LogHttpTransaction = "string",
LogUnmatchedTraffic = "string",
Logtraffic = "string",
LogtrafficApp = "string",
LogtrafficStart = "string",
MatchVip = "string",
MatchVipOnly = "string",
MaxSessionPerUser = 0,
MmsProfile = "string",
Name = "string",
Nat = "string",
Nat46 = "string",
Nat64 = "string",
Natinbound = "string",
Natips = new[]
{
"string",
},
Natoutbound = "string",
NetworkServiceDynamics = new[]
{
"string",
},
NetworkServiceSrcDynamics = new[]
{
"string",
},
NpAcceleration = "string",
Ntlm = "string",
NtlmEnabledBrowsers = new[]
{
"string",
},
NtlmGuest = "string",
Outbound = "string",
PackagesGlobalHeaderPolicyId = "string",
PassThrough = "string",
PassiveWanHealthMeasurement = "string",
PcpInbound = "string",
PcpOutbound = "string",
PcpPoolnames = new[]
{
"string",
},
PerIpShaper = "string",
PermitAnyHost = "string",
PermitStunHost = "string",
PfcpProfile = "string",
PkgFolderPath = "string",
PolicyBehaviourType = "string",
PolicyExpiry = "string",
PolicyExpiryDate = "string",
PolicyExpiryDateUtc = "string",
PolicyOffload = "string",
Policyid = 0,
Poolname = "string",
Poolname6 = "string",
PortPreserve = "string",
ProfileGroup = "string",
ProfileProtocolOptions = "string",
ProfileType = "string",
RadiusIpAuthBypass = "string",
RadiusMacAuthBypass = "string",
RedirectProfiles = new[]
{
"string",
},
RedirectUrl = "string",
ReplacemsgGroup = "string",
ReplacemsgOverrideGroup = "string",
ReputationDirection = "string",
ReputationDirection6 = "string",
ReputationMinimum = 0,
ReputationMinimum6 = 0,
RequireTfa = "string",
ReverseCache = "string",
Rsso = "string",
RtpAddr = "string",
RtpNat = "string",
ScanBotnetConnections = "string",
Schedule = "string",
ScheduleTimeout = "string",
SctpFilterProfile = "string",
SendDenyPacket = "string",
ServiceNegate = "string",
Services = new[]
{
"string",
},
SessionTtl = "string",
Sessions = "string",
SgtCheck = "string",
Sgts = new[]
{
0,
},
SpamfilterProfile = "string",
SrcVendorMacs = new[]
{
"string",
},
Srcaddr6Negate = "string",
Srcaddr6s = new[]
{
"string",
},
SrcaddrNegate = "string",
Srcaddrs = new[]
{
"string",
},
Srcintfs = new[]
{
"string",
},
SshFilterProfile = "string",
SshPolicyCheck = "string",
SshPolicyRedirect = "string",
SslMirror = "string",
SslMirrorIntf = "string",
SslSshProfile = "string",
SslvpnAuth = "string",
SslvpnCcert = "string",
SslvpnCipher = "string",
SsoAuthMethod = "string",
Status = "string",
Tags = "string",
TcpMssReceiver = 0,
TcpMssSender = 0,
TcpReset = "string",
TcpSessionWithoutSyn = "string",
TcpTimeoutPid = "string",
TimeoutSendRst = "string",
Tos = "string",
TosMask = "string",
TosNegate = "string",
TrafficShaper = "string",
TrafficShaperReverse = "string",
TransactionBased = "string",
Transparent = "string",
Type = "string",
UdpTimeoutPid = "string",
UrlCategory = "string",
UrlRisks = new[]
{
"string",
},
Users = new[]
{
"string",
},
UtmInspectionMode = "string",
UtmStatus = "string",
Uuid = "string",
UuidIdx = 0,
VendorMac = "string",
VideofilterProfile = "string",
VirtualPatchProfile = "string",
VlanCosFwd = 0,
VlanCosRev = 0,
VlanFilter = "string",
VoipProfile = "string",
Vpntunnel = "string",
WafProfile = "string",
Wanopt = "string",
WanoptDetection = "string",
WanoptPassiveOpt = "string",
WanoptPeer = "string",
WanoptProfile = "string",
Wccp = "string",
WebAuthCookie = "string",
Webcache = "string",
WebcacheHttps = "string",
WebfilterProfile = "string",
WebproxyForwardServer = "string",
WebproxyProfile = "string",
Wsso = "string",
ZtnaDeviceOwnership = "string",
ZtnaEmsTagSecondaries = new[]
{
"string",
},
ZtnaEmsTags = new[]
{
"string",
},
ZtnaGeoTags = new[]
{
"string",
},
ZtnaPolicyRedirect = "string",
ZtnaStatus = "string",
ZtnaTagsMatchLogic = "string",
});
// Constructor template for fortimanager.PackagesGlobalHeaderPolicy: every argument
// of PackagesGlobalHeaderPolicyArgs is listed once with a placeholder value
// ("string" or 0). The placeholders are not meaningful settings. The usage example
// on this page sets only a subset of these arguments; which ones are required is
// not shown in this listing.
// NOTE(review): Action, Srcaddrs, Dstaddrs, Services and Logtraffic presumably decide
// what the policy matches, what it does with the traffic and whether it is logged.
// Set them deliberately rather than copying template values; the usage example on
// this page uses action "deny" with logtraffic "all".
example, err := fortimanager.NewPackagesGlobalHeaderPolicy(ctx, "packagesGlobalHeaderPolicyResource", &fortimanager.PackagesGlobalHeaderPolicyArgs{
Pkg: pulumi.String("string"),
// NOTE(review): a Go identifier that starts with an underscore is unexported, so this
// key cannot be set from outside the fortimanager package as written; check the
// field name in the SDK's PackagesGlobalHeaderPolicyArgs.
_policyBlock: pulumi.Float64(0),
AccessProxies: pulumi.StringArray{
pulumi.String("string"),
},
Action: pulumi.String("string"),
ActiveAuthMethod: pulumi.String("string"),
AntiReplay: pulumi.String("string"),
AppCategory: pulumi.String("string"),
AppGroup: pulumi.String("string"),
ApplicationCharts: pulumi.StringArray{
pulumi.String("string"),
},
ApplicationList: pulumi.String("string"),
Applications: pulumi.Float64Array{
pulumi.Float64(0),
},
AuthCert: pulumi.String("string"),
AuthMethod: pulumi.String("string"),
AuthPath: pulumi.String("string"),
AuthPortal: pulumi.String("string"),
AuthRedirectAddr: pulumi.String("string"),
AutoAsicOffload: pulumi.String("string"),
AvProfile: pulumi.String("string"),
Bandwidth: pulumi.String("string"),
BestRoute: pulumi.String("string"),
BlockNotification: pulumi.String("string"),
CaptivePortalExempt: pulumi.String("string"),
CapturePacket: pulumi.String("string"),
CasbProfile: pulumi.String("string"),
CasiProfile: pulumi.String("string"),
CentralNat: pulumi.String("string"),
CgnEif: pulumi.String("string"),
CgnEim: pulumi.String("string"),
CgnLogServerGrp: pulumi.String("string"),
CgnResourceQuota: pulumi.Float64(0),
CgnSessionQuota: pulumi.Float64(0),
CgnSwEifCtrl: pulumi.String("string"),
CifsProfile: pulumi.String("string"),
ClientReputation: pulumi.String("string"),
ClientReputationMode: pulumi.String("string"),
Comments: pulumi.String("string"),
CustomLogFields: pulumi.StringArray{
pulumi.String("string"),
},
DecryptedTrafficMirror: pulumi.String("string"),
DeepInspectionOptions: pulumi.String("string"),
DelayTcpNpuSession: pulumi.String("string"),
// NOTE(review): "Sessoin" is listed as its own argument next to DelayTcpNpuSession.
// It looks like a misspelling carried over from the schema; keep the spelling as
// listed if you use it, and confirm which of the two you intend to set.
DelayTcpNpuSessoin: pulumi.String("string"),
DetectHttpsInHttpRequest: pulumi.String("string"),
DeviceDetectionPortal: pulumi.String("string"),
DeviceOwnership: pulumi.String("string"),
Devices: pulumi.String("string"),
DiameterFilterProfile: pulumi.String("string"),
DiffservCopy: pulumi.String("string"),
DiffservForward: pulumi.String("string"),
DiffservReverse: pulumi.String("string"),
DiffservcodeForward: pulumi.String("string"),
DiffservcodeRev: pulumi.String("string"),
Disclaimer: pulumi.String("string"),
DlpProfiles: pulumi.StringArray{
pulumi.String("string"),
},
DlpSensor: pulumi.String("string"),
DnsfilterProfile: pulumi.String("string"),
Dponly: pulumi.String("string"),
DscpMatch: pulumi.String("string"),
DscpNegate: pulumi.String("string"),
DscpValue: pulumi.String("string"),
Dsri: pulumi.String("string"),
Dstaddr6Negate: pulumi.String("string"),
Dstaddr6s: pulumi.StringArray{
pulumi.String("string"),
},
DstaddrNegate: pulumi.String("string"),
Dstaddrs: pulumi.StringArray{
pulumi.String("string"),
},
Dstintfs: pulumi.StringArray{
pulumi.String("string"),
},
DynamicBypass: pulumi.String("string"),
DynamicProfile: pulumi.String("string"),
DynamicProfileAccesses: pulumi.StringArray{
pulumi.String("string"),
},
DynamicProfileFallthrough: pulumi.String("string"),
DynamicProfileGroup: pulumi.String("string"),
DynamicShaping: pulumi.String("string"),
EifCheck: pulumi.String("string"),
EifLearn: pulumi.String("string"),
EmailCollect: pulumi.String("string"),
EmailCollectionPortal: pulumi.String("string"),
EmailfilterProfile: pulumi.String("string"),
EndpointCheck: pulumi.String("string"),
EndpointCompliance: pulumi.String("string"),
EndpointKeepaliveInterface: pulumi.String("string"),
EndpointProfile: pulumi.String("string"),
ExtendedLog: pulumi.String("string"),
FailedConnection: pulumi.String("string"),
FallThroughUnauthenticated: pulumi.String("string"),
Fec: pulumi.String("string"),
FileFilterProfile: pulumi.String("string"),
FirewallSessionDirty: pulumi.String("string"),
Fixedport: pulumi.String("string"),
ForceProxy: pulumi.String("string"),
ForticlientComplianceDevices: pulumi.StringArray{
pulumi.String("string"),
},
ForticlientComplianceEnforcementPortal: pulumi.String("string"),
Fsae: pulumi.String("string"),
FsaeServerForNtlm: pulumi.String("string"),
Fsso: pulumi.String("string"),
FssoAgentForNtlm: pulumi.String("string"),
FssoGroups: pulumi.StringArray{
pulumi.String("string"),
},
GeoLocation: pulumi.String("string"),
GeoipAnycast: pulumi.String("string"),
GeoipMatch: pulumi.String("string"),
GlobalLabel: pulumi.String("string"),
Groups: pulumi.StringArray{
pulumi.String("string"),
},
GtpProfile: pulumi.String("string"),
HttpPolicyRedirect: pulumi.String("string"),
HttpTunnelAuth: pulumi.String("string"),
IaProfiles: pulumi.StringArray{
pulumi.String("string"),
},
IcapProfile: pulumi.String("string"),
IdentityBased: pulumi.String("string"),
IdentityBasedRoute: pulumi.String("string"),
IdentityFrom: pulumi.String("string"),
ImplicitProxyDetection: pulumi.String("string"),
Inbound: pulumi.String("string"),
InspectionMode: pulumi.String("string"),
InternetService: pulumi.String("string"),
InternetService6: pulumi.String("string"),
InternetService6CustomGroups: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6Customs: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6Groups: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6Names: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6Negate: pulumi.String("string"),
InternetService6Src: pulumi.String("string"),
InternetService6SrcCustomGroups: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6SrcCustoms: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6SrcGroups: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6SrcNames: pulumi.StringArray{
pulumi.String("string"),
},
InternetService6SrcNegate: pulumi.String("string"),
InternetServiceCustom: pulumi.String("string"),
InternetServiceCustomGroup: pulumi.String("string"),
InternetServiceGroup: pulumi.String("string"),
InternetServiceId: pulumi.String("string"),
InternetServiceName: pulumi.String("string"),
InternetServiceNegate: pulumi.String("string"),
InternetServiceSrc: pulumi.String("string"),
InternetServiceSrcCustom: pulumi.String("string"),
InternetServiceSrcCustomGroup: pulumi.String("string"),
InternetServiceSrcGroup: pulumi.String("string"),
InternetServiceSrcId: pulumi.String("string"),
InternetServiceSrcName: pulumi.String("string"),
InternetServiceSrcNegate: pulumi.String("string"),
IpBased: pulumi.String("string"),
IpVersionType: pulumi.String("string"),
Ippool: pulumi.String("string"),
IpsSensor: pulumi.String("string"),
IpsVoipFilter: pulumi.String("string"),
IsolatorProfiles: pulumi.StringArray{
pulumi.String("string"),
},
IsolatorServers: pulumi.StringArray{
pulumi.String("string"),
},
Label: pulumi.String("string"),
LearningMode: pulumi.String("string"),
LogHttpTransaction: pulumi.String("string"),
LogUnmatchedTraffic: pulumi.String("string"),
Logtraffic: pulumi.String("string"),
LogtrafficApp: pulumi.String("string"),
LogtrafficStart: pulumi.String("string"),
MatchVip: pulumi.String("string"),
MatchVipOnly: pulumi.String("string"),
MaxSessionPerUser: pulumi.Float64(0),
MmsProfile: pulumi.String("string"),
Name: pulumi.String("string"),
Nat: pulumi.String("string"),
Nat46: pulumi.String("string"),
Nat64: pulumi.String("string"),
Natinbound: pulumi.String("string"),
Natips: pulumi.StringArray{
pulumi.String("string"),
},
Natoutbound: pulumi.String("string"),
NetworkServiceDynamics: pulumi.StringArray{
pulumi.String("string"),
},
NetworkServiceSrcDynamics: pulumi.StringArray{
pulumi.String("string"),
},
NpAcceleration: pulumi.String("string"),
Ntlm: pulumi.String("string"),
NtlmEnabledBrowsers: pulumi.StringArray{
pulumi.String("string"),
},
NtlmGuest: pulumi.String("string"),
Outbound: pulumi.String("string"),
PackagesGlobalHeaderPolicyId: pulumi.String("string"),
PassThrough: pulumi.String("string"),
PassiveWanHealthMeasurement: pulumi.String("string"),
PcpInbound: pulumi.String("string"),
PcpOutbound: pulumi.String("string"),
PcpPoolnames: pulumi.StringArray{
pulumi.String("string"),
},
PerIpShaper: pulumi.String("string"),
PermitAnyHost: pulumi.String("string"),
PermitStunHost: pulumi.String("string"),
PfcpProfile: pulumi.String("string"),
PkgFolderPath: pulumi.String("string"),
PolicyBehaviourType: pulumi.String("string"),
PolicyExpiry: pulumi.String("string"),
PolicyExpiryDate: pulumi.String("string"),
PolicyExpiryDateUtc: pulumi.String("string"),
PolicyOffload: pulumi.String("string"),
Policyid: pulumi.Float64(0),
Poolname: pulumi.String("string"),
Poolname6: pulumi.String("string"),
PortPreserve: pulumi.String("string"),
ProfileGroup: pulumi.String("string"),
ProfileProtocolOptions: pulumi.String("string"),
ProfileType: pulumi.String("string"),
RadiusIpAuthBypass: pulumi.String("string"),
RadiusMacAuthBypass: pulumi.String("string"),
RedirectProfiles: pulumi.StringArray{
pulumi.String("string"),
},
RedirectUrl: pulumi.String("string"),
ReplacemsgGroup: pulumi.String("string"),
ReplacemsgOverrideGroup: pulumi.String("string"),
ReputationDirection: pulumi.String("string"),
ReputationDirection6: pulumi.String("string"),
ReputationMinimum: pulumi.Float64(0),
ReputationMinimum6: pulumi.Float64(0),
RequireTfa: pulumi.String("string"),
ReverseCache: pulumi.String("string"),
Rsso: pulumi.String("string"),
RtpAddr: pulumi.String("string"),
RtpNat: pulumi.String("string"),
ScanBotnetConnections: pulumi.String("string"),
Schedule: pulumi.String("string"),
ScheduleTimeout: pulumi.String("string"),
SctpFilterProfile: pulumi.String("string"),
SendDenyPacket: pulumi.String("string"),
ServiceNegate: pulumi.String("string"),
Services: pulumi.StringArray{
pulumi.String("string"),
},
SessionTtl: pulumi.String("string"),
Sessions: pulumi.String("string"),
SgtCheck: pulumi.String("string"),
Sgts: pulumi.Float64Array{
pulumi.Float64(0),
},
SpamfilterProfile: pulumi.String("string"),
SrcVendorMacs: pulumi.StringArray{
pulumi.String("string"),
},
Srcaddr6Negate: pulumi.String("string"),
Srcaddr6s: pulumi.StringArray{
pulumi.String("string"),
},
SrcaddrNegate: pulumi.String("string"),
Srcaddrs: pulumi.StringArray{
pulumi.String("string"),
},
Srcintfs: pulumi.StringArray{
pulumi.String("string"),
},
SshFilterProfile: pulumi.String("string"),
SshPolicyCheck: pulumi.String("string"),
SshPolicyRedirect: pulumi.String("string"),
SslMirror: pulumi.String("string"),
SslMirrorIntf: pulumi.String("string"),
SslSshProfile: pulumi.String("string"),
SslvpnAuth: pulumi.String("string"),
SslvpnCcert: pulumi.String("string"),
SslvpnCipher: pulumi.String("string"),
SsoAuthMethod: pulumi.String("string"),
Status: pulumi.String("string"),
Tags: pulumi.String("string"),
TcpMssReceiver: pulumi.Float64(0),
TcpMssSender: pulumi.Float64(0),
TcpReset: pulumi.String("string"),
TcpSessionWithoutSyn: pulumi.String("string"),
TcpTimeoutPid: pulumi.String("string"),
TimeoutSendRst: pulumi.String("string"),
Tos: pulumi.String("string"),
TosMask: pulumi.String("string"),
TosNegate: pulumi.String("string"),
TrafficShaper: pulumi.String("string"),
TrafficShaperReverse: pulumi.String("string"),
TransactionBased: pulumi.String("string"),
Transparent: pulumi.String("string"),
Type: pulumi.String("string"),
UdpTimeoutPid: pulumi.String("string"),
UrlCategory: pulumi.String("string"),
UrlRisks: pulumi.StringArray{
pulumi.String("string"),
},
Users: pulumi.StringArray{
pulumi.String("string"),
},
UtmInspectionMode: pulumi.String("string"),
UtmStatus: pulumi.String("string"),
Uuid: pulumi.String("string"),
UuidIdx: pulumi.Float64(0),
VendorMac: pulumi.String("string"),
VideofilterProfile: pulumi.String("string"),
VirtualPatchProfile: pulumi.String("string"),
VlanCosFwd: pulumi.Float64(0),
VlanCosRev: pulumi.Float64(0),
VlanFilter: pulumi.String("string"),
VoipProfile: pulumi.String("string"),
Vpntunnel: pulumi.String("string"),
WafProfile: pulumi.String("string"),
Wanopt: pulumi.String("string"),
WanoptDetection: pulumi.String("string"),
WanoptPassiveOpt: pulumi.String("string"),
WanoptPeer: pulumi.String("string"),
WanoptProfile: pulumi.String("string"),
Wccp: pulumi.String("string"),
WebAuthCookie: pulumi.String("string"),
Webcache: pulumi.String("string"),
WebcacheHttps: pulumi.String("string"),
WebfilterProfile: pulumi.String("string"),
WebproxyForwardServer: pulumi.String("string"),
WebproxyProfile: pulumi.String("string"),
Wsso: pulumi.String("string"),
ZtnaDeviceOwnership: pulumi.String("string"),
ZtnaEmsTagSecondaries: pulumi.StringArray{
pulumi.String("string"),
},
ZtnaEmsTags: pulumi.StringArray{
pulumi.String("string"),
},
ZtnaGeoTags: pulumi.StringArray{
pulumi.String("string"),
},
ZtnaPolicyRedirect: pulumi.String("string"),
ZtnaStatus: pulumi.String("string"),
ZtnaTagsMatchLogic: pulumi.String("string"),
})
// The template assigns err but does not handle it; check err before using example.
// Constructor template for PackagesGlobalHeaderPolicy: every builder method of
// PackagesGlobalHeaderPolicyArgs is called once with a placeholder value
// ("string" or 0). The placeholders are not meaningful settings. The usage example
// on this page sets only a subset of these arguments; which ones are required is
// not shown in this listing.
// List-valued arguments (accessProxies, applications, dstaddrs, srcaddrs, ...) appear
// here with a single placeholder element; the other language listings on this page
// show them as arrays.
// NOTE(review): action, srcaddrs, dstaddrs, services and logtraffic presumably decide
// what the policy matches, what it does with the traffic and whether it is logged.
// Set them deliberately rather than copying template values; the usage example on
// this page uses action "deny" with logtraffic "all".
var packagesGlobalHeaderPolicyResource = new PackagesGlobalHeaderPolicy("packagesGlobalHeaderPolicyResource", PackagesGlobalHeaderPolicyArgs.builder()
.pkg("string")
._policyBlock(0)
.accessProxies("string")
.action("string")
.activeAuthMethod("string")
.antiReplay("string")
.appCategory("string")
.appGroup("string")
.applicationCharts("string")
.applicationList("string")
.applications(0)
.authCert("string")
.authMethod("string")
.authPath("string")
.authPortal("string")
.authRedirectAddr("string")
.autoAsicOffload("string")
.avProfile("string")
.bandwidth("string")
.bestRoute("string")
.blockNotification("string")
.captivePortalExempt("string")
.capturePacket("string")
.casbProfile("string")
.casiProfile("string")
.centralNat("string")
.cgnEif("string")
.cgnEim("string")
.cgnLogServerGrp("string")
.cgnResourceQuota(0)
.cgnSessionQuota(0)
.cgnSwEifCtrl("string")
.cifsProfile("string")
.clientReputation("string")
.clientReputationMode("string")
.comments("string")
.customLogFields("string")
.decryptedTrafficMirror("string")
.deepInspectionOptions("string")
.delayTcpNpuSession("string")
// NOTE(review): "Sessoin" is listed as its own argument next to delayTcpNpuSession.
// It looks like a misspelling carried over from the schema; keep the spelling as
// listed if you use it, and confirm which of the two you intend to set.
.delayTcpNpuSessoin("string")
.detectHttpsInHttpRequest("string")
.deviceDetectionPortal("string")
.deviceOwnership("string")
.devices("string")
.diameterFilterProfile("string")
.diffservCopy("string")
.diffservForward("string")
.diffservReverse("string")
.diffservcodeForward("string")
.diffservcodeRev("string")
.disclaimer("string")
.dlpProfiles("string")
.dlpSensor("string")
.dnsfilterProfile("string")
.dponly("string")
.dscpMatch("string")
.dscpNegate("string")
.dscpValue("string")
.dsri("string")
.dstaddr6Negate("string")
.dstaddr6s("string")
.dstaddrNegate("string")
.dstaddrs("string")
.dstintfs("string")
.dynamicBypass("string")
.dynamicProfile("string")
.dynamicProfileAccesses("string")
.dynamicProfileFallthrough("string")
.dynamicProfileGroup("string")
.dynamicShaping("string")
.eifCheck("string")
.eifLearn("string")
.emailCollect("string")
.emailCollectionPortal("string")
.emailfilterProfile("string")
.endpointCheck("string")
.endpointCompliance("string")
.endpointKeepaliveInterface("string")
.endpointProfile("string")
.extendedLog("string")
.failedConnection("string")
.fallThroughUnauthenticated("string")
.fec("string")
.fileFilterProfile("string")
.firewallSessionDirty("string")
.fixedport("string")
.forceProxy("string")
.forticlientComplianceDevices("string")
.forticlientComplianceEnforcementPortal("string")
.fsae("string")
.fsaeServerForNtlm("string")
.fsso("string")
.fssoAgentForNtlm("string")
.fssoGroups("string")
.geoLocation("string")
.geoipAnycast("string")
.geoipMatch("string")
.globalLabel("string")
.groups("string")
.gtpProfile("string")
.httpPolicyRedirect("string")
.httpTunnelAuth("string")
.iaProfiles("string")
.icapProfile("string")
.identityBased("string")
.identityBasedRoute("string")
.identityFrom("string")
.implicitProxyDetection("string")
.inbound("string")
.inspectionMode("string")
.internetService("string")
.internetService6("string")
.internetService6CustomGroups("string")
.internetService6Customs("string")
.internetService6Groups("string")
.internetService6Names("string")
.internetService6Negate("string")
.internetService6Src("string")
.internetService6SrcCustomGroups("string")
.internetService6SrcCustoms("string")
.internetService6SrcGroups("string")
.internetService6SrcNames("string")
.internetService6SrcNegate("string")
.internetServiceCustom("string")
.internetServiceCustomGroup("string")
.internetServiceGroup("string")
.internetServiceId("string")
.internetServiceName("string")
.internetServiceNegate("string")
.internetServiceSrc("string")
.internetServiceSrcCustom("string")
.internetServiceSrcCustomGroup("string")
.internetServiceSrcGroup("string")
.internetServiceSrcId("string")
.internetServiceSrcName("string")
.internetServiceSrcNegate("string")
.ipBased("string")
.ipVersionType("string")
.ippool("string")
.ipsSensor("string")
.ipsVoipFilter("string")
.isolatorProfiles("string")
.isolatorServers("string")
.label("string")
.learningMode("string")
.logHttpTransaction("string")
.logUnmatchedTraffic("string")
.logtraffic("string")
.logtrafficApp("string")
.logtrafficStart("string")
.matchVip("string")
.matchVipOnly("string")
.maxSessionPerUser(0)
.mmsProfile("string")
.name("string")
.nat("string")
.nat46("string")
.nat64("string")
.natinbound("string")
.natips("string")
.natoutbound("string")
.networkServiceDynamics("string")
.networkServiceSrcDynamics("string")
.npAcceleration("string")
.ntlm("string")
.ntlmEnabledBrowsers("string")
.ntlmGuest("string")
.outbound("string")
.packagesGlobalHeaderPolicyId("string")
.passThrough("string")
.passiveWanHealthMeasurement("string")
.pcpInbound("string")
.pcpOutbound("string")
.pcpPoolnames("string")
.perIpShaper("string")
.permitAnyHost("string")
.permitStunHost("string")
.pfcpProfile("string")
.pkgFolderPath("string")
.policyBehaviourType("string")
.policyExpiry("string")
.policyExpiryDate("string")
.policyExpiryDateUtc("string")
.policyOffload("string")
.policyid(0)
.poolname("string")
.poolname6("string")
.portPreserve("string")
.profileGroup("string")
.profileProtocolOptions("string")
.profileType("string")
.radiusIpAuthBypass("string")
.radiusMacAuthBypass("string")
.redirectProfiles("string")
.redirectUrl("string")
.replacemsgGroup("string")
.replacemsgOverrideGroup("string")
.reputationDirection("string")
.reputationDirection6("string")
.reputationMinimum(0)
.reputationMinimum6(0)
.requireTfa("string")
.reverseCache("string")
.rsso("string")
.rtpAddr("string")
.rtpNat("string")
.scanBotnetConnections("string")
.schedule("string")
.scheduleTimeout("string")
.sctpFilterProfile("string")
.sendDenyPacket("string")
.serviceNegate("string")
.services("string")
.sessionTtl("string")
.sessions("string")
.sgtCheck("string")
.sgts(0)
.spamfilterProfile("string")
.srcVendorMacs("string")
.srcaddr6Negate("string")
.srcaddr6s("string")
.srcaddrNegate("string")
.srcaddrs("string")
.srcintfs("string")
.sshFilterProfile("string")
.sshPolicyCheck("string")
.sshPolicyRedirect("string")
.sslMirror("string")
.sslMirrorIntf("string")
.sslSshProfile("string")
.sslvpnAuth("string")
.sslvpnCcert("string")
.sslvpnCipher("string")
.ssoAuthMethod("string")
.status("string")
.tags("string")
.tcpMssReceiver(0)
.tcpMssSender(0)
.tcpReset("string")
.tcpSessionWithoutSyn("string")
.tcpTimeoutPid("string")
.timeoutSendRst("string")
.tos("string")
.tosMask("string")
.tosNegate("string")
.trafficShaper("string")
.trafficShaperReverse("string")
.transactionBased("string")
.transparent("string")
.type("string")
.udpTimeoutPid("string")
.urlCategory("string")
.urlRisks("string")
.users("string")
.utmInspectionMode("string")
.utmStatus("string")
.uuid("string")
.uuidIdx(0)
.vendorMac("string")
.videofilterProfile("string")
.virtualPatchProfile("string")
.vlanCosFwd(0)
.vlanCosRev(0)
.vlanFilter("string")
.voipProfile("string")
.vpntunnel("string")
.wafProfile("string")
.wanopt("string")
.wanoptDetection("string")
.wanoptPassiveOpt("string")
.wanoptPeer("string")
.wanoptProfile("string")
.wccp("string")
.webAuthCookie("string")
.webcache("string")
.webcacheHttps("string")
.webfilterProfile("string")
.webproxyForwardServer("string")
.webproxyProfile("string")
.wsso("string")
.ztnaDeviceOwnership("string")
.ztnaEmsTagSecondaries("string")
.ztnaEmsTags("string")
.ztnaGeoTags("string")
.ztnaPolicyRedirect("string")
.ztnaStatus("string")
.ztnaTagsMatchLogic("string")
.build());
# Constructor template for fortimanager.PackagesGlobalHeaderPolicy: every keyword
# argument is listed once with a placeholder value ("string", 0, or a one-element
# list). The placeholders are not meaningful settings. The usage example on this
# page sets only a subset of these arguments; which ones are required is not shown
# in this listing.
# NOTE(review): action, srcaddrs, dstaddrs, services and logtraffic presumably decide
# what the policy matches, what it does with the traffic and whether it is logged.
# Set them deliberately rather than copying template values; the usage example on
# this page uses action "deny" with logtraffic "all".
packages_global_header_policy_resource = fortimanager.PackagesGlobalHeaderPolicy("packagesGlobalHeaderPolicyResource",
pkg="string",
_policy_block=0,
access_proxies=["string"],
action="string",
active_auth_method="string",
anti_replay="string",
app_category="string",
app_group="string",
application_charts=["string"],
application_list="string",
applications=[0],
auth_cert="string",
auth_method="string",
auth_path="string",
auth_portal="string",
auth_redirect_addr="string",
auto_asic_offload="string",
av_profile="string",
bandwidth="string",
best_route="string",
block_notification="string",
captive_portal_exempt="string",
capture_packet="string",
casb_profile="string",
casi_profile="string",
central_nat="string",
cgn_eif="string",
cgn_eim="string",
cgn_log_server_grp="string",
cgn_resource_quota=0,
cgn_session_quota=0,
cgn_sw_eif_ctrl="string",
cifs_profile="string",
client_reputation="string",
client_reputation_mode="string",
comments="string",
custom_log_fields=["string"],
decrypted_traffic_mirror="string",
deep_inspection_options="string",
delay_tcp_npu_session="string",
# NOTE(review): "sessoin" is listed as its own argument next to delay_tcp_npu_session.
# It looks like a misspelling carried over from the schema; keep the spelling as
# listed if you use it, and confirm which of the two you intend to set.
delay_tcp_npu_sessoin="string",
detect_https_in_http_request="string",
device_detection_portal="string",
device_ownership="string",
devices="string",
diameter_filter_profile="string",
diffserv_copy="string",
diffserv_forward="string",
diffserv_reverse="string",
diffservcode_forward="string",
diffservcode_rev="string",
disclaimer="string",
dlp_profiles=["string"],
dlp_sensor="string",
dnsfilter_profile="string",
dponly="string",
dscp_match="string",
dscp_negate="string",
dscp_value="string",
dsri="string",
dstaddr6_negate="string",
dstaddr6s=["string"],
dstaddr_negate="string",
dstaddrs=["string"],
dstintfs=["string"],
dynamic_bypass="string",
dynamic_profile="string",
dynamic_profile_accesses=["string"],
dynamic_profile_fallthrough="string",
dynamic_profile_group="string",
dynamic_shaping="string",
eif_check="string",
eif_learn="string",
email_collect="string",
email_collection_portal="string",
emailfilter_profile="string",
endpoint_check="string",
endpoint_compliance="string",
endpoint_keepalive_interface="string",
endpoint_profile="string",
extended_log="string",
failed_connection="string",
fall_through_unauthenticated="string",
fec="string",
file_filter_profile="string",
firewall_session_dirty="string",
fixedport="string",
force_proxy="string",
forticlient_compliance_devices=["string"],
forticlient_compliance_enforcement_portal="string",
fsae="string",
fsae_server_for_ntlm="string",
fsso="string",
fsso_agent_for_ntlm="string",
fsso_groups=["string"],
geo_location="string",
geoip_anycast="string",
geoip_match="string",
global_label="string",
groups=["string"],
gtp_profile="string",
http_policy_redirect="string",
http_tunnel_auth="string",
ia_profiles=["string"],
icap_profile="string",
identity_based="string",
identity_based_route="string",
identity_from="string",
implicit_proxy_detection="string",
inbound="string",
inspection_mode="string",
internet_service="string",
internet_service6="string",
internet_service6_custom_groups=["string"],
internet_service6_customs=["string"],
internet_service6_groups=["string"],
internet_service6_names=["string"],
internet_service6_negate="string",
internet_service6_src="string",
internet_service6_src_custom_groups=["string"],
internet_service6_src_customs=["string"],
internet_service6_src_groups=["string"],
internet_service6_src_names=["string"],
internet_service6_src_negate="string",
internet_service_custom="string",
internet_service_custom_group="string",
internet_service_group="string",
internet_service_id="string",
internet_service_name="string",
internet_service_negate="string",
internet_service_src="string",
internet_service_src_custom="string",
internet_service_src_custom_group="string",
internet_service_src_group="string",
internet_service_src_id="string",
internet_service_src_name="string",
internet_service_src_negate="string",
ip_based="string",
ip_version_type="string",
ippool="string",
ips_sensor="string",
ips_voip_filter="string",
isolator_profiles=["string"],
isolator_servers=["string"],
label="string",
learning_mode="string",
log_http_transaction="string",
log_unmatched_traffic="string",
logtraffic="string",
logtraffic_app="string",
logtraffic_start="string",
match_vip="string",
match_vip_only="string",
max_session_per_user=0,
mms_profile="string",
name="string",
nat="string",
nat46="string",
nat64="string",
natinbound="string",
natips=["string"],
natoutbound="string",
network_service_dynamics=["string"],
network_service_src_dynamics=["string"],
np_acceleration="string",
ntlm="string",
ntlm_enabled_browsers=["string"],
ntlm_guest="string",
outbound="string",
packages_global_header_policy_id="string",
pass_through="string",
passive_wan_health_measurement="string",
pcp_inbound="string",
pcp_outbound="string",
pcp_poolnames=["string"],
per_ip_shaper="string",
permit_any_host="string",
permit_stun_host="string",
pfcp_profile="string",
pkg_folder_path="string",
policy_behaviour_type="string",
policy_expiry="string",
policy_expiry_date="string",
policy_expiry_date_utc="string",
policy_offload="string",
policyid=0,
poolname="string",
poolname6="string",
port_preserve="string",
profile_group="string",
profile_protocol_options="string",
profile_type="string",
radius_ip_auth_bypass="string",
radius_mac_auth_bypass="string",
redirect_profiles=["string"],
redirect_url="string",
replacemsg_group="string",
replacemsg_override_group="string",
reputation_direction="string",
reputation_direction6="string",
reputation_minimum=0,
reputation_minimum6=0,
require_tfa="string",
reverse_cache="string",
rsso="string",
rtp_addr="string",
rtp_nat="string",
scan_botnet_connections="string",
schedule="string",
schedule_timeout="string",
sctp_filter_profile="string",
send_deny_packet="string",
service_negate="string",
services=["string"],
session_ttl="string",
sessions="string",
sgt_check="string",
sgts=[0],
spamfilter_profile="string",
src_vendor_macs=["string"],
srcaddr6_negate="string",
srcaddr6s=["string"],
srcaddr_negate="string",
srcaddrs=["string"],
srcintfs=["string"],
ssh_filter_profile="string",
ssh_policy_check="string",
ssh_policy_redirect="string",
ssl_mirror="string",
ssl_mirror_intf="string",
ssl_ssh_profile="string",
sslvpn_auth="string",
sslvpn_ccert="string",
sslvpn_cipher="string",
sso_auth_method="string",
status="string",
tags="string",
tcp_mss_receiver=0,
tcp_mss_sender=0,
tcp_reset="string",
tcp_session_without_syn="string",
tcp_timeout_pid="string",
timeout_send_rst="string",
tos="string",
tos_mask="string",
tos_negate="string",
traffic_shaper="string",
traffic_shaper_reverse="string",
transaction_based="string",
transparent="string",
type="string",
udp_timeout_pid="string",
url_category="string",
url_risks=["string"],
users=["string"],
utm_inspection_mode="string",
utm_status="string",
uuid="string",
uuid_idx=0,
vendor_mac="string",
videofilter_profile="string",
virtual_patch_profile="string",
vlan_cos_fwd=0,
vlan_cos_rev=0,
vlan_filter="string",
voip_profile="string",
vpntunnel="string",
waf_profile="string",
wanopt="string",
wanopt_detection="string",
wanopt_passive_opt="string",
wanopt_peer="string",
wanopt_profile="string",
wccp="string",
web_auth_cookie="string",
webcache="string",
webcache_https="string",
webfilter_profile="string",
webproxy_forward_server="string",
webproxy_profile="string",
wsso="string",
ztna_device_ownership="string",
ztna_ems_tag_secondaries=["string"],
ztna_ems_tags=["string"],
ztna_geo_tags=["string"],
ztna_policy_redirect="string",
ztna_status="string",
ztna_tags_match_logic="string")
// Constructor skeleton for fortimanager.PackagesGlobalHeaderPolicy, listing the input
// properties by name. Every value is a type placeholder ("string", 0, ["string"]),
// not a usable setting: properties documented with "Valid values" under Inputs accept
// only those values. The page's usage example sets only a subset of these properties,
// so keep the ones you need and replace each placeholder with a reviewed value.
const packagesGlobalHeaderPolicyResource = new fortimanager.PackagesGlobalHeaderPolicy("packagesGlobalHeaderPolicyResource", {
// pkg: package the policy is written to (the usage example on this page uses "default").
pkg: "string",
_policyBlock: 0,
accessProxies: ["string"],
// action: deny, accept, ipsec or ssl-vpn. This is the field that decides what happens
// to matching traffic, so changes to it deserve the closest review.
action: "string",
activeAuthMethod: "string",
antiReplay: "string",
appCategory: "string",
appGroup: "string",
applicationCharts: ["string"],
applicationList: "string",
applications: [0],
authCert: "string",
authMethod: "string",
authPath: "string",
authPortal: "string",
authRedirectAddr: "string",
autoAsicOffload: "string",
avProfile: "string",
bandwidth: "string",
bestRoute: "string",
blockNotification: "string",
captivePortalExempt: "string",
// capturePacket: enable/disable packet capture for this policy.
// NOTE(review): captured packets presumably include payload data; confirm who can read them.
capturePacket: "string",
casbProfile: "string",
casiProfile: "string",
centralNat: "string",
cgnEif: "string",
cgnEim: "string",
cgnLogServerGrp: "string",
cgnResourceQuota: 0,
cgnSessionQuota: 0,
cgnSwEifCtrl: "string",
cifsProfile: "string",
clientReputation: "string",
clientReputationMode: "string",
comments: "string",
customLogFields: ["string"],
decryptedTrafficMirror: "string",
deepInspectionOptions: "string",
delayTcpNpuSession: "string",
// "Sessoin" is the spelling this page documents; it is a separate input from
// delayTcpNpuSession above, not a typo to correct in your own program.
delayTcpNpuSessoin: "string",
detectHttpsInHttpRequest: "string",
deviceDetectionPortal: "string",
deviceOwnership: "string",
devices: "string",
diameterFilterProfile: "string",
diffservCopy: "string",
diffservForward: "string",
diffservReverse: "string",
diffservcodeForward: "string",
diffservcodeRev: "string",
disclaimer: "string",
dlpProfiles: ["string"],
dlpSensor: "string",
dnsfilterProfile: "string",
dponly: "string",
dscpMatch: "string",
dscpNegate: "string",
dscpValue: "string",
dsri: "string",
dstaddr6Negate: "string",
dstaddr6s: ["string"],
// dstaddrNegate inverts the match: when enabled, dstaddr specifies what the
// destination address must NOT be.
dstaddrNegate: "string",
dstaddrs: ["string"],
dstintfs: ["string"],
dynamicBypass: "string",
dynamicProfile: "string",
dynamicProfileAccesses: ["string"],
dynamicProfileFallthrough: "string",
dynamicProfileGroup: "string",
dynamicShaping: "string",
eifCheck: "string",
eifLearn: "string",
emailCollect: "string",
emailCollectionPortal: "string",
emailfilterProfile: "string",
endpointCheck: "string",
endpointCompliance: "string",
endpointKeepaliveInterface: "string",
endpointProfile: "string",
extendedLog: "string",
failedConnection: "string",
fallThroughUnauthenticated: "string",
fec: "string",
fileFilterProfile: "string",
firewallSessionDirty: "string",
fixedport: "string",
forceProxy: "string",
forticlientComplianceDevices: ["string"],
forticlientComplianceEnforcementPortal: "string",
fsae: "string",
fsaeServerForNtlm: "string",
fsso: "string",
fssoAgentForNtlm: "string",
fssoGroups: ["string"],
geoLocation: "string",
geoipAnycast: "string",
geoipMatch: "string",
globalLabel: "string",
groups: ["string"],
gtpProfile: "string",
httpPolicyRedirect: "string",
httpTunnelAuth: "string",
iaProfiles: ["string"],
icapProfile: "string",
identityBased: "string",
identityBasedRoute: "string",
identityFrom: "string",
implicitProxyDetection: "string",
inbound: "string",
inspectionMode: "string",
// internetService: if enabled, destination address and service are not used.
internetService: "string",
internetService6: "string",
internetService6CustomGroups: ["string"],
internetService6Customs: ["string"],
internetService6Groups: ["string"],
internetService6Names: ["string"],
internetService6Negate: "string",
internetService6Src: "string",
internetService6SrcCustomGroups: ["string"],
internetService6SrcCustoms: ["string"],
internetService6SrcGroups: ["string"],
internetService6SrcNames: ["string"],
internetService6SrcNegate: "string",
internetServiceCustom: "string",
internetServiceCustomGroup: "string",
internetServiceGroup: "string",
internetServiceId: "string",
internetServiceName: "string",
internetServiceNegate: "string",
// internetServiceSrc: if enabled, source address is not used.
internetServiceSrc: "string",
internetServiceSrcCustom: "string",
internetServiceSrcCustomGroup: "string",
internetServiceSrcGroup: "string",
internetServiceSrcId: "string",
internetServiceSrcName: "string",
internetServiceSrcNegate: "string",
ipBased: "string",
ipVersionType: "string",
ippool: "string",
ipsSensor: "string",
ipsVoipFilter: "string",
isolatorProfiles: ["string"],
isolatorServers: ["string"],
label: "string",
learningMode: "string",
logHttpTransaction: "string",
logUnmatchedTraffic: "string",
// logtraffic: disable, enable, all or utm (log all sessions or security profile sessions).
logtraffic: "string",
logtrafficApp: "string",
// logtrafficStart: record logs when a session starts.
logtrafficStart: "string",
matchVip: "string",
matchVipOnly: "string",
maxSessionPerUser: 0,
mmsProfile: "string",
name: "string",
nat: "string",
nat46: "string",
nat64: "string",
natinbound: "string",
natips: ["string"],
natoutbound: "string",
networkServiceDynamics: ["string"],
networkServiceSrcDynamics: ["string"],
npAcceleration: "string",
ntlm: "string",
ntlmEnabledBrowsers: ["string"],
// ntlmGuest: enable/disable NTLM guest user access.
ntlmGuest: "string",
outbound: "string",
// Resource identifier, documented with format {{policyid}}.
packagesGlobalHeaderPolicyId: "string",
passThrough: "string",
passiveWanHealthMeasurement: "string",
pcpInbound: "string",
pcpOutbound: "string",
pcpPoolnames: ["string"],
perIpShaper: "string",
// permitAnyHost: when enabled, UDP packets are accepted from any host.
permitAnyHost: "string",
// permitStunHost: when enabled, UDP packets are accepted from any STUN host.
permitStunHost: "string",
pfcpProfile: "string",
pkgFolderPath: "string",
policyBehaviourType: "string",
policyExpiry: "string",
policyExpiryDate: "string",
policyExpiryDateUtc: "string",
policyOffload: "string",
// policyid: documented range 0 - 4294967294.
policyid: 0,
poolname: "string",
poolname6: "string",
portPreserve: "string",
profileGroup: "string",
profileProtocolOptions: "string",
profileType: "string",
// RADIUS IP / MAC authentication bypass: the bypassed address must be received
// from the RADIUS server.
radiusIpAuthBypass: "string",
radiusMacAuthBypass: "string",
redirectProfiles: ["string"],
redirectUrl: "string",
replacemsgGroup: "string",
replacemsgOverrideGroup: "string",
reputationDirection: "string",
reputationDirection6: "string",
reputationMinimum: 0,
reputationMinimum6: 0,
requireTfa: "string",
reverseCache: "string",
rsso: "string",
rtpAddr: "string",
rtpNat: "string",
scanBotnetConnections: "string",
schedule: "string",
scheduleTimeout: "string",
sctpFilterProfile: "string",
// sendDenyPacket: when enabled, a reply is sent when a session is denied or blocked.
sendDenyPacket: "string",
// serviceNegate inverts the match: when enabled, service specifies what the
// service must NOT be.
serviceNegate: "string",
services: ["string"],
// sessionTtl: seconds; 0 means use the system default session TTL.
sessionTtl: "string",
sessions: "string",
sgtCheck: "string",
sgts: [0],
spamfilterProfile: "string",
srcVendorMacs: ["string"],
srcaddr6Negate: "string",
srcaddr6s: ["string"],
// srcaddrNegate inverts the match: when enabled, srcaddr specifies what the
// source address must NOT be.
srcaddrNegate: "string",
srcaddrs: ["string"],
srcintfs: ["string"],
sshFilterProfile: "string",
sshPolicyCheck: "string",
sshPolicyRedirect: "string",
// sslMirror copies decrypted SSL traffic to a FortiGate interface; sslMirrorIntf
// names that interface.
sslMirror: "string",
sslMirrorIntf: "string",
sslSshProfile: "string",
sslvpnAuth: "string",
sslvpnCcert: "string",
sslvpnCipher: "string",
ssoAuthMethod: "string",
status: "string",
tags: "string",
tcpMssReceiver: 0,
tcpMssSender: 0,
tcpReset: "string",
tcpSessionWithoutSyn: "string",
tcpTimeoutPid: "string",
timeoutSendRst: "string",
tos: "string",
tosMask: "string",
tosNegate: "string",
trafficShaper: "string",
trafficShaperReverse: "string",
transactionBased: "string",
transparent: "string",
type: "string",
udpTimeoutPid: "string",
urlCategory: "string",
urlRisks: ["string"],
users: ["string"],
utmInspectionMode: "string",
utmStatus: "string",
uuid: "string",
uuidIdx: 0,
vendorMac: "string",
videofilterProfile: "string",
virtualPatchProfile: "string",
vlanCosFwd: 0,
vlanCosRev: 0,
vlanFilter: "string",
voipProfile: "string",
vpntunnel: "string",
wafProfile: "string",
wanopt: "string",
wanoptDetection: "string",
wanoptPassiveOpt: "string",
wanoptPeer: "string",
wanoptProfile: "string",
wccp: "string",
webAuthCookie: "string",
webcache: "string",
webcacheHttps: "string",
webfilterProfile: "string",
webproxyForwardServer: "string",
webproxyProfile: "string",
wsso: "string",
ztnaDeviceOwnership: "string",
ztnaEmsTagSecondaries: ["string"],
ztnaEmsTags: ["string"],
ztnaGeoTags: ["string"],
ztnaPolicyRedirect: "string",
ztnaStatus: "string",
ztnaTagsMatchLogic: "string",
});
# Resource skeleton for fortimanager:PackagesGlobalHeaderPolicy in YAML form.
# Every value is a type placeholder (string, 0, or a one-item list), not a usable
# setting: properties documented with "Valid values" under Inputs accept only those
# values. Indentation was lost in this listing; the keys after "properties:" are
# presumably nested under it - confirm against the provider's documentation.
type: fortimanager:PackagesGlobalHeaderPolicy
properties:
_policyBlock: 0
accessProxies:
- string
# action: deny, accept, ipsec or ssl-vpn; this decides what happens to matching traffic.
action: string
activeAuthMethod: string
antiReplay: string
appCategory: string
appGroup: string
applicationCharts:
- string
applicationList: string
applications:
- 0
authCert: string
authMethod: string
authPath: string
authPortal: string
authRedirectAddr: string
autoAsicOffload: string
avProfile: string
bandwidth: string
bestRoute: string
blockNotification: string
captivePortalExempt: string
capturePacket: string
casbProfile: string
casiProfile: string
centralNat: string
cgnEif: string
cgnEim: string
cgnLogServerGrp: string
cgnResourceQuota: 0
cgnSessionQuota: 0
cgnSwEifCtrl: string
cifsProfile: string
clientReputation: string
clientReputationMode: string
comments: string
customLogFields:
- string
decryptedTrafficMirror: string
deepInspectionOptions: string
delayTcpNpuSession: string
# "Sessoin" is the spelling this page documents; separate key from delayTcpNpuSession.
delayTcpNpuSessoin: string
detectHttpsInHttpRequest: string
deviceDetectionPortal: string
deviceOwnership: string
devices: string
diameterFilterProfile: string
diffservCopy: string
diffservForward: string
diffservReverse: string
diffservcodeForward: string
diffservcodeRev: string
disclaimer: string
dlpProfiles:
- string
dlpSensor: string
dnsfilterProfile: string
dponly: string
dscpMatch: string
dscpNegate: string
dscpValue: string
dsri: string
dstaddr6Negate: string
dstaddr6s:
- string
# dstaddrNegate: when enabled, dstaddr specifies what the destination must NOT be.
dstaddrNegate: string
dstaddrs:
- string
dstintfs:
- string
dynamicBypass: string
dynamicProfile: string
dynamicProfileAccesses:
- string
dynamicProfileFallthrough: string
dynamicProfileGroup: string
dynamicShaping: string
eifCheck: string
eifLearn: string
emailCollect: string
emailCollectionPortal: string
emailfilterProfile: string
endpointCheck: string
endpointCompliance: string
endpointKeepaliveInterface: string
endpointProfile: string
extendedLog: string
failedConnection: string
fallThroughUnauthenticated: string
fec: string
fileFilterProfile: string
firewallSessionDirty: string
fixedport: string
forceProxy: string
forticlientComplianceDevices:
- string
forticlientComplianceEnforcementPortal: string
fsae: string
fsaeServerForNtlm: string
fsso: string
fssoAgentForNtlm: string
fssoGroups:
- string
geoLocation: string
geoipAnycast: string
geoipMatch: string
globalLabel: string
groups:
- string
gtpProfile: string
httpPolicyRedirect: string
httpTunnelAuth: string
iaProfiles:
- string
icapProfile: string
identityBased: string
identityBasedRoute: string
identityFrom: string
implicitProxyDetection: string
inbound: string
inspectionMode: string
internetService: string
internetService6: string
internetService6CustomGroups:
- string
internetService6Customs:
- string
internetService6Groups:
- string
internetService6Names:
- string
internetService6Negate: string
internetService6Src: string
internetService6SrcCustomGroups:
- string
internetService6SrcCustoms:
- string
internetService6SrcGroups:
- string
internetService6SrcNames:
- string
internetService6SrcNegate: string
internetServiceCustom: string
internetServiceCustomGroup: string
internetServiceGroup: string
internetServiceId: string
internetServiceName: string
internetServiceNegate: string
internetServiceSrc: string
internetServiceSrcCustom: string
internetServiceSrcCustomGroup: string
internetServiceSrcGroup: string
internetServiceSrcId: string
internetServiceSrcName: string
internetServiceSrcNegate: string
ipBased: string
ipVersionType: string
ippool: string
ipsSensor: string
ipsVoipFilter: string
isolatorProfiles:
- string
isolatorServers:
- string
label: string
learningMode: string
logHttpTransaction: string
logUnmatchedTraffic: string
# logtraffic: disable, enable, all or utm (log all sessions or security profile sessions).
logtraffic: string
logtrafficApp: string
logtrafficStart: string
matchVip: string
matchVipOnly: string
maxSessionPerUser: 0
mmsProfile: string
name: string
nat: string
nat46: string
nat64: string
natinbound: string
natips:
- string
natoutbound: string
networkServiceDynamics:
- string
networkServiceSrcDynamics:
- string
npAcceleration: string
ntlm: string
ntlmEnabledBrowsers:
- string
# ntlmGuest: enable/disable NTLM guest user access.
ntlmGuest: string
outbound: string
# Resource identifier, documented with format {{policyid}}.
packagesGlobalHeaderPolicyId: string
passThrough: string
passiveWanHealthMeasurement: string
pcpInbound: string
pcpOutbound: string
pcpPoolnames:
- string
perIpShaper: string
# permitAnyHost: when enabled, UDP packets are accepted from any host.
permitAnyHost: string
permitStunHost: string
pfcpProfile: string
# pkg: package the policy is written to (the usage example on this page uses "default").
pkg: string
pkgFolderPath: string
policyBehaviourType: string
policyExpiry: string
policyExpiryDate: string
policyExpiryDateUtc: string
policyOffload: string
# policyid: documented range 0 - 4294967294.
policyid: 0
poolname: string
poolname6: string
portPreserve: string
profileGroup: string
profileProtocolOptions: string
profileType: string
# RADIUS IP / MAC authentication bypass: the bypassed address must be received
# from the RADIUS server.
radiusIpAuthBypass: string
radiusMacAuthBypass: string
redirectProfiles:
- string
redirectUrl: string
replacemsgGroup: string
replacemsgOverrideGroup: string
reputationDirection: string
reputationDirection6: string
reputationMinimum: 0
reputationMinimum6: 0
requireTfa: string
reverseCache: string
rsso: string
rtpAddr: string
rtpNat: string
scanBotnetConnections: string
schedule: string
scheduleTimeout: string
sctpFilterProfile: string
sendDenyPacket: string
# serviceNegate: when enabled, service specifies what the service must NOT be.
serviceNegate: string
services:
- string
# sessionTtl: seconds; 0 means use the system default session TTL.
sessionTtl: string
sessions: string
sgtCheck: string
sgts:
- 0
spamfilterProfile: string
srcVendorMacs:
- string
srcaddr6Negate: string
srcaddr6s:
- string
# srcaddrNegate: when enabled, srcaddr specifies what the source address must NOT be.
srcaddrNegate: string
srcaddrs:
- string
srcintfs:
- string
sshFilterProfile: string
sshPolicyCheck: string
sshPolicyRedirect: string
# sslMirror copies decrypted SSL traffic to a FortiGate interface; sslMirrorIntf
# names that interface.
sslMirror: string
sslMirrorIntf: string
sslSshProfile: string
sslvpnAuth: string
sslvpnCcert: string
sslvpnCipher: string
ssoAuthMethod: string
status: string
tags: string
tcpMssReceiver: 0
tcpMssSender: 0
tcpReset: string
tcpSessionWithoutSyn: string
tcpTimeoutPid: string
timeoutSendRst: string
tos: string
tosMask: string
tosNegate: string
trafficShaper: string
trafficShaperReverse: string
transactionBased: string
transparent: string
type: string
udpTimeoutPid: string
urlCategory: string
urlRisks:
- string
users:
- string
utmInspectionMode: string
utmStatus: string
uuid: string
uuidIdx: 0
vendorMac: string
videofilterProfile: string
virtualPatchProfile: string
vlanCosFwd: 0
vlanCosRev: 0
vlanFilter: string
voipProfile: string
vpntunnel: string
wafProfile: string
wanopt: string
wanoptDetection: string
wanoptPassiveOpt: string
wanoptPeer: string
wanoptProfile: string
wccp: string
webAuthCookie: string
webcache: string
webcacheHttps: string
webfilterProfile: string
webproxyForwardServer: string
webproxyProfile: string
wsso: string
ztnaDeviceOwnership: string
ztnaEmsTagSecondaries:
- string
ztnaEmsTags:
- string
ztnaGeoTags:
- string
ztnaPolicyRedirect: string
ztnaStatus: string
ztnaTagsMatchLogic: string
PackagesGlobalHeaderPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PackagesGlobalHeaderPolicy resource accepts the following input properties:
- Pkg string
- Package.
- Access
Proxies List<string> - Access-Proxy.
- Action string
- Policy action (allow/deny/ipsec); the value that allows traffic is written `accept`. Valid values: deny, accept, ipsec, ssl-vpn.
- ActiveAuthMethod string
- Active-Auth-Method. Valid values: ntlm, basic, digest, form
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
disable
,enable
. - App
Category string - Application category ID list.
- App
Group string - Application group names.
- Application
Charts List<string> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - Application
List string - Name of an existing Application list.
- Applications List<double>
- Application ID list.
- Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Method string - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - Auth
Path string - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - Auth
Portal string - Auth-Portal. Valid values:
disable
,enable
. - Auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - Av
Profile string - Name of an existing Antivirus profile.
- Bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - Best
Route string - Best-Route. Valid values:
disable
,enable
. - Block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - Casb
Profile string - Name of an existing CASB profile.
- Casi
Profile string - Casi-Profile.
- CentralNat string
- Central-Nat. Valid values: disable, enable.
- CgnEif string
- Enable/Disable CGN endpoint independent filtering. Valid values: disable, enable.
- CgnEim string
- Enable/Disable CGN endpoint independent mapping. Valid values: disable, enable
. - Cgn
Log stringServer Grp - NP log server group name
- Cgn
Resource doubleQuota - resource quota
- Cgn
Session doubleQuota - session quota
- Cgn
Sw stringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - Cifs
Profile string - Name of an existing CIFS profile.
- Client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - Client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - Comments string
- Comment.
- Custom
Log List<string>Fields - Custom fields to append to log messages for this policy.
- Decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- Deep
Inspection stringOptions - Deep-Inspection-Options.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - Delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - Detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - Device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - Device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - Devices string
- Devices.
- Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - Dlp
Profiles List<string> - Dlp-Profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dponly string
- Dponly. Valid values:
disable
,enable
. - Dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - Dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - Dscp
Value string - Dscp-Value.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddr6s List<string>
- Dstaddr6.
- Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddrs List<string>
- Destination address and address group names.
- Dstintfs List<string>
- Outgoing (egress) interface.
- Dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - Dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - Dynamic
Profile List<string>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - Dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - Dynamic
Profile stringGroup - Dynamic-Profile-Group.
- Dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - Email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - Email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - Endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - Endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- Endpoint
Profile string - Endpoint-Profile.
- Extended
Log string - Extended-Log. Valid values:
disable
,enable
. - Failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - Fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - File
Filter stringProfile - File-Filter-Profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - Force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - Forticlient
Compliance List<string>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - Forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - Fsae string
- Fsae. Valid values:
disable
,enable
. - Fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups List<string> - Names of FSSO groups.
- Geo
Location string - Geo-Location. Valid values:
disable
,enable
. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - Geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups List<string>
- Names of user groups that can authenticate with this policy.
- Gtp
Profile string - GTP profile.
- Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - Http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - Ia
Profiles List<string> - Ia-Profile.
- Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based string - Identity-Based. Valid values:
disable
,enable
. - Identity
Based stringRoute - Name of identity-based routing rule.
- Identity
From string - Identity-From. Valid values:
auth
,device
. - Implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6Custom List<string>Groups - Custom Internet Service6 group name.
- Internet
Service6Customs List<string> - Custom IPv6 Internet Service name.
- Internet
Service6Groups List<string> - Internet Service group name.
- Internet
Service6Names List<string> - IPv6 Internet Service name.
- Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service6Src List<string>Custom Groups - Custom Internet Service6 source group name.
- Internet
Service6Src List<string>Customs - Custom IPv6 Internet Service source name.
- Internet
Service6Src List<string>Groups - Internet Service6 source group name.
- Internet
Service6Src List<string>Names - IPv6 Internet Service source name.
- Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringCustom - Custom Internet Service name.
- Internet
Service stringCustom Group - Custom Internet Service group name.
- Internet
Service stringGroup - Internet Service group name.
- Internet
Service stringId - Internet Service ID.
- Internet
Service stringName - Internet-Service-Name.
- Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service stringSrc Custom - Custom Internet Service source name.
- Internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- Internet
Service stringSrc Group - Internet Service source group name.
- Internet
Service stringSrc Id - Internet Service source ID.
- Internet
Service stringSrc Name - Internet-Service-Src-Name.
- Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Ip
Based string - Ip-Based. Valid values:
disable
,enable
. - Ip
Version stringType - IP version of the policy.
- Ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Isolator
Profiles List<string> - Isolator-Profile.
- Isolator
Servers List<string> - Isolator-Server.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- LearningMode string
- Learning-Mode. Valid values: disable, enable.
- LogHttpTransaction string
- Log-Http-Transaction. Valid values: disable, enable.
- LogUnmatchedTraffic string
- Log-Unmatched-Traffic. Valid values: disable, enable.
- Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values: disable, enable, all, utm.
- LogtrafficApp string
- Logtraffic-App. Valid values: disable, enable.
- LogtrafficStart string
- Record logs when a session starts. Valid values: disable, enable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Max
Session doublePer User - Max-Session-Per-User.
- Mms
Profile string - Name of an existing MMS profile.
- Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - Nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - Nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - Natips List<string>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - Network
Service List<string>Dynamics - Dynamic Network Service name.
- Network
Service List<string>Src Dynamics - Dynamic Network Service source name.
- Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
- NtlmEnabledBrowsers List<string>
- HTTP-User-Agent value of supported browsers.
- NtlmGuest string
- Enable/disable NTLM guest user access. Valid values: disable, enable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - Packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- Pass
Through string - Pass-Through. Valid values:
disable
,enable
. - Passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - Pcp
Poolnames List<string> - PCP pool names.
- Per
Ip stringShaper - Per-IP traffic shaper.
- PermitAnyHost string
- Accept UDP packets from any host. Valid values: disable, enable.
- PermitStunHost string
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: disable, enable
. - Pfcp
Profile string - PFCP profile.
- Pkg
Folder stringPath - Pkg Folder Path.
- Policy
Behaviour stringType - Behaviour of the policy.
- Policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - Policy
Expiry stringDate - Policy-Expiry-Date.
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - Policyid double
- Policy ID (0 - 4294967294).
- Poolname string
- IP Pool names.
- Poolname6 string
- Poolname6.
- Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- ProfileType string
- Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
- RadiusIpAuthBypass string
- Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: disable, enable.
- RadiusMacAuthBypass string
- Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: disable, enable
. - Redirect
Profiles List<string> - Redirect-Profile.
- Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Group string - Replacemsg-Group.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum double - Minimum Reputation to take action.
- Reputation
Minimum6 double - IPv6 Minimum Reputation to take action.
- Require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - Reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - Rtp
Addr string - Address names if this is an RTP NAT policy.
- Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name.
- Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. When disabled, sessions are left to end through inactivity. Valid values:
disable
,enable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - Services List<string>
- Service and service group names.
- Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sessions string
- Sessions. Valid values:
disable
,enable
. - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - Sgts List<double>
- Security group tags.
- Spamfilter
Profile string - Spamfilter-Profile.
- Src
Vendor List<string>Macs - Src-Vendor-Mac.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddr6s List<string>
- Srcaddr6.
- Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddrs List<string>
- Source address and address group names.
- Srcintfs List<string>
- Incoming (ingress) interface.
- Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - Ssl
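Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is decrypted cleartext, so restrict access to the mirror interface and to whatever receives traffic from it. Valid values: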
disable
,enable
. - Ssl
Mirror stringIntf - SSL mirror interface name.
- Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - Sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - Sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - Sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - Status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- Tcp
Mss doubleReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss doubleSender - Sender TCP maximum segment size (MSS).
- Tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
. - Tcp
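Session stringWithout Syn - Enable/disable creation of a TCP session without the SYN flag. Accepting sessions that do not start with a SYN relaxes stateful TCP checking, so leave this disabled unless the deployment (for example, asymmetric routing) needs it. Valid values: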
all
,data-only
,disable
. - Tcp
Timeout stringPid - TCP timeout profile ID
- Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - Transparent string
- Transparent. Valid values:
disable
,enable
. - Type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - Udp
Timeout stringPid - UDP timeout profile ID
- Url
Category string - URL category ID list.
- Url
Risks List<string> - Url-Risk.
- Users List<string>
- Names of individual users that can authenticate with this policy.
- Utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Uuid
Idx double - Uuid-Idx.
- Vendor
Mac string - Vendor-Mac.
- Videofilter
Profile string - Videofilter-Profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos doubleFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos doubleRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - Webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Webproxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - List<string>
- Source ztna-ems-tag-secondary names.
- List<string>
- Ztna-Ems-Tag.
- List<string>
- Ztna-Geo-Tag.
- Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - Ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
. - _
policy doubleBlock - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- Pkg string
- Package.
- Access
Proxies []string - Access-Proxy.
- Action string
- Policy action (accept/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - Active
Auth stringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
disable
,enable
. - App
Category string - Application category ID list.
- App
Group string - Application group names.
- Application
Charts []string - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - Application
List string - Name of an existing Application list.
- Applications []float64
- Application ID list.
- Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Method string - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - Auth
Path string - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - Auth
Portal string - Auth-Portal. Valid values:
disable
,enable
. - Auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - Av
Profile string - Name of an existing Antivirus profile.
- Bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - Best
Route string - Best-Route. Valid values:
disable
,enable
. - Block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - Casb
Profile string - Name of an existing CASB profile.
- Casi
Profile string - Casi-Profile.
- Central
Nat string - Central-Nat. Valid values:
disable
,enable
. - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - Cgn
Log stringServer Grp - NP log server group name
- Cgn
Resource float64Quota - resource quota
- Cgn
Session float64Quota - session quota
- Cgn
Sw stringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - Cifs
Profile string - Name of an existing CIFS profile.
- Client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - Client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - Comments string
- Comment.
- Custom
Log []stringFields - Custom fields to append to log messages for this policy.
- Decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- Deep
Inspection stringOptions - Deep-Inspection-Options.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - Delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - Detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - Device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - Device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - Devices string
- Devices.
- Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - Dlp
Profiles []string - Dlp-Profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dponly string
- Dponly. Valid values:
disable
,enable
. - Dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - Dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - Dscp
Value string - Dscp-Value.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddr6s []string
- Dstaddr6.
- Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddrs []string
- Destination address and address group names.
- Dstintfs []string
- Outgoing (egress) interface.
- Dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - Dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - Dynamic
Profile []stringAccesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - Dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - Dynamic
Profile stringGroup - Dynamic-Profile-Group.
- Dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - Email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - Email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - Endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - Endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- Endpoint
Profile string - Endpoint-Profile.
- Extended
Log string - Extended-Log. Valid values:
disable
,enable
. - Failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - Fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - File
Filter stringProfile - File-Filter-Profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - Force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - Forticlient
Compliance []stringDevices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - Forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - Fsae string
- Fsae. Valid values:
disable
,enable
. - Fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups []string - Names of FSSO groups.
- Geo
Location string - Geo-Location. Valid values:
disable
,enable
. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - Geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups []string
- Names of user groups that can authenticate with this policy.
- Gtp
Profile string - GTP profile.
- Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - Http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - Ia
Profiles []string - Ia-Profile.
- Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based string - Identity-Based. Valid values:
disable
,enable
. - Identity
Based stringRoute - Name of identity-based routing rule.
- Identity
From string - Identity-From. Valid values:
auth
,device
. - Implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6Custom []stringGroups - Custom Internet Service6 group name.
- Internet
Service6Customs []string - Custom IPv6 Internet Service name.
- Internet
Service6Groups []string - Internet Service group name.
- Internet
Service6Names []string - IPv6 Internet Service name.
- Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service6Src []stringCustom Groups - Custom Internet Service6 source group name.
- Internet
Service6Src []stringCustoms - Custom IPv6 Internet Service source name.
- Internet
Service6Src []stringGroups - Internet Service6 source group name.
- Internet
Service6Src []stringNames - IPv6 Internet Service source name.
- Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringCustom - Custom Internet Service name.
- Internet
Service stringCustom Group - Custom Internet Service group name.
- Internet
Service stringGroup - Internet Service group name.
- Internet
Service stringId - Internet Service ID.
- Internet
Service stringName - Internet-Service-Name.
- Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service stringSrc Custom - Custom Internet Service source name.
- Internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- Internet
Service stringSrc Group - Internet Service source group name.
- Internet
Service stringSrc Id - Internet Service source ID.
- Internet
Service stringSrc Name - Internet-Service-Src-Name.
- Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Ip
Based string - Ip-Based. Valid values:
disable
,enable
. - Ip
Version stringType - IP version of the policy.
- Ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Isolator
Profiles []string - Isolator-Profile.
- Isolator
Servers []string - Isolator-Server.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- Learning
Mode string - Learning-Mode. Valid values:
disable
,enable
. - Log
Http stringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - Log
Unmatched stringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - Logtraffic
App string - Logtraffic-App. Valid values:
disable
,enable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
disable
,enable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Max
Session float64Per User - Max-Session-Per-User.
- Mms
Profile string - Name of an existing MMS profile.
- Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - Nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - Nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - Natips []string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - Network
Service []stringDynamics - Dynamic Network Service name.
- Network
Service []stringSrc Dynamics - Dynamic Network Service source name.
- Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - Ntlm
Enabled []stringBrowsers - HTTP-User-Agent value of supported browsers.
- Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - Packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- Pass
Through string - Pass-Through. Valid values:
disable
,enable
. - Passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - Pcp
Poolnames []string - PCP pool names.
- Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
disable
,enable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - Pfcp
Profile string - PFCP profile.
- Pkg
Folder stringPath - Pkg Folder Path.
- Policy
Behaviour stringType - Behaviour of the policy.
- Policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - Policy
Expiry stringDate - Policy-Expiry-Date.
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - Policyid float64
- Policy ID (0 - 4294967294).
- Poolname string
- IP Pool names.
- Poolname6 string
- Poolname6.
- Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - Radius
Ip stringAuth Bypass - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values:
disable
,enable
. - Radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
disable
,enable
. - Redirect
Profiles []string - Redirect-Profile.
- Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Group string - Replacemsg-Group.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum float64 - Minimum Reputation to take action.
- Reputation
Minimum6 float64 - IPv6 Minimum Reputation to take action.
- Require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - Reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - Rtp
Addr string - Address names if this is an RTP NAT policy.
- Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name.
- Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. When disabled, sessions are left to end through inactivity. Valid values:
disable
,enable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - Services []string
- Service and service group names.
- Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sessions string
- Sessions. Valid values:
disable
,enable
. - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - Sgts []float64
- Security group tags.
- Spamfilter
Profile string - Spamfilter-Profile.
- Src
Vendor []stringMacs - Src-Vendor-Mac.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddr6s []string
- Srcaddr6.
- Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddrs []string
- Source address and address group names.
- Srcintfs []string
- Incoming (ingress) interface.
- Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - Ssl
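Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is decrypted cleartext, so restrict access to the mirror interface and to whatever receives traffic from it. Valid values: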
disable
,enable
. - Ssl
Mirror stringIntf - SSL mirror interface name.
- Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - Sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - Sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - Sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - Status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- Tcp
Mss float64Receiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss float64Sender - Sender TCP maximum segment size (MSS).
- Tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
. - Tcp
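Session stringWithout Syn - Enable/disable creation of a TCP session without the SYN flag. Accepting sessions that do not start with a SYN relaxes stateful TCP checking, so leave this disabled unless the deployment (for example, asymmetric routing) needs it. Valid values: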
all
,data-only
,disable
. - Tcp
Timeout stringPid - TCP timeout profile ID
- Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - Transparent string
- Transparent. Valid values:
disable
,enable
. - Type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - Udp
Timeout stringPid - UDP timeout profile ID
- Url
Category string - URL category ID list.
- Url
Risks []string - Url-Risk.
- Users []string
- Names of individual users that can authenticate with this policy.
- Utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Uuid
Idx float64 - Uuid-Idx.
- Vendor
Mac string - Vendor-Mac.
- Videofilter
Profile string - Videofilter-Profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos float64Fwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos float64Rev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - Webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Webproxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - []string
- Source ztna-ems-tag-secondary names.
- []string
- Ztna-Ems-Tag.
- []string
- Ztna-Geo-Tag.
- Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - Ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
. - _
policy float64Block - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- pkg String
- Package.
- _
policy DoubleBlock - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies List<String> - Access-Proxy.
- action String
- Policy action (accept/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth StringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category String - Application category ID list.
- app
Group String - Application group names.
- application
Charts List<String> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List String - Name of an existing Application list.
- applications List<Double>
- Application ID list.
- auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Method String - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path String - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal String - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile String - Name of an existing Antivirus profile.
- bandwidth String
- Bandwidth. Valid values:
disable
,enable
. - best
Route String - Best-Route. Valid values:
disable
,enable
. - block
Notification String - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet String - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile String - Name of an existing CASB profile.
- casi
Profile String - Casi-Profile.
- central
Nat String - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log StringServer Grp - NP log server group name
- cgn
Resource DoubleQuota - resource quota
- cgn
Session DoubleQuota - session quota
- cgn
Sw StringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile String - Name of an existing CIFS profile.
- client
Reputation String - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation StringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments String
- Comment.
- custom
Log List<String>Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic StringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection StringOptions - Deep-Inspection-Options.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp StringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https StringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection StringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership String - Device-Ownership. Valid values:
disable
,enable
. - devices String
- Devices.
- diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles List<String> - Dlp-Profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dponly String
- Dponly. Valid values:
disable
,enable
. - dscp
Match String - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate String - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value String - Dscp-Value.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s List<String>
- Dstaddr6.
- dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs List<String>
- Destination address and address group names.
- dstintfs List<String>
- Outgoing (egress) interface.
- dynamic
Bypass String - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile String - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile List<String>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile StringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile StringGroup - Dynamic-Profile-Group.
- dynamic
Shaping String - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect String - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection StringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile String - Name of an existing email filter profile.
- endpoint
Check String - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance String - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive StringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile String - Endpoint-Profile.
- extended
Log String - Extended-Log. Valid values:
disable
,enable
. - failed
Connection String - Failed-Connection. Valid values:
disable
,enable
. - fall
Through StringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter StringProfile - File-Filter-Profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy String - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance List<String>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance StringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae String
- Fsae. Valid values:
disable
,enable
. - fsae
Server StringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<String> - Names of FSSO groups.
- geo
Location String - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match String - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<String>
- Names of user groups that can authenticate with this policy.
- gtp
Profile String - GTP profile.
- http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel StringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles List<String> - Ia-Profile.
- icap
Profile String - Name of an existing ICAP profile.
- identity
Based String - Identity-Based. Valid values:
disable
,enable
. - identity
Based StringRoute - Name of identity-based routing rule.
- identity
From String - Identity-From. Valid values:
auth
,device
. - implicit
Proxy StringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom List<String>Groups - Custom Internet Service6 group name.
- internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
- internet
Service6Groups List<String> - Internet Service group name.
- internet
Service6Names List<String> - IPv6 Internet Service name.
- internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src List<String>Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src List<String>Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src List<String>Groups - Internet Service6 source group name.
- internet
Service6Src List<String>Names - IPv6 Internet Service source name.
- internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringCustom - Custom Internet Service name.
- internet
Service StringCustom Group - Custom Internet Service group name.
- internet
Service StringGroup - Internet Service group name.
- internet
Service StringId - Internet Service ID.
- internet
Service StringName - Internet-Service-Name.
- internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service StringSrc Custom - Custom Internet Service source name.
- internet
Service StringSrc Custom Group - Custom Internet Service source group name.
- internet
Service StringSrc Group - Internet Service source group name.
- internet
Service StringSrc Id - Internet Service source ID.
- internet
Service StringSrc Name - Internet-Service-Src-Name.
- internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based String - Ip-Based. Valid values:
disable
,enable
. - ip
Version StringType - IP version of the policy.
- ippool String
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles List<String> - Isolator-Profile.
- isolator
Servers List<String> - Isolator-Server.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Learning-Mode. Valid values:
disable
,enable
. - log
Http StringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched StringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - logtraffic
App String - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session DoublePer User - Max-Session-Per-User.
- mms
Profile String - Name of an existing MMS profile.
- name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 String
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 String
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips List<String>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service List<String>Dynamics - Dynamic Network Service name.
- network
Service List<String>Src Dynamics - Dynamic Network Service source name.
- np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled List<String>Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global StringHeader Policy Id - An identifier for the resource, in the format {{policyid}}.
- pass
Through String - Pass-Through. Valid values:
disable
,enable
. - passive
Wan StringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames List<String> - PCP pool names.
- per
Ip StringShaper - Per-IP traffic shaper.
- permit
Any StringHost - Accept UDP packets from any host. Valid values:
disable
,enable
. - permit
Stun StringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp
Profile String - PFCP profile.
- pkg
Folder StringPath - Pkg Folder Path.
- policy
Behaviour StringType - Behaviour of the policy.
- policy
Expiry String - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry StringDate - Policy-Expiry-Date.
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid Double
- Policy ID (0 - 4294967294).
- poolname String
- IP Pool names.
- poolname6 String
- Poolname6.
- port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Ip StringAuth Bypass - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values:
disable
,enable
. - radius
Mac StringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
disable
,enable
. - redirect
Profiles List<String> - Redirect-Profile.
- redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group String - Replacemsg-Group.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Double - Minimum Reputation to take action.
- reputation
Minimum6 Double - IPv6 Minimum Reputation to take action.
- require
Tfa String - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache String - Reverse-Cache. Valid values:
disable
,enable
. - rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr String - Address names if this is an RTP NAT policy.
- rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name.
- schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. When disabled, sessions are allowed to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services List<String>
- Service and service group names.
- session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions String
- Sessions. Valid values:
disable
,enable
. - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts List<Double>
- Security group tags.
- spamfilter
Profile String - Spamfilter-Profile.
- src
Vendor List<String>Macs - Src-Vendor-Mac.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s List<String>
- Srcaddr6.
- srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs List<String>
- Source address and address group names.
- srcintfs List<String>
- Incoming (ingress) interface.
- ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
disable
,enable
. - ssl
Mirror StringIntf - SSL mirror interface name.
- ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth String - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert String - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher String - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth StringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status String
- Enable or disable this policy. Valid values:
disable
,enable
. - String
- Tags.
- tcp
Mss DoubleReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss DoubleSender - Sender TCP maximum segment size (MSS).
- tcp
Reset String - Tcp-Reset. Valid values:
disable
,enable
. - tcp
Session StringWithout Syn - Enable/disable creation of TCP session without SYN flag. Valid values:
all
,data-only
,disable
. - tcp
Timeout StringPid - TCP timeout profile ID
- timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- transaction
Based String - Transaction-Based. Valid values:
disable
,enable
. - transparent String
- Transparent. Valid values:
disable
,enable
. - type String
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
Timeout StringPid - UDP timeout profile ID
- url
Category String - URL category ID list.
- url
Risks List<String> - Url-Risk.
- users List<String>
- Names of individual users that can authenticate with this policy.
- utm
Inspection StringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx Double - Uuid-Idx.
- vendor
Mac String - Vendor-Mac.
- videofilter
Profile String - Videofilter-Profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos DoubleFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos DoubleRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive StringOpt - WAN optimization passive mode options. This option determines which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - String
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache String
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Webproxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - List<String>
- Source ztna-ems-tag-secondary names.
- List<String>
- Ztna-Ems-Tag.
- List<String>
- Ztna-Geo-Tag.
- ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status String - Ztna-Status. Valid values:
disable
,enable
. - String
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- pkg string
- Package.
- _
policy numberBlock - Assigned policy block. When this attribute is set, the policy represents a policy block and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies string[] - Access-Proxy.
- action string
- Policy action (accept/deny/ipsec/ssl-vpn). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth stringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay string - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category string - Application category ID list.
- app
Group string - Application group names.
- application
Charts string[] - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List string - Name of an existing Application list.
- applications number[]
- Application ID list.
- auth
Cert string - HTTPS server certificate for policy authentication.
- auth
Method string - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path string - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal string - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile string - Name of an existing Antivirus profile.
- bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - best
Route string - Best-Route. Valid values:
disable
,enable
. - block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile string - Name of an existing CASB profile.
- casi
Profile string - Casi-Profile.
- central
Nat string - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log stringServer Grp - NP log server group name
- cgn
Resource numberQuota - resource quota
- cgn
Session numberQuota - session quota
- cgn
Sw stringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile string - Name of an existing CIFS profile.
- client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments string
- Comment.
- custom
Log string[]Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection stringOptions - Deep-Inspection-Options.
- delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - devices string
- Devices.
- diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward string - Change packet's DiffServ to this value.
- diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles string[] - Dlp-Profile.
- dlp
Sensor string - Name of an existing DLP sensor.
- dnsfilter
Profile string - Name of an existing DNS filter profile.
- dponly string
- Dponly. Valid values:
disable
,enable
. - dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value string - Dscp-Value.
- dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s string[]
- Dstaddr6.
- dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs string[]
- Destination address and address group names.
- dstintfs string[]
- Outgoing (egress) interface.
- dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile string[]Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile stringGroup - Dynamic-Profile-Group.
- dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile string - Name of an existing email filter profile.
- endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile string - Endpoint-Profile.
- extended
Log string - Extended-Log. Valid values:
disable
,enable
. - failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter stringProfile - File-Filter-Profile.
- firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance string[]Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae string
- Fsae. Valid values:
disable
,enable
. - fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups string[] - Names of FSSO groups.
- geo
Location string - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- groups string[]
- Names of user groups that can authenticate with this policy.
- gtp
Profile string - GTP profile.
- http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles string[] - Ia-Profile.
- icap
Profile string - Name of an existing ICAP profile.
- identity
Based string - Identity-Based. Valid values:
disable
,enable
. - identity
Based stringRoute - Name of identity-based routing rule.
- identity
From string - Identity-From. Valid values:
auth
,device
. - implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom string[]Groups - Custom Internet Service6 group name.
- internet
Service6Customs string[] - Custom IPv6 Internet Service name.
- internet
Service6Groups string[] - Internet Service group name.
- internet
Service6Names string[] - IPv6 Internet Service name.
- internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src string[]Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src string[]Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src string[]Groups - Internet Service6 source group name.
- internet
Service6Src string[]Names - IPv6 Internet Service source name.
- internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service stringCustom - Custom Internet Service name.
- internet
Service stringCustom Group - Custom Internet Service group name.
- internet
Service stringGroup - Internet Service group name.
- internet
Service stringId - Internet Service ID.
- internet
Service stringName - Internet-Service-Name.
- internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service stringSrc Custom - Custom Internet Service source name.
- internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- internet
Service stringSrc Group - Internet Service source group name.
- internet
Service stringSrc Id - Internet Service source ID.
- internet
Service stringSrc Name - Internet-Service-Src-Name.
- internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based string - Ip-Based. Valid values:
disable
,enable
. - ip
Version stringType - IP version of the policy.
- ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor string - Name of an existing IPS sensor.
- ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles string[] - Isolator-Profile.
- isolator
Servers string[] - Isolator-Server.
- label string
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode string - Learning-Mode. Valid values:
disable
,enable
. - log
Http stringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched stringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
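.
- logtraffic string - Enable or disable logging. Log all sessions or security profile sessions. With disable, sessions matching this policy are not logged, so they are not available for detection or later investigation. Valid values: disable, enable, all, utm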
. - logtraffic
App string - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start string - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session numberPer User - Max-Session-Per-User.
- mms
Profile string - Name of an existing MMS profile.
- name string
- Policy name.
- nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips string[]
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service string[]Dynamics - Dynamic Network Service name.
- network
Service string[]Src Dynamics - Dynamic Network Service source name.
- np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled string[]Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- pass
Through string - Pass-Through. Valid values:
disable
,enable
. - passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames string[] - PCP pool names.
- per
Ip stringShaper - Per-IP traffic shaper.
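- permitAnyHost string - Accept UDP packets from any host. Enabling it broadens what the policy accepts, so keep it disabled unless a specific application needs it. Valid values: disable, enable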
. - permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp
Profile string - PFCP profile.
- pkg
Folder stringPath - Pkg Folder Path.
- policy
Behaviour stringType - Behaviour of the policy.
- policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry stringDate - Policy-Expiry-Date.
- policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid number
- Policy ID (0 - 4294967294).
- poolname string
- IP Pool names.
- poolname6 string
- Poolname6.
- port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group string - Name of profile group.
- profile
Protocol stringOptions - Name of an existing Protocol options profile.
- profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
.
- radiusIpAuthBypass string - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: disable, enable
.
- radiusMacAuthBypass string - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. A MAC address can be set by the client device, so this identifies a device rather than authenticating it. Valid values: disable, enable
. - redirect
Profiles string[] - Redirect-Profile.
- redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group string - Replacemsg-Group.
- replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum number - Minimum Reputation to take action.
- reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
- require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr string - Address names if this is an RTP NAT policy.
- rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule string
- Schedule name.
- schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter stringProfile - Name of an existing SCTP filter profile.
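- sendDenyPacket string - Enable to send a reply when a session is denied or blocked by a firewall policy. With disable, denied sessions get no reply, which gives a scanning host less information about the policy. Valid values: disable, enable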
. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services string[]
- Service and service group names.
- session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions string
- Sessions. Valid values:
disable
,enable
. - sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts number[]
- Security group tags.
- spamfilter
Profile string - Spamfilter-Profile.
- src
Vendor string[]Macs - Src-Vendor-Mac.
- srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s string[]
- Srcaddr6.
- srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs string[]
- Source address and address group names.
- srcintfs string[]
- Incoming (ingress) interface.
- ssh
Filter stringProfile - Name of an existing SSH filter profile.
- ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
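.
- sslMirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the mirror interface should connect only to a trusted inspection device. Valid values: disable, enable
.
- sslMirrorIntf string - SSL mirror interface name.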
- ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- tcp
Mss numberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss numberSender - Sender TCP maximum segment size (MSS).
- tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
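.
- tcpSessionWithoutSyn string - Enable/disable creation of TCP session without SYN flag. Values other than disable let the policy create a session for TCP traffic whose opening SYN the firewall did not see, which weakens stateful checking; disable is the conservative choice. Valid values: all, data-only, disable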
. - tcp
Timeout stringPid - TCP timeout profile ID
- timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos string
- ToS (Type of Service) value used for comparison.
- tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper string - Traffic shaper.
- traffic
Shaper stringReverse - Reverse traffic shaper.
- transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - transparent string
- Transparent. Valid values:
disable
,enable
. - type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
Timeout stringPid - UDP timeout profile ID
- url
Category string - URL category ID list.
- url
Risks string[] - Url-Risk.
- users string[]
- Names of individual users that can authenticate with this policy.
- utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx number - Uuid-Idx.
- vendor
Mac string - Vendor-Mac.
- videofilter
Profile string - Videofilter-Profile.
- virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- vlan
Cos numberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos numberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter string - Set VLAN filters.
- voip
Profile string - Name of an existing VoIP profile.
- vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile string - Name of an existing Web application firewall profile.
- wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
.
- wanoptPassiveOpt string - WAN optimization passive mode options. This option decides what IP address will be used to connect to the server. Valid values: default, transparent, non-transparent
. - wanopt
Peer string - WAN optimization peer.
- wanopt
Profile string - WAN optimization profile.
- wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile string - Name of an existing Web filter profile.
- webproxy
Forward stringServer - Webproxy forward server name.
- webproxy
Profile string - Webproxy profile name.
- wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - string[]
- Source ztna-ems-tag-secondary names.
- string[]
- Ztna-Ems-Tag.
- string[]
- Ztna-Geo-Tag.
- ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- pkg str
- Package.
- _policy_block float - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access_
proxies Sequence[str] - Access-Proxy.
- action str
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active_
auth_ strmethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti_
replay str - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app_
category str - Application category ID list.
- app_
group str - Application group names.
- application_
charts Sequence[str] - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application_
list str - Name of an existing Application list.
- applications Sequence[float]
- Application ID list.
- auth_
cert str - HTTPS server certificate for policy authentication.
- auth_
method str - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth_
path str - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth_
portal str - Auth-Portal. Valid values:
disable
,enable
. - auth_
redirect_ straddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto_
asic_ stroffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av_
profile str - Name of an existing Antivirus profile.
- bandwidth str
- Bandwidth. Valid values:
disable
,enable
. - best_
route str - Best-Route. Valid values:
disable
,enable
. - block_
notification str - Enable/disable block notification. Valid values:
disable
,enable
. - captive_
portal_ strexempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture_
packet str - Enable/disable capture packets. Valid values:
disable
,enable
. - casb_
profile str - Name of an existing CASB profile.
- casi_
profile str - Casi-Profile.
- central_
nat str - Central-Nat. Valid values:
disable
,enable
. - cgn_
eif str - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
.
- cgn_eim str - Enable/Disable CGN endpoint independent mapping. Valid values: disable, enable
. - cgn_
log_ strserver_ grp - NP log server group name
- cgn_
resource_ floatquota - resource quota
- cgn_
session_ floatquota - session quota
- cgn_
sw_ streif_ ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs_
profile str - Name of an existing CIFS profile.
- client_
reputation str - Client-Reputation. Valid values:
disable
,enable
. - client_
reputation_ strmode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments str
- Comment.
- custom_
log_ Sequence[str]fields - Custom fields to append to log messages for this policy.
- decrypted_
traffic_ strmirror - Decrypted-Traffic-Mirror.
- deep_
inspection_ stroptions - Deep-Inspection-Options.
- delay_
tcp_ strnpu_ session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay_
tcp_ strnpu_ sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect_
https_ strin_ http_ request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device_
detection_ strportal - Device-Detection-Portal. Valid values:
disable
,enable
. - device_
ownership str - Device-Ownership. Valid values:
disable
,enable
. - devices str
- Devices.
- diameter_
filter_ strprofile - Name of an existing Diameter filter profile.
- diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode_
forward str - Change packet's DiffServ to this value.
- diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
- disclaimer str
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp_
profiles Sequence[str] - Dlp-Profile.
- dlp_
sensor str - Name of an existing DLP sensor.
- dnsfilter_
profile str - Name of an existing DNS filter profile.
- dponly str
- Dponly. Valid values:
disable
,enable
. - dscp_
match str - Dscp-Match. Valid values:
disable
,enable
. - dscp_
negate str - Dscp-Negate. Valid values:
disable
,enable
. - dscp_
value str - Dscp-Value.
- dsri str
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s Sequence[str]
- Dstaddr6.
- dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs Sequence[str]
- Destination address and address group names.
- dstintfs Sequence[str]
- Outgoing (egress) interface.
- dynamic_
bypass str - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic_
profile str - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic_
profile_ Sequence[str]accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic_
profile_ strfallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic_
profile_ strgroup - Dynamic-Profile-Group.
- dynamic_
shaping str - Dynamic-Shaping. Valid values:
disable
,enable
. - eif_
check str - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif_
learn str - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email_
collect str - Enable/disable email collection. Valid values:
disable
,enable
. - email_
collection_ strportal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter_
profile str - Name of an existing email filter profile.
- endpoint_
check str - Endpoint-Check. Valid values:
disable
,enable
. - endpoint_
compliance str - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint_
keepalive_ strinterface - Endpoint-Keepalive-Interface.
- endpoint_
profile str - Endpoint-Profile.
- extended_
log str - Extended-Log. Valid values:
disable
,enable
. - failed_
connection str - Failed-Connection. Valid values:
disable
,enable
. - fall_
through_ strunauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec str
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file_
filter_ strprofile - File-Filter-Profile.
- firewall_
session_ strdirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport str
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force_
proxy str - Force-Proxy. Valid values:
disable
,enable
. - forticlient_
compliance_ Sequence[str]devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient_
compliance_ strenforcement_ portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae str
- Fsae. Valid values:
disable
,enable
. - fsae_
server_ strfor_ ntlm - Fsae-Server-For-Ntlm.
- fsso str
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso_
agent_ strfor_ ntlm - FSSO agent to use for NTLM authentication.
- fsso_
groups Sequence[str] - Names of FSSO groups.
- geo_
location str - Geo-Location. Valid values:
disable
,enable
. - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip_
match str - Geoip-Match. Valid values:
physical-location
,registered-location
. - global_
label str - Label for the policy that appears when the GUI is in Global View mode.
- groups Sequence[str]
- Names of user groups that can authenticate with this policy.
- gtp_
profile str - GTP profile.
- http_
policy_ strredirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http_
tunnel_ strauth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia_
profiles Sequence[str] - Ia-Profile.
- icap_
profile str - Name of an existing ICAP profile.
- identity_
based str - Identity-Based. Valid values:
disable
,enable
. - identity_
based_ strroute - Name of identity-based routing rule.
- identity_
from str - Identity-From. Valid values:
auth
,device
. - implicit_
proxy_ strdetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound str
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet_
service6_ Sequence[str]custom_ groups - Custom Internet Service6 group name.
- internet_
service6_ Sequence[str]customs - Custom IPv6 Internet Service name.
- internet_
service6_ Sequence[str]groups - Internet Service group name.
- internet_
service6_ Sequence[str]names - IPv6 Internet Service name.
- internet_
service6_ strnegate - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service6_ strsrc - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet_
service6_ Sequence[str]src_ custom_ groups - Custom Internet Service6 source group name.
- internet_
service6_ Sequence[str]src_ customs - Custom IPv6 Internet Service source name.
- internet_
service6_ Sequence[str]src_ groups - Internet Service6 source group name.
- internet_
service6_ Sequence[str]src_ names - IPv6 Internet Service source name.
- internet_
service6_ strsrc_ negate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service_ strcustom - Custom Internet Service name.
- internet_
service_ strcustom_ group - Custom Internet Service group name.
- internet_
service_ strgroup - Internet Service group name.
- internet_
service_ strid - Internet Service ID.
- internet_
service_ strname - Internet-Service-Name.
- internet_
service_ strnegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service_ strsrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet_
service_ strsrc_ custom - Custom Internet Service source name.
- internet_
service_ strsrc_ custom_ group - Custom Internet Service source group name.
- internet_
service_ strsrc_ group - Internet Service source group name.
- internet_
service_ strsrc_ id - Internet Service source ID.
- internet_
service_ strsrc_ name - Internet-Service-Src-Name.
- internet_
service_ strsrc_ negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip_
based str - Ip-Based. Valid values:
disable
,enable
. - ip_
version_ strtype - IP version of the policy.
- ippool str
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips_
sensor str - Name of an existing IPS sensor.
- ips_
voip_ strfilter - Name of an existing VoIP (ips) profile.
- isolator_
profiles Sequence[str] - Isolator-Profile.
- isolator_
servers Sequence[str] - Isolator-Server.
- label str
- Label for the policy that appears when the GUI is in Section View mode.
- learning_
mode str - Learning-Mode. Valid values:
disable
,enable
. - log_
http_ strtransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log_
unmatched_ strtraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
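.
- logtraffic str - Enable or disable logging. Log all sessions or security profile sessions. With disable, sessions matching this policy are not logged, so they are not available for detection or later investigation. Valid values: disable, enable, all, utm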
. - logtraffic_
app str - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic_
start str - Record logs when a session starts. Valid values:
disable
,enable
. - match_
vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match_
vip_ stronly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max_
session_ floatper_ user - Max-Session-Per-User.
- mms_
profile str - Name of an existing MMS profile.
- name str
- Policy name.
- nat str
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 str
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 str
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound str
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips Sequence[str]
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound str
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network_
service_ Sequence[str]dynamics - Dynamic Network Service name.
- network_
service_ Sequence[str]src_ dynamics - Dynamic Network Service source name.
- np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm str
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm_
enabled_ Sequence[str]browsers - HTTP-User-Agent value of supported browsers.
- ntlm_
guest str - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound str
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages_
global_ strheader_ policy_ id - an identifier for the resource with format {{policyid}}.
- pass_
through str - Pass-Through. Valid values:
disable
,enable
. - passive_
wan_ strhealth_ measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp_
poolnames Sequence[str] - PCP pool names.
- per_
ip_ strshaper - Per-IP traffic shaper.
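- permit_any_host str - Accept UDP packets from any host. Enabling it broadens what the policy accepts, so keep it disabled unless a specific application needs it. Valid values: disable, enable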
. - permit_
stun_ strhost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp_
profile str - PFCP profile.
- pkg_
folder_ strpath - Pkg Folder Path.
- policy_
behaviour_ strtype - Behaviour of the policy.
- policy_
expiry str - Policy-Expiry. Valid values:
disable
,enable
. - policy_
expiry_ strdate - Policy-Expiry-Date.
- policy_
expiry_ strdate_ utc - Policy expiry date and time, in epoch format.
- policy_
offload str - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid float
- Policy ID (0 - 4294967294).
- poolname str
- IP Pool names.
- poolname6 str
- Poolname6.
- port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile_
group str - Name of profile group.
- profile_
protocol_ stroptions - Name of an existing Protocol options profile.
- profile_
type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius_
ip_ strauth_ bypass - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values:
disable
,enable
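. - radius_mac_auth_bypass str - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. A MAC address can be changed by the client, so this bypass identifies a device rather than authenticating a user. Valid values: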
disable
,enable
. - redirect_
profiles Sequence[str] - Redirect-Profile.
- redirect_
url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg_
group str - Replacemsg-Group.
- replacemsg_
override_ strgroup - Override the default replacement message group for this policy.
- reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation_
minimum float - Minimum Reputation to take action.
- reputation_
minimum6 float - IPv6 Minimum Reputation to take action.
- require_
tfa str - Require-Tfa. Valid values:
disable
,enable
. - reverse_
cache str - Reverse-Cache. Valid values:
disable
,enable
. - rsso str
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp_
addr str - Address names if this is an RTP NAT policy.
- rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan_
botnet_ strconnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule str
- Schedule name.
- schedule_
timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp_
filter_ strprofile - Name of an existing SCTP filter profile.
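- send_deny_packet str - Enable to send a reply when a session is denied or blocked by a firewall policy. The reply tells the sender that a filtering device handled the packet, so it is normally enabled only where clients need a fast failure instead of a timeout. Valid values: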
disable
,enable
. - service_
negate str - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services Sequence[str]
- Service and service group names.
- session_
ttl str - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions str
- Sessions. Valid values:
disable
,enable
. - sgt_
check str - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts Sequence[float]
- Security group tags.
- spamfilter_
profile str - Spamfilter-Profile.
- src_
vendor_ Sequence[str]macs - Src-Vendor-Mac.
- srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s Sequence[str]
- Srcaddr6.
- srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs Sequence[str]
- Source address and address group names.
- srcintfs Sequence[str]
- Incoming (ingress) interface.
- ssh_
filter_ strprofile - Name of an existing SSH filter profile.
- ssh_
policy_ strcheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh_
policy_ strredirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
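. - ssl_mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the interface named in ssl_mirror_intf should lead only to a trusted inspection or capture device. Valid values: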
disable
,enable
. - ssl_
mirror_ strintf - SSL mirror interface name.
- ssl_
ssh_ strprofile - Name of an existing SSL SSH profile.
- sslvpn_
auth str - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn_
ccert str - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn_
cipher str - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso_
auth_ strmethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status str
- Enable or disable this policy. Valid values:
disable
,enable
. - str
- Tags.
- tcp_
mss_ floatreceiver - Receiver TCP maximum segment size (MSS).
- tcp_
mss_ floatsender - Sender TCP maximum segment size (MSS).
- tcp_
reset str - Tcp-Reset. Valid values:
disable
,enable
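. - tcp_session_without_syn str - Enable/disable creation of TCP session without SYN flag. Any value other than disable lets a session be created from a packet that did not begin a normal handshake, which relaxes stateful TCP checking for traffic matching this policy. Valid values: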
all
,data-only
,disable
. - tcp_
timeout_ strpid - TCP timeout profile ID
- timeout_
send_ strrst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos str
- ToS (Type of Service) value used for comparison.
- tos_
mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos_
negate str - Enable negated TOS match. Valid values:
disable
,enable
. - traffic_
shaper str - Traffic shaper.
- traffic_
shaper_ strreverse - Reverse traffic shaper.
- transaction_
based str - Transaction-Based. Valid values:
disable
,enable
. - transparent str
- Transparent. Valid values:
disable
,enable
. - type str
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp_
timeout_ strpid - UDP timeout profile ID
- url_
category str - URL category ID list.
- url_
risks Sequence[str] - Url-Risk.
- users Sequence[str]
- Names of individual users that can authenticate with this policy.
- utm_
inspection_ strmode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid str
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid_
idx float - Uuid-Idx.
- vendor_
mac str - Vendor-Mac.
- videofilter_
profile str - Videofilter-Profile.
- virtual_
patch_ strprofile - Name of an existing virtual-patch profile.
- vlan_
cos_ floatfwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
cos_ floatrev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
filter str - Set VLAN filters.
- voip_
profile str - Name of an existing VoIP profile.
- vpntunnel str
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf_
profile str - Name of an existing Web application firewall profile.
- wanopt str
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt_passive_opt str - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt_
peer str - WAN optimization peer.
- wanopt_
profile str - WAN optimization profile.
- wccp str
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - str
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache str
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter_
profile str - Name of an existing Web filter profile.
- webproxy_
forward_ strserver - Webproxy forward server name.
- webproxy_
profile str - Webproxy profile name.
- wsso str
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna_
device_ strownership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - ztna_
ems_ Sequence[str]tag_ secondaries - Source ztna-ems-tag-secondary names.
- Sequence[str]
- Ztna-Ems-Tag.
- Sequence[str]
- Ztna-Geo-Tag.
- ztna_
policy_ strredirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna_
status str - Ztna-Status. Valid values:
disable
,enable
. - str
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- pkg String
- Package.
- _policyBlock Number - Assigned policy block. When this attribute is set, the policy represents a policy block and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies List<String> - Access-Proxy.
- action String
- Policy action (allow/deny/ipsec); the value that allows traffic is accept. Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth StringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category String - Application category ID list.
- app
Group String - Application group names.
- application
Charts List<String> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List String - Name of an existing Application list.
- applications List<Number>
- Application ID list.
- auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Method String - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path String - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal String - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile String - Name of an existing Antivirus profile.
- bandwidth String
- Bandwidth. Valid values:
disable
,enable
. - best
Route String - Best-Route. Valid values:
disable
,enable
. - block
Notification String - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet String - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile String - Name of an existing CASB profile.
- casi
Profile String - Casi-Profile.
- central
Nat String - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgnEim String - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log StringServer Grp - NP log server group name
- cgn
Resource NumberQuota - resource quota
- cgn
Session NumberQuota - session quota
- cgn
Sw StringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile String - Name of an existing CIFS profile.
- client
Reputation String - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation StringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments String
- Comment.
- custom
Log List<String>Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic StringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection StringOptions - Deep-Inspection-Options.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp StringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https StringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection StringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership String - Device-Ownership. Valid values:
disable
,enable
. - devices String
- Devices.
- diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles List<String> - Dlp-Profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dponly String
- Dponly. Valid values:
disable
,enable
. - dscp
Match String - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate String - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value String - Dscp-Value.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s List<String>
- Dstaddr6.
- dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs List<String>
- Destination address and address group names.
- dstintfs List<String>
- Outgoing (egress) interface.
- dynamic
Bypass String - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile String - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile List<String>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile StringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile StringGroup - Dynamic-Profile-Group.
- dynamic
Shaping String - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect String - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection StringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile String - Name of an existing email filter profile.
- endpoint
Check String - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance String - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive StringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile String - Endpoint-Profile.
- extended
Log String - Extended-Log. Valid values:
disable
,enable
. - failed
Connection String - Failed-Connection. Valid values:
disable
,enable
. - fall
Through StringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter StringProfile - File-Filter-Profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy String - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance List<String>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance StringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae String
- Fsae. Valid values:
disable
,enable
. - fsae
Server StringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<String> - Names of FSSO groups.
- geo
Location String - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match String - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<String>
- Names of user groups that can authenticate with this policy.
- gtp
Profile String - GTP profile.
- http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel StringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles List<String> - Ia-Profile.
- icap
Profile String - Name of an existing ICAP profile.
- identity
Based String - Identity-Based. Valid values:
disable
,enable
. - identity
Based StringRoute - Name of identity-based routing rule.
- identity
From String - Identity-From. Valid values:
auth
,device
. - implicit
Proxy StringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom List<String>Groups - Custom Internet Service6 group name.
- internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
- internet
Service6Groups List<String> - Internet Service group name.
- internet
Service6Names List<String> - IPv6 Internet Service name.
- internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src List<String>Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src List<String>Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src List<String>Groups - Internet Service6 source group name.
- internet
Service6Src List<String>Names - IPv6 Internet Service source name.
- internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringCustom - Custom Internet Service name.
- internet
Service StringCustom Group - Custom Internet Service group name.
- internet
Service StringGroup - Internet Service group name.
- internet
Service StringId - Internet Service ID.
- internet
Service StringName - Internet-Service-Name.
- internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service StringSrc Custom - Custom Internet Service source name.
- internet
Service StringSrc Custom Group - Custom Internet Service source group name.
- internet
Service StringSrc Group - Internet Service source group name.
- internet
Service StringSrc Id - Internet Service source ID.
- internet
Service StringSrc Name - Internet-Service-Src-Name.
- internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based String - Ip-Based. Valid values:
disable
,enable
. - ip
Version StringType - IP version of the policy.
- ippool String
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles List<String> - Isolator-Profile.
- isolator
Servers List<String> - Isolator-Server.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Learning-Mode. Valid values:
disable
,enable
. - log
Http StringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched StringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic String
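- Enable or disable logging. Log all sessions (all) or only security profile sessions (utm); with disable, traffic matching this policy is not logged and so is not available to later investigation. Valid values: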
disable
,enable
,all
,utm
. - logtraffic
App String - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session NumberPer User - Max-Session-Per-User.
- mms
Profile String - Name of an existing MMS profile.
- name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 String
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 String
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips List<String>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service List<String>Dynamics - Dynamic Network Service name.
- network
Service List<String>Src Dynamics - Dynamic Network Service source name.
- np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled List<String>Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global StringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- pass
Through String - Pass-Through. Valid values:
disable
,enable
. - passive
Wan StringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames List<String> - PCP pool names.
- per
Ip StringShaper - Per-IP traffic shaper.
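- permitAnyHost String - Accept UDP packets from any host. When enabled, inbound UDP for a session is not limited to the peer the session was opened to, so leave it disabled unless an application requires it. Valid values: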
disable
,enable
. - permit
Stun StringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp
Profile String - PFCP profile.
- pkg
Folder StringPath - Pkg Folder Path.
- policy
Behaviour StringType - Behaviour of the policy.
- policy
Expiry String - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry StringDate - Policy-Expiry-Date.
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid Number
- Policy ID (0 - 4294967294).
- poolname String
- IP Pool names.
- poolname6 String
- Poolname6.
- port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Ip StringAuth Bypass - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values:
disable
,enable
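. - radiusMacAuthBypass String - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. A MAC address can be changed by the client, so this bypass identifies a device rather than authenticating a user. Valid values: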
disable
,enable
. - redirect
Profiles List<String> - Redirect-Profile.
- redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group String - Replacemsg-Group.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Number - Minimum Reputation to take action.
- reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
- require
Tfa String - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache String - Reverse-Cache. Valid values:
disable
,enable
. - rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr String - Address names if this is an RTP NAT policy.
- rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name.
- schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
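- sendDenyPacket String - Enable to send a reply when a session is denied or blocked by a firewall policy. The reply tells the sender that a filtering device handled the packet, so it is normally enabled only where clients need a fast failure instead of a timeout. Valid values: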
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services List<String>
- Service and service group names.
- session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions String
- Sessions. Valid values:
disable
,enable
. - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts List<Number>
- Security group tags.
- spamfilter
Profile String - Spamfilter-Profile.
- src
Vendor List<String>Macs - Src-Vendor-Mac.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s List<String>
- Srcaddr6.
- srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs List<String>
- Source address and address group names.
- srcintfs List<String>
- Incoming (ingress) interface.
- ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
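. - sslMirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the interface named in sslMirrorIntf should lead only to a trusted inspection or capture device. Valid values: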
disable
,enable
. - ssl
Mirror StringIntf - SSL mirror interface name.
- ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth String - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert String - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher String - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth StringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status String
- Enable or disable this policy. Valid values:
disable
,enable
. - String
- Tags.
- tcp
Mss NumberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss NumberSender - Sender TCP maximum segment size (MSS).
- tcp
Reset String - Tcp-Reset. Valid values:
disable
,enable
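. - tcpSessionWithoutSyn String - Enable/disable creation of TCP session without SYN flag. Any value other than disable lets a session be created from a packet that did not begin a normal handshake, which relaxes stateful TCP checking for traffic matching this policy. Valid values: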
all
,data-only
,disable
. - tcp
Timeout StringPid - TCP timeout profile ID
- timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- transaction
Based String - Transaction-Based. Valid values:
disable
,enable
. - transparent String
- Transparent. Valid values:
disable
,enable
. - type String
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
Timeout StringPid - UDP timeout profile ID
- url
Category String - URL category ID list.
- url
Risks List<String> - Url-Risk.
- users List<String>
- Names of individual users that can authenticate with this policy.
- utm
Inspection StringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx Number - Uuid-Idx.
- vendor
Mac String - Vendor-Mac.
- videofilter
Profile String - Videofilter-Profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos NumberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos NumberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanoptPassiveOpt String - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - String
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache String
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Webproxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - ztnaEmsTagSecondaries List<String>
- Source ztna-ems-tag-secondary names.
- List<String>
- Ztna-Ems-Tag.
- List<String>
- Ztna-Geo-Tag.
- ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status String - Ztna-Status. Valid values:
disable
,enable
. - String
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
Outputs
All input properties are implicitly available as output properties. Additionally, the PackagesGlobalHeaderPolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing PackagesGlobalHeaderPolicy Resource
Get an existing PackagesGlobalHeaderPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PackagesGlobalHeaderPolicyState, opts?: CustomResourceOptions): PackagesGlobalHeaderPolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
_policy_block: Optional[float] = None,
access_proxies: Optional[Sequence[str]] = None,
action: Optional[str] = None,
active_auth_method: Optional[str] = None,
anti_replay: Optional[str] = None,
app_category: Optional[str] = None,
app_group: Optional[str] = None,
application_charts: Optional[Sequence[str]] = None,
application_list: Optional[str] = None,
applications: Optional[Sequence[float]] = None,
auth_cert: Optional[str] = None,
auth_method: Optional[str] = None,
auth_path: Optional[str] = None,
auth_portal: Optional[str] = None,
auth_redirect_addr: Optional[str] = None,
auto_asic_offload: Optional[str] = None,
av_profile: Optional[str] = None,
bandwidth: Optional[str] = None,
best_route: Optional[str] = None,
block_notification: Optional[str] = None,
captive_portal_exempt: Optional[str] = None,
capture_packet: Optional[str] = None,
casb_profile: Optional[str] = None,
casi_profile: Optional[str] = None,
central_nat: Optional[str] = None,
cgn_eif: Optional[str] = None,
cgn_eim: Optional[str] = None,
cgn_log_server_grp: Optional[str] = None,
cgn_resource_quota: Optional[float] = None,
cgn_session_quota: Optional[float] = None,
cgn_sw_eif_ctrl: Optional[str] = None,
cifs_profile: Optional[str] = None,
client_reputation: Optional[str] = None,
client_reputation_mode: Optional[str] = None,
comments: Optional[str] = None,
custom_log_fields: Optional[Sequence[str]] = None,
decrypted_traffic_mirror: Optional[str] = None,
deep_inspection_options: Optional[str] = None,
delay_tcp_npu_session: Optional[str] = None,
delay_tcp_npu_sessoin: Optional[str] = None,
detect_https_in_http_request: Optional[str] = None,
device_detection_portal: Optional[str] = None,
device_ownership: Optional[str] = None,
devices: Optional[str] = None,
diameter_filter_profile: Optional[str] = None,
diffserv_copy: Optional[str] = None,
diffserv_forward: Optional[str] = None,
diffserv_reverse: Optional[str] = None,
diffservcode_forward: Optional[str] = None,
diffservcode_rev: Optional[str] = None,
disclaimer: Optional[str] = None,
dlp_profiles: Optional[Sequence[str]] = None,
dlp_sensor: Optional[str] = None,
dnsfilter_profile: Optional[str] = None,
dponly: Optional[str] = None,
dscp_match: Optional[str] = None,
dscp_negate: Optional[str] = None,
dscp_value: Optional[str] = None,
dsri: Optional[str] = None,
dstaddr6_negate: Optional[str] = None,
dstaddr6s: Optional[Sequence[str]] = None,
dstaddr_negate: Optional[str] = None,
dstaddrs: Optional[Sequence[str]] = None,
dstintfs: Optional[Sequence[str]] = None,
dynamic_bypass: Optional[str] = None,
dynamic_profile: Optional[str] = None,
dynamic_profile_accesses: Optional[Sequence[str]] = None,
dynamic_profile_fallthrough: Optional[str] = None,
dynamic_profile_group: Optional[str] = None,
dynamic_shaping: Optional[str] = None,
eif_check: Optional[str] = None,
eif_learn: Optional[str] = None,
email_collect: Optional[str] = None,
email_collection_portal: Optional[str] = None,
emailfilter_profile: Optional[str] = None,
endpoint_check: Optional[str] = None,
endpoint_compliance: Optional[str] = None,
endpoint_keepalive_interface: Optional[str] = None,
endpoint_profile: Optional[str] = None,
extended_log: Optional[str] = None,
failed_connection: Optional[str] = None,
fall_through_unauthenticated: Optional[str] = None,
fec: Optional[str] = None,
file_filter_profile: Optional[str] = None,
firewall_session_dirty: Optional[str] = None,
fixedport: Optional[str] = None,
force_proxy: Optional[str] = None,
forticlient_compliance_devices: Optional[Sequence[str]] = None,
forticlient_compliance_enforcement_portal: Optional[str] = None,
fsae: Optional[str] = None,
fsae_server_for_ntlm: Optional[str] = None,
fsso: Optional[str] = None,
fsso_agent_for_ntlm: Optional[str] = None,
fsso_groups: Optional[Sequence[str]] = None,
geo_location: Optional[str] = None,
geoip_anycast: Optional[str] = None,
geoip_match: Optional[str] = None,
global_label: Optional[str] = None,
groups: Optional[Sequence[str]] = None,
gtp_profile: Optional[str] = None,
http_policy_redirect: Optional[str] = None,
http_tunnel_auth: Optional[str] = None,
ia_profiles: Optional[Sequence[str]] = None,
icap_profile: Optional[str] = None,
identity_based: Optional[str] = None,
identity_based_route: Optional[str] = None,
identity_from: Optional[str] = None,
implicit_proxy_detection: Optional[str] = None,
inbound: Optional[str] = None,
inspection_mode: Optional[str] = None,
internet_service: Optional[str] = None,
internet_service6: Optional[str] = None,
internet_service6_custom_groups: Optional[Sequence[str]] = None,
internet_service6_customs: Optional[Sequence[str]] = None,
internet_service6_groups: Optional[Sequence[str]] = None,
internet_service6_names: Optional[Sequence[str]] = None,
internet_service6_negate: Optional[str] = None,
internet_service6_src: Optional[str] = None,
internet_service6_src_custom_groups: Optional[Sequence[str]] = None,
internet_service6_src_customs: Optional[Sequence[str]] = None,
internet_service6_src_groups: Optional[Sequence[str]] = None,
internet_service6_src_names: Optional[Sequence[str]] = None,
internet_service6_src_negate: Optional[str] = None,
internet_service_custom: Optional[str] = None,
internet_service_custom_group: Optional[str] = None,
internet_service_group: Optional[str] = None,
internet_service_id: Optional[str] = None,
internet_service_name: Optional[str] = None,
internet_service_negate: Optional[str] = None,
internet_service_src: Optional[str] = None,
internet_service_src_custom: Optional[str] = None,
internet_service_src_custom_group: Optional[str] = None,
internet_service_src_group: Optional[str] = None,
internet_service_src_id: Optional[str] = None,
internet_service_src_name: Optional[str] = None,
internet_service_src_negate: Optional[str] = None,
ip_based: Optional[str] = None,
ip_version_type: Optional[str] = None,
ippool: Optional[str] = None,
ips_sensor: Optional[str] = None,
ips_voip_filter: Optional[str] = None,
isolator_profiles: Optional[Sequence[str]] = None,
isolator_servers: Optional[Sequence[str]] = None,
label: Optional[str] = None,
learning_mode: Optional[str] = None,
log_http_transaction: Optional[str] = None,
log_unmatched_traffic: Optional[str] = None,
logtraffic: Optional[str] = None,
logtraffic_app: Optional[str] = None,
logtraffic_start: Optional[str] = None,
match_vip: Optional[str] = None,
match_vip_only: Optional[str] = None,
max_session_per_user: Optional[float] = None,
mms_profile: Optional[str] = None,
name: Optional[str] = None,
nat: Optional[str] = None,
nat46: Optional[str] = None,
nat64: Optional[str] = None,
natinbound: Optional[str] = None,
natips: Optional[Sequence[str]] = None,
natoutbound: Optional[str] = None,
network_service_dynamics: Optional[Sequence[str]] = None,
network_service_src_dynamics: Optional[Sequence[str]] = None,
np_acceleration: Optional[str] = None,
ntlm: Optional[str] = None,
ntlm_enabled_browsers: Optional[Sequence[str]] = None,
ntlm_guest: Optional[str] = None,
outbound: Optional[str] = None,
packages_global_header_policy_id: Optional[str] = None,
pass_through: Optional[str] = None,
passive_wan_health_measurement: Optional[str] = None,
pcp_inbound: Optional[str] = None,
pcp_outbound: Optional[str] = None,
pcp_poolnames: Optional[Sequence[str]] = None,
per_ip_shaper: Optional[str] = None,
permit_any_host: Optional[str] = None,
permit_stun_host: Optional[str] = None,
pfcp_profile: Optional[str] = None,
pkg: Optional[str] = None,
pkg_folder_path: Optional[str] = None,
policy_behaviour_type: Optional[str] = None,
policy_expiry: Optional[str] = None,
policy_expiry_date: Optional[str] = None,
policy_expiry_date_utc: Optional[str] = None,
policy_offload: Optional[str] = None,
policyid: Optional[float] = None,
poolname: Optional[str] = None,
poolname6: Optional[str] = None,
port_preserve: Optional[str] = None,
profile_group: Optional[str] = None,
profile_protocol_options: Optional[str] = None,
profile_type: Optional[str] = None,
radius_ip_auth_bypass: Optional[str] = None,
radius_mac_auth_bypass: Optional[str] = None,
redirect_profiles: Optional[Sequence[str]] = None,
redirect_url: Optional[str] = None,
replacemsg_group: Optional[str] = None,
replacemsg_override_group: Optional[str] = None,
reputation_direction: Optional[str] = None,
reputation_direction6: Optional[str] = None,
reputation_minimum: Optional[float] = None,
reputation_minimum6: Optional[float] = None,
require_tfa: Optional[str] = None,
reverse_cache: Optional[str] = None,
rsso: Optional[str] = None,
rtp_addr: Optional[str] = None,
rtp_nat: Optional[str] = None,
scan_botnet_connections: Optional[str] = None,
schedule: Optional[str] = None,
schedule_timeout: Optional[str] = None,
sctp_filter_profile: Optional[str] = None,
send_deny_packet: Optional[str] = None,
service_negate: Optional[str] = None,
services: Optional[Sequence[str]] = None,
session_ttl: Optional[str] = None,
sessions: Optional[str] = None,
sgt_check: Optional[str] = None,
sgts: Optional[Sequence[float]] = None,
spamfilter_profile: Optional[str] = None,
src_vendor_macs: Optional[Sequence[str]] = None,
srcaddr6_negate: Optional[str] = None,
srcaddr6s: Optional[Sequence[str]] = None,
srcaddr_negate: Optional[str] = None,
srcaddrs: Optional[Sequence[str]] = None,
srcintfs: Optional[Sequence[str]] = None,
ssh_filter_profile: Optional[str] = None,
ssh_policy_check: Optional[str] = None,
ssh_policy_redirect: Optional[str] = None,
ssl_mirror: Optional[str] = None,
ssl_mirror_intf: Optional[str] = None,
ssl_ssh_profile: Optional[str] = None,
sslvpn_auth: Optional[str] = None,
sslvpn_ccert: Optional[str] = None,
sslvpn_cipher: Optional[str] = None,
sso_auth_method: Optional[str] = None,
status: Optional[str] = None,
tags: Optional[str] = None,
tcp_mss_receiver: Optional[float] = None,
tcp_mss_sender: Optional[float] = None,
tcp_reset: Optional[str] = None,
tcp_session_without_syn: Optional[str] = None,
tcp_timeout_pid: Optional[str] = None,
timeout_send_rst: Optional[str] = None,
tos: Optional[str] = None,
tos_mask: Optional[str] = None,
tos_negate: Optional[str] = None,
traffic_shaper: Optional[str] = None,
traffic_shaper_reverse: Optional[str] = None,
transaction_based: Optional[str] = None,
transparent: Optional[str] = None,
type: Optional[str] = None,
udp_timeout_pid: Optional[str] = None,
url_category: Optional[str] = None,
url_risks: Optional[Sequence[str]] = None,
users: Optional[Sequence[str]] = None,
utm_inspection_mode: Optional[str] = None,
utm_status: Optional[str] = None,
uuid: Optional[str] = None,
uuid_idx: Optional[float] = None,
vendor_mac: Optional[str] = None,
videofilter_profile: Optional[str] = None,
virtual_patch_profile: Optional[str] = None,
vlan_cos_fwd: Optional[float] = None,
vlan_cos_rev: Optional[float] = None,
vlan_filter: Optional[str] = None,
voip_profile: Optional[str] = None,
vpntunnel: Optional[str] = None,
waf_profile: Optional[str] = None,
wanopt: Optional[str] = None,
wanopt_detection: Optional[str] = None,
wanopt_passive_opt: Optional[str] = None,
wanopt_peer: Optional[str] = None,
wanopt_profile: Optional[str] = None,
wccp: Optional[str] = None,
web_auth_cookie: Optional[str] = None,
webcache: Optional[str] = None,
webcache_https: Optional[str] = None,
webfilter_profile: Optional[str] = None,
webproxy_forward_server: Optional[str] = None,
webproxy_profile: Optional[str] = None,
wsso: Optional[str] = None,
ztna_device_ownership: Optional[str] = None,
ztna_ems_tag_secondaries: Optional[Sequence[str]] = None,
ztna_ems_tags: Optional[Sequence[str]] = None,
ztna_geo_tags: Optional[Sequence[str]] = None,
ztna_policy_redirect: Optional[str] = None,
ztna_status: Optional[str] = None,
ztna_tags_match_logic: Optional[str] = None) -> PackagesGlobalHeaderPolicy
func GetPackagesGlobalHeaderPolicy(ctx *Context, name string, id IDInput, state *PackagesGlobalHeaderPolicyState, opts ...ResourceOption) (*PackagesGlobalHeaderPolicy, error)
public static PackagesGlobalHeaderPolicy Get(string name, Input<string> id, PackagesGlobalHeaderPolicyState? state, CustomResourceOptions? opts = null)
public static PackagesGlobalHeaderPolicy get(String name, Output<String> id, PackagesGlobalHeaderPolicyState state, CustomResourceOptions options)
resources:
  _:
    type: fortimanager:PackagesGlobalHeaderPolicy
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AccessProxies List<string>
- Access-Proxy.
- Action string
- Policy action (accept/deny/ipsec/ssl-vpn). Valid values: deny, accept, ipsec, ssl-vpn.
- ActiveAuthMethod string
- Active-Auth-Method. Valid values: ntlm, basic, digest, form.
- AntiReplay string
- Enable/disable anti-replay check. Valid values: disable, enable.
- AppCategory string
- Application category ID list.
- AppGroup string
- Application group names.
- Application
Charts List<string> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - Application
List string - Name of an existing Application list.
- Applications List<double>
- Application ID list.
- AuthCert string
- HTTPS server certificate for policy authentication.
- AuthMethod string
- Auth-Method. Valid values: basic, digest, ntlm, fsae, form, fsso, rsso.
- AuthPath string
- Enable/disable authentication-based routing. Valid values: disable, enable.
- AuthPortal string
- Auth-Portal. Valid values: disable, enable.
- AuthRedirectAddr string
- HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - Av
Profile string - Name of an existing Antivirus profile.
- Bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - Best
Route string - Best-Route. Valid values:
disable
,enable
. - Block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - Casb
Profile string - Name of an existing CASB profile.
- Casi
Profile string - Casi-Profile.
- CentralNat string
- Central-Nat. Valid values: disable, enable.
- CgnEif string
- Enable/Disable CGN endpoint independent filtering. Valid values: disable, enable.
- CgnEim string
- Enable/Disable CGN endpoint independent mapping. Valid values: disable, enable.
- CgnLogServerGrp string
- NP log server group name.
- CgnResourceQuota double
- Resource quota.
- CgnSessionQuota double
- Session quota.
- CgnSwEifCtrl string
- Enable/disable software endpoint independent filtering control. Valid values: disable, enable.
- CifsProfile string
- Name of an existing CIFS profile.
- Client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - Client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - Comments string
- Comment.
- Custom
Log List<string>Fields - Custom fields to append to log messages for this policy.
- Decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- Deep
Inspection stringOptions - Deep-Inspection-Options.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - Delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - Detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - Device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - Device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - Devices string
- Devices.
- Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - Dlp
Profiles List<string> - Dlp-Profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dponly string
- Dponly. Valid values:
disable
,enable
. - Dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - Dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - Dscp
Value string - Dscp-Value.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddr6s List<string>
- Dstaddr6.
- Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddrs List<string>
- Destination address and address group names.
- Dstintfs List<string>
- Outgoing (egress) interface.
- Dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - Dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - Dynamic
Profile List<string>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - Dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - Dynamic
Profile stringGroup - Dynamic-Profile-Group.
- Dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - Email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - Email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - Endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - Endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- Endpoint
Profile string - Endpoint-Profile.
- Extended
Log string - Extended-Log. Valid values:
disable
,enable
. - Failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - Fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - File
Filter stringProfile - File-Filter-Profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - Force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - Forticlient
Compliance List<string>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - Forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - Fsae string
- Fsae. Valid values:
disable
,enable
. - Fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups List<string> - Names of FSSO groups.
- Geo
Location string - Geo-Location. Valid values:
disable
,enable
. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - Geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups List<string>
- Names of user groups that can authenticate with this policy.
- Gtp
Profile string - GTP profile.
- Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - Http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - Ia
Profiles List<string> - Ia-Profile.
- Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based string - Identity-Based. Valid values:
disable
,enable
. - Identity
Based stringRoute - Name of identity-based routing rule.
- Identity
From string - Identity-From. Valid values:
auth
,device
. - Implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6Custom List<string>Groups - Custom Internet Service6 group name.
- Internet
Service6Customs List<string> - Custom IPv6 Internet Service name.
- Internet
Service6Groups List<string> - Internet Service group name.
- Internet
Service6Names List<string> - IPv6 Internet Service name.
- Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service6Src List<string>Custom Groups - Custom Internet Service6 source group name.
- Internet
Service6Src List<string>Customs - Custom IPv6 Internet Service source name.
- Internet
Service6Src List<string>Groups - Internet Service6 source group name.
- Internet
Service6Src List<string>Names - IPv6 Internet Service source name.
- Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringCustom - Custom Internet Service name.
- Internet
Service stringCustom Group - Custom Internet Service group name.
- Internet
Service stringGroup - Internet Service group name.
- Internet
Service stringId - Internet Service ID.
- Internet
Service stringName - Internet-Service-Name.
- Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service stringSrc Custom - Custom Internet Service source name.
- Internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- Internet
Service stringSrc Group - Internet Service source group name.
- Internet
Service stringSrc Id - Internet Service source ID.
- Internet
Service stringSrc Name - Internet-Service-Src-Name.
- Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Ip
Based string - Ip-Based. Valid values:
disable
,enable
. - Ip
Version stringType - IP version of the policy.
- Ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Isolator
Profiles List<string> - Isolator-Profile.
- Isolator
Servers List<string> - Isolator-Server.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- LearningMode string
- Learning-Mode. Valid values: disable, enable.
- LogHttpTransaction string
- Log-Http-Transaction. Valid values: disable, enable.
- LogUnmatchedTraffic string
- Log-Unmatched-Traffic. Valid values: disable, enable.
- Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values: disable, enable, all, utm.
- LogtrafficApp string
- Logtraffic-App. Valid values: disable, enable.
- LogtrafficStart string
- Record logs when a session starts. Valid values: disable, enable.
- MatchVip string
- Enable to match packets that have had their destination addresses changed by a VIP. Valid values: disable, enable.
- MatchVipOnly string
- Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: disable, enable.
- MaxSessionPerUser double
- Max-Session-Per-User.
- Mms
Profile string - Name of an existing MMS profile.
- Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - Nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - Nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - Natips List<string>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - Network
Service List<string>Dynamics - Dynamic Network Service name.
- Network
Service List<string>Src Dynamics - Dynamic Network Service source name.
- Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - Ntlm
Enabled List<string>Browsers - HTTP-User-Agent value of supported browsers.
- Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - Packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- Pass
Through string - Pass-Through. Valid values:
disable
,enable
. - Passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - Pcp
Poolnames List<string> - PCP pool names.
- Per
Ip stringShaper - Per-IP traffic shaper.
- PermitAnyHost string
- Accept UDP packets from any host. Valid values: disable, enable.
- PermitStunHost string
- Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: disable, enable.
- PfcpProfile string
- PFCP profile.
- Pkg string
- Package.
- Pkg
Folder stringPath - Pkg Folder Path.
- Policy
Behaviour stringType - Behaviour of the policy.
- Policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - Policy
Expiry stringDate - Policy-Expiry-Date.
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - Policyid double
- Policy ID (0 - 4294967294).
- Poolname string
- IP Pool names.
- Poolname6 string
- Poolname6.
- Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- ProfileType string
- Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
- RadiusIpAuthBypass string
- Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: disable, enable.
- RadiusMacAuthBypass string
- Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: disable, enable.
- RedirectProfiles List<string>
- Redirect-Profile.
- RedirectUrl string
- URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Group string - Replacemsg-Group.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum double - Minimum Reputation to take action.
- Reputation
Minimum6 double - IPv6 Minimum Reputation to take action.
- Require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - Reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - Rtp
Addr string - Address names if this is an RTP NAT policy.
- Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name.
- Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - Services List<string>
- Service and service group names.
- Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sessions string
- Sessions. Valid values:
disable
,enable
. - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - Sgts List<double>
- Security group tags.
- Spamfilter
Profile string - Spamfilter-Profile.
- Src
Vendor List<string>Macs - Src-Vendor-Mac.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddr6s List<string>
- Srcaddr6.
- Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddrs List<string>
- Source address and address group names.
- Srcintfs List<string>
- Incoming (ingress) interface.
- Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - Ssl
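Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the mirror interface should only reach trusted inspection devices. Valid values: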
disable
,enable
. - Ssl
Mirror stringIntf - SSL mirror interface name.
- Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - Sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - Sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - Sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - Status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- Tcp
Mss doubleReceiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss doubleSender - Sender TCP maximum segment size (MSS).
- Tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
. - Tcp
Session stringWithout Syn - Enable/disable creation of TCP session without SYN flag. Valid values:
all
,data-only
,disable
. - Tcp
Timeout stringPid - TCP timeout profile ID
- Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - Transparent string
- Transparent. Valid values:
disable
,enable
. - Type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - Udp
Timeout stringPid - UDP timeout profile ID
- Url
Category string - URL category ID list.
- Url
Risks List<string> - Url-Risk.
- Users List<string>
- Names of individual users that can authenticate with this policy.
- Utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Uuid
Idx double - Uuid-Idx.
- Vendor
Mac string - Vendor-Mac.
- Videofilter
Profile string - Videofilter-Profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos doubleFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos doubleRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - Webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Webproxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - List<string>
- Source ztna-ems-tag-secondary names.
- List<string>
- Ztna-Ems-Tag.
- List<string>
- Ztna-Geo-Tag.
- Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - Ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
. - _
policy doubleBlock - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- Access
Proxies []string - Access-Proxy.
- Action string
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - Active
Auth stringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - Anti
Replay string - Enable/disable anti-replay check. Valid values:
disable
,enable
. - App
Category string - Application category ID list.
- App
Group string - Application group names.
- Application
Charts []string - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - Application
List string - Name of an existing Application list.
- Applications []float64
- Application ID list.
- Auth
Cert string - HTTPS server certificate for policy authentication.
- Auth
Method string - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - Auth
Path string - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - Auth
Portal string - Auth-Portal. Valid values:
disable
,enable
. - Auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- Auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - Av
Profile string - Name of an existing Antivirus profile.
- Bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - Best
Route string - Best-Route. Valid values:
disable
,enable
. - Block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - Captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - Capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - Casb
Profile string - Name of an existing CASB profile.
- Casi
Profile string - Casi-Profile.
- Central
Nat string - Central-Nat. Valid values:
disable
,enable
. - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - Cgn
Log stringServer Grp - NP log server group name
- Cgn
Resource float64Quota - resource quota
- Cgn
Session float64Quota - session quota
- Cgn
Sw stringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - Cifs
Profile string - Name of an existing CIFS profile.
- Client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - Client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - Comments string
- Comment.
- Custom
Log []stringFields - Custom fields to append to log messages for this policy.
- Decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- Deep
Inspection stringOptions - Deep-Inspection-Options.
- Delay
Tcp stringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - Delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - Detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - Device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - Device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - Devices string
- Devices.
- Diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - Diffservcode
Forward string - Change packet's DiffServ to this value.
- Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- Disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - Dlp
Profiles []string - Dlp-Profile.
- Dlp
Sensor string - Name of an existing DLP sensor.
- Dnsfilter
Profile string - Name of an existing DNS filter profile.
- Dponly string
- Dponly. Valid values:
disable
,enable
. - Dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - Dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - Dscp
Value string - Dscp-Value.
- Dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - Dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddr6s []string
- Dstaddr6.
- Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - Dstaddrs []string
- Destination address and address group names.
- Dstintfs []string
- Outgoing (egress) interface.
- Dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - Dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - Dynamic
Profile []stringAccesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - Dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - Dynamic
Profile stringGroup - Dynamic-Profile-Group.
- Dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - Email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - Email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - Emailfilter
Profile string - Name of an existing email filter profile.
- Endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - Endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - Endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- Endpoint
Profile string - Endpoint-Profile.
- Extended
Log string - Extended-Log. Valid values:
disable
,enable
. - Failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - Fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - Fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - File
Filter stringProfile - File-Filter-Profile.
- Firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - Fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - Force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - Forticlient
Compliance []stringDevices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - Forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - Fsae string
- Fsae. Valid values:
disable
,enable
. - Fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- Fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - Fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- Fsso
Groups []string - Names of FSSO groups.
- Geo
Location string - Geo-Location. Valid values:
disable
,enable
. - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - Geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- Groups []string
- Names of user groups that can authenticate with this policy.
- Gtp
Profile string - GTP profile.
- Http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - Http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - Ia
Profiles []string - Ia-Profile.
- Icap
Profile string - Name of an existing ICAP profile.
- Identity
Based string - Identity-Based. Valid values:
disable
,enable
. - Identity
Based stringRoute - Name of identity-based routing rule.
- Identity
From string - Identity-From. Valid values:
auth
,device
. - Implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - Inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - Internet
Service6Custom []stringGroups - Custom Internet Service6 group name.
- Internet
Service6Customs []string - Custom IPv6 Internet Service name.
- Internet
Service6Groups []string - Internet Service group name.
- Internet
Service6Names []string - IPv6 Internet Service name.
- Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service6Src []stringCustom Groups - Custom Internet Service6 source group name.
- Internet
Service6Src []stringCustoms - Custom IPv6 Internet Service source name.
- Internet
Service6Src []stringGroups - Internet Service6 source group name.
- Internet
Service6Src []stringNames - IPv6 Internet Service source name.
- Internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringCustom - Custom Internet Service name.
- Internet
Service stringCustom Group - Custom Internet Service group name.
- Internet
Service stringGroup - Internet Service group name.
- Internet
Service stringId - Internet Service ID.
- Internet
Service stringName - Internet-Service-Name.
- Internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - Internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - Internet
Service stringSrc Custom - Custom Internet Service source name.
- Internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- Internet
Service stringSrc Group - Internet Service source group name.
- Internet
Service stringSrc Id - Internet Service source ID.
- Internet
Service stringSrc Name - Internet-Service-Src-Name.
- Internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - Ip
Based string - Ip-Based. Valid values:
disable
,enable
. - Ip
Version stringType - IP version of the policy.
- Ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - Ips
Sensor string - Name of an existing IPS sensor.
- Ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- Isolator
Profiles []string - Isolator-Profile.
- Isolator
Servers []string - Isolator-Server.
- Label string
- Label for the policy that appears when the GUI is in Section View mode.
- Learning
Mode string - Learning-Mode. Valid values:
disable
,enable
. - Log
Http stringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - Log
Unmatched stringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - Logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - Logtraffic
App string - Logtraffic-App. Valid values:
disable
,enable
. - Logtraffic
Start string - Record logs when a session starts. Valid values:
disable
,enable
. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Match
Vip stringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - Max
Session float64Per User - Max-Session-Per-User.
- Mms
Profile string - Name of an existing MMS profile.
- Name string
- Policy name.
- Nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - Nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - Nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - Natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - Natips []string
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- Natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - Network
Service []stringDynamics - Dynamic Network Service name.
- Network
Service []stringSrc Dynamics - Dynamic Network Service source name.
- Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - Ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - Ntlm
Enabled []stringBrowsers - HTTP-User-Agent value of supported browsers.
- Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - Outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - Packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- Pass
Through string - Pass-Through. Valid values:
disable
,enable
. - Passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - Pcp
Poolnames []string - PCP pool names.
- Per
Ip stringShaper - Per-IP traffic shaper.
- Permit
Any stringHost - Accept UDP packets from any host. Valid values:
disable
,enable
. - Permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - Pfcp
Profile string - PFCP profile.
- Pkg string
- Package.
- Pkg
Folder stringPath - Pkg Folder Path.
- Policy
Behaviour stringType - Behaviour of the policy.
- Policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - Policy
Expiry stringDate - Policy-Expiry-Date.
- Policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - Policyid float64
- Policy ID (0 - 4294967294).
- Poolname string
- IP Pool names.
- Poolname6 string
- Poolname6.
- Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - Profile
Group string - Name of profile group.
- Profile
Protocol stringOptions - Name of an existing Protocol options profile.
- Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - Radius
Ip stringAuth Bypass - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values:
disable
,enable
. - Radius
Mac stringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
disable
,enable
. - Redirect
Profiles []string - Redirect-Profile.
- Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- Replacemsg
Group string - Replacemsg-Group.
- Replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - Reputation
Minimum float64 - Minimum Reputation to take action.
- Reputation
Minimum6 float64 - IPv6 Minimum Reputation to take action.
- Require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - Reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - Rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - Rtp
Addr string - Address names if this is an RTP NAT policy.
- Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - Scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - Schedule string
- Schedule name.
- Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - Sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- Send
Deny stringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - Services []string
- Service and service group names.
- Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- Sessions string
- Sessions. Valid values:
disable
,enable
. - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - Sgts []float64
- Security group tags.
- Spamfilter
Profile string - Spamfilter-Profile.
- Src
Vendor []stringMacs - Src-Vendor-Mac.
- Srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddr6s []string
- Srcaddr6.
- Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - Srcaddrs []string
- Source address and address group names.
- Srcintfs []string
- Incoming (ingress) interface.
- Ssh
Filter stringProfile - Name of an existing SSH filter profile.
- Ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - Ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - Ssl
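Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is plaintext, so the mirror interface should only reach trusted inspection devices. Valid values: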
disable
,enable
. - Ssl
Mirror stringIntf - SSL mirror interface name.
- Ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- Sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - Sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - Sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - Sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - Status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- Tcp
Mss float64Receiver - Receiver TCP maximum segment size (MSS).
- Tcp
Mss float64Sender - Sender TCP maximum segment size (MSS).
- Tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
. - Tcp
Session stringWithout Syn - Enable/disable creation of TCP session without SYN flag. Valid values:
all
,data-only
,disable
. - Tcp
Timeout stringPid - TCP timeout profile ID
- Timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - Tos string
- ToS (Type of Service) value used for comparison.
- Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- Tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - Traffic
Shaper string - Traffic shaper.
- Traffic
Shaper stringReverse - Reverse traffic shaper.
- Transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - Transparent string
- Transparent. Valid values:
disable
,enable
. - Type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - Udp
Timeout stringPid - UDP timeout profile ID
- Url
Category string - URL category ID list.
- Url
Risks []string - Url-Risk.
- Users []string
- Names of individual users that can authenticate with this policy.
- Utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - Uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- Uuid
Idx float64 - Uuid-Idx.
- Vendor
Mac string - Vendor-Mac.
- Videofilter
Profile string - Videofilter-Profile.
- Virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- Vlan
Cos float64Fwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Cos float64Rev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- Vlan
Filter string - Set VLAN filters.
- Voip
Profile string - Name of an existing VoIP profile.
- Vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- Waf
Profile string - Name of an existing Web application firewall profile.
- Wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - Wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - Wanopt
Peer string - WAN optimization peer.
- Wanopt
Profile string - WAN optimization profile.
- Wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - Webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - Webfilter
Profile string - Name of an existing Web filter profile.
- Webproxy
Forward stringServer - Webproxy forward server name.
- Webproxy
Profile string - Webproxy profile name.
- Wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - Ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - []string
- Source ztna-ems-tag-secondary names.
- []string
- Ztna-Ems-Tag.
- []string
- Ztna-Geo-Tag.
- Ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - Ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
. - _
policy float64Block - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- _
policy DoubleBlock - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies List<String> - Access-Proxy.
- action String
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth StringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category String - Application category ID list.
- app
Group String - Application group names.
- application
Charts List<String> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List String - Name of an existing Application list.
- applications List<Double>
- Application ID list.
- auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Method String - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path String - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal String - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile String - Name of an existing Antivirus profile.
- bandwidth String
- Bandwidth. Valid values:
disable
,enable
. - best
Route String - Best-Route. Valid values:
disable
,enable
. - block
Notification String - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet String - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile String - Name of an existing CASB profile.
- casi
Profile String - Casi-Profile.
- central
Nat String - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log StringServer Grp - NP log server group name
- cgn
Resource DoubleQuota - resource quota
- cgn
Session DoubleQuota - session quota
- cgn
Sw StringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile String - Name of an existing CIFS profile.
- client
Reputation String - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation StringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments String
- Comment.
- custom
Log List<String>Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic StringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection StringOptions - Deep-Inspection-Options.
- delayTcpNpuSession String
- Enable TCP NPU session delay to guarantee packet order of the 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp StringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https StringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection StringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership String - Device-Ownership. Valid values:
disable
,enable
. - devices String
- Devices.
- diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles List<String> - Dlp-Profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dponly String
- Dponly. Valid values:
disable
,enable
. - dscp
Match String - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate String - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value String - Dscp-Value.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s List<String>
- Dstaddr6.
- dstaddrNegate String
- When enabled, dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs List<String>
- Destination address and address group names.
- dstintfs List<String>
- Outgoing (egress) interface.
- dynamic
Bypass String - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile String - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile List<String>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile StringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile StringGroup - Dynamic-Profile-Group.
- dynamic
Shaping String - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect String - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection StringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile String - Name of an existing email filter profile.
- endpoint
Check String - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance String - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive StringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile String - Endpoint-Profile.
- extended
Log String - Extended-Log. Valid values:
disable
,enable
. - failed
Connection String - Failed-Connection. Valid values:
disable
,enable
. - fall
Through StringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter StringProfile - File-Filter-Profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy String - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance List<String>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance StringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae String
- Fsae. Valid values:
disable
,enable
. - fsae
Server StringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<String> - Names of FSSO groups.
- geo
Location String - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match String - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<String>
- Names of user groups that can authenticate with this policy.
- gtp
Profile String - GTP profile.
- http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel StringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles List<String> - Ia-Profile.
- icap
Profile String - Name of an existing ICAP profile.
- identity
Based String - Identity-Based. Valid values:
disable
,enable
. - identity
Based StringRoute - Name of identity-based routing rule.
- identity
From String - Identity-From. Valid values:
auth
,device
. - implicit
Proxy StringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom List<String>Groups - Custom Internet Service6 group name.
- internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
- internet
Service6Groups List<String> - Internet Service group name.
- internet
Service6Names List<String> - IPv6 Internet Service name.
- internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src List<String>Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src List<String>Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src List<String>Groups - Internet Service6 source group name.
- internet
Service6Src List<String>Names - IPv6 Internet Service source name.
- internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringCustom - Custom Internet Service name.
- internet
Service StringCustom Group - Custom Internet Service group name.
- internet
Service StringGroup - Internet Service group name.
- internet
Service StringId - Internet Service ID.
- internet
Service StringName - Internet-Service-Name.
- internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service StringSrc Custom - Custom Internet Service source name.
- internet
Service StringSrc Custom Group - Custom Internet Service source group name.
- internet
Service StringSrc Group - Internet Service source group name.
- internet
Service StringSrc Id - Internet Service source ID.
- internet
Service StringSrc Name - Internet-Service-Src-Name.
- internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based String - Ip-Based. Valid values:
disable
,enable
. - ip
Version StringType - IP version of the policy.
- ippool String
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles List<String> - Isolator-Profile.
- isolator
Servers List<String> - Isolator-Server.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Learning-Mode. Valid values:
disable
,enable
. - log
Http StringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched StringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic String
- Enable or disable logging, and select whether all sessions (all) or security profile sessions (utm) are logged. Valid values:
disable
,enable
,all
,utm
. - logtraffic
App String - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session DoublePer User - Max-Session-Per-User.
- mms
Profile String - Name of an existing MMS profile.
- name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 String
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 String
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips List<String>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service List<String>Dynamics - Dynamic Network Service name.
- network
Service List<String>Src Dynamics - Dynamic Network Service source name.
- np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled List<String>Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global StringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- pass
Through String - Pass-Through. Valid values:
disable
,enable
. - passive
Wan StringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames List<String> - PCP pool names.
- per
Ip StringShaper - Per-IP traffic shaper.
- permit
Any StringHost - Accept UDP packets from any host. Valid values:
disable
,enable
. - permit
Stun StringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp
Profile String - PFCP profile.
- pkg String
- Package.
- pkg
Folder StringPath - Pkg Folder Path.
- policy
Behaviour StringType - Behaviour of the policy.
- policy
Expiry String - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry StringDate - Policy-Expiry-Date.
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid Double
- Policy ID (0 - 4294967294).
- poolname String
- IP Pool names.
- poolname6 String
- Poolname6.
- port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radiusIpAuthBypass String
- Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values:
disable
,enable
. - radiusMacAuthBypass String
- Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
disable
,enable
. - redirect
Profiles List<String> - Redirect-Profile.
- redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group String - Replacemsg-Group.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Double - Minimum Reputation to take action.
- reputation
Minimum6 Double - IPv6 Minimum Reputation to take action.
- require
Tfa String - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache String - Reverse-Cache. Valid values:
disable
,enable
. - rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr String - Address names if this is an RTP NAT policy.
- rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name.
- scheduleTimeout String
- Enable to force current sessions to end when the schedule object times out. When disabled, sessions are allowed to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services List<String>
- Service and service group names.
- session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions String
- Sessions. Valid values:
disable
,enable
. - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts List<Double>
- Security group tags.
- spamfilter
Profile String - Spamfilter-Profile.
- src
Vendor List<String>Macs - Src-Vendor-Mac.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s List<String>
- Srcaddr6.
- srcaddrNegate String
- When enabled, srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs List<String>
- Source address and address group names.
- srcintfs List<String>
- Incoming (ingress) interface.
- ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
disable
,enable
. - ssl
Mirror StringIntf - SSL mirror interface name.
- ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth String - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert String - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher String - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth StringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status String
- Enable or disable this policy. Valid values:
disable
,enable
. - String
- Tags.
- tcp
Mss DoubleReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss DoubleSender - Sender TCP maximum segment size (MSS).
- tcp
Reset String - Tcp-Reset. Valid values:
disable
,enable
. - tcpSessionWithoutSyn String
- Enable/disable creation of a TCP session without the SYN flag. Valid values:
all
,data-only
,disable
. - tcp
Timeout StringPid - TCP timeout profile ID
- timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- transaction
Based String - Transaction-Based. Valid values:
disable
,enable
. - transparent String
- Transparent. Valid values:
disable
,enable
. - type String
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
Timeout StringPid - UDP timeout profile ID
- url
Category String - URL category ID list.
- url
Risks List<String> - Url-Risk.
- users List<String>
- Names of individual users that can authenticate with this policy.
- utm
Inspection StringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx Double - Uuid-Idx.
- vendor
Mac String - Vendor-Mac.
- videofilter
Profile String - Videofilter-Profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos DoubleFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos DoubleRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanoptPassiveOpt String
- WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - String
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache String
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Webproxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - List<String>
- Source ztna-ems-tag-secondary names.
- List<String>
- Ztna-Ems-Tag.
- List<String>
- Ztna-Geo-Tag.
- ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status String - Ztna-Status. Valid values:
disable
,enable
. - String
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- _policyBlock number
- Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies string[] - Access-Proxy.
- action string
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth stringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay string - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category string - Application category ID list.
- app
Group string - Application group names.
- application
Charts string[] - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List string - Name of an existing Application list.
- applications number[]
- Application ID list.
- auth
Cert string - HTTPS server certificate for policy authentication.
- auth
Method string - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path string - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal string - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect stringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic stringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile string - Name of an existing Antivirus profile.
- bandwidth string
- Bandwidth. Valid values:
disable
,enable
. - best
Route string - Best-Route. Valid values:
disable
,enable
. - block
Notification string - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal stringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet string - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile string - Name of an existing CASB profile.
- casi
Profile string - Casi-Profile.
- central
Nat string - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgnEim string
- Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log stringServer Grp - NP log server group name
- cgn
Resource numberQuota - resource quota
- cgn
Session numberQuota - session quota
- cgn
Sw stringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile string - Name of an existing CIFS profile.
- client
Reputation string - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation stringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments string
- Comment.
- custom
Log string[]Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic stringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection stringOptions - Deep-Inspection-Options.
- delayTcpNpuSession string
- Enable TCP NPU session delay to guarantee packet order of the 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp stringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https stringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection stringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership string - Device-Ownership. Valid values:
disable
,enable
. - devices string
- Devices.
- diameter
Filter stringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward string - Change packet's DiffServ to this value.
- diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
- disclaimer string
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles string[] - Dlp-Profile.
- dlp
Sensor string - Name of an existing DLP sensor.
- dnsfilter
Profile string - Name of an existing DNS filter profile.
- dponly string
- Dponly. Valid values:
disable
,enable
. - dscp
Match string - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate string - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value string - Dscp-Value.
- dsri string
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate string
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s string[]
- Dstaddr6.
- dstaddrNegate string
- When enabled, dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs string[]
- Destination address and address group names.
- dstintfs string[]
- Outgoing (egress) interface.
- dynamic
Bypass string - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile string - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile string[]Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile stringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile stringGroup - Dynamic-Profile-Group.
- dynamic
Shaping string - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect string - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection stringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile string - Name of an existing email filter profile.
- endpoint
Check string - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance string - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive stringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile string - Endpoint-Profile.
- extended
Log string - Extended-Log. Valid values:
disable
,enable
. - failed
Connection string - Failed-Connection. Valid values:
disable
,enable
. - fall
Through stringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec string
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter stringProfile - File-Filter-Profile.
- firewall
Session stringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport string
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy string - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance string[]Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance stringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae string
- Fsae. Valid values:
disable
,enable
. - fsae
Server stringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso string
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent stringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups string[] - Names of FSSO groups.
- geo
Location string - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match string - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label string - Label for the policy that appears when the GUI is in Global View mode.
- groups string[]
- Names of user groups that can authenticate with this policy.
- gtp
Profile string - GTP profile.
- http
Policy stringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel stringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles string[] - Ia-Profile.
- icap
Profile string - Name of an existing ICAP profile.
- identity
Based string - Identity-Based. Valid values:
disable
,enable
. - identity
Based stringRoute - Name of identity-based routing rule.
- identity
From string - Identity-From. Valid values:
auth
,device
. - implicit
Proxy stringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound string
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom string[]Groups - Custom Internet Service6 group name.
- internet
Service6Customs string[] - Custom IPv6 Internet Service name.
- internet
Service6Groups string[] - Internet Service group name.
- internet
Service6Names string[] - IPv6 Internet Service name.
- internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src string[]Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src string[]Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src string[]Groups - Internet Service6 source group name.
- internet
Service6Src string[]Names - IPv6 Internet Service source name.
- internet
Service6Src stringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service stringCustom - Custom Internet Service name.
- internet
Service stringCustom Group - Custom Internet Service group name.
- internet
Service stringGroup - Internet Service group name.
- internet
Service stringId - Internet Service ID.
- internet
Service stringName - Internet-Service-Name.
- internet
Service stringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service stringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service stringSrc Custom - Custom Internet Service source name.
- internet
Service stringSrc Custom Group - Custom Internet Service source group name.
- internet
Service stringSrc Group - Internet Service source group name.
- internet
Service stringSrc Id - Internet Service source ID.
- internet
Service stringSrc Name - Internet-Service-Src-Name.
- internet
Service stringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based string - Ip-Based. Valid values:
disable
,enable
. - ip
Version stringType - IP version of the policy.
- ippool string
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor string - Name of an existing IPS sensor.
- ips
Voip stringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles string[] - Isolator-Profile.
- isolator
Servers string[] - Isolator-Server.
- label string
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode string - Learning-Mode. Valid values:
disable
,enable
. - log
Http stringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched stringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic string
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - logtraffic
App string - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start string - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
VipOnly string - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session numberPer User - Max-Session-Per-User.
- mms
Profile string - Name of an existing MMS profile.
- name string
- Policy name.
- nat string
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 string
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 string
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound string
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips string[]
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound string
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service string[]Dynamics - Dynamic Network Service name.
- network
Service string[]Src Dynamics - Dynamic Network Service source name.
- np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm string
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled string[]Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest string - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound string
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global stringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- pass
Through string - Pass-Through. Valid values:
disable
,enable
. - passive
Wan stringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames string[] - PCP pool names.
- per
Ip stringShaper - Per-IP traffic shaper.
- permitAnyHost string - Accept UDP packets from any host. Valid values:
disable
,enable
. - permit
Stun stringHost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp
Profile string - PFCP profile.
- pkg string
- Package.
- pkg
Folder stringPath - Pkg Folder Path.
- policy
Behaviour stringType - Behaviour of the policy.
- policy
Expiry string - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry stringDate - Policy-Expiry-Date.
- policy
Expiry stringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid number
- Policy ID (0 - 4294967294).
- poolname string
- IP Pool names.
- poolname6 string
- Poolname6.
- port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group string - Name of profile group.
- profile
Protocol stringOptions - Name of an existing Protocol options profile.
- profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
IpAuthBypass string - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values:
disable
,enable
. - radius
MacAuthBypass string - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values:
disable
,enable
. - redirect
Profiles string[] - Redirect-Profile.
- redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group string - Replacemsg-Group.
- replacemsg
Override stringGroup - Override the default replacement message group for this policy.
- reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum number - Minimum Reputation to take action.
- reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
- require
Tfa string - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache string - Reverse-Cache. Valid values:
disable
,enable
. - rsso string
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr string - Address names if this is an RTP NAT policy.
- rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet stringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule string
- Schedule name.
- schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter stringProfile - Name of an existing SCTP filter profile.
- send
DenyPacket string - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services string[]
- Service and service group names.
- session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions string
- Sessions. Valid values:
disable
,enable
. - sgt
Check string - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts number[]
- Security group tags.
- spamfilter
Profile string - Spamfilter-Profile.
- src
Vendor string[]Macs - Src-Vendor-Mac.
- srcaddr6Negate string
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s string[]
- Srcaddr6.
- srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs string[]
- Source address and address group names.
- srcintfs string[]
- Incoming (ingress) interface.
- ssh
Filter stringProfile - Name of an existing SSH filter profile.
- ssh
Policy stringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy stringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - ssl
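Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is no longer protected by TLS, so whatever is attached to the mirror interface sees the traffic in cleartext. Valid values: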
disable
,enable
. - ssl
Mirror stringIntf - SSL mirror interface name.
- ssl
Ssh stringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth string - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert string - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher string - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth stringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status string
- Enable or disable this policy. Valid values:
disable
,enable
. - string
- Tags.
- tcp
Mss numberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss numberSender - Sender TCP maximum segment size (MSS).
- tcp
Reset string - Tcp-Reset. Valid values:
disable
,enable
. - tcp
SessionWithoutSyn string - Enable/disable creation of a TCP session without the SYN flag. Valid values:
all
,data-only
,disable
. - tcp
TimeoutPid string - TCP timeout profile ID.
- timeout
Send stringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos string
- ToS (Type of Service) value used for comparison.
- tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate string - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper string - Traffic shaper.
- traffic
Shaper stringReverse - Reverse traffic shaper.
- transaction
Based string - Transaction-Based. Valid values:
disable
,enable
. - transparent string
- Transparent. Valid values:
disable
,enable
. - type string
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
TimeoutPid string - UDP timeout profile ID.
- url
Category string - URL category ID list.
- url
Risks string[] - Url-Risk.
- users string[]
- Names of individual users that can authenticate with this policy.
- utm
Inspection stringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid string
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx number - Uuid-Idx.
- vendor
Mac string - Vendor-Mac.
- videofilter
Profile string - Videofilter-Profile.
- virtual
Patch stringProfile - Name of an existing virtual-patch profile.
- vlan
Cos numberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos numberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter string - Set VLAN filters.
- voip
Profile string - Name of an existing VoIP profile.
- vpntunnel string
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile string - Name of an existing Web application firewall profile.
- wanopt string
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive stringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer string - WAN optimization peer.
- wanopt
Profile string - WAN optimization profile.
- wccp string
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - string
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache string
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile string - Name of an existing Web filter profile.
- webproxy
Forward stringServer - Webproxy forward server name.
- webproxy
Profile string - Webproxy profile name.
- wsso string
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device stringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - string[]
- Source ztna-ems-tag-secondary names.
- string[]
- Ztna-Ems-Tag.
- string[]
- Ztna-Geo-Tag.
- ztna
Policy stringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status string - Ztna-Status. Valid values:
disable
,enable
. - string
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- _policy_block float - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access_
proxies Sequence[str] - Access-Proxy.
- action str
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active_
auth_ strmethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti_
replay str - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app_
category str - Application category ID list.
- app_
group str - Application group names.
- application_
charts Sequence[str] - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application_
list str - Name of an existing Application list.
- applications Sequence[float]
- Application ID list.
- auth_
cert str - HTTPS server certificate for policy authentication.
- auth_
method str - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth_
path str - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth_
portal str - Auth-Portal. Valid values:
disable
,enable
. - auth_
redirect_ straddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto_
asic_ stroffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av_
profile str - Name of an existing Antivirus profile.
- bandwidth str
- Bandwidth. Valid values:
disable
,enable
. - best_
route str - Best-Route. Valid values:
disable
,enable
. - block_
notification str - Enable/disable block notification. Valid values:
disable
,enable
. - captive_
portal_ strexempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture_
packet str - Enable/disable capture packets. Valid values:
disable
,enable
. - casb_
profile str - Name of an existing CASB profile.
- casi_
profile str - Casi-Profile.
- central_
nat str - Central-Nat. Valid values:
disable
,enable
. - cgn_
eif str - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgn_
eim str - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn_
log_server_grp str - NP log server group name.
- cgn_resource_quota float - Resource quota.
- cgn_session_quota float - Session quota.
- cgn_
sw_ streif_ ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs_
profile str - Name of an existing CIFS profile.
- client_
reputation str - Client-Reputation. Valid values:
disable
,enable
. - client_
reputation_ strmode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments str
- Comment.
- custom_
log_ Sequence[str]fields - Custom fields to append to log messages for this policy.
- decrypted_
traffic_ strmirror - Decrypted-Traffic-Mirror.
- deep_
inspection_ stroptions - Deep-Inspection-Options.
- delay_
tcp_ strnpu_ session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay_
tcp_ strnpu_ sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect_
https_ strin_ http_ request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device_
detection_ strportal - Device-Detection-Portal. Valid values:
disable
,enable
. - device_
ownership str - Device-Ownership. Valid values:
disable
,enable
. - devices str
- Devices.
- diameter_
filter_ strprofile - Name of an existing Diameter filter profile.
- diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode_
forward str - Change packet's DiffServ to this value.
- diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
- disclaimer str
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp_
profiles Sequence[str] - Dlp-Profile.
- dlp_
sensor str - Name of an existing DLP sensor.
- dnsfilter_
profile str - Name of an existing DNS filter profile.
- dponly str
- Dponly. Valid values:
disable
,enable
. - dscp_
match str - Dscp-Match. Valid values:
disable
,enable
. - dscp_
negate str - Dscp-Negate. Valid values:
disable
,enable
. - dscp_
value str - Dscp-Value.
- dsri str
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s Sequence[str]
- Dstaddr6.
- dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs Sequence[str]
- Destination address and address group names.
- dstintfs Sequence[str]
- Outgoing (egress) interface.
- dynamic_
bypass str - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic_
profile str - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic_
profile_ Sequence[str]accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic_
profile_ strfallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic_
profile_ strgroup - Dynamic-Profile-Group.
- dynamic_
shaping str - Dynamic-Shaping. Valid values:
disable
,enable
. - eif_
check str - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif_
learn str - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email_
collect str - Enable/disable email collection. Valid values:
disable
,enable
. - email_
collection_ strportal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter_
profile str - Name of an existing email filter profile.
- endpoint_
check str - Endpoint-Check. Valid values:
disable
,enable
. - endpoint_
compliance str - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint_
keepalive_ strinterface - Endpoint-Keepalive-Interface.
- endpoint_
profile str - Endpoint-Profile.
- extended_
log str - Extended-Log. Valid values:
disable
,enable
. - failed_
connection str - Failed-Connection. Valid values:
disable
,enable
. - fall_
through_ strunauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec str
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file_
filter_ strprofile - File-Filter-Profile.
- firewall_
session_ strdirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport str
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force_
proxy str - Force-Proxy. Valid values:
disable
,enable
. - forticlient_
compliance_ Sequence[str]devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient_
compliance_ strenforcement_ portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae str
- Fsae. Valid values:
disable
,enable
. - fsae_
server_ strfor_ ntlm - Fsae-Server-For-Ntlm.
- fsso str
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso_
agent_ strfor_ ntlm - FSSO agent to use for NTLM authentication.
- fsso_
groups Sequence[str] - Names of FSSO groups.
- geo_
location str - Geo-Location. Valid values:
disable
,enable
. - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip_
match str - Geoip-Match. Valid values:
physical-location
,registered-location
. - global_
label str - Label for the policy that appears when the GUI is in Global View mode.
- groups Sequence[str]
- Names of user groups that can authenticate with this policy.
- gtp_
profile str - GTP profile.
- http_
policy_ strredirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http_
tunnel_ strauth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia_
profiles Sequence[str] - Ia-Profile.
- icap_
profile str - Name of an existing ICAP profile.
- identity_
based str - Identity-Based. Valid values:
disable
,enable
. - identity_
based_ strroute - Name of identity-based routing rule.
- identity_
from str - Identity-From. Valid values:
auth
,device
. - implicit_
proxy_ strdetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound str
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet_
service6_ Sequence[str]custom_ groups - Custom Internet Service6 group name.
- internet_
service6_ Sequence[str]customs - Custom IPv6 Internet Service name.
- internet_
service6_ Sequence[str]groups - Internet Service group name.
- internet_
service6_ Sequence[str]names - IPv6 Internet Service name.
- internet_
service6_ strnegate - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service6_ strsrc - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet_
service6_ Sequence[str]src_ custom_ groups - Custom Internet Service6 source group name.
- internet_
service6_ Sequence[str]src_ customs - Custom IPv6 Internet Service source name.
- internet_
service6_ Sequence[str]src_ groups - Internet Service6 source group name.
- internet_
service6_ Sequence[str]src_ names - IPv6 Internet Service source name.
- internet_
service6_ strsrc_ negate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service_ strcustom - Custom Internet Service name.
- internet_
service_ strcustom_ group - Custom Internet Service group name.
- internet_
service_ strgroup - Internet Service group name.
- internet_
service_ strid - Internet Service ID.
- internet_
service_ strname - Internet-Service-Name.
- internet_
service_ strnegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet_
service_ strsrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet_
service_ strsrc_ custom - Custom Internet Service source name.
- internet_
service_ strsrc_ custom_ group - Custom Internet Service source group name.
- internet_
service_ strsrc_ group - Internet Service source group name.
- internet_
service_ strsrc_ id - Internet Service source ID.
- internet_
service_ strsrc_ name - Internet-Service-Src-Name.
- internet_
service_ strsrc_ negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip_
based str - Ip-Based. Valid values:
disable
,enable
. - ip_
version_ strtype - IP version of the policy.
- ippool str
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips_
sensor str - Name of an existing IPS sensor.
- ips_
voip_ strfilter - Name of an existing VoIP (ips) profile.
- isolator_
profiles Sequence[str] - Isolator-Profile.
- isolator_
servers Sequence[str] - Isolator-Server.
- label str
- Label for the policy that appears when the GUI is in Section View mode.
- learning_
mode str - Learning-Mode. Valid values:
disable
,enable
. - log_
http_ strtransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log_
unmatched_ strtraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic str
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - logtraffic_
app str - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic_
start str - Record logs when a session starts. Valid values:
disable
,enable
. - match_
vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match_
vip_ stronly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max_
session_ floatper_ user - Max-Session-Per-User.
- mms_
profile str - Name of an existing MMS profile.
- name str
- Policy name.
- nat str
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 str
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 str
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound str
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips Sequence[str]
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound str
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network_
service_ Sequence[str]dynamics - Dynamic Network Service name.
- network_
service_ Sequence[str]src_ dynamics - Dynamic Network Service source name.
- np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm str
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm_
enabled_ Sequence[str]browsers - HTTP-User-Agent value of supported browsers.
- ntlm_
guest str - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound str
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages_
global_ strheader_ policy_ id - an identifier for the resource with format {{policyid}}.
- pass_
through str - Pass-Through. Valid values:
disable
,enable
. - passive_
wan_ strhealth_ measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp_
poolnames Sequence[str] - PCP pool names.
- per_
ip_ strshaper - Per-IP traffic shaper.
- permit_
any_ strhost - Accept UDP packets from any host. Valid values:
disable
,enable
. - permit_
stun_ strhost - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values:
disable
,enable
. - pfcp_
profile str - PFCP profile.
- pkg str
- Package.
- pkg_
folder_ strpath - Pkg Folder Path.
- policy_
behaviour_ strtype - Behaviour of the policy.
- policy_
expiry str - Policy-Expiry. Valid values:
disable
,enable
. - policy_
expiry_ strdate - Policy-Expiry-Date.
- policy_
expiry_ strdate_ utc - Policy expiry date and time, in epoch format.
- policy_
offload str - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid float
- Policy ID (0 - 4294967294).
- poolname str
- IP Pool names.
- poolname6 str
- Poolname6.
- port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile_
group str - Name of profile group.
- profile_
protocol_ stroptions - Name of an existing Protocol options profile.
- profile_type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
- radius_ip_auth_bypass str - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: disable, enable.
- radius_mac_auth_bypass str - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: disable, enable.
- redirect_
profiles Sequence[str] - Redirect-Profile.
- redirect_
url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg_
group str - Replacemsg-Group.
- replacemsg_
override_ strgroup - Override the default replacement message group for this policy.
- reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation_
minimum float - Minimum Reputation to take action.
- reputation_
minimum6 float - IPv6 Minimum Reputation to take action.
- require_
tfa str - Require-Tfa. Valid values:
disable
,enable
. - reverse_
cache str - Reverse-Cache. Valid values:
disable
,enable
. - rsso str
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp_
addr str - Address names if this is an RTP NAT policy.
- rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan_
botnet_ strconnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule str
- Schedule name.
- schedule_
timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp_
filter_ strprofile - Name of an existing SCTP filter profile.
- send_
deny_ strpacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service_
negate str - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services Sequence[str]
- Service and service group names.
- session_
ttl str - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions str
- Sessions. Valid values:
disable
,enable
. - sgt_
check str - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts Sequence[float]
- Security group tags.
- spamfilter_
profile str - Spamfilter-Profile.
- src_
vendor_ Sequence[str]macs - Src-Vendor-Mac.
- srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s Sequence[str]
- Srcaddr6.
- srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs Sequence[str]
- Source address and address group names.
- srcintfs Sequence[str]
- Incoming (ingress) interface.
- ssh_
filter_ strprofile - Name of an existing SSH filter profile.
- ssh_policy_check str - Ssh-Policy-Check. Valid values: disable, enable.
- ssh_policy_redirect str - Redirect SSH traffic to matching transparent proxy policy. Valid values: disable, enable.
- ssl_mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: disable, enable.
- ssl_mirror_intf str - SSL mirror interface name.
- ssl_ssh_profile str - Name of an existing SSL SSH profile.
- sslvpn_
auth str - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn_
ccert str - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn_
cipher str - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso_
auth_ strmethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status str
- Enable or disable this policy. Valid values:
disable
,enable
. - str
- Tags.
- tcp_
mss_ floatreceiver - Receiver TCP maximum segment size (MSS).
- tcp_
mss_ floatsender - Sender TCP maximum segment size (MSS).
- tcp_reset str - Tcp-Reset. Valid values: disable, enable.
- tcp_session_without_syn str - Enable/disable creation of TCP session without SYN flag. Valid values: all, data-only, disable.
- tcp_timeout_pid str - TCP timeout profile ID.
- timeout_
send_ strrst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos str
- ToS (Type of Service) value used for comparison.
- tos_
mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos_
negate str - Enable negated TOS match. Valid values:
disable
,enable
. - traffic_
shaper str - Traffic shaper.
- traffic_
shaper_ strreverse - Reverse traffic shaper.
- transaction_
based str - Transaction-Based. Valid values:
disable
,enable
. - transparent str
- Transparent. Valid values:
disable
,enable
. - type str
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp_
timeout_ strpid - UDP timeout profile ID
- url_
category str - URL category ID list.
- url_
risks Sequence[str] - Url-Risk.
- users Sequence[str]
- Names of individual users that can authenticate with this policy.
- utm_
inspection_ strmode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid str
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid_
idx float - Uuid-Idx.
- vendor_
mac str - Vendor-Mac.
- videofilter_
profile str - Videofilter-Profile.
- virtual_
patch_ strprofile - Name of an existing virtual-patch profile.
- vlan_
cos_ floatfwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
cos_ floatrev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan_
filter str - Set VLAN filters.
- voip_
profile str - Name of an existing VoIP profile.
- vpntunnel str
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf_
profile str - Name of an existing Web application firewall profile.
- wanopt str
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt_
passive_ stropt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt_
peer str - WAN optimization peer.
- wanopt_
profile str - WAN optimization profile.
- wccp str
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - str
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache str
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter_
profile str - Name of an existing Web filter profile.
- webproxy_
forward_ strserver - Webproxy forward server name.
- webproxy_
profile str - Webproxy profile name.
- wsso str
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna_
device_ strownership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - ztna_
ems_ Sequence[str]tag_ secondaries - Source ztna-ems-tag-secondary names.
- Sequence[str]
- Ztna-Ems-Tag.
- Sequence[str]
- Ztna-Geo-Tag.
- ztna_
policy_ strredirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna_
status str - Ztna-Status. Valid values:
disable
,enable
. - str
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
- _policyBlock Number - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
- access
Proxies List<String> - Access-Proxy.
- action String
- Policy action (allow/deny/ipsec). Valid values:
deny
,accept
,ipsec
,ssl-vpn
. - active
Auth StringMethod - Active-Auth-Method. Valid values:
ntlm
,basic
,digest
,form
. - anti
Replay String - Enable/disable anti-replay check. Valid values:
disable
,enable
. - app
Category String - Application category ID list.
- app
Group String - Application group names.
- application
Charts List<String> - Application-Charts. Valid values:
top10-app
,top10-p2p-user
,top10-media-user
. - application
List String - Name of an existing Application list.
- applications List<Number>
- Application ID list.
- auth
Cert String - HTTPS server certificate for policy authentication.
- auth
Method String - Auth-Method. Valid values:
basic
,digest
,ntlm
,fsae
,form
,fsso
,rsso
. - auth
Path String - Enable/disable authentication-based routing. Valid values:
disable
,enable
. - auth
Portal String - Auth-Portal. Valid values:
disable
,enable
. - auth
Redirect StringAddr - HTTP-to-HTTPS redirect address for firewall authentication.
- auto
Asic StringOffload - Enable/disable policy traffic ASIC offloading. Valid values:
disable
,enable
. - av
Profile String - Name of an existing Antivirus profile.
- bandwidth String
- Bandwidth. Valid values:
disable
,enable
. - best
Route String - Best-Route. Valid values:
disable
,enable
. - block
Notification String - Enable/disable block notification. Valid values:
disable
,enable
. - captive
Portal StringExempt - Enable to exempt some users from the captive portal. Valid values:
disable
,enable
. - capture
Packet String - Enable/disable capture packets. Valid values:
disable
,enable
. - casb
Profile String - Name of an existing CASB profile.
- casi
Profile String - Casi-Profile.
- central
Nat String - Central-Nat. Valid values:
disable
,enable
. - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values:
disable
,enable
. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values:
disable
,enable
. - cgn
Log StringServer Grp - NP log server group name
- cgn
Resource NumberQuota - resource quota
- cgn
Session NumberQuota - session quota
- cgn
Sw StringEif Ctrl - Enable/disable software endpoint independent filtering control. Valid values:
disable
,enable
. - cifs
Profile String - Name of an existing CIFS profile.
- client
Reputation String - Client-Reputation. Valid values:
disable
,enable
. - client
Reputation StringMode - Client-Reputation-Mode. Valid values:
learning
,monitoring
. - comments String
- Comment.
- custom
Log List<String>Fields - Custom fields to append to log messages for this policy.
- decrypted
Traffic StringMirror - Decrypted-Traffic-Mirror.
- deep
Inspection StringOptions - Deep-Inspection-Options.
- delay
Tcp StringNpu Session - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values:
disable
,enable
. - delay
Tcp StringNpu Sessoin - Delay-Tcp-Npu-Sessoin. Valid values:
disable
,enable
. - detect
Https StringIn Http Request - Detect-Https-In-Http-Request. Valid values:
disable
,enable
. - device
Detection StringPortal - Device-Detection-Portal. Valid values:
disable
,enable
. - device
Ownership String - Device-Ownership. Valid values:
disable
,enable
. - devices String
- Devices.
- diameter
Filter StringProfile - Name of an existing Diameter filter profile.
- diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values:
disable
,enable
. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values:
disable
,enable
. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values:
disable
,enable
. - diffservcode
Forward String - Change packet's DiffServ to this value.
- diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
- disclaimer String
- Enable/disable user authentication disclaimer. Valid values:
disable
,enable
. - dlp
Profiles List<String> - Dlp-Profile.
- dlp
Sensor String - Name of an existing DLP sensor.
- dnsfilter
Profile String - Name of an existing DNS filter profile.
- dponly String
- Dponly. Valid values:
disable
,enable
. - dscp
Match String - Dscp-Match. Valid values:
disable
,enable
. - dscp
Negate String - Dscp-Negate. Valid values:
disable
,enable
. - dscp
Value String - Dscp-Value.
- dsri String
- Enable DSRI to ignore HTTP server responses. Valid values:
disable
,enable
. - dstaddr6Negate String
- When enabled dstaddr6 specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddr6s List<String>
- Dstaddr6.
- dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values:
disable
,enable
. - dstaddrs List<String>
- Destination address and address group names.
- dstintfs List<String>
- Outgoing (egress) interface.
- dynamic
Bypass String - Dynamic-Bypass. Valid values:
disable
,enable
. - dynamic
Profile String - Dynamic-Profile. Valid values:
disable
,enable
. - dynamic
Profile List<String>Accesses - Dynamic-Profile-Access. Valid values:
imap
,smtp
,pop3
,http
,ftp
,im
,nntp
,imaps
,smtps
,pop3s
,https
,ftps
,ssh
. - dynamic
Profile StringFallthrough - Dynamic-Profile-Fallthrough. Valid values:
disable
,enable
. - dynamic
Profile StringGroup - Dynamic-Profile-Group.
- dynamic
Shaping String - Dynamic-Shaping. Valid values:
disable
,enable
. - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values:
disable
,enable
. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values:
disable
,enable
. - email
Collect String - Enable/disable email collection. Valid values:
disable
,enable
. - email
Collection StringPortal - Email-Collection-Portal. Valid values:
disable
,enable
. - emailfilter
Profile String - Name of an existing email filter profile.
- endpoint
Check String - Endpoint-Check. Valid values:
disable
,enable
. - endpoint
Compliance String - Endpoint-Compliance. Valid values:
disable
,enable
. - endpoint
Keepalive StringInterface - Endpoint-Keepalive-Interface.
- endpoint
Profile String - Endpoint-Profile.
- extended
Log String - Extended-Log. Valid values:
disable
,enable
. - failed
Connection String - Failed-Connection. Valid values:
disable
,enable
. - fall
Through StringUnauthenticated - Fall-Through-Unauthenticated. Valid values:
disable
,enable
. - fec String
- Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values:
disable
,enable
. - file
Filter StringProfile - File-Filter-Profile.
- firewall
Session StringDirty - How to handle sessions if the configuration of this firewall policy changes. Valid values:
check-all
,check-new
. - fixedport String
- Enable to prevent source NAT from changing a session's source port. Valid values:
disable
,enable
. - force
Proxy String - Force-Proxy. Valid values:
disable
,enable
. - forticlient
Compliance List<String>Devices - Forticlient-Compliance-Devices. Valid values:
windows-pc
,mac
,iphone-ipad
,android
. - forticlient
Compliance StringEnforcement Portal - Forticlient-Compliance-Enforcement-Portal. Valid values:
disable
,enable
. - fsae String
- Fsae. Valid values:
disable
,enable
. - fsae
Server StringFor Ntlm - Fsae-Server-For-Ntlm.
- fsso String
- Enable/disable Fortinet Single Sign-On. Valid values:
disable
,enable
. - fsso
Agent StringFor Ntlm - FSSO agent to use for NTLM authentication.
- fsso
Groups List<String> - Names of FSSO groups.
- geo
Location String - Geo-Location. Valid values:
disable
,enable
. - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values:
disable
,enable
. - geoip
Match String - Geoip-Match. Valid values:
physical-location
,registered-location
. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
- groups List<String>
- Names of user groups that can authenticate with this policy.
- gtp
Profile String - GTP profile.
- http
Policy StringRedirect - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values:
disable
,enable
. - http
Tunnel StringAuth - Http-Tunnel-Auth. Valid values:
disable
,enable
. - ia
Profiles List<String> - Ia-Profile.
- icap
Profile String - Name of an existing ICAP profile.
- identity
Based String - Identity-Based. Valid values:
disable
,enable
. - identity
Based StringRoute - Name of identity-based routing rule.
- identity
From String - Identity-From. Valid values:
auth
,device
. - implicit
Proxy StringDetection - Implicit-Proxy-Detection. Valid values:
disable
,enable
. - inbound String
- Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values:
disable
,enable
. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values:
proxy
,flow
. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values:
disable
,enable
. - internet
Service6Custom List<String>Groups - Custom Internet Service6 group name.
- internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
- internet
Service6Groups List<String> - Internet Service group name.
- internet
Service6Names List<String> - IPv6 Internet Service name.
- internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service6Src List<String>Custom Groups - Custom Internet Service6 source group name.
- internet
Service6Src List<String>Customs - Custom IPv6 Internet Service source name.
- internet
Service6Src List<String>Groups - Internet Service6 source group name.
- internet
Service6Src List<String>Names - IPv6 Internet Service source name.
- internet
Service6Src StringNegate - When enabled internet-service6-src specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringCustom - Custom Internet Service name.
- internet
Service StringCustom Group - Custom Internet Service group name.
- internet
Service StringGroup - Internet Service group name.
- internet
Service StringId - Internet Service ID.
- internet
Service StringName - Internet-Service-Name.
- internet
Service StringNegate - When enabled internet-service specifies what the service must NOT be. Valid values:
disable
,enable
. - internet
Service StringSrc - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values:
disable
,enable
. - internet
Service StringSrc Custom - Custom Internet Service source name.
- internet
Service StringSrc Custom Group - Custom Internet Service source group name.
- internet
Service StringSrc Group - Internet Service source group name.
- internet
Service StringSrc Id - Internet Service source ID.
- internet
Service StringSrc Name - Internet-Service-Src-Name.
- internet
Service StringSrc Negate - When enabled internet-service-src specifies what the service must NOT be. Valid values:
disable
,enable
. - ip
Based String - Ip-Based. Valid values:
disable
,enable
. - ip
Version StringType - IP version of the policy.
- ippool String
- Enable to use IP Pools for source NAT. Valid values:
disable
,enable
. - ips
Sensor String - Name of an existing IPS sensor.
- ips
Voip StringFilter - Name of an existing VoIP (ips) profile.
- isolator
Profiles List<String> - Isolator-Profile.
- isolator
Servers List<String> - Isolator-Server.
- label String
- Label for the policy that appears when the GUI is in Section View mode.
- learning
Mode String - Learning-Mode. Valid values:
disable
,enable
. - log
Http StringTransaction - Log-Http-Transaction. Valid values:
disable
,enable
. - log
Unmatched StringTraffic - Log-Unmatched-Traffic. Valid values:
disable
,enable
. - logtraffic String
- Enable or disable logging. Log all sessions or security profile sessions. Valid values:
disable
,enable
,all
,utm
. - logtraffic
App String - Logtraffic-App. Valid values:
disable
,enable
. - logtraffic
Start String - Record logs when a session starts. Valid values:
disable
,enable
. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - match
Vip StringOnly - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values:
disable
,enable
. - max
Session NumberPer User - Max-Session-Per-User.
- mms
Profile String - Name of an existing MMS profile.
- name String
- Policy name.
- nat String
- Enable/disable source NAT. Valid values:
disable
,enable
. - nat46 String
- Enable/disable NAT46. Valid values:
disable
,enable
. - nat64 String
- Enable/disable NAT64. Valid values:
disable
,enable
. - natinbound String
- Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values:
disable
,enable
. - natips List<String>
- Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
- natoutbound String
- Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values:
disable
,enable
. - network
Service List<String>Dynamics - Dynamic Network Service name.
- network
Service List<String>Src Dynamics - Dynamic Network Service source name.
- np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values:
disable
,enable
. - ntlm String
- Enable/disable NTLM authentication. Valid values:
disable
,enable
. - ntlm
Enabled List<String>Browsers - HTTP-User-Agent value of supported browsers.
- ntlm
Guest String - Enable/disable NTLM guest user access. Valid values:
disable
,enable
. - outbound String
- Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values:
disable
,enable
. - packages
Global StringHeader Policy Id - an identifier for the resource with format {{policyid}}.
- pass
Through String - Pass-Through. Valid values:
disable
,enable
. - passive
Wan StringHealth Measurement - Passive-Wan-Health-Measurement. Valid values:
disable
,enable
. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values:
disable
,enable
. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values:
disable
,enable
. - pcp
Poolnames List<String> - PCP pool names.
- per
Ip StringShaper - Per-IP traffic shaper.
- permitAnyHost String - Accept UDP packets from any host. Valid values: disable, enable.
- permitStunHost String - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: disable, enable.
- pfcp
Profile String - PFCP profile.
- pkg String
- Package.
- pkg
Folder StringPath - Pkg Folder Path.
- policy
Behaviour StringType - Behaviour of the policy.
- policy
Expiry String - Policy-Expiry. Valid values:
disable
,enable
. - policy
Expiry StringDate - Policy-Expiry-Date.
- policy
Expiry StringDate Utc - Policy expiry date and time, in epoch format.
- policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values:
disable
,enable
. - policyid Number
- Policy ID (0 - 4294967294).
- poolname String
- IP Pool names.
- poolname6 String
- Poolname6.
- port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values:
disable
,enable
. - profile
Group String - Name of profile group.
- profile
Protocol StringOptions - Name of an existing Protocol options profile.
- profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values:
single
,group
. - radius
Ip StringAuth Bypass - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values:
disable
,enable
. - radius
Mac StringAuth Bypass - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values:
disable
,enable
. - redirect
Profiles List<String> - Redirect-Profile.
- redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
- replacemsg
Group String - Replacemsg-Group.
- replacemsg
Override StringGroup - Override the default replacement message group for this policy.
- reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values:
source
,destination
. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values:
source
,destination
. - reputation
Minimum Number - Minimum Reputation to take action.
- reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
- require
Tfa String - Require-Tfa. Valid values:
disable
,enable
. - reverse
Cache String - Reverse-Cache. Valid values:
disable
,enable
. - rsso String
- Enable/disable RADIUS single sign-on (RSSO). Valid values:
disable
,enable
. - rtp
Addr String - Address names if this is an RTP NAT policy.
- rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values:
disable
,enable
. - scan
Botnet StringConnections - Scan-Botnet-Connections. Valid values:
disable
,block
,monitor
. - schedule String
- Schedule name.
- schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values:
disable
,enable
. - sctp
Filter StringProfile - Name of an existing SCTP filter profile.
- send
Deny StringPacket - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values:
disable
,enable
. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values:
disable
,enable
. - services List<String>
- Service and service group names.
- session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
- sessions String
- Sessions. Valid values:
disable
,enable
. - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values:
disable
,enable
. - sgts List<Number>
- Security group tags.
- spamfilter
Profile String - Spamfilter-Profile.
- src
Vendor List<String>Macs - Src-Vendor-Mac.
- srcaddr6Negate String
- When enabled srcaddr6 specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddr6s List<String>
- Srcaddr6.
- srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values:
disable
,enable
. - srcaddrs List<String>
- Source address and address group names.
- srcintfs List<String>
- Incoming (ingress) interface.
- ssh
Filter StringProfile - Name of an existing SSH filter profile.
- ssh
Policy StringCheck - Ssh-Policy-Check. Valid values:
disable
,enable
. - ssh
Policy StringRedirect - Redirect SSH traffic to matching transparent proxy policy. Valid values:
disable
,enable
. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values:
disable
,enable
. - ssl
Mirror StringIntf - SSL mirror interface name.
- ssl
Ssh StringProfile - Name of an existing SSL SSH profile.
- sslvpn
Auth String - Sslvpn-Auth. Valid values:
any
,local
,radius
,ldap
,tacacs+
. - sslvpn
Ccert String - Sslvpn-Ccert. Valid values:
disable
,enable
. - sslvpn
Cipher String - Sslvpn-Cipher. Valid values:
any
,high
,medium
. - sso
Auth StringMethod - Sso-Auth-Method. Valid values:
fsso
,rsso
. - status String
- Enable or disable this policy. Valid values:
disable
,enable
. - String
- Tags.
- tcp
Mss NumberReceiver - Receiver TCP maximum segment size (MSS).
- tcp
Mss NumberSender - Sender TCP maximum segment size (MSS).
- tcp
Reset String - Tcp-Reset. Valid values:
disable
,enable
. - tcp
Session StringWithout Syn - Enable/disable creation of TCP session without SYN flag. Valid values:
all
,data-only
,disable
. - tcp
Timeout StringPid - TCP timeout profile ID
- timeout
Send StringRst - Enable/disable sending RST packets when TCP sessions expire. Valid values:
disable
,enable
. - tos String
- ToS (Type of Service) value used for comparison.
- tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
- tos
Negate String - Enable negated TOS match. Valid values:
disable
,enable
. - traffic
Shaper String - Traffic shaper.
- traffic
Shaper StringReverse - Reverse traffic shaper.
- transaction
Based String - Transaction-Based. Valid values:
disable
,enable
. - transparent String
- Transparent. Valid values:
disable
,enable
. - type String
- Type. Valid values:
explicit-web
,transparent
,explicit-ftp
,ssh-tunnel
,ssh
,wanopt
,access-proxy
. - udp
Timeout StringPid - UDP timeout profile ID
- url
Category String - URL category ID list.
- url
Risks List<String> - Url-Risk.
- users List<String>
- Names of individual users that can authenticate with this policy.
- utm
Inspection StringMode - Utm-Inspection-Mode. Valid values:
proxy
,flow
. - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values:
disable
,enable
. - uuid String
- Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
- uuid
Idx Number - Uuid-Idx.
- vendor
Mac String - Vendor-Mac.
- videofilter
Profile String - Videofilter-Profile.
- virtual
Patch StringProfile - Name of an existing virtual-patch profile.
- vlan
Cos NumberFwd - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Cos NumberRev - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
- vlan
Filter String - Set VLAN filters.
- voip
Profile String - Name of an existing VoIP profile.
- vpntunnel String
- Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
- waf
Profile String - Name of an existing Web application firewall profile.
- wanopt String
- Enable/disable WAN optimization. Valid values:
disable
,enable
. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values:
active
,passive
,off
. - wanopt
Passive StringOpt - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values:
default
,transparent
,non-transparent
. - wanopt
Peer String - WAN optimization peer.
- wanopt
Profile String - WAN optimization profile.
- wccp String
- Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values:
disable
,enable
. - String
- Web-Auth-Cookie. Valid values:
disable
,enable
. - webcache String
- Enable/disable web cache. Valid values:
disable
,enable
. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values:
disable
,ssl-server
,any
,enable
. - webfilter
Profile String - Name of an existing Web filter profile.
- webproxy
Forward StringServer - Webproxy forward server name.
- webproxy
Profile String - Webproxy profile name.
- wsso String
- Enable/disable WiFi Single Sign On (WSSO). Valid values:
disable
,enable
. - ztna
Device StringOwnership - Enable/disable zero trust device ownership. Valid values:
disable
,enable
. - List<String>
- Source ztna-ems-tag-secondary names.
- List<String>
- Ztna-Ems-Tag.
- List<String>
- Ztna-Geo-Tag.
- ztna
Policy StringRedirect - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values:
disable
,enable
. - ztna
Status String - Ztna-Status. Valid values:
disable
,enable
. - String
- Ztna-Tags-Match-Logic. Valid values:
or
,and
.
Import
Packages GlobalHeaderPolicy can be imported using any of these accepted formats:
Set import_options = ["pkg_folder_path=YOUR_VALUE", "pkg=YOUR_VALUE"] in the provider section.
$ export "FORTIMANAGER_IMPORT_TABLE"="true"
$ pulumi import fortimanager:index/packagesGlobalHeaderPolicy:PackagesGlobalHeaderPolicy labelname {{policyid}}
$ unset "FORTIMANAGER_IMPORT_TABLE"
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- fortimanager fortinetdev/terraform-provider-fortimanager
- License
- Notes
- This Pulumi package is based on the fortimanager Terraform Provider.