fortimanager.PackagesFirewallPolicy
Configure IPv4 policies.
The following variables also exist as sub-resources. Avoid configuring a variable both here and through its sub-resource; otherwise conflicts and overwrites may occur.
- vpn_dst_node: fortimanager_packages_firewall_policy_vpn_dst_node
- vpn_src_node: fortimanager_packages_firewall_policy_vpn_src_node
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as fortimanager from "@pulumi/fortimanager";
// Deny rule for policy package "default", pinned to policy ID 146.
// Every match field is at its widest value (interfaces "any", addresses "all",
// services "ALL", schedule "always", no negation).
// NOTE(review): the rule's position in the package is not set here; check where
// it lands relative to other rules, and that ID 146 is unused in the target package.
const denyAnyArgs = {
    // Package, identity and lifecycle
    pkg: "default",
    policyid: 146,
    status: "enable",
    schedule: "always",
    scheduleTimeout: "disable",

    // Match criteria
    srcintfs: ["any"],
    dstintfs: ["any"],
    srcaddrs: ["all"],
    dstaddrs: ["all"],
    services: ["ALL"],
    srcaddrNegate: "disable",
    dstaddrNegate: "disable",
    serviceNegate: "disable",
    internetService: "disable",
    internetServiceSrc: "disable",
    geoipAnycast: "disable",
    geoipMatch: "physical-location",
    reputationMinimum: 0,
    tos: "0x00",
    tosMask: "0x00",
    tosNegate: "disable",

    // NOTE(review): with matchVip "disable", FortiOS may leave VIP-translated
    // (DNAT) traffic outside a deny rule's match. Confirm for the target version
    // if this rule is meant as a catch-all.
    matchVip: "disable",
    matchVipOnly: "disable",

    // Action and logging
    action: "deny",
    sendDenyPacket: "disable",
    blockNotification: "disable",
    logtraffic: "all",
    logtrafficStart: "disable",

    // Session handling and offload
    antiReplay: "enable",
    tcpSessionWithoutSyn: "disable",
    tcpMssSender: 0,
    tcpMssReceiver: 0,
    sessionTtl: "0",
    dsri: "disable",
    delayTcpNpuSession: "disable",
    npAcceleration: "enable",

    // NAT-related fields (sample range as generated)
    natips: [
        "1.0.0.1",
        "255.255.255.255",
    ],
    permitAnyHost: "disable",
    rtpNat: "disable",

    // Authentication, portal and profile settings
    captivePortalExempt: "disable",
    emailCollect: "disable",
    ntlmEnabledBrowsers: [],
    radiusMacAuthBypass: "disable",
    profileType: "single",

    // QoS marking and WCCP
    diffservForward: "disable",
    diffservReverse: "disable",
    vlanCosFwd: 255,
    vlanCosRev: 255,
    wccp: "disable",
};

const labelname = new fortimanager.PackagesFirewallPolicy("labelname", denyAnyArgs);
import pulumi
import pulumi_fortimanager as fortimanager
# Deny rule for policy package "default", pinned to policy ID 146.
# Every match field is at its widest value (interfaces "any", addresses "all",
# services "ALL", schedule "always", no negation).
# NOTE(review): the rule's position in the package is not set here; check where
# it lands relative to other rules, and that ID 146 is unused in the target package.
labelname = fortimanager.PackagesFirewallPolicy(
    "labelname",
    # Package, identity and lifecycle
    pkg="default",
    policyid=146,
    status="enable",
    schedule="always",
    schedule_timeout="disable",
    # Match criteria
    srcintfs=["any"],
    dstintfs=["any"],
    srcaddrs=["all"],
    dstaddrs=["all"],
    services=["ALL"],
    srcaddr_negate="disable",
    dstaddr_negate="disable",
    service_negate="disable",
    internet_service="disable",
    internet_service_src="disable",
    geoip_anycast="disable",
    geoip_match="physical-location",
    reputation_minimum=0,
    tos="0x00",
    tos_mask="0x00",
    tos_negate="disable",
    # NOTE(review): with match_vip "disable", FortiOS may leave VIP-translated
    # (DNAT) traffic outside a deny rule's match. Confirm for the target version
    # if this rule is meant as a catch-all.
    match_vip="disable",
    match_vip_only="disable",
    # Action and logging
    action="deny",
    send_deny_packet="disable",
    block_notification="disable",
    logtraffic="all",
    logtraffic_start="disable",
    # Session handling and offload
    anti_replay="enable",
    tcp_session_without_syn="disable",
    tcp_mss_sender=0,
    tcp_mss_receiver=0,
    session_ttl="0",
    dsri="disable",
    delay_tcp_npu_session="disable",
    np_acceleration="enable",
    # NAT-related fields (sample range as generated)
    natips=[
        "1.0.0.1",
        "255.255.255.255",
    ],
    permit_any_host="disable",
    rtp_nat="disable",
    # Authentication, portal and profile settings
    captive_portal_exempt="disable",
    email_collect="disable",
    ntlm_enabled_browsers=[],
    radius_mac_auth_bypass="disable",
    profile_type="single",
    # QoS marking and WCCP
    diffserv_forward="disable",
    diffserv_reverse="disable",
    vlan_cos_fwd=255,
    vlan_cos_rev=255,
    wccp="disable",
)
package main
import (
	"github.com/pulumi/pulumi-terraform-provider/sdks/go/fortimanager/fortimanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main hands pulumi.Run a callback that declares one PackagesFirewallPolicy
// resource named "labelname" and returns whatever error the constructor reports.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Deny rule for policy package "default", pinned to policy ID 146.
		// Every match field is at its widest value (interfaces "any",
		// addresses "all", services "ALL", schedule "always", no negation).
		// NOTE(review): the rule's position in the package is not set here;
		// check where it lands relative to other rules, and that ID 146 is
		// unused in the target package.
		args := &fortimanager.PackagesFirewallPolicyArgs{
			// Package, identity and lifecycle
			Pkg:             pulumi.String("default"),
			Policyid:        pulumi.Float64(146),
			Status:          pulumi.String("enable"),
			Schedule:        pulumi.String("always"),
			ScheduleTimeout: pulumi.String("disable"),

			// Match criteria
			Srcintfs: pulumi.StringArray{
				pulumi.String("any"),
			},
			Dstintfs: pulumi.StringArray{
				pulumi.String("any"),
			},
			Srcaddrs: pulumi.StringArray{
				pulumi.String("all"),
			},
			Dstaddrs: pulumi.StringArray{
				pulumi.String("all"),
			},
			Services: pulumi.StringArray{
				pulumi.String("ALL"),
			},
			SrcaddrNegate:      pulumi.String("disable"),
			DstaddrNegate:      pulumi.String("disable"),
			ServiceNegate:      pulumi.String("disable"),
			InternetService:    pulumi.String("disable"),
			InternetServiceSrc: pulumi.String("disable"),
			GeoipAnycast:       pulumi.String("disable"),
			GeoipMatch:         pulumi.String("physical-location"),
			ReputationMinimum:  pulumi.Float64(0),
			Tos:                pulumi.String("0x00"),
			TosMask:            pulumi.String("0x00"),
			TosNegate:          pulumi.String("disable"),

			// NOTE(review): with MatchVip "disable", FortiOS may leave
			// VIP-translated (DNAT) traffic outside a deny rule's match.
			// Confirm for the target version if this rule is meant as a
			// catch-all.
			MatchVip:     pulumi.String("disable"),
			MatchVipOnly: pulumi.String("disable"),

			// Action and logging
			Action:            pulumi.String("deny"),
			SendDenyPacket:    pulumi.String("disable"),
			BlockNotification: pulumi.String("disable"),
			Logtraffic:        pulumi.String("all"),
			LogtrafficStart:   pulumi.String("disable"),

			// Session handling and offload
			AntiReplay:           pulumi.String("enable"),
			TcpSessionWithoutSyn: pulumi.String("disable"),
			TcpMssSender:         pulumi.Float64(0),
			TcpMssReceiver:       pulumi.Float64(0),
			SessionTtl:           pulumi.String("0"),
			Dsri:                 pulumi.String("disable"),
			DelayTcpNpuSession:   pulumi.String("disable"),
			NpAcceleration:       pulumi.String("enable"),

			// NAT-related fields (sample range as generated)
			Natips: pulumi.StringArray{
				pulumi.String("1.0.0.1"),
				pulumi.String("255.255.255.255"),
			},
			PermitAnyHost: pulumi.String("disable"),
			RtpNat:        pulumi.String("disable"),

			// Authentication, portal and profile settings
			CaptivePortalExempt: pulumi.String("disable"),
			EmailCollect:        pulumi.String("disable"),
			NtlmEnabledBrowsers: pulumi.StringArray{},
			RadiusMacAuthBypass: pulumi.String("disable"),
			ProfileType:         pulumi.String("single"),

			// QoS marking and WCCP
			DiffservForward: pulumi.String("disable"),
			DiffservReverse: pulumi.String("disable"),
			VlanCosFwd:      pulumi.Float64(255),
			VlanCosRev:      pulumi.Float64(255),
			Wccp:            pulumi.String("disable"),
		}

		// The resource handle is not needed afterwards; only the error is
		// passed back to pulumi.Run.
		_, err := fortimanager.NewPackagesFirewallPolicy(ctx, "labelname", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Fortimanager = Pulumi.Fortimanager;
return await Deployment.RunAsync(() =>
{
    // Deny rule for policy package "default", pinned to policy ID 146.
    // Every match field is at its widest value (interfaces "any", addresses "all",
    // services "ALL", schedule "always", no negation).
    // NOTE(review): the rule's position in the package is not set here; check where
    // it lands relative to other rules, and that ID 146 is unused in the target package.
    var denyAnyArgs = new Fortimanager.PackagesFirewallPolicyArgs
    {
        // Package, identity and lifecycle
        Pkg = "default",
        Policyid = 146,
        Status = "enable",
        Schedule = "always",
        ScheduleTimeout = "disable",

        // Match criteria
        Srcintfs = new[] { "any" },
        Dstintfs = new[] { "any" },
        Srcaddrs = new[] { "all" },
        Dstaddrs = new[] { "all" },
        Services = new[] { "ALL" },
        SrcaddrNegate = "disable",
        DstaddrNegate = "disable",
        ServiceNegate = "disable",
        InternetService = "disable",
        InternetServiceSrc = "disable",
        GeoipAnycast = "disable",
        GeoipMatch = "physical-location",
        ReputationMinimum = 0,
        Tos = "0x00",
        TosMask = "0x00",
        TosNegate = "disable",

        // NOTE(review): with MatchVip "disable", FortiOS may leave VIP-translated
        // (DNAT) traffic outside a deny rule's match. Confirm for the target version
        // if this rule is meant as a catch-all.
        MatchVip = "disable",
        MatchVipOnly = "disable",

        // Action and logging
        Action = "deny",
        SendDenyPacket = "disable",
        BlockNotification = "disable",
        Logtraffic = "all",
        LogtrafficStart = "disable",

        // Session handling and offload
        AntiReplay = "enable",
        TcpSessionWithoutSyn = "disable",
        TcpMssSender = 0,
        TcpMssReceiver = 0,
        SessionTtl = "0",
        Dsri = "disable",
        DelayTcpNpuSession = "disable",
        NpAcceleration = "enable",

        // NAT-related fields (sample range as generated)
        Natips = new[]
        {
            "1.0.0.1",
            "255.255.255.255",
        },
        PermitAnyHost = "disable",
        RtpNat = "disable",

        // Authentication, portal and profile settings
        CaptivePortalExempt = "disable",
        EmailCollect = "disable",
        NtlmEnabledBrowsers = new[] {},
        RadiusMacAuthBypass = "disable",
        ProfileType = "single",

        // QoS marking and WCCP
        DiffservForward = "disable",
        DiffservReverse = "disable",
        VlanCosFwd = 255,
        VlanCosRev = 255,
        Wccp = "disable",
    };

    var labelname = new Fortimanager.PackagesFirewallPolicy("labelname", denyAnyArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.fortimanager.PackagesFirewallPolicy;
import com.pulumi.fortimanager.PackagesFirewallPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares a single FortiManager firewall policy.
 */
public class App {
    /** Entry point: runs {@link #stack(Context)} under the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the "labelname" policy: a deny rule for policy package "default",
     * pinned to policy ID 146, with every match field at its widest value
     * (interfaces "any", addresses "all", services "ALL", schedule "always").
     *
     * NOTE(review): the rule's position in the package is not set here; check
     * where it lands relative to other rules, and that ID 146 is unused in the
     * target package.
     *
     * @param ctx Pulumi context supplied by {@code Pulumi.run}; not read here.
     */
    public static void stack(Context ctx) {
        final PackagesFirewallPolicyArgs denyAnyArgs = PackagesFirewallPolicyArgs.builder()
            // Package, identity and lifecycle
            .pkg("default")
            .policyid(146)
            .status("enable")
            .schedule("always")
            .scheduleTimeout("disable")
            // Match criteria
            .srcintfs("any")
            .dstintfs("any")
            .srcaddrs("all")
            .dstaddrs("all")
            .services("ALL")
            .srcaddrNegate("disable")
            .dstaddrNegate("disable")
            .serviceNegate("disable")
            .internetService("disable")
            .internetServiceSrc("disable")
            .geoipAnycast("disable")
            .geoipMatch("physical-location")
            .reputationMinimum(0)
            .tos("0x00")
            .tosMask("0x00")
            .tosNegate("disable")
            // NOTE(review): with matchVip "disable", FortiOS may leave VIP-translated
            // (DNAT) traffic outside a deny rule's match. Confirm for the target
            // version if this rule is meant as a catch-all.
            .matchVip("disable")
            .matchVipOnly("disable")
            // Action and logging
            .action("deny")
            .sendDenyPacket("disable")
            .blockNotification("disable")
            .logtraffic("all")
            .logtrafficStart("disable")
            // Session handling and offload
            .antiReplay("enable")
            .tcpSessionWithoutSyn("disable")
            .tcpMssSender(0)
            .tcpMssReceiver(0)
            .sessionTtl("0")
            .dsri("disable")
            .delayTcpNpuSession("disable")
            .npAcceleration("enable")
            // NAT-related fields (sample range as generated)
            .natips(
                "1.0.0.1",
                "255.255.255.255")
            .permitAnyHost("disable")
            .rtpNat("disable")
            // Authentication, portal and profile settings
            .captivePortalExempt("disable")
            .emailCollect("disable")
            .ntlmEnabledBrowsers()
            .radiusMacAuthBypass("disable")
            .profileType("single")
            // QoS marking and WCCP
            .diffservForward("disable")
            .diffservReverse("disable")
            .vlanCosFwd(255)
            .vlanCosRev(255)
            .wccp("disable")
            .build();

        var labelname = new PackagesFirewallPolicy("labelname", denyAnyArgs);
    }
}
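# Deny rule for policy package "default", pinned to policy ID 146.
# Every match field is at its widest value (interfaces "any", addresses "all",
# services "ALL", schedule "always", no negation).
# NOTE(review): the rule's position in the package is not set here; check where
# it lands relative to other rules, and that ID 146 is unused in the target package.
resources:
  labelname:
    type: fortimanager:PackagesFirewallPolicy
    properties:
      action: deny
      antiReplay: enable
      blockNotification: disable
      captivePortalExempt: disable
      delayTcpNpuSession: disable
      diffservForward: disable
      diffservReverse: disable
      dsri: disable
      dstaddrs:
        - all
      dstaddrNegate: disable
      dstintfs:
        - any
      emailCollect: disable
      geoipAnycast: disable
      geoipMatch: physical-location
      internetService: disable
      internetServiceSrc: disable
      logtraffic: all
      logtrafficStart: disable
      # NOTE(review): with matchVip "disable", FortiOS may leave VIP-translated
      # (DNAT) traffic outside a deny rule's match. Confirm for the target
      # version if this rule is meant as a catch-all.
      matchVip: disable
      matchVipOnly: disable
      # Sample range as generated.
      natips:
        - 1.0.0.1
        - 255.255.255.255
      npAcceleration: enable
      ntlmEnabledBrowsers: []
      permitAnyHost: disable
      pkg: default
      policyid: 146
      profileType: single
      radiusMacAuthBypass: disable
      reputationMinimum: 0
      rtpNat: disable
      schedule: always
      scheduleTimeout: disable
      sendDenyPacket: disable
      services:
        - ALL
      serviceNegate: disable
      sessionTtl: '0'
      srcaddrs:
        - all
      srcaddrNegate: disable
      srcintfs:
        - any
      status: enable
      tcpMssReceiver: 0
      tcpMssSender: 0
      tcpSessionWithoutSyn: disable
      # Quoted so the value stays the string 0x00, as the other language
      # examples pass it. Unquoted, a YAML parser may resolve it to the integer 0.
      tos: '0x00'
      tosMask: '0x00'
      tosNegate: disable
      vlanCosFwd: 255
      vlanCosRev: 255
      wccp: disable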
Create PackagesFirewallPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PackagesFirewallPolicy(name: string, args: PackagesFirewallPolicyArgs, opts?: CustomResourceOptions);
@overload
def PackagesFirewallPolicy(resource_name: str,
                           args: PackagesFirewallPolicyArgs,
                           opts: Optional[ResourceOptions] = None)
@overload
def PackagesFirewallPolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           pkg: Optional[str] = None,
                           _policy_block: Optional[float] = None,
                           action: Optional[str] = None,
                           adom: Optional[str] = None,
                           anti_replay: Optional[str] = None,
                           app_category: Optional[str] = None,
                           app_group: Optional[str] = None,
                           app_monitor: Optional[str] = None,
                           application_list: Optional[str] = None,
                           applications: Optional[Sequence[float]] = None,
                           auth_cert: Optional[str] = None,
                           auth_path: Optional[str] = None,
                           auth_redirect_addr: Optional[str] = None,
                           auto_asic_offload: Optional[str] = None,
                           av_profile: Optional[str] = None,
                           best_route: Optional[str] = None,
                           block_notification: Optional[str] = None,
                           captive_portal_exempt: Optional[str] = None,
                           capture_packet: Optional[str] = None,
                           casb_profile: Optional[str] = None,
                           cgn_eif: Optional[str] = None,
                           cgn_eim: Optional[str] = None,
                           cgn_log_server_grp: Optional[str] = None,
                           cgn_resource_quota: Optional[float] = None,
                           cgn_session_quota: Optional[float] = None,
                           cgn_sw_eif_ctrl: Optional[str] = None,
                           cifs_profile: Optional[str] = None,
                           comments: Optional[str] = None,
                           custom_log_fields: Optional[str] = None,
                           decrypted_traffic_mirror: Optional[str] = None,
                           delay_tcp_npu_session: Optional[str] = None,
                           devices: Optional[str] = None,
                           diameter_filter_profile: Optional[str] = None,
                           diffserv_copy: Optional[str] = None,
                           diffserv_forward: Optional[str] = None,
                           diffserv_reverse: Optional[str] = None,
                           diffservcode_forward: Optional[str] = None,
                           diffservcode_rev: Optional[str] = None,
                           disclaimer: Optional[str] = None,
                           dlp_profile: Optional[str] = None,
                           dlp_sensor: Optional[str] = None,
                           dnsfilter_profile: Optional[str] = None,
                           dscp_match: Optional[str] = None,
                           dscp_negate: Optional[str] = None,
                           dscp_value: Optional[str] = None,
                           dsri: Optional[str] = None,
                           dstaddr6_negate: Optional[str] = None,
                           dstaddr6s: Optional[Sequence[str]] = None,
                           dstaddr_negate: Optional[str] = None,
                           dstaddrs: Optional[Sequence[str]] = None,
                           dstintfs: Optional[Sequence[str]] = None,
                           dynamic_shaping: Optional[str] = None,
                           dynamic_sort_subtable: Optional[str] = None,
                           eif_check: Optional[str] = None,
                           eif_learn: Optional[str] = None,
                           email_collect: Optional[str] = None,
                           emailfilter_profile: Optional[str] = None,
                           fec: Optional[str] = None,
                           file_filter_profile: Optional[str] = None,
                           firewall_session_dirty: Optional[str] = None,
                           fixedport: Optional[str] = None,
                           fsso: Optional[str] = None,
                           fsso_agent_for_ntlm: Optional[str] = None,
                           fsso_groups: Optional[Sequence[str]] = None,
                           geoip_anycast: Optional[str] = None,
                           geoip_match: Optional[str] = None,
                           global_label: Optional[str] = None,
                           groups: Optional[Sequence[str]] = None,
                           gtp_profile: Optional[str] = None,
                           http_policy_redirect: Optional[str] = None,
                           icap_profile: Optional[str] = None,
                           identity_based_route: Optional[str] = None,
                           inbound: Optional[str] = None,
                           inspection_mode: Optional[str] = None,
                           internet_service: Optional[str] = None,
                           internet_service6: Optional[str] = None,
                           internet_service6_custom_groups: Optional[Sequence[str]] = None,
                           internet_service6_customs: Optional[Sequence[str]] = None,
                           internet_service6_groups: Optional[Sequence[str]] = None,
                           internet_service6_names: Optional[Sequence[str]] = None,
                           internet_service6_negate: Optional[str] = None,
                           internet_service6_src: Optional[str] = None,
                           internet_service6_src_custom_groups: Optional[Sequence[str]] = None,
                           internet_service6_src_customs: Optional[Sequence[str]] = None,
                           internet_service6_src_groups: Optional[Sequence[str]] = None,
                           internet_service6_src_names: Optional[Sequence[str]] = None,
                           internet_service6_src_negate: Optional[str] = None,
                           internet_service_custom: Optional[str] = None,
                           internet_service_custom_group: Optional[str] = None,
                           internet_service_group: Optional[str] = None,
                           internet_service_ids: Optional[Sequence[str]] = None,
                           internet_service_name: Optional[str] = None,
                           internet_service_negate: Optional[str] = None,
                           internet_service_src: Optional[str] = None,
                           internet_service_src_custom: Optional[str] = None,
                           internet_service_src_custom_group: Optional[str] = None,
                           internet_service_src_group: Optional[str] = None,
                           internet_service_src_id: Optional[str] = None,
                           internet_service_src_name: Optional[str] = None,
                           internet_service_src_negate: Optional[str] = None,
                           ip_version_type: Optional[str] = None,
                           ippool: Optional[str] = None,
                           ips_sensor: Optional[str] = None,
                           ips_voip_filter: Optional[str] = None,
                           label: Optional[str] = None,
                           learning_mode: Optional[str] = None,
                           log_http_transaction: Optional[str] = None,
                           logtraffic: Optional[str] = None,
                           logtraffic_start: Optional[str] = None,
                           match_vip: Optional[str] = None,
                           match_vip_only: Optional[str] = None,
                           mms_profile: Optional[str] = None,
                           name: Optional[str] = None,
                           nat: Optional[str] = None,
                           nat46: Optional[str] = None,
                           nat64: Optional[str] = None,
                           natinbound: Optional[str] = None,
                           natips: Optional[Sequence[str]] = None,
                           natoutbound: Optional[str] = None,
                           network_service_dynamics: Optional[Sequence[str]] = None,
                           network_service_src_dynamics: Optional[Sequence[str]] = None,
                           np_acceleration: Optional[str] = None,
                           ntlm: Optional[str] = None,
                           ntlm_enabled_browsers: Optional[Sequence[str]] = None,
                           ntlm_guest: Optional[str] = None,
                           outbound: Optional[str] = None,
                           packages_firewall_policy_id: Optional[str] = None,
                           passive_wan_health_measurement: Optional[str] = None,
                           pcp_inbound: Optional[str] = None,
                           pcp_outbound: Optional[str] = None,
                           pcp_poolnames: Optional[Sequence[str]] = None,
                           per_ip_shaper: Optional[str] = None,
                           permit_any_host: Optional[str] = None,
                           permit_stun_host: Optional[str] = None,
                           pfcp_profile: Optional[str] = None,
                           pkg_folder_path: Optional[str] = None,
                           policy_behaviour_type: Optional[str] = None,
                           policy_expiry: Optional[str] = None,
                           policy_expiry_date: Optional[str] = None,
                           policy_expiry_date_utc: Optional[str] = None,
                           policy_offload: Optional[str] = None,
                           policyid: Optional[float] = None,
                           poolname: Optional[str] = None,
                           poolname6: Optional[str] = None,
                           port_preserve: Optional[str] = None,
                           port_random: Optional[str] = None,
                           profile_group: Optional[str] = None,
                           profile_protocol_options: Optional[str] = None,
                           profile_type: Optional[str] = None,
                           radius_ip_auth_bypass: Optional[str] = None,
                           radius_mac_auth_bypass: Optional[str] = None,
                           redirect_url: Optional[str] = None,
                           replacemsg_override_group: Optional[str] = None,
                           reputation_direction: Optional[str] = None,
                           reputation_direction6: Optional[str] = None,
                           reputation_minimum: Optional[float] = None,
                           reputation_minimum6: Optional[float] = None,
                           rsso: Optional[str] = None,
                           rtp_addr: Optional[str] = None,
                           rtp_nat: Optional[str] = None,
                           scan_botnet_connections: Optional[str] = None,
                           schedule: Optional[str] = None,
                           schedule_timeout: Optional[str] = None,
                           scopetype: Optional[str] = None,
                           sctp_filter_profile: Optional[str] = None,
                           send_deny_packet: Optional[str] = None,
                           service_negate: Optional[str] = None,
                           services: Optional[Sequence[str]] = None,
                           session_ttl: Optional[str] = None,
                           sgt_check: Optional[str] = None,
                           sgts: Optional[Sequence[float]] = None,
                           spamfilter_profile: Optional[str] = None,
                           src_vendor_macs: Optional[Sequence[str]] = None,
                           srcaddr6_negate: Optional[str] = None,
                           srcaddr6s: Optional[Sequence[str]] = None,
                           srcaddr_negate: Optional[str] = None,
                           srcaddrs: Optional[Sequence[str]] = None,
                           srcintfs: Optional[Sequence[str]] = None,
                           ssh_filter_profile: Optional[str] = None,
                           ssh_policy_redirect: Optional[str] = None,
                           ssl_mirror: Optional[str] = None,
                           ssl_mirror_intf: Optional[str] = None,
                           ssl_ssh_profile: Optional[str] = None,
                           status: Optional[str] = None,
                           tcp_mss_receiver: Optional[float] = None,
                           tcp_mss_sender: Optional[float] = None,
                           tcp_session_without_syn: Optional[str] = None,
                           tcp_timeout_pid: Optional[str] = None,
                           timeout_send_rst: Optional[str] = None,
                           tos: Optional[str] = None,
                           tos_mask: Optional[str] = None,
                           tos_negate: Optional[str] = None,
                           traffic_shaper: Optional[str] = None,
                           traffic_shaper_reverse: Optional[str] = None,
                           udp_timeout_pid: Optional[str] = None,
                           url_category: Optional[str] = None,
                           users: Optional[Sequence[str]] = None,
                           utm_status: Optional[str] = None,
                           uuid: Optional[str] = None,
                           videofilter_profile: Optional[str] = None,
                           virtual_patch_profile: Optional[str] = None,
                           vlan_cos_fwd: Optional[float] = None,
                           vlan_cos_rev: Optional[float] = None,
                           vlan_filter: Optional[str] = None,
                           voip_profile: Optional[str] = None,
                           vpn_dst_nodes: Optional[Sequence[PackagesFirewallPolicyVpnDstNodeArgs]] = None,
                           vpn_src_nodes: Optional[Sequence[PackagesFirewallPolicyVpnSrcNodeArgs]] = None,
                           vpntunnel: Optional[str] = None,
                           waf_profile: Optional[str] = None,
                           wanopt: Optional[str] = None,
                           wanopt_detection: Optional[str] = None,
                           wanopt_passive_opt: Optional[str] = None,
                           wanopt_peer: Optional[str] = None,
                           wanopt_profile: Optional[str] = None,
                           wccp: Optional[str] = None,
                           webcache: Optional[str] = None,
                           webcache_https: Optional[str] = None,
                           webfilter_profile: Optional[str] = None,
                           webproxy_forward_server: Optional[str] = None,
                           webproxy_profile: Optional[str] = None,
                           wsso: Optional[str] = None,
                           ztna_device_ownership: Optional[str] = None,
                           ztna_ems_tag: Optional[str] = None,
                           ztna_ems_tag_negate: Optional[str] = None,
                           ztna_ems_tag_secondaries: Optional[Sequence[str]] = None,
                           ztna_geo_tag: Optional[str] = None,
                           ztna_policy_redirect: Optional[str] = None,
                           ztna_status: Optional[str] = None,
                           ztna_tags_match_logic: Optional[str] = None)
func NewPackagesFirewallPolicy(ctx *Context, name string, args PackagesFirewallPolicyArgs, opts ...ResourceOption) (*PackagesFirewallPolicy, error)
public PackagesFirewallPolicy(string name, PackagesFirewallPolicyArgs args, CustomResourceOptions? opts = null)
public PackagesFirewallPolicy(String name, PackagesFirewallPolicyArgs args)
public PackagesFirewallPolicy(String name, PackagesFirewallPolicyArgs args, CustomResourceOptions options)
type: fortimanager:PackagesFirewallPolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
 - The unique name of the resource.
 - args PackagesFirewallPolicyArgs
 - The arguments to resource properties.
 - opts CustomResourceOptions
 - Bag of options to control resource's behavior.
 
- resource_name str
 - The unique name of the resource.
 - args PackagesFirewallPolicyArgs
 - The arguments to resource properties.
 - opts ResourceOptions
 - Bag of options to control resource's behavior.
 
- ctx Context
 - Context object for the current deployment.
 - name string
 - The unique name of the resource.
 - args PackagesFirewallPolicyArgs
 - The arguments to resource properties.
 - opts ResourceOption
 - Bag of options to control resource's behavior.
 
- name string
 - The unique name of the resource.
 - args PackagesFirewallPolicyArgs
 - The arguments to resource properties.
 - opts CustomResourceOptions
 - Bag of options to control resource's behavior.
 
- name String
 - The unique name of the resource.
 - args PackagesFirewallPolicyArgs
 - The arguments to resource properties.
 - options CustomResourceOptions
 - Bag of options to control resource's behavior.
 
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference constructor call (C#) listing every input property of PackagesFirewallPolicy.
// "string" and 0 are type placeholders, not valid settings; set only the properties
// you need. The usage example on this page uses, among others, action "deny",
// logtraffic "all", antiReplay "enable", and permitAnyHost and tcpSessionWithoutSyn
// "disable".
var packagesFirewallPolicyResource = new Fortimanager.PackagesFirewallPolicy("packagesFirewallPolicyResource", new()
{
    // The usage example on this page sets pkg to "default".
    Pkg = "string",
    _policyBlock = 0,
    // Placeholder only; the usage example on this page uses "deny".
    Action = "string",
    Adom = "string",
    AntiReplay = "string",
    AppCategory = "string",
    AppGroup = "string",
    AppMonitor = "string",
    ApplicationList = "string",
    Applications = new[]
    {
        0,
    },
    AuthCert = "string",
    AuthPath = "string",
    AuthRedirectAddr = "string",
    AutoAsicOffload = "string",
    AvProfile = "string",
    BestRoute = "string",
    BlockNotification = "string",
    CaptivePortalExempt = "string",
    CapturePacket = "string",
    CasbProfile = "string",
    CgnEif = "string",
    CgnEim = "string",
    CgnLogServerGrp = "string",
    CgnResourceQuota = 0,
    CgnSessionQuota = 0,
    CgnSwEifCtrl = "string",
    CifsProfile = "string",
    Comments = "string",
    CustomLogFields = "string",
    DecryptedTrafficMirror = "string",
    DelayTcpNpuSession = "string",
    Devices = "string",
    DiameterFilterProfile = "string",
    DiffservCopy = "string",
    DiffservForward = "string",
    DiffservReverse = "string",
    DiffservcodeForward = "string",
    DiffservcodeRev = "string",
    Disclaimer = "string",
    DlpProfile = "string",
    DlpSensor = "string",
    DnsfilterProfile = "string",
    DscpMatch = "string",
    DscpNegate = "string",
    DscpValue = "string",
    Dsri = "string",
    Dstaddr6Negate = "string",
    Dstaddr6s = new[]
    {
        "string",
    },
    DstaddrNegate = "string",
    Dstaddrs = new[]
    {
        "string",
    },
    Dstintfs = new[]
    {
        "string",
    },
    DynamicShaping = "string",
    DynamicSortSubtable = "string",
    EifCheck = "string",
    EifLearn = "string",
    EmailCollect = "string",
    EmailfilterProfile = "string",
    Fec = "string",
    FileFilterProfile = "string",
    FirewallSessionDirty = "string",
    Fixedport = "string",
    Fsso = "string",
    FssoAgentForNtlm = "string",
    FssoGroups = new[]
    {
        "string",
    },
    GeoipAnycast = "string",
    GeoipMatch = "string",
    GlobalLabel = "string",
    Groups = new[]
    {
        "string",
    },
    GtpProfile = "string",
    HttpPolicyRedirect = "string",
    IcapProfile = "string",
    IdentityBasedRoute = "string",
    Inbound = "string",
    InspectionMode = "string",
    InternetService = "string",
    InternetService6 = "string",
    InternetService6CustomGroups = new[]
    {
        "string",
    },
    InternetService6Customs = new[]
    {
        "string",
    },
    InternetService6Groups = new[]
    {
        "string",
    },
    InternetService6Names = new[]
    {
        "string",
    },
    InternetService6Negate = "string",
    InternetService6Src = "string",
    InternetService6SrcCustomGroups = new[]
    {
        "string",
    },
    InternetService6SrcCustoms = new[]
    {
        "string",
    },
    InternetService6SrcGroups = new[]
    {
        "string",
    },
    InternetService6SrcNames = new[]
    {
        "string",
    },
    InternetService6SrcNegate = "string",
    InternetServiceCustom = "string",
    InternetServiceCustomGroup = "string",
    InternetServiceGroup = "string",
    InternetServiceIds = new[]
    {
        "string",
    },
    InternetServiceName = "string",
    InternetServiceNegate = "string",
    InternetServiceSrc = "string",
    InternetServiceSrcCustom = "string",
    InternetServiceSrcCustomGroup = "string",
    InternetServiceSrcGroup = "string",
    InternetServiceSrcId = "string",
    InternetServiceSrcName = "string",
    InternetServiceSrcNegate = "string",
    IpVersionType = "string",
    Ippool = "string",
    IpsSensor = "string",
    IpsVoipFilter = "string",
    Label = "string",
    LearningMode = "string",
    LogHttpTransaction = "string",
    // Placeholder only; the usage example on this page uses "all".
    Logtraffic = "string",
    LogtrafficStart = "string",
    MatchVip = "string",
    MatchVipOnly = "string",
    MmsProfile = "string",
    Name = "string",
    Nat = "string",
    Nat46 = "string",
    Nat64 = "string",
    Natinbound = "string",
    Natips = new[]
    {
        "string",
    },
    Natoutbound = "string",
    NetworkServiceDynamics = new[]
    {
        "string",
    },
    NetworkServiceSrcDynamics = new[]
    {
        "string",
    },
    NpAcceleration = "string",
    Ntlm = "string",
    NtlmEnabledBrowsers = new[]
    {
        "string",
    },
    NtlmGuest = "string",
    Outbound = "string",
    PackagesFirewallPolicyId = "string",
    PassiveWanHealthMeasurement = "string",
    PcpInbound = "string",
    PcpOutbound = "string",
    PcpPoolnames = new[]
    {
        "string",
    },
    PerIpShaper = "string",
    PermitAnyHost = "string",
    PermitStunHost = "string",
    PfcpProfile = "string",
    PkgFolderPath = "string",
    PolicyBehaviourType = "string",
    PolicyExpiry = "string",
    PolicyExpiryDate = "string",
    PolicyExpiryDateUtc = "string",
    PolicyOffload = "string",
    Policyid = 0,
    Poolname = "string",
    Poolname6 = "string",
    PortPreserve = "string",
    PortRandom = "string",
    ProfileGroup = "string",
    ProfileProtocolOptions = "string",
    ProfileType = "string",
    RadiusIpAuthBypass = "string",
    RadiusMacAuthBypass = "string",
    RedirectUrl = "string",
    ReplacemsgOverrideGroup = "string",
    ReputationDirection = "string",
    ReputationDirection6 = "string",
    ReputationMinimum = 0,
    ReputationMinimum6 = 0,
    Rsso = "string",
    RtpAddr = "string",
    RtpNat = "string",
    ScanBotnetConnections = "string",
    Schedule = "string",
    ScheduleTimeout = "string",
    Scopetype = "string",
    SctpFilterProfile = "string",
    SendDenyPacket = "string",
    ServiceNegate = "string",
    Services = new[]
    {
        "string",
    },
    SessionTtl = "string",
    SgtCheck = "string",
    Sgts = new[]
    {
        0,
    },
    SpamfilterProfile = "string",
    SrcVendorMacs = new[]
    {
        "string",
    },
    Srcaddr6Negate = "string",
    Srcaddr6s = new[]
    {
        "string",
    },
    SrcaddrNegate = "string",
    Srcaddrs = new[]
    {
        "string",
    },
    Srcintfs = new[]
    {
        "string",
    },
    SshFilterProfile = "string",
    SshPolicyRedirect = "string",
    SslMirror = "string",
    SslMirrorIntf = "string",
    SslSshProfile = "string",
    Status = "string",
    TcpMssReceiver = 0,
    TcpMssSender = 0,
    TcpSessionWithoutSyn = "string",
    TcpTimeoutPid = "string",
    TimeoutSendRst = "string",
    Tos = "string",
    TosMask = "string",
    TosNegate = "string",
    TrafficShaper = "string",
    TrafficShaperReverse = "string",
    UdpTimeoutPid = "string",
    UrlCategory = "string",
    Users = new[]
    {
        "string",
    },
    UtmStatus = "string",
    Uuid = "string",
    VideofilterProfile = "string",
    VirtualPatchProfile = "string",
    VlanCosFwd = 0,
    VlanCosRev = 0,
    VlanFilter = "string",
    VoipProfile = "string",
    // The resource notes warn that vpn_dst_node also has a sub resource
    // (fortimanager_packages_firewall_policy_vpn_dst_node); using both together may
    // cause conflicts and overwrites.
    VpnDstNodes = new[]
    {
        new Fortimanager.Inputs.PackagesFirewallPolicyVpnDstNodeArgs
        {
            Host = "string",
            Seq = 0,
            Subnet = "string",
        },
    },
    // Same warning as for vpn_dst_node: vpn_src_node has the sub resource
    // fortimanager_packages_firewall_policy_vpn_src_node.
    VpnSrcNodes = new[]
    {
        new Fortimanager.Inputs.PackagesFirewallPolicyVpnSrcNodeArgs
        {
            Host = "string",
            Seq = 0,
            Subnet = "string",
        },
    },
    Vpntunnel = "string",
    WafProfile = "string",
    Wanopt = "string",
    WanoptDetection = "string",
    WanoptPassiveOpt = "string",
    WanoptPeer = "string",
    WanoptProfile = "string",
    Wccp = "string",
    Webcache = "string",
    WebcacheHttps = "string",
    WebfilterProfile = "string",
    WebproxyForwardServer = "string",
    WebproxyProfile = "string",
    Wsso = "string",
    ZtnaDeviceOwnership = "string",
    ZtnaEmsTag = "string",
    ZtnaEmsTagNegate = "string",
    ZtnaEmsTagSecondaries = new[]
    {
        "string",
    },
    ZtnaGeoTag = "string",
    ZtnaPolicyRedirect = "string",
    ZtnaStatus = "string",
    ZtnaTagsMatchLogic = "string",
});
// Reference constructor call (Go) listing every input of PackagesFirewallPolicyArgs.
// "string" and 0 are type placeholders, not valid settings; set only the fields you
// need. The usage example on this page uses, among others, action "deny",
// logtraffic "all", antiReplay "enable", and permitAnyHost and tcpSessionWithoutSyn
// "disable".
// err is assigned but not checked in this snippet; check it before using example.
example, err := fortimanager.NewPackagesFirewallPolicy(ctx, "packagesFirewallPolicyResource", &fortimanager.PackagesFirewallPolicyArgs{
	// The usage example on this page sets pkg to "default".
	Pkg:             pulumi.String("string"),
	// NOTE(review): an identifier that starts with an underscore is not exported in
	// Go, so this field could not be set from another package as written; confirm
	// the real field name in the SDK.
	_policyBlock:    pulumi.Float64(0),
	// Placeholder only; the usage example on this page uses "deny".
	Action:          pulumi.String("string"),
	Adom:            pulumi.String("string"),
	AntiReplay:      pulumi.String("string"),
	AppCategory:     pulumi.String("string"),
	AppGroup:        pulumi.String("string"),
	AppMonitor:      pulumi.String("string"),
	ApplicationList: pulumi.String("string"),
	Applications: pulumi.Float64Array{
		pulumi.Float64(0),
	},
	AuthCert:               pulumi.String("string"),
	AuthPath:               pulumi.String("string"),
	AuthRedirectAddr:       pulumi.String("string"),
	AutoAsicOffload:        pulumi.String("string"),
	AvProfile:              pulumi.String("string"),
	BestRoute:              pulumi.String("string"),
	BlockNotification:      pulumi.String("string"),
	CaptivePortalExempt:    pulumi.String("string"),
	CapturePacket:          pulumi.String("string"),
	CasbProfile:            pulumi.String("string"),
	CgnEif:                 pulumi.String("string"),
	CgnEim:                 pulumi.String("string"),
	CgnLogServerGrp:        pulumi.String("string"),
	CgnResourceQuota:       pulumi.Float64(0),
	CgnSessionQuota:        pulumi.Float64(0),
	CgnSwEifCtrl:           pulumi.String("string"),
	CifsProfile:            pulumi.String("string"),
	Comments:               pulumi.String("string"),
	CustomLogFields:        pulumi.String("string"),
	DecryptedTrafficMirror: pulumi.String("string"),
	DelayTcpNpuSession:     pulumi.String("string"),
	Devices:                pulumi.String("string"),
	DiameterFilterProfile:  pulumi.String("string"),
	DiffservCopy:           pulumi.String("string"),
	DiffservForward:        pulumi.String("string"),
	DiffservReverse:        pulumi.String("string"),
	DiffservcodeForward:    pulumi.String("string"),
	DiffservcodeRev:        pulumi.String("string"),
	Disclaimer:             pulumi.String("string"),
	DlpProfile:             pulumi.String("string"),
	DlpSensor:              pulumi.String("string"),
	DnsfilterProfile:       pulumi.String("string"),
	DscpMatch:              pulumi.String("string"),
	DscpNegate:             pulumi.String("string"),
	DscpValue:              pulumi.String("string"),
	Dsri:                   pulumi.String("string"),
	Dstaddr6Negate:         pulumi.String("string"),
	Dstaddr6s: pulumi.StringArray{
		pulumi.String("string"),
	},
	DstaddrNegate: pulumi.String("string"),
	Dstaddrs: pulumi.StringArray{
		pulumi.String("string"),
	},
	Dstintfs: pulumi.StringArray{
		pulumi.String("string"),
	},
	DynamicShaping:       pulumi.String("string"),
	DynamicSortSubtable:  pulumi.String("string"),
	EifCheck:             pulumi.String("string"),
	EifLearn:             pulumi.String("string"),
	EmailCollect:         pulumi.String("string"),
	EmailfilterProfile:   pulumi.String("string"),
	Fec:                  pulumi.String("string"),
	FileFilterProfile:    pulumi.String("string"),
	FirewallSessionDirty: pulumi.String("string"),
	Fixedport:            pulumi.String("string"),
	Fsso:                 pulumi.String("string"),
	FssoAgentForNtlm:     pulumi.String("string"),
	FssoGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	GeoipAnycast: pulumi.String("string"),
	GeoipMatch:   pulumi.String("string"),
	GlobalLabel:  pulumi.String("string"),
	Groups: pulumi.StringArray{
		pulumi.String("string"),
	},
	GtpProfile:         pulumi.String("string"),
	HttpPolicyRedirect: pulumi.String("string"),
	IcapProfile:        pulumi.String("string"),
	IdentityBasedRoute: pulumi.String("string"),
	Inbound:            pulumi.String("string"),
	InspectionMode:     pulumi.String("string"),
	InternetService:    pulumi.String("string"),
	InternetService6:   pulumi.String("string"),
	InternetService6CustomGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6Customs: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6Groups: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6Names: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6Negate: pulumi.String("string"),
	InternetService6Src:    pulumi.String("string"),
	InternetService6SrcCustomGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6SrcCustoms: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6SrcGroups: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6SrcNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetService6SrcNegate:  pulumi.String("string"),
	InternetServiceCustom:      pulumi.String("string"),
	InternetServiceCustomGroup: pulumi.String("string"),
	InternetServiceGroup:       pulumi.String("string"),
	InternetServiceIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	InternetServiceName:           pulumi.String("string"),
	InternetServiceNegate:         pulumi.String("string"),
	InternetServiceSrc:            pulumi.String("string"),
	InternetServiceSrcCustom:      pulumi.String("string"),
	InternetServiceSrcCustomGroup: pulumi.String("string"),
	InternetServiceSrcGroup:       pulumi.String("string"),
	InternetServiceSrcId:          pulumi.String("string"),
	InternetServiceSrcName:        pulumi.String("string"),
	InternetServiceSrcNegate:      pulumi.String("string"),
	IpVersionType:                 pulumi.String("string"),
	Ippool:                        pulumi.String("string"),
	IpsSensor:                     pulumi.String("string"),
	IpsVoipFilter:                 pulumi.String("string"),
	Label:                         pulumi.String("string"),
	LearningMode:                  pulumi.String("string"),
	LogHttpTransaction:            pulumi.String("string"),
	// Placeholder only; the usage example on this page uses "all".
	Logtraffic:                    pulumi.String("string"),
	LogtrafficStart:               pulumi.String("string"),
	MatchVip:                      pulumi.String("string"),
	MatchVipOnly:                  pulumi.String("string"),
	MmsProfile:                    pulumi.String("string"),
	Name:                          pulumi.String("string"),
	Nat:                           pulumi.String("string"),
	Nat46:                         pulumi.String("string"),
	Nat64:                         pulumi.String("string"),
	Natinbound:                    pulumi.String("string"),
	Natips: pulumi.StringArray{
		pulumi.String("string"),
	},
	Natoutbound: pulumi.String("string"),
	NetworkServiceDynamics: pulumi.StringArray{
		pulumi.String("string"),
	},
	NetworkServiceSrcDynamics: pulumi.StringArray{
		pulumi.String("string"),
	},
	NpAcceleration: pulumi.String("string"),
	Ntlm:           pulumi.String("string"),
	NtlmEnabledBrowsers: pulumi.StringArray{
		pulumi.String("string"),
	},
	NtlmGuest:                   pulumi.String("string"),
	Outbound:                    pulumi.String("string"),
	PackagesFirewallPolicyId:    pulumi.String("string"),
	PassiveWanHealthMeasurement: pulumi.String("string"),
	PcpInbound:                  pulumi.String("string"),
	PcpOutbound:                 pulumi.String("string"),
	PcpPoolnames: pulumi.StringArray{
		pulumi.String("string"),
	},
	PerIpShaper:             pulumi.String("string"),
	PermitAnyHost:           pulumi.String("string"),
	PermitStunHost:          pulumi.String("string"),
	PfcpProfile:             pulumi.String("string"),
	PkgFolderPath:           pulumi.String("string"),
	PolicyBehaviourType:     pulumi.String("string"),
	PolicyExpiry:            pulumi.String("string"),
	PolicyExpiryDate:        pulumi.String("string"),
	PolicyExpiryDateUtc:     pulumi.String("string"),
	PolicyOffload:           pulumi.String("string"),
	Policyid:                pulumi.Float64(0),
	Poolname:                pulumi.String("string"),
	Poolname6:               pulumi.String("string"),
	PortPreserve:            pulumi.String("string"),
	PortRandom:              pulumi.String("string"),
	ProfileGroup:            pulumi.String("string"),
	ProfileProtocolOptions:  pulumi.String("string"),
	ProfileType:             pulumi.String("string"),
	RadiusIpAuthBypass:      pulumi.String("string"),
	RadiusMacAuthBypass:     pulumi.String("string"),
	RedirectUrl:             pulumi.String("string"),
	ReplacemsgOverrideGroup: pulumi.String("string"),
	ReputationDirection:     pulumi.String("string"),
	ReputationDirection6:    pulumi.String("string"),
	ReputationMinimum:       pulumi.Float64(0),
	ReputationMinimum6:      pulumi.Float64(0),
	Rsso:                    pulumi.String("string"),
	RtpAddr:                 pulumi.String("string"),
	RtpNat:                  pulumi.String("string"),
	ScanBotnetConnections:   pulumi.String("string"),
	Schedule:                pulumi.String("string"),
	ScheduleTimeout:         pulumi.String("string"),
	Scopetype:               pulumi.String("string"),
	SctpFilterProfile:       pulumi.String("string"),
	SendDenyPacket:          pulumi.String("string"),
	ServiceNegate:           pulumi.String("string"),
	Services: pulumi.StringArray{
		pulumi.String("string"),
	},
	SessionTtl: pulumi.String("string"),
	SgtCheck:   pulumi.String("string"),
	Sgts: pulumi.Float64Array{
		pulumi.Float64(0),
	},
	SpamfilterProfile: pulumi.String("string"),
	SrcVendorMacs: pulumi.StringArray{
		pulumi.String("string"),
	},
	Srcaddr6Negate: pulumi.String("string"),
	Srcaddr6s: pulumi.StringArray{
		pulumi.String("string"),
	},
	SrcaddrNegate: pulumi.String("string"),
	Srcaddrs: pulumi.StringArray{
		pulumi.String("string"),
	},
	Srcintfs: pulumi.StringArray{
		pulumi.String("string"),
	},
	SshFilterProfile:     pulumi.String("string"),
	SshPolicyRedirect:    pulumi.String("string"),
	SslMirror:            pulumi.String("string"),
	SslMirrorIntf:        pulumi.String("string"),
	SslSshProfile:        pulumi.String("string"),
	Status:               pulumi.String("string"),
	TcpMssReceiver:       pulumi.Float64(0),
	TcpMssSender:         pulumi.Float64(0),
	TcpSessionWithoutSyn: pulumi.String("string"),
	TcpTimeoutPid:        pulumi.String("string"),
	TimeoutSendRst:       pulumi.String("string"),
	Tos:                  pulumi.String("string"),
	TosMask:              pulumi.String("string"),
	TosNegate:            pulumi.String("string"),
	TrafficShaper:        pulumi.String("string"),
	TrafficShaperReverse: pulumi.String("string"),
	UdpTimeoutPid:        pulumi.String("string"),
	UrlCategory:          pulumi.String("string"),
	Users: pulumi.StringArray{
		pulumi.String("string"),
	},
	UtmStatus:           pulumi.String("string"),
	Uuid:                pulumi.String("string"),
	VideofilterProfile:  pulumi.String("string"),
	VirtualPatchProfile: pulumi.String("string"),
	VlanCosFwd:          pulumi.Float64(0),
	VlanCosRev:          pulumi.Float64(0),
	VlanFilter:          pulumi.String("string"),
	VoipProfile:         pulumi.String("string"),
	// The resource notes warn that vpn_dst_node also has a sub resource
	// (fortimanager_packages_firewall_policy_vpn_dst_node); using both together may
	// cause conflicts and overwrites.
	VpnDstNodes: fortimanager.PackagesFirewallPolicyVpnDstNodeArray{
		&fortimanager.PackagesFirewallPolicyVpnDstNodeArgs{
			Host:   pulumi.String("string"),
			Seq:    pulumi.Float64(0),
			Subnet: pulumi.String("string"),
		},
	},
	// Same warning as for vpn_dst_node: vpn_src_node has the sub resource
	// fortimanager_packages_firewall_policy_vpn_src_node.
	VpnSrcNodes: fortimanager.PackagesFirewallPolicyVpnSrcNodeArray{
		&fortimanager.PackagesFirewallPolicyVpnSrcNodeArgs{
			Host:   pulumi.String("string"),
			Seq:    pulumi.Float64(0),
			Subnet: pulumi.String("string"),
		},
	},
	Vpntunnel:             pulumi.String("string"),
	WafProfile:            pulumi.String("string"),
	Wanopt:                pulumi.String("string"),
	WanoptDetection:       pulumi.String("string"),
	WanoptPassiveOpt:      pulumi.String("string"),
	WanoptPeer:            pulumi.String("string"),
	WanoptProfile:         pulumi.String("string"),
	Wccp:                  pulumi.String("string"),
	Webcache:              pulumi.String("string"),
	WebcacheHttps:         pulumi.String("string"),
	WebfilterProfile:      pulumi.String("string"),
	WebproxyForwardServer: pulumi.String("string"),
	WebproxyProfile:       pulumi.String("string"),
	Wsso:                  pulumi.String("string"),
	ZtnaDeviceOwnership:   pulumi.String("string"),
	ZtnaEmsTag:            pulumi.String("string"),
	ZtnaEmsTagNegate:      pulumi.String("string"),
	ZtnaEmsTagSecondaries: pulumi.StringArray{
		pulumi.String("string"),
	},
	ZtnaGeoTag:         pulumi.String("string"),
	ZtnaPolicyRedirect: pulumi.String("string"),
	ZtnaStatus:         pulumi.String("string"),
	ZtnaTagsMatchLogic: pulumi.String("string"),
})
// Reference constructor call (Java) listing every builder setter of PackagesFirewallPolicyArgs.
// "string" and 0.0 are type placeholders, not valid settings; call only the setters
// you need. The usage example on this page uses, among others, action "deny",
// logtraffic "all", antiReplay "enable", and permitAnyHost and tcpSessionWithoutSyn
// "disable".
var packagesFirewallPolicyResource = new PackagesFirewallPolicy("packagesFirewallPolicyResource", PackagesFirewallPolicyArgs.builder()
    // The usage example on this page sets pkg to "default".
    .pkg("string")
    ._policyBlock(0.0)
    // Placeholder only; the usage example on this page uses "deny".
    .action("string")
    .adom("string")
    .antiReplay("string")
    .appCategory("string")
    .appGroup("string")
    .appMonitor("string")
    .applicationList("string")
    .applications(0.0)
    .authCert("string")
    .authPath("string")
    .authRedirectAddr("string")
    .autoAsicOffload("string")
    .avProfile("string")
    .bestRoute("string")
    .blockNotification("string")
    .captivePortalExempt("string")
    .capturePacket("string")
    .casbProfile("string")
    .cgnEif("string")
    .cgnEim("string")
    .cgnLogServerGrp("string")
    .cgnResourceQuota(0.0)
    .cgnSessionQuota(0.0)
    .cgnSwEifCtrl("string")
    .cifsProfile("string")
    .comments("string")
    .customLogFields("string")
    .decryptedTrafficMirror("string")
    .delayTcpNpuSession("string")
    .devices("string")
    .diameterFilterProfile("string")
    .diffservCopy("string")
    .diffservForward("string")
    .diffservReverse("string")
    .diffservcodeForward("string")
    .diffservcodeRev("string")
    .disclaimer("string")
    .dlpProfile("string")
    .dlpSensor("string")
    .dnsfilterProfile("string")
    .dscpMatch("string")
    .dscpNegate("string")
    .dscpValue("string")
    .dsri("string")
    .dstaddr6Negate("string")
    .dstaddr6s("string")
    .dstaddrNegate("string")
    .dstaddrs("string")
    .dstintfs("string")
    .dynamicShaping("string")
    .dynamicSortSubtable("string")
    .eifCheck("string")
    .eifLearn("string")
    .emailCollect("string")
    .emailfilterProfile("string")
    .fec("string")
    .fileFilterProfile("string")
    .firewallSessionDirty("string")
    .fixedport("string")
    .fsso("string")
    .fssoAgentForNtlm("string")
    .fssoGroups("string")
    .geoipAnycast("string")
    .geoipMatch("string")
    .globalLabel("string")
    .groups("string")
    .gtpProfile("string")
    .httpPolicyRedirect("string")
    .icapProfile("string")
    .identityBasedRoute("string")
    .inbound("string")
    .inspectionMode("string")
    .internetService("string")
    .internetService6("string")
    .internetService6CustomGroups("string")
    .internetService6Customs("string")
    .internetService6Groups("string")
    .internetService6Names("string")
    .internetService6Negate("string")
    .internetService6Src("string")
    .internetService6SrcCustomGroups("string")
    .internetService6SrcCustoms("string")
    .internetService6SrcGroups("string")
    .internetService6SrcNames("string")
    .internetService6SrcNegate("string")
    .internetServiceCustom("string")
    .internetServiceCustomGroup("string")
    .internetServiceGroup("string")
    .internetServiceIds("string")
    .internetServiceName("string")
    .internetServiceNegate("string")
    .internetServiceSrc("string")
    .internetServiceSrcCustom("string")
    .internetServiceSrcCustomGroup("string")
    .internetServiceSrcGroup("string")
    .internetServiceSrcId("string")
    .internetServiceSrcName("string")
    .internetServiceSrcNegate("string")
    .ipVersionType("string")
    .ippool("string")
    .ipsSensor("string")
    .ipsVoipFilter("string")
    .label("string")
    .learningMode("string")
    .logHttpTransaction("string")
    // Placeholder only; the usage example on this page uses "all".
    .logtraffic("string")
    .logtrafficStart("string")
    .matchVip("string")
    .matchVipOnly("string")
    .mmsProfile("string")
    .name("string")
    .nat("string")
    .nat46("string")
    .nat64("string")
    .natinbound("string")
    .natips("string")
    .natoutbound("string")
    .networkServiceDynamics("string")
    .networkServiceSrcDynamics("string")
    .npAcceleration("string")
    .ntlm("string")
    .ntlmEnabledBrowsers("string")
    .ntlmGuest("string")
    .outbound("string")
    .packagesFirewallPolicyId("string")
    .passiveWanHealthMeasurement("string")
    .pcpInbound("string")
    .pcpOutbound("string")
    .pcpPoolnames("string")
    .perIpShaper("string")
    .permitAnyHost("string")
    .permitStunHost("string")
    .pfcpProfile("string")
    .pkgFolderPath("string")
    .policyBehaviourType("string")
    .policyExpiry("string")
    .policyExpiryDate("string")
    .policyExpiryDateUtc("string")
    .policyOffload("string")
    .policyid(0.0)
    .poolname("string")
    .poolname6("string")
    .portPreserve("string")
    .portRandom("string")
    .profileGroup("string")
    .profileProtocolOptions("string")
    .profileType("string")
    .radiusIpAuthBypass("string")
    .radiusMacAuthBypass("string")
    .redirectUrl("string")
    .replacemsgOverrideGroup("string")
    .reputationDirection("string")
    .reputationDirection6("string")
    .reputationMinimum(0.0)
    .reputationMinimum6(0.0)
    .rsso("string")
    .rtpAddr("string")
    .rtpNat("string")
    .scanBotnetConnections("string")
    .schedule("string")
    .scheduleTimeout("string")
    .scopetype("string")
    .sctpFilterProfile("string")
    .sendDenyPacket("string")
    .serviceNegate("string")
    .services("string")
    .sessionTtl("string")
    .sgtCheck("string")
    .sgts(0.0)
    .spamfilterProfile("string")
    .srcVendorMacs("string")
    .srcaddr6Negate("string")
    .srcaddr6s("string")
    .srcaddrNegate("string")
    .srcaddrs("string")
    .srcintfs("string")
    .sshFilterProfile("string")
    .sshPolicyRedirect("string")
    .sslMirror("string")
    .sslMirrorIntf("string")
    .sslSshProfile("string")
    .status("string")
    .tcpMssReceiver(0.0)
    .tcpMssSender(0.0)
    .tcpSessionWithoutSyn("string")
    .tcpTimeoutPid("string")
    .timeoutSendRst("string")
    .tos("string")
    .tosMask("string")
    .tosNegate("string")
    .trafficShaper("string")
    .trafficShaperReverse("string")
    .udpTimeoutPid("string")
    .urlCategory("string")
    .users("string")
    .utmStatus("string")
    .uuid("string")
    .videofilterProfile("string")
    .virtualPatchProfile("string")
    .vlanCosFwd(0.0)
    .vlanCosRev(0.0)
    .vlanFilter("string")
    .voipProfile("string")
    // The resource notes warn that vpn_dst_node also has a sub resource
    // (fortimanager_packages_firewall_policy_vpn_dst_node); using both together may
    // cause conflicts and overwrites.
    .vpnDstNodes(PackagesFirewallPolicyVpnDstNodeArgs.builder()
        .host("string")
        .seq(0.0)
        .subnet("string")
        .build())
    // Same warning as for vpn_dst_node: vpn_src_node has the sub resource
    // fortimanager_packages_firewall_policy_vpn_src_node.
    .vpnSrcNodes(PackagesFirewallPolicyVpnSrcNodeArgs.builder()
        .host("string")
        .seq(0.0)
        .subnet("string")
        .build())
    .vpntunnel("string")
    .wafProfile("string")
    .wanopt("string")
    .wanoptDetection("string")
    .wanoptPassiveOpt("string")
    .wanoptPeer("string")
    .wanoptProfile("string")
    .wccp("string")
    .webcache("string")
    .webcacheHttps("string")
    .webfilterProfile("string")
    .webproxyForwardServer("string")
    .webproxyProfile("string")
    .wsso("string")
    .ztnaDeviceOwnership("string")
    .ztnaEmsTag("string")
    .ztnaEmsTagNegate("string")
    .ztnaEmsTagSecondaries("string")
    .ztnaGeoTag("string")
    .ztnaPolicyRedirect("string")
    .ztnaStatus("string")
    .ztnaTagsMatchLogic("string")
    .build());
# Reference constructor call (Python) listing every keyword argument of PackagesFirewallPolicy.
# "string" and 0 are type placeholders, not valid settings; pass only the arguments
# you need. The usage example on this page uses, among others, action "deny",
# logtraffic "all", anti_replay "enable", and permit_any_host and
# tcp_session_without_syn "disable".
packages_firewall_policy_resource = fortimanager.PackagesFirewallPolicy("packagesFirewallPolicyResource",
    # The usage example on this page sets pkg to "default".
    pkg="string",
    _policy_block=0,
    # Placeholder only; the usage example on this page uses "deny".
    action="string",
    adom="string",
    anti_replay="string",
    app_category="string",
    app_group="string",
    app_monitor="string",
    application_list="string",
    applications=[0],
    auth_cert="string",
    auth_path="string",
    auth_redirect_addr="string",
    auto_asic_offload="string",
    av_profile="string",
    best_route="string",
    block_notification="string",
    captive_portal_exempt="string",
    capture_packet="string",
    casb_profile="string",
    cgn_eif="string",
    cgn_eim="string",
    cgn_log_server_grp="string",
    cgn_resource_quota=0,
    cgn_session_quota=0,
    cgn_sw_eif_ctrl="string",
    cifs_profile="string",
    comments="string",
    custom_log_fields="string",
    decrypted_traffic_mirror="string",
    delay_tcp_npu_session="string",
    devices="string",
    diameter_filter_profile="string",
    diffserv_copy="string",
    diffserv_forward="string",
    diffserv_reverse="string",
    diffservcode_forward="string",
    diffservcode_rev="string",
    disclaimer="string",
    dlp_profile="string",
    dlp_sensor="string",
    dnsfilter_profile="string",
    dscp_match="string",
    dscp_negate="string",
    dscp_value="string",
    dsri="string",
    dstaddr6_negate="string",
    dstaddr6s=["string"],
    dstaddr_negate="string",
    dstaddrs=["string"],
    dstintfs=["string"],
    dynamic_shaping="string",
    dynamic_sort_subtable="string",
    eif_check="string",
    eif_learn="string",
    email_collect="string",
    emailfilter_profile="string",
    fec="string",
    file_filter_profile="string",
    firewall_session_dirty="string",
    fixedport="string",
    fsso="string",
    fsso_agent_for_ntlm="string",
    fsso_groups=["string"],
    geoip_anycast="string",
    geoip_match="string",
    global_label="string",
    groups=["string"],
    gtp_profile="string",
    http_policy_redirect="string",
    icap_profile="string",
    identity_based_route="string",
    inbound="string",
    inspection_mode="string",
    internet_service="string",
    internet_service6="string",
    internet_service6_custom_groups=["string"],
    internet_service6_customs=["string"],
    internet_service6_groups=["string"],
    internet_service6_names=["string"],
    internet_service6_negate="string",
    internet_service6_src="string",
    internet_service6_src_custom_groups=["string"],
    internet_service6_src_customs=["string"],
    internet_service6_src_groups=["string"],
    internet_service6_src_names=["string"],
    internet_service6_src_negate="string",
    internet_service_custom="string",
    internet_service_custom_group="string",
    internet_service_group="string",
    internet_service_ids=["string"],
    internet_service_name="string",
    internet_service_negate="string",
    internet_service_src="string",
    internet_service_src_custom="string",
    internet_service_src_custom_group="string",
    internet_service_src_group="string",
    internet_service_src_id="string",
    internet_service_src_name="string",
    internet_service_src_negate="string",
    ip_version_type="string",
    ippool="string",
    ips_sensor="string",
    ips_voip_filter="string",
    label="string",
    learning_mode="string",
    log_http_transaction="string",
    # Placeholder only; the usage example on this page uses "all".
    logtraffic="string",
    logtraffic_start="string",
    match_vip="string",
    match_vip_only="string",
    mms_profile="string",
    name="string",
    nat="string",
    nat46="string",
    nat64="string",
    natinbound="string",
    natips=["string"],
    natoutbound="string",
    network_service_dynamics=["string"],
    network_service_src_dynamics=["string"],
    np_acceleration="string",
    ntlm="string",
    ntlm_enabled_browsers=["string"],
    ntlm_guest="string",
    outbound="string",
    packages_firewall_policy_id="string",
    passive_wan_health_measurement="string",
    pcp_inbound="string",
    pcp_outbound="string",
    pcp_poolnames=["string"],
    per_ip_shaper="string",
    permit_any_host="string",
    permit_stun_host="string",
    pfcp_profile="string",
    pkg_folder_path="string",
    policy_behaviour_type="string",
    policy_expiry="string",
    policy_expiry_date="string",
    policy_expiry_date_utc="string",
    policy_offload="string",
    policyid=0,
    poolname="string",
    poolname6="string",
    port_preserve="string",
    port_random="string",
    profile_group="string",
    profile_protocol_options="string",
    profile_type="string",
    radius_ip_auth_bypass="string",
    radius_mac_auth_bypass="string",
    redirect_url="string",
    replacemsg_override_group="string",
    reputation_direction="string",
    reputation_direction6="string",
    reputation_minimum=0,
    reputation_minimum6=0,
    rsso="string",
    rtp_addr="string",
    rtp_nat="string",
    scan_botnet_connections="string",
    schedule="string",
    schedule_timeout="string",
    scopetype="string",
    sctp_filter_profile="string",
    send_deny_packet="string",
    service_negate="string",
    services=["string"],
    session_ttl="string",
    sgt_check="string",
    sgts=[0],
    spamfilter_profile="string",
    src_vendor_macs=["string"],
    srcaddr6_negate="string",
    srcaddr6s=["string"],
    srcaddr_negate="string",
    srcaddrs=["string"],
    srcintfs=["string"],
    ssh_filter_profile="string",
    ssh_policy_redirect="string",
    ssl_mirror="string",
    ssl_mirror_intf="string",
    ssl_ssh_profile="string",
    status="string",
    tcp_mss_receiver=0,
    tcp_mss_sender=0,
    tcp_session_without_syn="string",
    tcp_timeout_pid="string",
    timeout_send_rst="string",
    tos="string",
    tos_mask="string",
    tos_negate="string",
    traffic_shaper="string",
    traffic_shaper_reverse="string",
    udp_timeout_pid="string",
    url_category="string",
    users=["string"],
    utm_status="string",
    uuid="string",
    videofilter_profile="string",
    virtual_patch_profile="string",
    vlan_cos_fwd=0,
    vlan_cos_rev=0,
    vlan_filter="string",
    voip_profile="string",
    # The resource notes warn that vpn_dst_node also has a sub resource
    # (fortimanager_packages_firewall_policy_vpn_dst_node); using both together may
    # cause conflicts and overwrites.
    vpn_dst_nodes=[{
        "host": "string",
        "seq": 0,
        "subnet": "string",
    }],
    # Same warning as for vpn_dst_node: vpn_src_node has the sub resource
    # fortimanager_packages_firewall_policy_vpn_src_node.
    vpn_src_nodes=[{
        "host": "string",
        "seq": 0,
        "subnet": "string",
    }],
    vpntunnel="string",
    waf_profile="string",
    wanopt="string",
    wanopt_detection="string",
    wanopt_passive_opt="string",
    wanopt_peer="string",
    wanopt_profile="string",
    wccp="string",
    webcache="string",
    webcache_https="string",
    webfilter_profile="string",
    webproxy_forward_server="string",
    webproxy_profile="string",
    wsso="string",
    ztna_device_ownership="string",
    ztna_ems_tag="string",
    ztna_ems_tag_negate="string",
    ztna_ems_tag_secondaries=["string"],
    ztna_geo_tag="string",
    ztna_policy_redirect="string",
    ztna_status="string",
    ztna_tags_match_logic="string")
// Constructor template for fortimanager.PackagesFirewallPolicy: each input is shown
// with a type placeholder ("string", 0, ["string"]), not a usable value. Replace the
// placeholders with values taken from the property list further down this page.
const packagesFirewallPolicyResource = new fortimanager.PackagesFirewallPolicy("packagesFirewallPolicyResource", {
    pkg: "string", // Package (the usage example on this page sets "default").
    _policyBlock: 0,
    action: "string", // Valid values: deny, accept, ipsec, ssl-vpn.
    adom: "string", // Only valid when scopetype is "adom"; otherwise the provider's adom is inherited.
    antiReplay: "string",
    appCategory: "string",
    appGroup: "string",
    appMonitor: "string",
    applicationList: "string",
    applications: [0],
    authCert: "string",
    authPath: "string",
    authRedirectAddr: "string",
    autoAsicOffload: "string",
    avProfile: "string",
    bestRoute: "string",
    blockNotification: "string",
    captivePortalExempt: "string", // Enable to exempt some users from the captive portal.
    capturePacket: "string",
    casbProfile: "string",
    cgnEif: "string",
    cgnEim: "string",
    cgnLogServerGrp: "string",
    cgnResourceQuota: 0,
    cgnSessionQuota: 0,
    cgnSwEifCtrl: "string",
    cifsProfile: "string",
    comments: "string",
    customLogFields: "string",
    decryptedTrafficMirror: "string",
    delayTcpNpuSession: "string",
    devices: "string",
    diameterFilterProfile: "string",
    diffservCopy: "string",
    diffservForward: "string",
    diffservReverse: "string",
    diffservcodeForward: "string",
    diffservcodeRev: "string",
    disclaimer: "string",
    dlpProfile: "string",
    dlpSensor: "string",
    dnsfilterProfile: "string",
    dscpMatch: "string",
    dscpNegate: "string",
    dscpValue: "string",
    dsri: "string",
    dstaddr6Negate: "string",
    dstaddr6s: ["string"],
    dstaddrNegate: "string", // When enabled, dstaddr specifies what the destination must NOT be.
    dstaddrs: ["string"],
    dstintfs: ["string"],
    dynamicShaping: "string",
    dynamicSortSubtable: "string",
    eifCheck: "string",
    eifLearn: "string",
    emailCollect: "string",
    emailfilterProfile: "string",
    fec: "string",
    fileFilterProfile: "string",
    firewallSessionDirty: "string", // Valid values: check-all, check-new.
    fixedport: "string",
    fsso: "string",
    fssoAgentForNtlm: "string",
    fssoGroups: ["string"],
    geoipAnycast: "string",
    geoipMatch: "string",
    globalLabel: "string",
    groups: ["string"],
    gtpProfile: "string",
    httpPolicyRedirect: "string",
    icapProfile: "string",
    identityBasedRoute: "string",
    inbound: "string",
    inspectionMode: "string",
    internetService: "string", // If enabled, destination address and service are not used.
    internetService6: "string",
    internetService6CustomGroups: ["string"],
    internetService6Customs: ["string"],
    internetService6Groups: ["string"],
    internetService6Names: ["string"],
    internetService6Negate: "string",
    internetService6Src: "string",
    internetService6SrcCustomGroups: ["string"],
    internetService6SrcCustoms: ["string"],
    internetService6SrcGroups: ["string"],
    internetService6SrcNames: ["string"],
    internetService6SrcNegate: "string",
    internetServiceCustom: "string",
    internetServiceCustomGroup: "string",
    internetServiceGroup: "string",
    internetServiceIds: ["string"],
    internetServiceName: "string",
    internetServiceNegate: "string",
    internetServiceSrc: "string", // If enabled, source address is not used.
    internetServiceSrcCustom: "string",
    internetServiceSrcCustomGroup: "string",
    internetServiceSrcGroup: "string",
    internetServiceSrcId: "string",
    internetServiceSrcName: "string",
    internetServiceSrcNegate: "string",
    ipVersionType: "string",
    ippool: "string",
    ipsSensor: "string",
    ipsVoipFilter: "string",
    label: "string",
    // "enable" allows everything and only logs it for a learning report, so the
    // policy stops filtering while this is on.
    learningMode: "string",
    logHttpTransaction: "string",
    logtraffic: "string", // Valid values: disable, enable, all, utm.
    logtrafficStart: "string",
    matchVip: "string",
    matchVipOnly: "string",
    mmsProfile: "string",
    name: "string",
    nat: "string",
    nat46: "string",
    nat64: "string",
    natinbound: "string",
    natips: ["string"],
    natoutbound: "string",
    networkServiceDynamics: ["string"],
    networkServiceSrcDynamics: ["string"],
    npAcceleration: "string",
    ntlm: "string",
    ntlmEnabledBrowsers: ["string"],
    ntlmGuest: "string",
    outbound: "string",
    packagesFirewallPolicyId: "string", // Resource identifier, format {{policyid}}.
    passiveWanHealthMeasurement: "string",
    pcpInbound: "string",
    pcpOutbound: "string",
    pcpPoolnames: ["string"],
    perIpShaper: "string",
    permitAnyHost: "string", // When enabled, UDP packets are accepted from any host.
    permitStunHost: "string",
    pfcpProfile: "string",
    pkgFolderPath: "string",
    policyBehaviourType: "string",
    policyExpiry: "string",
    policyExpiryDate: "string", // Format: YYYY-MM-DD HH:MM:SS.
    policyExpiryDateUtc: "string",
    policyOffload: "string",
    policyid: 0, // Policy ID (0 - 4294967294).
    poolname: "string",
    poolname6: "string",
    portPreserve: "string",
    portRandom: "string",
    profileGroup: "string",
    profileProtocolOptions: "string",
    profileType: "string", // Valid values: single, group.
    // Authentication bypass: the bypassed IP / MAC address must be received from
    // the RADIUS server.
    radiusIpAuthBypass: "string",
    radiusMacAuthBypass: "string",
    redirectUrl: "string",
    replacemsgOverrideGroup: "string",
    reputationDirection: "string",
    reputationDirection6: "string",
    reputationMinimum: 0,
    reputationMinimum6: 0,
    rsso: "string",
    rtpAddr: "string",
    rtpNat: "string",
    scanBotnetConnections: "string", // Valid values: disable, block, monitor.
    schedule: "string",
    scheduleTimeout: "string",
    scopetype: "string", // Valid values: inherit, adom; the default is inherit.
    sctpFilterProfile: "string",
    sendDenyPacket: "string", // Enable to send a reply when a session is denied or blocked.
    serviceNegate: "string",
    services: ["string"],
    sessionTtl: "string", // Seconds; 0 means use the system default session TTL.
    sgtCheck: "string",
    sgts: [0],
    spamfilterProfile: "string",
    srcVendorMacs: ["string"],
    srcaddr6Negate: "string",
    srcaddr6s: ["string"],
    srcaddrNegate: "string", // When enabled, srcaddr specifies what the source must NOT be.
    srcaddrs: ["string"],
    srcintfs: ["string"],
    sshFilterProfile: "string",
    sshPolicyRedirect: "string",
    sslMirror: "string", // Enable to copy decrypted SSL traffic to a FortiGate interface.
    sslMirrorIntf: "string",
    sslSshProfile: "string",
    status: "string", // Enable or disable this policy.
    tcpMssReceiver: 0,
    tcpMssSender: 0,
    tcpSessionWithoutSyn: "string", // Valid values: all, data-only, disable.
    tcpTimeoutPid: "string",
    timeoutSendRst: "string",
    tos: "string",
    tosMask: "string",
    tosNegate: "string",
    trafficShaper: "string",
    trafficShaperReverse: "string",
    udpTimeoutPid: "string",
    urlCategory: "string",
    users: ["string"],
    utmStatus: "string", // Enable to add security profiles (AV, IPS, etc.) to the policy.
    uuid: "string",
    videofilterProfile: "string",
    virtualPatchProfile: "string",
    vlanCosFwd: 0, // 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev: 0, // 255 passthrough, 0 lowest, 7 highest.
    vlanFilter: "string",
    voipProfile: "string",
    // vpn_dst_node and vpn_src_node also exist as sub resources
    // (fortimanager_packages_firewall_policy_vpn_dst_node / _vpn_src_node); the
    // page warns that using both forms together may cause conflicts and overwrites.
    vpnDstNodes: [{
        host: "string",
        seq: 0,
        subnet: "string",
    }],
    vpnSrcNodes: [{
        host: "string",
        seq: 0,
        subnet: "string",
    }],
    vpntunnel: "string",
    wafProfile: "string",
    wanopt: "string",
    wanoptDetection: "string",
    wanoptPassiveOpt: "string",
    wanoptPeer: "string",
    wanoptProfile: "string",
    wccp: "string",
    webcache: "string",
    webcacheHttps: "string", // Valid values: disable, ssl-server, any, enable.
    webfilterProfile: "string",
    webproxyForwardServer: "string",
    webproxyProfile: "string",
    wsso: "string",
    ztnaDeviceOwnership: "string",
    ztnaEmsTag: "string",
    ztnaEmsTagNegate: "string",
    ztnaEmsTagSecondaries: ["string"],
    ztnaGeoTag: "string",
    ztnaPolicyRedirect: "string",
    ztnaStatus: "string",
    ztnaTagsMatchLogic: "string",
});
# Template of every PackagesFirewallPolicy input: `string` and `0` are type
# placeholders, not usable values. Accepted values are given in the property
# list further down this page.
type: fortimanager:PackagesFirewallPolicy
properties:
    _policyBlock: 0
    action: string  # Valid values: deny, accept, ipsec, ssl-vpn.
    adom: string  # Only valid when scopetype is adom; otherwise the provider's adom is inherited.
    antiReplay: string
    appCategory: string
    appGroup: string
    appMonitor: string
    applicationList: string
    applications:
        - 0
    authCert: string
    authPath: string
    authRedirectAddr: string
    autoAsicOffload: string
    avProfile: string
    bestRoute: string
    blockNotification: string
    captivePortalExempt: string  # Enable to exempt some users from the captive portal.
    capturePacket: string
    casbProfile: string
    cgnEif: string
    cgnEim: string
    cgnLogServerGrp: string
    cgnResourceQuota: 0
    cgnSessionQuota: 0
    cgnSwEifCtrl: string
    cifsProfile: string
    comments: string
    customLogFields: string
    decryptedTrafficMirror: string
    delayTcpNpuSession: string
    devices: string
    diameterFilterProfile: string
    diffservCopy: string
    diffservForward: string
    diffservReverse: string
    diffservcodeForward: string
    diffservcodeRev: string
    disclaimer: string
    dlpProfile: string
    dlpSensor: string
    dnsfilterProfile: string
    dscpMatch: string
    dscpNegate: string
    dscpValue: string
    dsri: string
    dstaddr6Negate: string
    dstaddr6s:
        - string
    dstaddrNegate: string  # When enabled, dstaddr specifies what the destination must NOT be.
    dstaddrs:
        - string
    dstintfs:
        - string
    dynamicShaping: string
    dynamicSortSubtable: string
    eifCheck: string
    eifLearn: string
    emailCollect: string
    emailfilterProfile: string
    fec: string
    fileFilterProfile: string
    firewallSessionDirty: string  # Valid values: check-all, check-new.
    fixedport: string
    fsso: string
    fssoAgentForNtlm: string
    fssoGroups:
        - string
    geoipAnycast: string
    geoipMatch: string
    globalLabel: string
    groups:
        - string
    gtpProfile: string
    httpPolicyRedirect: string
    icapProfile: string
    identityBasedRoute: string
    inbound: string
    inspectionMode: string
    internetService: string  # If enabled, destination address and service are not used.
    internetService6: string
    internetService6CustomGroups:
        - string
    internetService6Customs:
        - string
    internetService6Groups:
        - string
    internetService6Names:
        - string
    internetService6Negate: string
    internetService6Src: string
    internetService6SrcCustomGroups:
        - string
    internetService6SrcCustoms:
        - string
    internetService6SrcGroups:
        - string
    internetService6SrcNames:
        - string
    internetService6SrcNegate: string
    internetServiceCustom: string
    internetServiceCustomGroup: string
    internetServiceGroup: string
    internetServiceIds:
        - string
    internetServiceName: string
    internetServiceNegate: string
    internetServiceSrc: string  # If enabled, source address is not used.
    internetServiceSrcCustom: string
    internetServiceSrcCustomGroup: string
    internetServiceSrcGroup: string
    internetServiceSrcId: string
    internetServiceSrcName: string
    internetServiceSrcNegate: string
    ipVersionType: string
    ippool: string
    ipsSensor: string
    ipsVoipFilter: string
    label: string
    # enable allows everything and only logs it for a learning report, so the
    # policy stops filtering while this is on.
    learningMode: string
    logHttpTransaction: string
    logtraffic: string  # Valid values: disable, enable, all, utm.
    logtrafficStart: string
    matchVip: string
    matchVipOnly: string
    mmsProfile: string
    name: string
    nat: string
    nat46: string
    nat64: string
    natinbound: string
    natips:
        - string
    natoutbound: string
    networkServiceDynamics:
        - string
    networkServiceSrcDynamics:
        - string
    npAcceleration: string
    ntlm: string
    ntlmEnabledBrowsers:
        - string
    ntlmGuest: string
    outbound: string
    packagesFirewallPolicyId: string  # Resource identifier, format {{policyid}}.
    passiveWanHealthMeasurement: string
    pcpInbound: string
    pcpOutbound: string
    pcpPoolnames:
        - string
    perIpShaper: string
    permitAnyHost: string  # When enabled, UDP packets are accepted from any host.
    permitStunHost: string
    pfcpProfile: string
    pkg: string  # Package (the usage example on this page sets "default").
    pkgFolderPath: string
    policyBehaviourType: string
    policyExpiry: string
    policyExpiryDate: string  # Format: YYYY-MM-DD HH:MM:SS.
    policyExpiryDateUtc: string
    policyOffload: string
    policyid: 0  # Policy ID (0 - 4294967294).
    poolname: string
    poolname6: string
    portPreserve: string
    portRandom: string
    profileGroup: string
    profileProtocolOptions: string
    profileType: string  # Valid values: single, group.
    # Authentication bypass: the bypassed IP / MAC address must be received from
    # the RADIUS server.
    radiusIpAuthBypass: string
    radiusMacAuthBypass: string
    redirectUrl: string
    replacemsgOverrideGroup: string
    reputationDirection: string
    reputationDirection6: string
    reputationMinimum: 0
    reputationMinimum6: 0
    rsso: string
    rtpAddr: string
    rtpNat: string
    scanBotnetConnections: string  # Valid values: disable, block, monitor.
    schedule: string
    scheduleTimeout: string
    scopetype: string  # Valid values: inherit, adom; the default is inherit.
    sctpFilterProfile: string
    sendDenyPacket: string  # Enable to send a reply when a session is denied or blocked.
    serviceNegate: string
    services:
        - string
    sessionTtl: string  # Seconds; 0 means use the system default session TTL.
    sgtCheck: string
    sgts:
        - 0
    spamfilterProfile: string
    srcVendorMacs:
        - string
    srcaddr6Negate: string
    srcaddr6s:
        - string
    srcaddrNegate: string  # When enabled, srcaddr specifies what the source must NOT be.
    srcaddrs:
        - string
    srcintfs:
        - string
    sshFilterProfile: string
    sshPolicyRedirect: string
    sslMirror: string  # Enable to copy decrypted SSL traffic to a FortiGate interface.
    sslMirrorIntf: string
    sslSshProfile: string
    status: string  # Enable or disable this policy.
    tcpMssReceiver: 0
    tcpMssSender: 0
    tcpSessionWithoutSyn: string  # Valid values: all, data-only, disable.
    tcpTimeoutPid: string
    timeoutSendRst: string
    tos: string
    tosMask: string
    tosNegate: string
    trafficShaper: string
    trafficShaperReverse: string
    udpTimeoutPid: string
    urlCategory: string
    users:
        - string
    utmStatus: string  # Enable to add security profiles (AV, IPS, etc.) to the policy.
    uuid: string
    videofilterProfile: string
    virtualPatchProfile: string
    vlanCosFwd: 0  # 255 passthrough, 0 lowest, 7 highest.
    vlanCosRev: 0  # 255 passthrough, 0 lowest, 7 highest.
    vlanFilter: string
    voipProfile: string
    # vpn_dst_node and vpn_src_node also exist as sub resources
    # (fortimanager_packages_firewall_policy_vpn_dst_node / _vpn_src_node); the
    # page warns that using both forms together may cause conflicts and overwrites.
    vpnDstNodes:
        - host: string
          seq: 0
          subnet: string
    vpnSrcNodes:
        - host: string
          seq: 0
          subnet: string
    vpntunnel: string
    wafProfile: string
    wanopt: string
    wanoptDetection: string
    wanoptPassiveOpt: string
    wanoptPeer: string
    wanoptProfile: string
    wccp: string
    webcache: string
    webcacheHttps: string  # Valid values: disable, ssl-server, any, enable.
    webfilterProfile: string
    webproxyForwardServer: string
    webproxyProfile: string
    wsso: string
    ztnaDeviceOwnership: string
    ztnaEmsTag: string
    ztnaEmsTagNegate: string
    ztnaEmsTagSecondaries:
        - string
    ztnaGeoTag: string
    ztnaPolicyRedirect: string
    ztnaStatus: string
    ztnaTagsMatchLogic: string
PackagesFirewallPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The PackagesFirewallPolicy resource accepts the following input properties:
- Pkg string
 - Package.
 - Action string
 - Policy action (allow/deny/ipsec). Valid values: `deny`, `accept`, `ipsec`, `ssl-vpn`; the allow action is written `accept`.
 - Adom string
 - Adom. This value is valid only when the `scopetype` is `adom`; otherwise the value of adom in the provider will be inherited.
 - Anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - App
Category string - Application category ID list.
 - App
Group string - Application group names.
 - App
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Application
List string - Name of an existing Application list.
 - Applications List<double>
 - Application ID list.
 - Auth
Cert string - HTTPS server certificate for policy authentication.
 - Auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - Auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - Auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - Av
Profile string - Name of an existing Antivirus profile.
 - Best
Route string - Best-Route. Valid values: 
disable,enable. - Block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - Captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - Capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - Casb
Profile string - Name of an existing CASB profile.
 - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - Cgn
Log stringServer Grp  - NP log server group name
 - Cgn
Resource doubleQuota  - resource quota
 - Cgn
Session doubleQuota  - session quota
 - Cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - Cifs
Profile string - Name of an existing CIFS profile.
 - Comments string
 - Comment.
 - Custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - Decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - Delay
Tcp stringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - Devices string
 - Names of devices or device groups that can be matched by the policy.
 - Diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - Diffservcode
Forward string - Change packet's DiffServ to this value.
 - Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - Disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - Dlp
Profile string - Name of an existing DLP profile.
 - Dlp
Sensor string - Name of an existing DLP sensor.
 - Dnsfilter
Profile string - Name of an existing DNS filter profile.
 - Dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - Dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - Dscp
Value string - DSCP value.
 - Dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - Dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddr6s List<string>
 - Destination IPv6 address name and address group names.
 - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddrs List<string>
 - Destination address and address group names.
 - Dstintfs List<string>
 - Outgoing (egress) interface.
 - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable.
 - DynamicSortSubtable string
 - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - Email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - Emailfilter
Profile string - Name of an existing email filter profile.
 - Fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - File
Filter stringProfile  - Name of an existing file-filter profile.
 - Firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - Fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - Fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - Fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - Fsso
Groups List<string> - Names of FSSO groups.
 - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - Groups List<string>
 - Names of user groups that can authenticate with this policy.
 - Gtp
Profile string - GTP profile.
 - Http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - Icap
Profile string - Name of an existing ICAP profile.
 - Identity
Based stringRoute  - Name of identity-based routing rule.
 - Inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6Custom List<string>Groups  - Custom Internet Service6 group name.
 - Internet
Service6Customs List<string> - Custom IPv6 Internet Service name.
 - Internet
Service6Groups List<string> - Internet Service group name.
 - Internet
Service6Names List<string> - IPv6 Internet Service name.
 - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service6Src List<string>Custom Groups  - Custom Internet Service6 source group name.
 - Internet
Service6Src List<string>Customs  - Custom IPv6 Internet Service source name.
 - Internet
Service6Src List<string>Groups  - Internet Service6 source group name.
 - Internet
Service6Src List<string>Names  - IPv6 Internet Service source name.
 - Internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringCustom  - Custom Internet Service name.
 - Internet
Service stringCustom Group  - Custom Internet Service group name.
 - Internet
Service stringGroup  - Internet Service group name.
 - Internet
Service List<string>Ids  - Internet Service ID.
 - Internet
Service stringName  - Internet Service name.
 - Internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service stringSrc Custom  - Custom Internet Service source name.
 - Internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - Internet
Service stringSrc Group  - Internet Service source group name.
 - Internet
Service stringSrc Id  - Internet Service source ID.
 - Internet
Service stringSrc Name  - Internet Service source name.
 - Internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - Ip
Version stringType  - IP version of the policy.
 - Ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - Ips
Sensor string - Name of an existing IPS sensor.
 - Ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - Label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - LearningMode string
 - Enable to allow everything, but log all of the meaningful data for security information gathering; while enabled, the policy permits matching traffic instead of filtering it. A learning report will be generated. Valid values: `disable`, `enable`.
 - LogHttpTransaction string
 - Enable/disable HTTP transaction log. Valid values: `disable`, `enable`, `all`, `utm`.
 - Logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: `disable`, `enable`, `all`, `utm`.
 - Logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Mms
Profile string - Name of an existing MMS profile.
 - Name string
 - Policy name.
 - Nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - Nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - Nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - Natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - Natips List<string>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - Natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - Network
Service List<string>Dynamics  - Dynamic Network Service name.
 - Network
Service List<string>Src Dynamics  - Dynamic Network Service source name.
 - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - Ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - Ntlm
Enabled List<string>Browsers  - HTTP-User-Agent value of supported browsers.
 - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - Outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - Packages
Firewall stringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - Passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - Pcp
Poolnames List<string> - PCP pool names.
 - Per
Ip stringShaper  - Per-IP traffic shaper.
 - Permit
Any stringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - Permit
Stun stringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - Pfcp
Profile string - PFCP profile.
 - Pkg
Folder stringPath  - Pkg Folder Path.
 - Policy
Behaviour stringType  - Behaviour of the policy.
 - Policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - Policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - Policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - Policyid double
 - Policy ID (0 - 4294967294).
 - Poolname string
 - IP Pool names.
 - Poolname6 string
 - IPv6 pool names.
 - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - Port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - Profile
Group string - Name of profile group.
 - Profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group.
 - RadiusIpAuthBypass string
 - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: `disable`, `enable`.
 - RadiusMacAuthBypass string
 - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: `disable`, `enable`.
 - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - Replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - Reputation
Minimum double - Minimum Reputation to take action.
 - Reputation
Minimum6 double - IPv6 Minimum Reputation to take action.
 - Rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - Rtp
Addr string - Address names if this is an RTP NAT policy.
 - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - Scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - Schedule string
 - Schedule name.
 - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable.
 - Scopetype string
 - The scope of application of the resource. Valid values: `inherit`, `adom`. `inherit` means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is `inherit`.
 - Sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - Send
Deny stringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - Services List<string>
 - Service and service group names.
 - Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - Sgts List<double>
 - Security group tags.
 - Spamfilter
Profile string - Name of an existing Spam filter profile.
 - Src
Vendor List<string>Macs  - Vendor MAC source ID.
 - Srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddr6s List<string>
 - Source IPv6 address name and address group names.
 - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddrs List<string>
 - Source address and address group names.
 - Srcintfs List<string>
 - Incoming (ingress) interface.
 - Ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - Ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - Ssl
Mirror stringIntf  - SSL mirror interface name.
 - Ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - Status string
 - Enable or disable this policy. Valid values: 
disable,enable. - Tcp
Mss doubleReceiver  - Receiver TCP maximum segment size (MSS).
 - Tcp
Mss doubleSender  - Sender TCP maximum segment size (MSS).
 - Tcp
Session stringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - Tcp
Timeout stringPid  - TCP timeout profile ID
 - Timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - Tos string
 - ToS (Type of Service) value used for comparison.
 - Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - Tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - Traffic
Shaper string - Traffic shaper.
 - Traffic
Shaper stringReverse  - Reverse traffic shaper.
 - Udp
Timeout stringPid  - UDP timeout profile ID
 - Url
Category string - URL category ID list.
 - Users List<string>
 - Names of individual users that can authenticate with this policy.
 - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - Uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - Videofilter
Profile string - Name of an existing VideoFilter profile.
 - Virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - Vlan
Cos doubleFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Cos doubleRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Filter string - Set VLAN filters.
 - Voip
Profile string - Name of an existing VoIP profile.
 - Vpn
Dst List<PackagesNodes Firewall Policy Vpn Dst Node>  - Vpn_Dst_Node. The structure of 
`vpn_dst_node` block is documented below. - Vpn
Src List<PackagesNodes Firewall Policy Vpn Src Node>  - Vpn_Src_Node. The structure of 
`vpn_src_node` block is documented below. - Vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - Waf
Profile string - Name of an existing Web application firewall profile.
 - Wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - Wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. Valid values: 
default,transparent,non-transparent. - Wanopt
Peer string - WAN optimization peer.
 - Wanopt
Profile string - WAN optimization profile.
 - Wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - Webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - Webfilter
Profile string - Name of an existing Web filter profile.
 - Webproxy
Forward stringServer  - Webproxy forward server name.
 - Webproxy
Profile string - Webproxy profile name.
 - Wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - Ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - Ztna
Ems stringTag  - Source ztna-ems-tag names.
 - Ztna
Ems stringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - List<string>
 - Source ztna-ems-tag-secondary names.
 - Ztna
Geo stringTag  - Source ztna-geo-tag names.
 - Ztna
Policy stringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - Ztna
Status string - Enable/disable zero trust access. Valid values: 
disable,enable. - string
 - ZTNA tag matching logic. Valid values: 
or,and. - _
policy doubleBlock  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 
- Pkg string
 - Package.
 - Action string
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - Adom string
 - Adom. This value is valid only when the 
`scopetype` is `adom`; otherwise the value of adom in the provider will be inherited. - Anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - App
Category string - Application category ID list.
 - App
Group string - Application group names.
 - App
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Application
List string - Name of an existing Application list.
 - Applications []float64
 - Application ID list.
 - Auth
Cert string - HTTPS server certificate for policy authentication.
 - Auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - Auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - Auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - Av
Profile string - Name of an existing Antivirus profile.
 - Best
Route string - Best-Route. Valid values: 
disable,enable. - Block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - Captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - Capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - Casb
Profile string - Name of an existing CASB profile.
 - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - Cgn
Log stringServer Grp  - NP log server group name
 - Cgn
Resource float64Quota  - resource quota
 - Cgn
Session float64Quota  - session quota
 - Cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - Cifs
Profile string - Name of an existing CIFS profile.
 - Comments string
 - Comment.
 - Custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - Decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - DelayTcpNpuSession string - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - Devices string
 - Names of devices or device groups that can be matched by the policy.
 - Diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - Diffservcode
Forward string - Change packet's DiffServ to this value.
 - Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - Disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - Dlp
Profile string - Name of an existing DLP profile.
 - Dlp
Sensor string - Name of an existing DLP sensor.
 - Dnsfilter
Profile string - Name of an existing DNS filter profile.
 - Dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - Dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - Dscp
Value string - DSCP value.
 - Dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - Dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddr6s []string
 - Destination IPv6 address name and address group names.
 - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddrs []string
 - Destination address and address group names.
 - Dstintfs []string
 - Outgoing (egress) interface.
 - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - Dynamic
Sort stringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - Email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - Emailfilter
Profile string - Name of an existing email filter profile.
 - Fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - File
Filter stringProfile  - Name of an existing file-filter profile.
 - Firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - Fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - Fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - Fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - Fsso
Groups []string - Names of FSSO groups.
 - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - Groups []string
 - Names of user groups that can authenticate with this policy.
 - Gtp
Profile string - GTP profile.
 - Http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - Icap
Profile string - Name of an existing ICAP profile.
 - Identity
Based stringRoute  - Name of identity-based routing rule.
 - Inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6Custom []stringGroups  - Custom Internet Service6 group name.
 - Internet
Service6Customs []string - Custom IPv6 Internet Service name.
 - Internet
Service6Groups []string - Internet Service group name.
 - Internet
Service6Names []string - IPv6 Internet Service name.
 - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service6Src []stringCustom Groups  - Custom Internet Service6 source group name.
 - Internet
Service6Src []stringCustoms  - Custom IPv6 Internet Service source name.
 - Internet
Service6Src []stringGroups  - Internet Service6 source group name.
 - Internet
Service6Src []stringNames  - IPv6 Internet Service source name.
 - Internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringCustom  - Custom Internet Service name.
 - Internet
Service stringCustom Group  - Custom Internet Service group name.
 - Internet
Service stringGroup  - Internet Service group name.
 - Internet
Service []stringIds  - Internet Service ID.
 - Internet
Service stringName  - Internet Service name.
 - Internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service stringSrc Custom  - Custom Internet Service source name.
 - Internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - Internet
Service stringSrc Group  - Internet Service source group name.
 - Internet
Service stringSrc Id  - Internet Service source ID.
 - Internet
Service stringSrc Name  - Internet Service source name.
 - Internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - Ip
Version stringType  - IP version of the policy.
 - Ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - Ips
Sensor string - Name of an existing IPS sensor.
 - Ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - Label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - Learning
Mode string - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: 
disable,enable. - Log
Http stringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - Logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - Logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Mms
Profile string - Name of an existing MMS profile.
 - Name string
 - Policy name.
 - Nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - Nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - Nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - Natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - Natips []string
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - Natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - Network
Service []stringDynamics  - Dynamic Network Service name.
 - Network
Service []stringSrc Dynamics  - Dynamic Network Service source name.
 - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - Ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - Ntlm
Enabled []stringBrowsers  - HTTP-User-Agent value of supported browsers.
 - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - Outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - Packages
Firewall stringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - Passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - Pcp
Poolnames []string - PCP pool names.
 - Per
Ip stringShaper  - Per-IP traffic shaper.
 - PermitAnyHost string - Accept UDP packets from any host. Valid values: 
disable,enable. - Permit
Stun stringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - Pfcp
Profile string - PFCP profile.
 - Pkg
Folder stringPath  - Pkg Folder Path.
 - Policy
Behaviour stringType  - Behaviour of the policy.
 - Policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - Policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - Policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - Policyid float64
 - Policy ID (0 - 4294967294).
 - Poolname string
 - IP Pool names.
 - Poolname6 string
 - IPv6 pool names.
 - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - Port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - Profile
Group string - Name of profile group.
 - Profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - Radius
Ip stringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: 
disable,enable. - Radius
Mac stringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: 
disable,enable. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - Replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - Reputation
Minimum float64 - Minimum Reputation to take action.
 - Reputation
Minimum6 float64 - IPv6 Minimum Reputation to take action.
 - Rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - Rtp
Addr string - Address names if this is an RTP NAT policy.
 - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - Scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - Schedule string
 - Schedule name.
 - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - Scopetype string
 - The scope of application of the resource. Valid values: 
inherit,adom. `inherit` means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is `inherit`. - Sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - SendDenyPacket string - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - Services []string
 - Service and service group names.
 - Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - Sgts []float64
 - Security group tags.
 - Spamfilter
Profile string - Name of an existing Spam filter profile.
 - Src
Vendor []stringMacs  - Vendor MAC source ID.
 - Srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddr6s []string
 - Source IPv6 address name and address group names.
 - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddrs []string
 - Source address and address group names.
 - Srcintfs []string
 - Incoming (ingress) interface.
 - Ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - Ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - Ssl
Mirror stringIntf  - SSL mirror interface name.
 - Ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - Status string
 - Enable or disable this policy. Valid values: 
disable,enable. - Tcp
Mss float64Receiver  - Receiver TCP maximum segment size (MSS).
 - Tcp
Mss float64Sender  - Sender TCP maximum segment size (MSS).
 - TcpSessionWithoutSyn string - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - Tcp
Timeout stringPid  - TCP timeout profile ID
 - Timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - Tos string
 - ToS (Type of Service) value used for comparison.
 - Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - Tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - Traffic
Shaper string - Traffic shaper.
 - Traffic
Shaper stringReverse  - Reverse traffic shaper.
 - Udp
Timeout stringPid  - UDP timeout profile ID
 - Url
Category string - URL category ID list.
 - Users []string
 - Names of individual users that can authenticate with this policy.
 - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - Uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - Videofilter
Profile string - Name of an existing VideoFilter profile.
 - Virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - Vlan
Cos float64Fwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Cos float64Rev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Filter string - Set VLAN filters.
 - Voip
Profile string - Name of an existing VoIP profile.
 - Vpn
Dst []PackagesNodes Firewall Policy Vpn Dst Node Args  - Vpn_Dst_Node. The structure of 
`vpn_dst_node` block is documented below. - Vpn
Src []PackagesNodes Firewall Policy Vpn Src Node Args  - Vpn_Src_Node. The structure of 
`vpn_src_node` block is documented below. - Vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - Waf
Profile string - Name of an existing Web application firewall profile.
 - Wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - Wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides which IP address will be used to connect to the server. Valid values: 
default,transparent,non-transparent. - Wanopt
Peer string - WAN optimization peer.
 - Wanopt
Profile string - WAN optimization profile.
 - Wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - Webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - Webfilter
Profile string - Name of an existing Web filter profile.
 - Webproxy
Forward stringServer  - Webproxy forward server name.
 - Webproxy
Profile string - Webproxy profile name.
 - Wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - Ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - Ztna
Ems stringTag  - Source ztna-ems-tag names.
 - Ztna
Ems stringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - []string
 - Source ztna-ems-tag-secondary names.
 - Ztna
Geo stringTag  - Source ztna-geo-tag names.
 - Ztna
Policy stringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - Ztna
Status string - Enable/disable zero trust access. Valid values: 
disable,enable. - string
 - ZTNA tag matching logic. Valid values: 
or,and. - _
policy float64Block  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 
- pkg String
 - Package.
 - _
policy DoubleBlock  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action String
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - adom String
 - Adom. This value is valid only when the 
`scopetype` is `adom`; otherwise the value of adom in the provider will be inherited. - anti
Replay String - Enable/disable anti-replay check. Valid values: 
disable,enable. - app
Category String - Application category ID list.
 - app
Group String - Application group names.
 - app
Monitor String - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application
List String - Name of an existing Application list.
 - applications List<Double>
 - Application ID list.
 - auth
Cert String - HTTPS server certificate for policy authentication.
 - auth
Path String - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect StringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic StringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile String - Name of an existing Antivirus profile.
 - best
Route String - Best-Route. Valid values: 
disable,enable. - block
Notification String - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal StringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet String - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile String - Name of an existing CASB profile.
 - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn
Log StringServer Grp  - NP log server group name
 - cgn
Resource DoubleQuota  - resource quota
 - cgn
Session DoubleQuota  - session quota
 - cgn
Sw StringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile String - Name of an existing CIFS profile.
 - comments String
 - Comment.
 - custom
Log StringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic StringMirror  - Decrypted traffic mirror.
 - delayTcpNpuSession String - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices String
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter StringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward String - Change packet's DiffServ to this value.
 - diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer String
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile String - Name of an existing DLP profile.
 - dlp
Sensor String - Name of an existing DLP sensor.
 - dnsfilter
Profile String - Name of an existing DNS filter profile.
 - dscp
Match String - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate String - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value String - DSCP value.
 - dsri String
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate String
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s List<String>
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs List<String>
 - Destination address and address group names.
 - dstintfs List<String>
 - Outgoing (egress) interface.
 - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort StringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect String - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile String - Name of an existing email filter profile.
 - fec String
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter StringProfile  - Name of an existing file-filter profile.
 - firewall
Session StringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport String
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso String
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent StringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups List<String> - Names of FSSO groups.
 - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
 - groups List<String>
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile String - GTP profile.
 - http
Policy StringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile String - Name of an existing ICAP profile.
 - identity
Based StringRoute  - Name of identity-based routing rule.
 - inbound String
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom List<String>Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
 - internet
Service6Groups List<String> - Internet Service group name.
 - internet
Service6Names List<String> - IPv6 Internet Service name.
 - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src List<String>Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src List<String>Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src List<String>Groups  - Internet Service6 source group name.
 - internet
Service6Src List<String>Names  - IPv6 Internet Service source name.
 - internet
Service6Src StringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringCustom  - Custom Internet Service name.
 - internet
Service StringCustom Group  - Custom Internet Service group name.
 - internet
Service StringGroup  - Internet Service group name.
 - internet
Service List<String>Ids  - Internet Service ID.
 - internet
Service StringName  - Internet Service name.
 - internet
Service StringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service StringSrc Custom  - Custom Internet Service source name.
 - internet
Service StringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service StringSrc Group  - Internet Service source group name.
 - internet
Service StringSrc Id  - Internet Service source ID.
 - internet
Service StringSrc Name  - Internet Service source name.
 - internet
Service StringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version StringType  - IP version of the policy.
 - ippool String
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor String - Name of an existing IPS sensor.
 - ips
Voip StringFilter  - Name of an existing VoIP (ips) profile.
 - label String
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering; no traffic is blocked by this policy while it is enabled. A learning report will be generated. Valid values: 
disable,enable. - log
Http StringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic String
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start String - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip StringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile String - Name of an existing MMS profile.
 - name String
 - Policy name.
 - nat String
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 String
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 String
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound String
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips List<String>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound String
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service List<String>Dynamics  - Dynamic Network Service name.
 - network
Service List<String>Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm String
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled List<String>Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound String
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall StringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan StringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames List<String> - PCP pool names.
 - per
Ip StringShaper  - Per-IP traffic shaper.
 - permit
Any StringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun StringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile String - PFCP profile.
 - pkg
Folder StringPath  - Pkg Folder Path.
 - policy
Behaviour StringType  - Behaviour of the policy.
 - policy
Expiry String - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry StringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry StringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid Double
 - Policy ID (0 - 4294967294).
 - poolname String
 - IP Pool names.
 - poolname6 String
 - IPv6 pool names.
 - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random String - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group String - Name of profile group.
 - profile
Protocol StringOptions  - Name of an existing Protocol options profile.
 - profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip StringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac StringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override StringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum Double - Minimum Reputation to take action.
 - reputation
Minimum6 Double - IPv6 Minimum Reputation to take action.
 - rsso String
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr String - Address names if this is an RTP NAT policy.
 - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet StringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule String
 - Schedule name.
 - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype String
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp
Filter StringProfile  - Name of an existing SCTP filter profile.
 - send
Deny StringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services List<String>
 - Service and service group names.
 - session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts List<Double>
 - Security group tags.
 - spamfilter
Profile String - Name of an existing Spam filter profile.
 - src
Vendor List<String>Macs  - Vendor MAC source ID.
 - srcaddr6Negate String
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s List<String>
 - Source IPv6 address name and address group names.
 - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs List<String>
 - Source address and address group names.
 - srcintfs List<String>
 - Incoming (ingress) interface.
 - ssh
Filter StringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy StringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl
Mirror StringIntf  - SSL mirror interface name.
 - ssl
Ssh StringProfile  - Name of an existing SSL SSH profile.
 - status String
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss DoubleReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss DoubleSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session StringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout StringPid  - TCP timeout profile ID
 - timeout
Send StringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos String
 - ToS (Type of Service) value used for comparison.
 - tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate String - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper String - Traffic shaper.
 - traffic
Shaper StringReverse  - Reverse traffic shaper.
 - udp
Timeout StringPid  - UDP timeout profile ID
 - url
Category String - URL category ID list.
 - users List<String>
 - Names of individual users that can authenticate with this policy.
 - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid String
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile String - Name of an existing VideoFilter profile.
 - virtual
Patch StringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos DoubleFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos DoubleRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter String - Set VLAN filters.
 - voip
Profile String - Name of an existing VoIP profile.
 - vpn
Dst List<PackagesNodes Firewall Policy Vpn Dst Node>  - Vpn_Dst_Node. The structure of 
vpn_dst_nodeblock is documented below. - vpn
Src List<PackagesNodes Firewall Policy Vpn Src Node>  - Vpn_Src_Node. The structure of 
vpn_src_nodeblock is documented below. - vpntunnel String
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile String - Name of an existing Web application firewall profile.
 - wanopt String
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive StringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer String - WAN optimization peer.
 - wanopt
Profile String - WAN optimization profile.
 - wccp String
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache String
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile String - Name of an existing Web filter profile.
 - webproxy
Forward StringServer  - Webproxy forward server name.
 - webproxy
Profile String - Webproxy profile name.
 - wsso String
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device StringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems StringTag  - Source ztna-ems-tag names.
 - ztna
Ems StringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - List<String>
 - Source ztna-ems-tag-secondary names.
 - ztna
Geo StringTag  - Source ztna-geo-tag names.
 - ztna
Policy StringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna
Status String - Enable/disable zero trust access. Valid values: 
disable,enable. - String
 - ZTNA tag matching logic. Valid values: 
or,and. 
- pkg string
 - Package.
 - _
policy numberBlock  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action string
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - adom string
 - Adom. This value is valid only when the 
scopetype is adom, otherwise the value of adom in the provider will be inherited. - anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - app
Category string - Application category ID list.
 - app
Group string - Application group names.
 - app
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application
List string - Name of an existing Application list.
 - applications number[]
 - Application ID list.
 - auth
Cert string - HTTPS server certificate for policy authentication.
 - auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile string - Name of an existing Antivirus profile.
 - best
Route string - Best-Route. Valid values: 
disable,enable. - block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile string - Name of an existing CASB profile.
 - cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn
Log stringServer Grp  - NP log server group name
 - cgn
Resource numberQuota  - resource quota
 - cgn
Session numberQuota  - session quota
 - cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile string - Name of an existing CIFS profile.
 - comments string
 - Comment.
 - custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - delay
Tcp stringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices string
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward string - Change packet's DiffServ to this value.
 - diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile string - Name of an existing DLP profile.
 - dlp
Sensor string - Name of an existing DLP sensor.
 - dnsfilter
Profile string - Name of an existing DNS filter profile.
 - dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value string - DSCP value.
 - dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s string[]
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs string[]
 - Destination address and address group names.
 - dstintfs string[]
 - Outgoing (egress) interface.
 - dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort stringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile string - Name of an existing email filter profile.
 - fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter stringProfile  - Name of an existing file-filter profile.
 - firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups string[] - Names of FSSO groups.
 - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - groups string[]
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile string - GTP profile.
 - http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile string - Name of an existing ICAP profile.
 - identity
Based stringRoute  - Name of identity-based routing rule.
 - inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom string[]Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs string[] - Custom IPv6 Internet Service name.
 - internet
Service6Groups string[] - Internet Service group name.
 - internet
Service6Names string[] - IPv6 Internet Service name.
 - internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src string[]Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src string[]Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src string[]Groups  - Internet Service6 source group name.
 - internet
Service6Src string[]Names  - IPv6 Internet Service source name.
 - internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service stringCustom  - Custom Internet Service name.
 - internet
Service stringCustom Group  - Custom Internet Service group name.
 - internet
Service stringGroup  - Internet Service group name.
 - internet
Service string[]Ids  - Internet Service ID.
 - internet
Service stringName  - Internet Service name.
 - internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service stringSrc Custom  - Custom Internet Service source name.
 - internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service stringSrc Group  - Internet Service source group name.
 - internet
Service stringSrc Id  - Internet Service source ID.
 - internet
Service stringSrc Name  - Internet Service source name.
 - internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version stringType  - IP version of the policy.
 - ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor string - Name of an existing IPS sensor.
 - ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
Mode string - Enable to allow everything, but log all of the meaningful data for security information gathering; no traffic is blocked by this policy while it is enabled. A learning report will be generated. Valid values: 
disable,enable. - log
Http stringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile string - Name of an existing MMS profile.
 - name string
 - Policy name.
 - nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips string[]
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service string[]Dynamics  - Dynamic Network Service name.
 - network
Service string[]Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled string[]Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall stringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames string[] - PCP pool names.
 - per
Ip stringShaper  - Per-IP traffic shaper.
 - permit
Any stringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun stringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile string - PFCP profile.
 - pkg
Folder stringPath  - Pkg Folder Path.
 - policy
Behaviour stringType  - Behaviour of the policy.
 - policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid number
 - Policy ID (0 - 4294967294).
 - poolname string
 - IP Pool names.
 - poolname6 string
 - IPv6 pool names.
 - port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group string - Name of profile group.
 - profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip stringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac stringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum number - Minimum Reputation to take action.
 - reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
 - rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr string - Address names if this is an RTP NAT policy.
 - rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule string
 - Schedule name.
 - schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype string
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - send
Deny stringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services string[]
 - Service and service group names.
 - session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts number[]
 - Security group tags.
 - spamfilter
Profile string - Name of an existing Spam filter profile.
 - src
Vendor string[]Macs  - Vendor MAC source ID.
 - srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s string[]
 - Source IPv6 address name and address group names.
 - srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs string[]
 - Source address and address group names.
 - srcintfs string[]
 - Incoming (ingress) interface.
 - ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl
Mirror stringIntf  - SSL mirror interface name.
 - ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - status string
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss numberReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss numberSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session stringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout stringPid  - TCP timeout profile ID
 - timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos string
 - ToS (Type of Service) value used for comparison.
 - tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper string - Traffic shaper.
 - traffic
Shaper stringReverse  - Reverse traffic shaper.
 - udp
Timeout stringPid  - UDP timeout profile ID
 - url
Category string - URL category ID list.
 - users string[]
 - Names of individual users that can authenticate with this policy.
 - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile string - Name of an existing VideoFilter profile.
 - virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos numberFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos numberRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter string - Set VLAN filters.
 - voip
Profile string - Name of an existing VoIP profile.
 - vpn
Dst PackagesNodes Firewall Policy Vpn Dst Node[]  - Vpn_Dst_Node. The structure of 
vpn_dst_nodeblock is documented below. - vpn
Src PackagesNodes Firewall Policy Vpn Src Node[]  - Vpn_Src_Node. The structure of 
vpn_src_nodeblock is documented below. - vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile string - Name of an existing Web application firewall profile.
 - wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer string - WAN optimization peer.
 - wanopt
Profile string - WAN optimization profile.
 - wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile string - Name of an existing Web filter profile.
 - webproxy
Forward stringServer  - Webproxy forward server name.
 - webproxy
Profile string - Webproxy profile name.
 - wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems stringTag  - Source ztna-ems-tag names.
 - ztnaEmsTagNegate string - When enabled, ztna-ems-tag specifies what the tags must NOT be. Valid values: disable, enable.
 - ztnaEmsTagSecondaries string[] - Source ztna-ems-tag-secondary names.
 - ztna
Geo stringTag  - Source ztna-geo-tag names.
 - ztnaPolicyRedirect string - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: disable, enable.
 - ztnaStatus string - Enable/disable zero trust access. Valid values: disable, enable.
 - ztnaTagsMatchLogic string - ZTNA tag matching logic. Valid values: or, and.
- pkg str
 - Package.
 - _policy_block float - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action str - Policy action (allow/deny/ipsec); allow is written as `accept`. Valid values: deny, accept, ipsec, ssl-vpn.
 - adom str - Adom. This value is valid only when the `scopetype` is `adom`; otherwise the value of adom in the provider will be inherited.
 - anti_replay str - Enable/disable anti-replay check. Valid values: disable, enable.
 - app_category str - Application category ID list.
 - app_
group str - Application group names.
 - app_monitor str - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: disable, enable.
 - application_list str - Name of an existing Application list.
 - applications Sequence[float]
 - Application ID list.
 - auth_
cert str - HTTPS server certificate for policy authentication.
 - auth_
path str - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth_
redirect_ straddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto_
asic_ stroffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av_
profile str - Name of an existing Antivirus profile.
 - best_
route str - Best-Route. Valid values: 
disable,enable. - block_
notification str - Enable/disable block notification. Valid values: 
disable,enable. - captive_
portal_ strexempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture_
packet str - Enable/disable capture packets. Valid values: 
disable,enable. - casb_
profile str - Name of an existing CASB profile.
 - cgn_eif str - Enable/disable CGN endpoint-independent filtering. Valid values: disable, enable.
 - cgn_eim str - Enable/disable CGN endpoint-independent mapping. Valid values: disable, enable.
 - cgn_log_server_grp str - NP log server group name.
 - cgn_
resource_ floatquota  - resource quota
 - cgn_
session_ floatquota  - session quota
 - cgn_
sw_ streif_ ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs_
profile str - Name of an existing CIFS profile.
 - comments str
 - Comment.
 - custom_
log_ strfields  - Custom fields to append to log messages for this policy.
 - decrypted_
traffic_ strmirror  - Decrypted traffic mirror.
 - delay_
tcp_ strnpu_ session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices str
 - Names of devices or device groups that can be matched by the policy.
 - diameter_
filter_ strprofile  - Name of an existing Diameter filter profile.
 - diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode_
forward str - Change packet's DiffServ to this value.
 - diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer str
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp_
profile str - Name of an existing DLP profile.
 - dlp_
sensor str - Name of an existing DLP sensor.
 - dnsfilter_
profile str - Name of an existing DNS filter profile.
 - dscp_
match str - Enable DSCP check. Valid values: 
disable,enable. - dscp_
negate str - Enable negated DSCP match. Valid values: 
disable,enable. - dscp_
value str - DSCP value.
 - dsri str
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s Sequence[str]
 - Destination IPv6 address name and address group names.
 - dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs Sequence[str]
 - Destination address and address group names.
 - dstintfs Sequence[str]
 - Outgoing (egress) interface.
 - dynamic_shaping str - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: disable, enable.
 - dynamic_sort_subtable str - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set it when configuring static sub-tables.
 - eif_
check str - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif_
learn str - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email_
collect str - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter_
profile str - Name of an existing email filter profile.
 - fec str
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file_
filter_ strprofile  - Name of an existing file-filter profile.
 - firewall_
session_ strdirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport str
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso str
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso_
agent_ strfor_ ntlm  - FSSO agent to use for NTLM authentication.
 - fsso_
groups Sequence[str] - Names of FSSO groups.
 - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip_
match str - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global_
label str - Label for the policy that appears when the GUI is in Global View mode.
 - groups Sequence[str]
 - Names of user groups that can authenticate with this policy.
 - gtp_
profile str - GTP profile.
 - http_
policy_ strredirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap_
profile str - Name of an existing ICAP profile.
 - identity_
based_ strroute  - Name of identity-based routing rule.
 - inbound str
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet_
service6_ Sequence[str]custom_ groups  - Custom Internet Service6 group name.
 - internet_
service6_ Sequence[str]customs  - Custom IPv6 Internet Service name.
 - internet_
service6_ Sequence[str]groups  - Internet Service group name.
 - internet_
service6_ Sequence[str]names  - IPv6 Internet Service name.
 - internet_
service6_ strnegate  - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service6_ strsrc  - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet_
service6_ Sequence[str]src_ custom_ groups  - Custom Internet Service6 source group name.
 - internet_
service6_ Sequence[str]src_ customs  - Custom IPv6 Internet Service source name.
 - internet_
service6_ Sequence[str]src_ groups  - Internet Service6 source group name.
 - internet_
service6_ Sequence[str]src_ names  - IPv6 Internet Service source name.
 - internet_
service6_ strsrc_ negate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service_ strcustom  - Custom Internet Service name.
 - internet_
service_ strcustom_ group  - Custom Internet Service group name.
 - internet_
service_ strgroup  - Internet Service group name.
 - internet_
service_ Sequence[str]ids  - Internet Service ID.
 - internet_
service_ strname  - Internet Service name.
 - internet_
service_ strnegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service_ strsrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet_
service_ strsrc_ custom  - Custom Internet Service source name.
 - internet_
service_ strsrc_ custom_ group  - Custom Internet Service source group name.
 - internet_
service_ strsrc_ group  - Internet Service source group name.
 - internet_
service_ strsrc_ id  - Internet Service source ID.
 - internet_
service_ strsrc_ name  - Internet Service source name.
 - internet_
service_ strsrc_ negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip_
version_ strtype  - IP version of the policy.
 - ippool str
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips_
sensor str - Name of an existing IPS sensor.
 - ips_
voip_ strfilter  - Name of an existing VoIP (ips) profile.
 - label str
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning_mode str - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: disable, enable.
 - log_http_transaction str - Enable/disable HTTP transaction log. Valid values: disable, enable, all, utm.
 - logtraffic str - Enable or disable logging. Log all sessions (all) or security profile sessions (utm). Valid values: disable, enable, all, utm.
 - logtraffic_start str - Record logs when a session starts. Valid values: disable, enable.
 - match_vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: disable, enable.
 - match_vip_only str - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: disable, enable.
 - mms_profile str - Name of an existing MMS profile.
 - name str
 - Policy name.
 - nat str
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 str
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 str
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound str
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips Sequence[str]
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound str
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network_
service_ Sequence[str]dynamics  - Dynamic Network Service name.
 - network_
service_ Sequence[str]src_ dynamics  - Dynamic Network Service source name.
 - np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm str
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm_
enabled_ Sequence[str]browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm_
guest str - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound str
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages_
firewall_ strpolicy_ id  - an identifier for the resource with format {{policyid}}.
 - passive_
wan_ strhealth_ measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp_
poolnames Sequence[str] - PCP pool names.
 - per_
ip_ strshaper  - Per-IP traffic shaper.
 - permit_any_host str - Accept UDP packets from any host. Valid values: disable, enable.
 - permit_stun_host str - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: disable, enable.
 - pfcp_profile str - PFCP profile.
 - pkg_
folder_ strpath  - Pkg Folder Path.
 - policy_
behaviour_ strtype  - Behaviour of the policy.
 - policy_
expiry str - Enable/disable policy expiry. Valid values: 
disable,enable. - policy_
expiry_ strdate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy_
expiry_ strdate_ utc  - Policy expiry date and time, in epoch format.
 - policy_
offload str - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid float
 - Policy ID (0 - 4294967294).
 - poolname str
 - IP Pool names.
 - poolname6 str
 - IPv6 pool names.
 - port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port_
random str - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile_
group str - Name of profile group.
 - profile_
protocol_ stroptions  - Name of an existing Protocol options profile.
 - profile_type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: single, group.
 - radius_ip_auth_bypass str - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: disable, enable.
 - radius_mac_auth_bypass str - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: disable, enable.
 - redirect_url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg_
override_ strgroup  - Override the default replacement message group for this policy.
 - reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation_
minimum float - Minimum Reputation to take action.
 - reputation_
minimum6 float - IPv6 Minimum Reputation to take action.
 - rsso str
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp_
addr str - Address names if this is an RTP NAT policy.
 - rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan_
botnet_ strconnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule str
 - Schedule name.
 - schedule_timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: disable, enable.
 - scopetype str - The scope of application of the resource. Valid values: inherit, adom. `inherit` means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is `inherit`.
 - sctp_filter_profile str - Name of an existing SCTP filter profile.
 - send_
deny_ strpacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service_
negate str - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services Sequence[str]
 - Service and service group names.
 - session_
ttl str - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt_
check str - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts Sequence[float]
 - Security group tags.
 - spamfilter_
profile str - Name of an existing Spam filter profile.
 - src_
vendor_ Sequence[str]macs  - Vendor MAC source ID.
 - srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s Sequence[str]
 - Source IPv6 address name and address group names.
 - srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs Sequence[str]
 - Source address and address group names.
 - srcintfs Sequence[str]
 - Incoming (ingress) interface.
 - ssh_
filter_ strprofile  - Name of an existing SSH filter profile.
 - ssh_
policy_ strredirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl_
mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl_
mirror_ strintf  - SSL mirror interface name.
 - ssl_
ssh_ strprofile  - Name of an existing SSL SSH profile.
 - status str
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp_
mss_ floatreceiver  - Receiver TCP maximum segment size (MSS).
 - tcp_
mss_ floatsender  - Sender TCP maximum segment size (MSS).
 - tcp_
session_ strwithout_ syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp_
timeout_ strpid  - TCP timeout profile ID
 - timeout_
send_ strrst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos str
 - ToS (Type of Service) value used for comparison.
 - tos_
mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos_
negate str - Enable negated TOS match. Valid values: 
disable,enable. - traffic_
shaper str - Traffic shaper.
 - traffic_
shaper_ strreverse  - Reverse traffic shaper.
 - udp_
timeout_ strpid  - UDP timeout profile ID
 - url_
category str - URL category ID list.
 - users Sequence[str]
 - Names of individual users that can authenticate with this policy.
 - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid str
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter_
profile str - Name of an existing VideoFilter profile.
 - virtual_
patch_ strprofile  - Name of an existing virtual-patch profile.
 - vlan_
cos_ floatfwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan_
cos_ floatrev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan_
filter str - Set VLAN filters.
 - voip_
profile str - Name of an existing VoIP profile.
 - vpn_
dst_ Sequence[Packagesnodes Firewall Policy Vpn Dst Node Args]  - Vpn_Dst_Node. The structure of 
vpn_dst_nodeblock is documented below. - vpn_
src_ Sequence[Packagesnodes Firewall Policy Vpn Src Node Args]  - Vpn_Src_Node. The structure of 
vpn_src_nodeblock is documented below. - vpntunnel str
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf_
profile str - Name of an existing Web application firewall profile.
 - wanopt str
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt_
passive_ stropt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt_
peer str - WAN optimization peer.
 - wanopt_
profile str - WAN optimization profile.
 - wccp str
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache str
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter_
profile str - Name of an existing Web filter profile.
 - webproxy_
forward_ strserver  - Webproxy forward server name.
 - webproxy_
profile str - Webproxy profile name.
 - wsso str
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna_
device_ strownership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna_
ems_ strtag  - Source ztna-ems-tag names.
 - ztna_
ems_ strtag_ negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - ztna_
ems_ Sequence[str]tag_ secondaries  - Source ztna-ems-tag-secondary names.
 - ztna_
geo_ strtag  - Source ztna-geo-tag names.
 - ztna_policy_redirect str - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: disable, enable.
 - ztna_status str - Enable/disable zero trust access. Valid values: disable, enable.
 - ztna_tags_match_logic str - ZTNA tag matching logic. Valid values: or, and.
- pkg String
 - Package.
 - _policyBlock Number - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action String - Policy action (allow/deny/ipsec); allow is written as `accept`. Valid values: deny, accept, ipsec, ssl-vpn.
 - adom String - Adom. This value is valid only when the `scopetype` is `adom`; otherwise the value of adom in the provider will be inherited.
 - antiReplay String - Enable/disable anti-replay check. Valid values: disable, enable.
 - appCategory String - Application category ID list.
 - app
Group String - Application group names.
 - appMonitor String - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: disable, enable.
 - applicationList String - Name of an existing Application list.
 - applications List<Number>
 - Application ID list.
 - auth
Cert String - HTTPS server certificate for policy authentication.
 - auth
Path String - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect StringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic StringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile String - Name of an existing Antivirus profile.
 - best
Route String - Best-Route. Valid values: 
disable,enable. - block
Notification String - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal StringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet String - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile String - Name of an existing CASB profile.
 - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping Valid values: 
disable,enable. - cgn
Log StringServer Grp  - NP log server group name
 - cgn
Resource NumberQuota  - resource quota
 - cgn
Session NumberQuota  - session quota
 - cgn
Sw StringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile String - Name of an existing CIFS profile.
 - comments String
 - Comment.
 - custom
Log StringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic StringMirror  - Decrypted traffic mirror.
 - delay
Tcp StringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices String
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter StringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward String - Change packet's DiffServ to this value.
 - diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer String
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile String - Name of an existing DLP profile.
 - dlp
Sensor String - Name of an existing DLP sensor.
 - dnsfilter
Profile String - Name of an existing DNS filter profile.
 - dscp
Match String - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate String - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value String - DSCP value.
 - dsri String
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate String
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s List<String>
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs List<String>
 - Destination address and address group names.
 - dstintfs List<String>
 - Outgoing (egress) interface.
 - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort StringSubtable  - true or false, set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables, please do not set this parameter when configuring static sub-tables.
 - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect String - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile String - Name of an existing email filter profile.
 - fec String
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter StringProfile  - Name of an existing file-filter profile.
 - firewall
Session StringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport String
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso String
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent StringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups List<String> - Names of FSSO groups.
 - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
 - groups List<String>
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile String - GTP profile.
 - http
Policy StringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile String - Name of an existing ICAP profile.
 - identity
Based StringRoute  - Name of identity-based routing rule.
 - inbound String
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom List<String>Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
 - internet
Service6Groups List<String> - Internet Service group name.
 - internet
Service6Names List<String> - IPv6 Internet Service name.
 - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src List<String>Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src List<String>Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src List<String>Groups  - Internet Service6 source group name.
 - internet
Service6Src List<String>Names  - IPv6 Internet Service source name.
 - internet
Service6Src StringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringCustom  - Custom Internet Service name.
 - internet
Service StringCustom Group  - Custom Internet Service group name.
 - internet
Service StringGroup  - Internet Service group name.
 - internet
Service List<String>Ids  - Internet Service ID.
 - internet
Service StringName  - Internet Service name.
 - internet
Service StringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service StringSrc Custom  - Custom Internet Service source name.
 - internet
Service StringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service StringSrc Group  - Internet Service source group name.
 - internet
Service StringSrc Id  - Internet Service source ID.
 - internet
Service StringSrc Name  - Internet Service source name.
 - internet
Service StringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version StringType  - IP version of the policy.
 - ippool String
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor String - Name of an existing IPS sensor.
 - ips
Voip StringFilter  - Name of an existing VoIP (ips) profile.
 - label String
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
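Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. While this is enabled, traffic matching the policy is allowed rather than filtered, so the policy gathers information instead of enforcing a restriction. Valid values: 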
disable,enable. - log
Http StringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic String
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start String - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip StringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile String - Name of an existing MMS profile.
 - name String
 - Policy name.
 - nat String
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 String
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 String
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound String
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips List<String>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound String
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service List<String>Dynamics  - Dynamic Network Service name.
 - network
Service List<String>Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm String
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled List<String>Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound String
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall StringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan StringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames List<String> - PCP pool names.
 - per
Ip StringShaper  - Per-IP traffic shaper.
 - permit
Any StringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun StringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile String - PFCP profile.
 - pkg
Folder StringPath  - Pkg Folder Path.
 - policy
Behaviour StringType  - Behaviour of the policy.
 - policy
Expiry String - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry StringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry StringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid Number
 - Policy ID (0 - 4294967294).
 - poolname String
 - IP Pool names.
 - poolname6 String
 - IPv6 pool names.
 - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random String - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group String - Name of profile group.
 - profile
Protocol StringOptions  - Name of an existing Protocol options profile.
 - profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip StringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac StringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override StringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum Number - Minimum Reputation to take action.
 - reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
 - rsso String
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr String - Address names if this is an RTP NAT policy.
 - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet StringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule String
 - Schedule name.
 - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype String
 - The scope of application of the resource. Valid values: 
inherit,adom. The inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp
Filter StringProfile  - Name of an existing SCTP filter profile.
 - send
Deny StringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services List<String>
 - Service and service group names.
 - session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts List<Number>
 - Security group tags.
 - spamfilter
Profile String - Name of an existing Spam filter profile.
 - src
Vendor List<String>Macs  - Vendor MAC source ID.
 - srcaddr6Negate String
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s List<String>
 - Source IPv6 address name and address group names.
 - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs List<String>
 - Source address and address group names.
 - srcintfs List<String>
 - Incoming (ingress) interface.
 - ssh
Filter StringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy StringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl
Mirror StringIntf  - SSL mirror interface name.
 - ssl
Ssh StringProfile  - Name of an existing SSL SSH profile.
 - status String
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss NumberReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss NumberSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session StringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout StringPid  - TCP timeout profile ID
 - timeout
Send StringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos String
 - ToS (Type of Service) value used for comparison.
 - tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate String - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper String - Traffic shaper.
 - traffic
Shaper StringReverse  - Reverse traffic shaper.
 - udp
Timeout StringPid  - UDP timeout profile ID
 - url
Category String - URL category ID list.
 - users List<String>
 - Names of individual users that can authenticate with this policy.
 - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid String
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile String - Name of an existing VideoFilter profile.
 - virtual
Patch StringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos NumberFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos NumberRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter String - Set VLAN filters.
 - voip
Profile String - Name of an existing VoIP profile.
 - vpn
Dst List<Property Map>Nodes  - Vpn_Dst_Node. The structure of 
vpn_dst_node block is documented below. - vpn
Src List<Property Map>Nodes  - Vpn_Src_Node. The structure of 
vpn_src_node block is documented below. - vpntunnel String
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile String - Name of an existing Web application firewall profile.
 - wanopt String
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive StringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer String - WAN optimization peer.
 - wanopt
Profile String - WAN optimization profile.
 - wccp String
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache String
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile String - Name of an existing Web filter profile.
 - webproxy
Forward StringServer  - Webproxy forward server name.
 - webproxy
Profile String - Webproxy profile name.
 - wsso String
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device StringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems StringTag  - Source ztna-ems-tag names.
 - ztna
Ems StringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - ztnaEmsTagSecondaries List<String>
 - Source ztna-ems-tag-secondary names.
 - ztna
Geo StringTag  - Source ztna-geo-tag names.
 - ztna
Policy StringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna
Status String - Enable/disable zero trust access. Valid values: 
disable,enable. - ztnaTagsMatchLogic String
 - ZTNA tag matching logic. Valid values: 
or,and. 
Outputs
All input properties are implicitly available as output properties. Additionally, the PackagesFirewallPolicy resource produces the following output properties:
- Id string
 - The provider-assigned unique ID for this managed resource.
 
- Id string
 - The provider-assigned unique ID for this managed resource.
 
- id String
 - The provider-assigned unique ID for this managed resource.
 
- id string
 - The provider-assigned unique ID for this managed resource.
 
- id str
 - The provider-assigned unique ID for this managed resource.
 
- id String
 - The provider-assigned unique ID for this managed resource.
 
Look up Existing PackagesFirewallPolicy Resource
Get an existing PackagesFirewallPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PackagesFirewallPolicyState, opts?: CustomResourceOptions): PackagesFirewallPolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        _policy_block: Optional[float] = None,
        action: Optional[str] = None,
        adom: Optional[str] = None,
        anti_replay: Optional[str] = None,
        app_category: Optional[str] = None,
        app_group: Optional[str] = None,
        app_monitor: Optional[str] = None,
        application_list: Optional[str] = None,
        applications: Optional[Sequence[float]] = None,
        auth_cert: Optional[str] = None,
        auth_path: Optional[str] = None,
        auth_redirect_addr: Optional[str] = None,
        auto_asic_offload: Optional[str] = None,
        av_profile: Optional[str] = None,
        best_route: Optional[str] = None,
        block_notification: Optional[str] = None,
        captive_portal_exempt: Optional[str] = None,
        capture_packet: Optional[str] = None,
        casb_profile: Optional[str] = None,
        cgn_eif: Optional[str] = None,
        cgn_eim: Optional[str] = None,
        cgn_log_server_grp: Optional[str] = None,
        cgn_resource_quota: Optional[float] = None,
        cgn_session_quota: Optional[float] = None,
        cgn_sw_eif_ctrl: Optional[str] = None,
        cifs_profile: Optional[str] = None,
        comments: Optional[str] = None,
        custom_log_fields: Optional[str] = None,
        decrypted_traffic_mirror: Optional[str] = None,
        delay_tcp_npu_session: Optional[str] = None,
        devices: Optional[str] = None,
        diameter_filter_profile: Optional[str] = None,
        diffserv_copy: Optional[str] = None,
        diffserv_forward: Optional[str] = None,
        diffserv_reverse: Optional[str] = None,
        diffservcode_forward: Optional[str] = None,
        diffservcode_rev: Optional[str] = None,
        disclaimer: Optional[str] = None,
        dlp_profile: Optional[str] = None,
        dlp_sensor: Optional[str] = None,
        dnsfilter_profile: Optional[str] = None,
        dscp_match: Optional[str] = None,
        dscp_negate: Optional[str] = None,
        dscp_value: Optional[str] = None,
        dsri: Optional[str] = None,
        dstaddr6_negate: Optional[str] = None,
        dstaddr6s: Optional[Sequence[str]] = None,
        dstaddr_negate: Optional[str] = None,
        dstaddrs: Optional[Sequence[str]] = None,
        dstintfs: Optional[Sequence[str]] = None,
        dynamic_shaping: Optional[str] = None,
        dynamic_sort_subtable: Optional[str] = None,
        eif_check: Optional[str] = None,
        eif_learn: Optional[str] = None,
        email_collect: Optional[str] = None,
        emailfilter_profile: Optional[str] = None,
        fec: Optional[str] = None,
        file_filter_profile: Optional[str] = None,
        firewall_session_dirty: Optional[str] = None,
        fixedport: Optional[str] = None,
        fsso: Optional[str] = None,
        fsso_agent_for_ntlm: Optional[str] = None,
        fsso_groups: Optional[Sequence[str]] = None,
        geoip_anycast: Optional[str] = None,
        geoip_match: Optional[str] = None,
        global_label: Optional[str] = None,
        groups: Optional[Sequence[str]] = None,
        gtp_profile: Optional[str] = None,
        http_policy_redirect: Optional[str] = None,
        icap_profile: Optional[str] = None,
        identity_based_route: Optional[str] = None,
        inbound: Optional[str] = None,
        inspection_mode: Optional[str] = None,
        internet_service: Optional[str] = None,
        internet_service6: Optional[str] = None,
        internet_service6_custom_groups: Optional[Sequence[str]] = None,
        internet_service6_customs: Optional[Sequence[str]] = None,
        internet_service6_groups: Optional[Sequence[str]] = None,
        internet_service6_names: Optional[Sequence[str]] = None,
        internet_service6_negate: Optional[str] = None,
        internet_service6_src: Optional[str] = None,
        internet_service6_src_custom_groups: Optional[Sequence[str]] = None,
        internet_service6_src_customs: Optional[Sequence[str]] = None,
        internet_service6_src_groups: Optional[Sequence[str]] = None,
        internet_service6_src_names: Optional[Sequence[str]] = None,
        internet_service6_src_negate: Optional[str] = None,
        internet_service_custom: Optional[str] = None,
        internet_service_custom_group: Optional[str] = None,
        internet_service_group: Optional[str] = None,
        internet_service_ids: Optional[Sequence[str]] = None,
        internet_service_name: Optional[str] = None,
        internet_service_negate: Optional[str] = None,
        internet_service_src: Optional[str] = None,
        internet_service_src_custom: Optional[str] = None,
        internet_service_src_custom_group: Optional[str] = None,
        internet_service_src_group: Optional[str] = None,
        internet_service_src_id: Optional[str] = None,
        internet_service_src_name: Optional[str] = None,
        internet_service_src_negate: Optional[str] = None,
        ip_version_type: Optional[str] = None,
        ippool: Optional[str] = None,
        ips_sensor: Optional[str] = None,
        ips_voip_filter: Optional[str] = None,
        label: Optional[str] = None,
        learning_mode: Optional[str] = None,
        log_http_transaction: Optional[str] = None,
        logtraffic: Optional[str] = None,
        logtraffic_start: Optional[str] = None,
        match_vip: Optional[str] = None,
        match_vip_only: Optional[str] = None,
        mms_profile: Optional[str] = None,
        name: Optional[str] = None,
        nat: Optional[str] = None,
        nat46: Optional[str] = None,
        nat64: Optional[str] = None,
        natinbound: Optional[str] = None,
        natips: Optional[Sequence[str]] = None,
        natoutbound: Optional[str] = None,
        network_service_dynamics: Optional[Sequence[str]] = None,
        network_service_src_dynamics: Optional[Sequence[str]] = None,
        np_acceleration: Optional[str] = None,
        ntlm: Optional[str] = None,
        ntlm_enabled_browsers: Optional[Sequence[str]] = None,
        ntlm_guest: Optional[str] = None,
        outbound: Optional[str] = None,
        packages_firewall_policy_id: Optional[str] = None,
        passive_wan_health_measurement: Optional[str] = None,
        pcp_inbound: Optional[str] = None,
        pcp_outbound: Optional[str] = None,
        pcp_poolnames: Optional[Sequence[str]] = None,
        per_ip_shaper: Optional[str] = None,
        permit_any_host: Optional[str] = None,
        permit_stun_host: Optional[str] = None,
        pfcp_profile: Optional[str] = None,
        pkg: Optional[str] = None,
        pkg_folder_path: Optional[str] = None,
        policy_behaviour_type: Optional[str] = None,
        policy_expiry: Optional[str] = None,
        policy_expiry_date: Optional[str] = None,
        policy_expiry_date_utc: Optional[str] = None,
        policy_offload: Optional[str] = None,
        policyid: Optional[float] = None,
        poolname: Optional[str] = None,
        poolname6: Optional[str] = None,
        port_preserve: Optional[str] = None,
        port_random: Optional[str] = None,
        profile_group: Optional[str] = None,
        profile_protocol_options: Optional[str] = None,
        profile_type: Optional[str] = None,
        radius_ip_auth_bypass: Optional[str] = None,
        radius_mac_auth_bypass: Optional[str] = None,
        redirect_url: Optional[str] = None,
        replacemsg_override_group: Optional[str] = None,
        reputation_direction: Optional[str] = None,
        reputation_direction6: Optional[str] = None,
        reputation_minimum: Optional[float] = None,
        reputation_minimum6: Optional[float] = None,
        rsso: Optional[str] = None,
        rtp_addr: Optional[str] = None,
        rtp_nat: Optional[str] = None,
        scan_botnet_connections: Optional[str] = None,
        schedule: Optional[str] = None,
        schedule_timeout: Optional[str] = None,
        scopetype: Optional[str] = None,
        sctp_filter_profile: Optional[str] = None,
        send_deny_packet: Optional[str] = None,
        service_negate: Optional[str] = None,
        services: Optional[Sequence[str]] = None,
        session_ttl: Optional[str] = None,
        sgt_check: Optional[str] = None,
        sgts: Optional[Sequence[float]] = None,
        spamfilter_profile: Optional[str] = None,
        src_vendor_macs: Optional[Sequence[str]] = None,
        srcaddr6_negate: Optional[str] = None,
        srcaddr6s: Optional[Sequence[str]] = None,
        srcaddr_negate: Optional[str] = None,
        srcaddrs: Optional[Sequence[str]] = None,
        srcintfs: Optional[Sequence[str]] = None,
        ssh_filter_profile: Optional[str] = None,
        ssh_policy_redirect: Optional[str] = None,
        ssl_mirror: Optional[str] = None,
        ssl_mirror_intf: Optional[str] = None,
        ssl_ssh_profile: Optional[str] = None,
        status: Optional[str] = None,
        tcp_mss_receiver: Optional[float] = None,
        tcp_mss_sender: Optional[float] = None,
        tcp_session_without_syn: Optional[str] = None,
        tcp_timeout_pid: Optional[str] = None,
        timeout_send_rst: Optional[str] = None,
        tos: Optional[str] = None,
        tos_mask: Optional[str] = None,
        tos_negate: Optional[str] = None,
        traffic_shaper: Optional[str] = None,
        traffic_shaper_reverse: Optional[str] = None,
        udp_timeout_pid: Optional[str] = None,
        url_category: Optional[str] = None,
        users: Optional[Sequence[str]] = None,
        utm_status: Optional[str] = None,
        uuid: Optional[str] = None,
        videofilter_profile: Optional[str] = None,
        virtual_patch_profile: Optional[str] = None,
        vlan_cos_fwd: Optional[float] = None,
        vlan_cos_rev: Optional[float] = None,
        vlan_filter: Optional[str] = None,
        voip_profile: Optional[str] = None,
        vpn_dst_nodes: Optional[Sequence[PackagesFirewallPolicyVpnDstNodeArgs]] = None,
        vpn_src_nodes: Optional[Sequence[PackagesFirewallPolicyVpnSrcNodeArgs]] = None,
        vpntunnel: Optional[str] = None,
        waf_profile: Optional[str] = None,
        wanopt: Optional[str] = None,
        wanopt_detection: Optional[str] = None,
        wanopt_passive_opt: Optional[str] = None,
        wanopt_peer: Optional[str] = None,
        wanopt_profile: Optional[str] = None,
        wccp: Optional[str] = None,
        webcache: Optional[str] = None,
        webcache_https: Optional[str] = None,
        webfilter_profile: Optional[str] = None,
        webproxy_forward_server: Optional[str] = None,
        webproxy_profile: Optional[str] = None,
        wsso: Optional[str] = None,
        ztna_device_ownership: Optional[str] = None,
        ztna_ems_tag: Optional[str] = None,
        ztna_ems_tag_negate: Optional[str] = None,
        ztna_ems_tag_secondaries: Optional[Sequence[str]] = None,
        ztna_geo_tag: Optional[str] = None,
        ztna_policy_redirect: Optional[str] = None,
        ztna_status: Optional[str] = None,
        ztna_tags_match_logic: Optional[str] = None) -> PackagesFirewallPolicy
func GetPackagesFirewallPolicy(ctx *Context, name string, id IDInput, state *PackagesFirewallPolicyState, opts ...ResourceOption) (*PackagesFirewallPolicy, error)
public static PackagesFirewallPolicy Get(string name, Input<string> id, PackagesFirewallPolicyState? state, CustomResourceOptions? opts = null)
public static PackagesFirewallPolicy get(String name, Output<String> id, PackagesFirewallPolicyState state, CustomResourceOptions options)
resources:
  _:
    type: fortimanager:PackagesFirewallPolicy
    get:
      id: ${id}
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- resource_name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- name
 - The unique name of the resulting resource.
 - id
 - The unique provider ID of the resource to lookup.
 - state
 - Any extra arguments used during the lookup.
 - opts
 - A bag of options that control this resource's behavior.
 
- Action string
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - Adom string
 - Adom. This value is valid only when the 
scopetype is adom, otherwise the value of adom in the provider will be inherited. - Anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - App
Category string - Application category ID list.
 - App
Group string - Application group names.
 - App
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Application
List string - Name of an existing Application list.
 - Applications List<double>
 - Application ID list.
 - Auth
Cert string - HTTPS server certificate for policy authentication.
 - Auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - Auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - Auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - Av
Profile string - Name of an existing Antivirus profile.
 - Best
Route string - Best-Route. Valid values: 
disable,enable. - Block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - Captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - Capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - Casb
Profile string - Name of an existing CASB profile.
 - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - Cgn
Log stringServer Grp  - NP log server group name
 - Cgn
Resource doubleQuota  - resource quota
 - Cgn
Session doubleQuota  - session quota
 - Cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - Cifs
Profile string - Name of an existing CIFS profile.
 - Comments string
 - Comment.
 - Custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - Decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - Delay
Tcp stringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - Devices string
 - Names of devices or device groups that can be matched by the policy.
 - Diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - Diffservcode
Forward string - Change packet's DiffServ to this value.
 - Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - Disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - Dlp
Profile string - Name of an existing DLP profile.
 - Dlp
Sensor string - Name of an existing DLP sensor.
 - Dnsfilter
Profile string - Name of an existing DNS filter profile.
 - Dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - Dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - Dscp
Value string - DSCP value.
 - Dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - Dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddr6s List<string>
 - Destination IPv6 address name and address group names.
 - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddrs List<string>
 - Destination address and address group names.
 - Dstintfs List<string>
 - Outgoing (egress) interface.
 - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - Dynamic
Sort stringSubtable  - true or false, set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables, please do not set this parameter when configuring static sub-tables.
 - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - Email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - Emailfilter
Profile string - Name of an existing email filter profile.
 - Fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - File
Filter stringProfile  - Name of an existing file-filter profile.
 - Firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - Fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - Fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - Fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - Fsso
Groups List<string> - Names of FSSO groups.
 - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - Groups List<string>
 - Names of user groups that can authenticate with this policy.
 - Gtp
Profile string - GTP profile.
 - Http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - Icap
Profile string - Name of an existing ICAP profile.
 - Identity
Based stringRoute  - Name of identity-based routing rule.
 - Inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6Custom List<string>Groups  - Custom Internet Service6 group name.
 - Internet
Service6Customs List<string> - Custom IPv6 Internet Service name.
 - Internet
Service6Groups List<string> - Internet Service group name.
 - Internet
Service6Names List<string> - IPv6 Internet Service name.
 - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service6Src List<string>Custom Groups  - Custom Internet Service6 source group name.
 - Internet
Service6Src List<string>Customs  - Custom IPv6 Internet Service source name.
 - Internet
Service6Src List<string>Groups  - Internet Service6 source group name.
 - Internet
Service6Src List<string>Names  - IPv6 Internet Service source name.
 - Internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringCustom  - Custom Internet Service name.
 - Internet
Service stringCustom Group  - Custom Internet Service group name.
 - Internet
Service stringGroup  - Internet Service group name.
 - Internet
Service List<string>Ids  - Internet Service ID.
 - Internet
Service stringName  - Internet Service name.
 - Internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service stringSrc Custom  - Custom Internet Service source name.
 - Internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - Internet
Service stringSrc Group  - Internet Service source group name.
 - Internet
Service stringSrc Id  - Internet Service source ID.
 - Internet
Service stringSrc Name  - Internet Service source name.
 - Internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - Ip
Version stringType  - IP version of the policy.
 - Ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - Ips
Sensor string - Name of an existing IPS sensor.
 - Ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - Label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - LearningMode string - When enabled, the policy allows everything but logs all of the meaningful data for security information gathering, and a learning report will be generated. Valid values: 
disable,enable. - Log
Http stringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - Logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - Logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Mms
Profile string - Name of an existing MMS profile.
 - Name string
 - Policy name.
 - Nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - Nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - Nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - Natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - Natips List<string>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - Natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - Network
Service List<string>Dynamics  - Dynamic Network Service name.
 - Network
Service List<string>Src Dynamics  - Dynamic Network Service source name.
 - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - Ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - Ntlm
Enabled List<string>Browsers  - HTTP-User-Agent value of supported browsers.
 - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - Outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - PackagesFirewallPolicyId string - An identifier for the resource, in the format {{policyid}}.
 - Passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - Pcp
Poolnames List<string> - PCP pool names.
 - Per
Ip stringShaper  - Per-IP traffic shaper.
 - PermitAnyHost string - Accept UDP packets from any host. Valid values: 
disable,enable. - PermitStunHost string - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - Pfcp
Profile string - PFCP profile.
 - Pkg string
 - Package.
 - Pkg
Folder stringPath  - Pkg Folder Path.
 - Policy
Behaviour stringType  - Behaviour of the policy.
 - Policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - Policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - Policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - Policyid double
 - Policy ID (0 - 4294967294).
 - Poolname string
 - IP Pool names.
 - Poolname6 string
 - IPv6 pool names.
 - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - Port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - Profile
Group string - Name of profile group.
 - Profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - RadiusIpAuthBypass string - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: 
disable,enable. - RadiusMacAuthBypass string - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: 
disable,enable. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - Replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - Reputation
Minimum double - Minimum Reputation to take action.
 - Reputation
Minimum6 double - IPv6 Minimum Reputation to take action.
 - Rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - Rtp
Addr string - Address names if this is an RTP NAT policy.
 - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - Scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - Schedule string
 - Schedule name.
 - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - Scopetype string
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - Sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - Send
Deny stringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - Services List<string>
 - Service and service group names.
 - Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - Sgts List<double>
 - Security group tags.
 - Spamfilter
Profile string - Name of an existing Spam filter profile.
 - Src
Vendor List<string>Macs  - Vendor MAC source ID.
 - Srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddr6s List<string>
 - Source IPv6 address name and address group names.
 - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddrs List<string>
 - Source address and address group names.
 - Srcintfs List<string>
 - Incoming (ingress) interface.
 - Ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - Ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - Ssl
Mirror stringIntf  - SSL mirror interface name.
 - Ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - Status string
 - Enable or disable this policy. Valid values: 
disable,enable. - Tcp
Mss doubleReceiver  - Receiver TCP maximum segment size (MSS).
 - Tcp
Mss doubleSender  - Sender TCP maximum segment size (MSS).
 - TcpSessionWithoutSyn string - Enable/disable creation of a TCP session without the SYN flag. Valid values: 
all,data-only,disable. - Tcp
Timeout stringPid  - TCP timeout profile ID
 - Timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - Tos string
 - ToS (Type of Service) value used for comparison.
 - Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - Tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - Traffic
Shaper string - Traffic shaper.
 - Traffic
Shaper stringReverse  - Reverse traffic shaper.
 - Udp
Timeout stringPid  - UDP timeout profile ID
 - Url
Category string - URL category ID list.
 - Users List<string>
 - Names of individual users that can authenticate with this policy.
 - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - Uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - Videofilter
Profile string - Name of an existing VideoFilter profile.
 - Virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - Vlan
Cos doubleFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Cos doubleRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Filter string - Set VLAN filters.
 - Voip
Profile string - Name of an existing VoIP profile.
 - VpnDstNodes List<PackagesFirewallPolicyVpnDstNode> - Vpn_Dst_Node. The structure of the vpn_dst_node block is documented below.
 - VpnSrcNodes List<PackagesFirewallPolicyVpnSrcNode> - Vpn_Src_Node. The structure of the vpn_src_node block is documented below. - Vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - Waf
Profile string - Name of an existing Web application firewall profile.
 - Wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - Wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - Wanopt
Peer string - WAN optimization peer.
 - Wanopt
Profile string - WAN optimization profile.
 - Wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - Webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - Webfilter
Profile string - Name of an existing Web filter profile.
 - Webproxy
Forward stringServer  - Webproxy forward server name.
 - Webproxy
Profile string - Webproxy profile name.
 - Wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - Ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - Ztna
Ems stringTag  - Source ztna-ems-tag names.
 - Ztna
Ems stringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - List<string>
 - Source ztna-ems-tag-secondary names.
 - Ztna
Geo stringTag  - Source ztna-geo-tag names.
 - Ztna
Policy stringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - Ztna
Status string - Enable/disable zero trust access. Valid values: 
disable,enable. - string
 - ZTNA tag matching logic. Valid values: 
or,and. - _policyBlock double - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 
- Action string
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - Adom string
 - Adom. This value is valid only when the 
scopetype is adom; otherwise the value of adom in the provider will be inherited. - Anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - App
Category string - Application category ID list.
 - App
Group string - Application group names.
 - App
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Application
List string - Name of an existing Application list.
 - Applications []float64
 - Application ID list.
 - Auth
Cert string - HTTPS server certificate for policy authentication.
 - Auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - Auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - Auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - Av
Profile string - Name of an existing Antivirus profile.
 - Best
Route string - Best-Route. Valid values: 
disable,enable. - Block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - Captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - Capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - Casb
Profile string - Name of an existing CASB profile.
 - Cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - Cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - Cgn
Log stringServer Grp  - NP log server group name
 - Cgn
Resource float64Quota  - resource quota
 - Cgn
Session float64Quota  - session quota
 - Cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - Cifs
Profile string - Name of an existing CIFS profile.
 - Comments string
 - Comment.
 - Custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - Decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - Delay
Tcp stringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - Devices string
 - Names of devices or device groups that can be matched by the policy.
 - Diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - Diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - Diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - Diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - Diffservcode
Forward string - Change packet's DiffServ to this value.
 - Diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - Disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - Dlp
Profile string - Name of an existing DLP profile.
 - Dlp
Sensor string - Name of an existing DLP sensor.
 - Dnsfilter
Profile string - Name of an existing DNS filter profile.
 - Dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - Dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - Dscp
Value string - DSCP value.
 - Dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - Dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddr6s []string
 - Destination IPv6 address name and address group names.
 - Dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - Dstaddrs []string
 - Destination address and address group names.
 - Dstintfs []string
 - Outgoing (egress) interface.
 - Dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - DynamicSortSubtable string - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - Eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - Eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - Email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - Emailfilter
Profile string - Name of an existing email filter profile.
 - Fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - File
Filter stringProfile  - Name of an existing file-filter profile.
 - Firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - Fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - Fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - Fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - Fsso
Groups []string - Names of FSSO groups.
 - Geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - Geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - Global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - Groups []string
 - Names of user groups that can authenticate with this policy.
 - Gtp
Profile string - GTP profile.
 - Http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - Icap
Profile string - Name of an existing ICAP profile.
 - Identity
Based stringRoute  - Name of identity-based routing rule.
 - Inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - Inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - Internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - Internet
Service6Custom []stringGroups  - Custom Internet Service6 group name.
 - Internet
Service6Customs []string - Custom IPv6 Internet Service name.
 - Internet
Service6Groups []string - Internet Service group name.
 - Internet
Service6Names []string - IPv6 Internet Service name.
 - Internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service6Src []stringCustom Groups  - Custom Internet Service6 source group name.
 - Internet
Service6Src []stringCustoms  - Custom IPv6 Internet Service source name.
 - Internet
Service6Src []stringGroups  - Internet Service6 source group name.
 - Internet
Service6Src []stringNames  - IPv6 Internet Service source name.
 - Internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringCustom  - Custom Internet Service name.
 - Internet
Service stringCustom Group  - Custom Internet Service group name.
 - Internet
Service stringGroup  - Internet Service group name.
 - Internet
Service []stringIds  - Internet Service ID.
 - Internet
Service stringName  - Internet Service name.
 - Internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - Internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - Internet
Service stringSrc Custom  - Custom Internet Service source name.
 - Internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - Internet
Service stringSrc Group  - Internet Service source group name.
 - Internet
Service stringSrc Id  - Internet Service source ID.
 - Internet
Service stringSrc Name  - Internet Service source name.
 - Internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - Ip
Version stringType  - IP version of the policy.
 - Ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - Ips
Sensor string - Name of an existing IPS sensor.
 - Ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - Label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - LearningMode string - When enabled, the policy allows everything but logs all of the meaningful data for security information gathering, and a learning report will be generated. Valid values: 
disable,enable. - Log
Http stringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - Logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - Logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - Match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - Mms
Profile string - Name of an existing MMS profile.
 - Name string
 - Policy name.
 - Nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - Nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - Nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - Natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - Natips []string
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - Natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - Network
Service []stringDynamics  - Dynamic Network Service name.
 - Network
Service []stringSrc Dynamics  - Dynamic Network Service source name.
 - Np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - Ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - Ntlm
Enabled []stringBrowsers  - HTTP-User-Agent value of supported browsers.
 - Ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - Outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - PackagesFirewallPolicyId string - An identifier for the resource, in the format {{policyid}}.
 - Passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - Pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - Pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - Pcp
Poolnames []string - PCP pool names.
 - Per
Ip stringShaper  - Per-IP traffic shaper.
 - PermitAnyHost string - Accept UDP packets from any host. Valid values: 
disable,enable. - PermitStunHost string - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - Pfcp
Profile string - PFCP profile.
 - Pkg string
 - Package.
 - Pkg
Folder stringPath  - Pkg Folder Path.
 - Policy
Behaviour stringType  - Behaviour of the policy.
 - Policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - Policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - Policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - Policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - Policyid float64
 - Policy ID (0 - 4294967294).
 - Poolname string
 - IP Pool names.
 - Poolname6 string
 - IPv6 pool names.
 - Port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - Port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - Profile
Group string - Name of profile group.
 - Profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - Profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - RadiusIpAuthBypass string - Enable IP authentication bypass. The bypassed IP address must be received from the RADIUS server. Valid values: 
disable,enable. - RadiusMacAuthBypass string - Enable MAC authentication bypass. The bypassed MAC address must be received from the RADIUS server. Valid values: 
disable,enable. - Redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - Replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - Reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - Reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - Reputation
Minimum float64 - Minimum Reputation to take action.
 - Reputation
Minimum6 float64 - IPv6 Minimum Reputation to take action.
 - Rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - Rtp
Addr string - Address names if this is an RTP NAT policy.
 - Rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - Scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - Schedule string
 - Schedule name.
 - Schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - Scopetype string
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - Sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - Send
Deny stringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - Service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - Services []string
 - Service and service group names.
 - Session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - Sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - Sgts []float64
 - Security group tags.
 - Spamfilter
Profile string - Name of an existing Spam filter profile.
 - Src
Vendor []stringMacs  - Vendor MAC source ID.
 - Srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddr6s []string
 - Source IPv6 address name and address group names.
 - Srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - Srcaddrs []string
 - Source address and address group names.
 - Srcintfs []string
 - Incoming (ingress) interface.
 - Ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - Ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - Ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is unencrypted, so restrict access to the mirror interface. Valid values: 
disable,enable. - Ssl
Mirror stringIntf  - SSL mirror interface name.
 - Ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - Status string
 - Enable or disable this policy. Valid values: 
disable,enable. - Tcp
Mss float64Receiver  - Receiver TCP maximum segment size (MSS).
 - Tcp
Mss float64Sender  - Sender TCP maximum segment size (MSS).
 - Tcp
Session stringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - Tcp
Timeout stringPid  - TCP timeout profile ID
 - Timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - Tos string
 - ToS (Type of Service) value used for comparison.
 - Tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - Tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - Traffic
Shaper string - Traffic shaper.
 - Traffic
Shaper stringReverse  - Reverse traffic shaper.
 - Udp
Timeout stringPid  - UDP timeout profile ID
 - Url
Category string - URL category ID list.
 - Users []string
 - Names of individual users that can authenticate with this policy.
 - Utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - Uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - Videofilter
Profile string - Name of an existing VideoFilter profile.
 - Virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - Vlan
Cos float64Fwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Cos float64Rev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - Vlan
Filter string - Set VLAN filters.
 - Voip
Profile string - Name of an existing VoIP profile.
 - Vpn
Dst []PackagesNodes Firewall Policy Vpn Dst Node Args  - Vpn_Dst_Node. The structure of 
`vpn_dst_node` block is documented below. - Vpn
Src []PackagesNodes Firewall Policy Vpn Src Node Args  - Vpn_Src_Node. The structure of 
`vpn_src_node` block is documented below. - Vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - Waf
Profile string - Name of an existing Web application firewall profile.
 - Wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - Wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - Wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values: 
default,transparent,non-transparent. - Wanopt
Peer string - WAN optimization peer.
 - Wanopt
Profile string - WAN optimization profile.
 - Wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - Webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - Webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - Webfilter
Profile string - Name of an existing Web filter profile.
 - Webproxy
Forward stringServer  - Webproxy forward server name.
 - Webproxy
Profile string - Webproxy profile name.
 - Wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - Ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - Ztna
Ems stringTag  - Source ztna-ems-tag names.
 - Ztna
Ems stringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - []string
 - Source ztna-ems-tag-secondary names.
 - Ztna
Geo stringTag  - Source ztna-geo-tag names.
 - Ztna
Policy stringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - Ztna
Status string - Enable/disable zero trust access. Valid values: 
disable,enable. - string
 - ZTNA tag matching logic. Valid values: 
or,and. - _
policy float64Block  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 
- _
policy DoubleBlock  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action String
 - Policy action (allow/deny/ipsec); the allow action is written as `accept`. Valid values: 
deny,accept,ipsec,ssl-vpn. - adom String
 - Adom. This value is valid only when the 
`scopetype` is `adom`; otherwise the value of adom in the provider will be inherited. - anti
Replay String - Enable/disable anti-replay check. Valid values: 
disable,enable. - app
Category String - Application category ID list.
 - app
Group String - Application group names.
 - app
Monitor String - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application
List String - Name of an existing Application list.
 - applications List<Double>
 - Application ID list.
 - auth
Cert String - HTTPS server certificate for policy authentication.
 - auth
Path String - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect StringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic StringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile String - Name of an existing Antivirus profile.
 - best
Route String - Best-Route. Valid values: 
disable,enable. - block
Notification String - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal StringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet String - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile String - Name of an existing CASB profile.
 - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn
Log StringServer Grp  - NP log server group name
 - cgn
Resource DoubleQuota  - resource quota
 - cgn
Session DoubleQuota  - session quota
 - cgn
Sw StringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile String - Name of an existing CIFS profile.
 - comments String
 - Comment.
 - custom
Log StringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic StringMirror  - Decrypted traffic mirror.
 - delay
Tcp StringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices String
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter StringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward String - Change packet's DiffServ to this value.
 - diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer String
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile String - Name of an existing DLP profile.
 - dlp
Sensor String - Name of an existing DLP sensor.
 - dnsfilter
Profile String - Name of an existing DNS filter profile.
 - dscp
Match String - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate String - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value String - DSCP value.
 - dsri String
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate String
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s List<String>
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs List<String>
 - Destination address and address group names.
 - dstintfs List<String>
 - Outgoing (egress) interface.
 - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort StringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set it when configuring static sub-tables.
 - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect String - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile String - Name of an existing email filter profile.
 - fec String
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter StringProfile  - Name of an existing file-filter profile.
 - firewall
Session StringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport String
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso String
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent StringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups List<String> - Names of FSSO groups.
 - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
 - groups List<String>
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile String - GTP profile.
 - http
Policy StringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile String - Name of an existing ICAP profile.
 - identity
Based StringRoute  - Name of identity-based routing rule.
 - inbound String
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom List<String>Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
 - internet
Service6Groups List<String> - Internet Service group name.
 - internet
Service6Names List<String> - IPv6 Internet Service name.
 - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src List<String>Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src List<String>Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src List<String>Groups  - Internet Service6 source group name.
 - internet
Service6Src List<String>Names  - IPv6 Internet Service source name.
 - internet
Service6Src StringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringCustom  - Custom Internet Service name.
 - internet
Service StringCustom Group  - Custom Internet Service group name.
 - internet
Service StringGroup  - Internet Service group name.
 - internet
Service List<String>Ids  - Internet Service ID.
 - internet
Service StringName  - Internet Service name.
 - internet
Service StringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service StringSrc Custom  - Custom Internet Service source name.
 - internet
Service StringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service StringSrc Group  - Internet Service source group name.
 - internet
Service StringSrc Id  - Internet Service source ID.
 - internet
Service StringSrc Name  - Internet Service source name.
 - internet
Service StringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version StringType  - IP version of the policy.
 - ippool String
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor String - Name of an existing IPS sensor.
 - ips
Voip StringFilter  - Name of an existing VoIP (ips) profile.
 - label String
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
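Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Traffic matching the policy is allowed while this is enabled, so leave it disabled on policies that are meant to block traffic. Valid values: 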
disable,enable. - log
Http StringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic String
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start String - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip StringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile String - Name of an existing MMS profile.
 - name String
 - Policy name.
 - nat String
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 String
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 String
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound String
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips List<String>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound String
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service List<String>Dynamics  - Dynamic Network Service name.
 - network
Service List<String>Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm String
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled List<String>Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound String
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall StringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan StringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames List<String> - PCP pool names.
 - per
Ip StringShaper  - Per-IP traffic shaper.
 - permit
Any StringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun StringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile String - PFCP profile.
 - pkg String
 - Package.
 - pkg
Folder StringPath  - Pkg Folder Path.
 - policy
Behaviour StringType  - Behaviour of the policy.
 - policy
Expiry String - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry StringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry StringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid Double
 - Policy ID (0 - 4294967294).
 - poolname String
 - IP Pool names.
 - poolname6 String
 - IPv6 pool names.
 - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random String - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group String - Name of profile group.
 - profile
Protocol StringOptions  - Name of an existing Protocol options profile.
 - profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip StringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac StringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override StringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum Double - Minimum Reputation to take action.
 - reputation
Minimum6 Double - IPv6 Minimum Reputation to take action.
 - rsso String
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr String - Address names if this is an RTP NAT policy.
 - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet StringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule String
 - Schedule name.
 - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype String
 - The scope of application of the resource. Valid values: 
inherit,adom. The value `inherit` means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is `inherit`. - sctp
Filter StringProfile  - Name of an existing SCTP filter profile.
 - send
Deny StringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services List<String>
 - Service and service group names.
 - session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts List<Double>
 - Security group tags.
 - spamfilter
Profile String - Name of an existing Spam filter profile.
 - src
Vendor List<String>Macs  - Vendor MAC source ID.
 - srcaddr6Negate String
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s List<String>
 - Source IPv6 address name and address group names.
 - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs List<String>
 - Source address and address group names.
 - srcintfs List<String>
 - Incoming (ingress) interface.
 - ssh
Filter StringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy StringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). The mirrored copy is unencrypted, so restrict access to the mirror interface. Valid values: 
disable,enable. - ssl
Mirror StringIntf  - SSL mirror interface name.
 - ssl
Ssh StringProfile  - Name of an existing SSL SSH profile.
 - status String
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss DoubleReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss DoubleSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session StringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout StringPid  - TCP timeout profile ID
 - timeout
Send StringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos String
 - ToS (Type of Service) value used for comparison.
 - tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate String - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper String - Traffic shaper.
 - traffic
Shaper StringReverse  - Reverse traffic shaper.
 - udp
Timeout StringPid  - UDP timeout profile ID
 - url
Category String - URL category ID list.
 - users List<String>
 - Names of individual users that can authenticate with this policy.
 - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid String
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile String - Name of an existing VideoFilter profile.
 - virtual
Patch StringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos DoubleFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos DoubleRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter String - Set VLAN filters.
 - voip
Profile String - Name of an existing VoIP profile.
 - vpn
Dst List<PackagesNodes Firewall Policy Vpn Dst Node>  - Vpn_Dst_Node. The structure of 
`vpn_dst_node` block is documented below. - vpn
Src List<PackagesNodes Firewall Policy Vpn Src Node>  - Vpn_Src_Node. The structure of 
`vpn_src_node` block is documented below. - vpntunnel String
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile String - Name of an existing Web application firewall profile.
 - wanopt String
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive StringOpt  - WAN optimization passive mode options. This option decides which IP address is used to connect to the server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer String - WAN optimization peer.
 - wanopt
Profile String - WAN optimization profile.
 - wccp String
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache String
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile String - Name of an existing Web filter profile.
 - webproxy
Forward StringServer  - Webproxy forward server name.
 - webproxy
Profile String - Webproxy profile name.
 - wsso String
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device StringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems StringTag  - Source ztna-ems-tag names.
 - ztna
Ems StringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - List<String>
 - Source ztna-ems-tag-secondary names.
 - ztna
Geo StringTag  - Source ztna-geo-tag names.
 - ztna
Policy StringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna
Status String - Enable/disable zero trust access. Valid values: 
disable,enable. - String
 - ZTNA tag matching logic. Valid values: 
or,and. 
- _
policy numberBlock  - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action string
 - Policy action (allow/deny/ipsec); the allow action is written as `accept`. Valid values: 
deny,accept,ipsec,ssl-vpn. - adom string
 - Adom. This value is valid only when the 
`scopetype` is `adom`; otherwise the value of adom in the provider will be inherited. - anti
Replay string - Enable/disable anti-replay check. Valid values: 
disable,enable. - app
Category string - Application category ID list.
 - app
Group string - Application group names.
 - app
Monitor string - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application
List string - Name of an existing Application list.
 - applications number[]
 - Application ID list.
 - auth
Cert string - HTTPS server certificate for policy authentication.
 - auth
Path string - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect stringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic stringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile string - Name of an existing Antivirus profile.
 - best
Route string - Best-Route. Valid values: 
disable,enable. - block
Notification string - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal stringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet string - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile string - Name of an existing CASB profile.
 - cgn
Eif string - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim string - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn
Log stringServer Grp  - NP log server group name
 - cgn
Resource numberQuota  - resource quota
 - cgn
Session numberQuota  - session quota
 - cgn
Sw stringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile string - Name of an existing CIFS profile.
 - comments string
 - Comment.
 - custom
Log stringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic stringMirror  - Decrypted traffic mirror.
 - delay
Tcp stringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices string
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter stringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy string - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward string - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse string - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward string - Change packet's DiffServ to this value.
 - diffservcode
Rev string - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer string
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile string - Name of an existing DLP profile.
 - dlp
Sensor string - Name of an existing DLP sensor.
 - dnsfilter
Profile string - Name of an existing DNS filter profile.
 - dscp
Match string - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate string - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value string - DSCP value.
 - dsri string
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate string
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s string[]
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate string - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs string[]
 - Destination address and address group names.
 - dstintfs string[]
 - Outgoing (egress) interface.
 - dynamic
Shaping string - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort stringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set it when configuring static sub-tables.
 - eif
Check string - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn string - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect string - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile string - Name of an existing email filter profile.
 - fec string
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter stringProfile  - Name of an existing file-filter profile.
 - firewall
Session stringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport string
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso string
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent stringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups string[] - Names of FSSO groups.
 - geoip
Anycast string - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match string - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label string - Label for the policy that appears when the GUI is in Global View mode.
 - groups string[]
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile string - GTP profile.
 - http
Policy stringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile string - Name of an existing ICAP profile.
 - identity
Based stringRoute  - Name of identity-based routing rule.
 - inbound string
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode string - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service string - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 string - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom string[]Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs string[] - Custom IPv6 Internet Service name.
 - internet
Service6Groups string[] - Internet Service group name.
 - internet
Service6Names string[] - IPv6 Internet Service name.
 - internet
Service6Negate string - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src string - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src string[]Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src string[]Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src string[]Groups  - Internet Service6 source group name.
 - internet
Service6Src string[]Names  - IPv6 Internet Service source name.
 - internet
Service6Src stringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service stringCustom  - Custom Internet Service name.
 - internet
Service stringCustom Group  - Custom Internet Service group name.
 - internet
Service stringGroup  - Internet Service group name.
 - internet
Service string[]Ids  - Internet Service ID.
 - internet
Service stringName  - Internet Service name.
 - internet
Service stringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service stringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service stringSrc Custom  - Custom Internet Service source name.
 - internet
Service stringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service stringSrc Group  - Internet Service source group name.
 - internet
Service stringSrc Id  - Internet Service source ID.
 - internet
Service stringSrc Name  - Internet Service source name.
 - internet
Service stringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version stringType  - IP version of the policy.
 - ippool string
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor string - Name of an existing IPS sensor.
 - ips
Voip stringFilter  - Name of an existing VoIP (ips) profile.
 - label string
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
Mode string - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: 
disable,enable. - log
Http stringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic string
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start string - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip string - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip stringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile string - Name of an existing MMS profile.
 - name string
 - Policy name.
 - nat string
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 string
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 string
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound string
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips string[]
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound string
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service string[]Dynamics  - Dynamic Network Service name.
 - network
Service string[]Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration string - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm string
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled string[]Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest string - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound string
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall stringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan stringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound string - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound string - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames string[] - PCP pool names.
 - per
Ip stringShaper  - Per-IP traffic shaper.
 - permit
Any stringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun stringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile string - PFCP profile.
 - pkg string
 - Package.
 - pkg
Folder stringPath  - Pkg Folder Path.
 - policy
Behaviour stringType  - Behaviour of the policy.
 - policy
Expiry string - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry stringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry stringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload string - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid number
 - Policy ID (0 - 4294967294).
 - poolname string
 - IP Pool names.
 - poolname6 string
 - IPv6 pool names.
 - port
Preserve string - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random string - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group string - Name of profile group.
 - profile
Protocol stringOptions  - Name of an existing Protocol options profile.
 - profile
Type string - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip stringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac stringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url string - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override stringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction string - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 string - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum number - Minimum Reputation to take action.
 - reputation
Minimum6 number - IPv6 Minimum Reputation to take action.
 - rsso string
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr string - Address names if this is an RTP NAT policy.
 - rtp
Nat string - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet stringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule string
 - Schedule name.
 - schedule
Timeout string - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype string
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp
Filter stringProfile  - Name of an existing SCTP filter profile.
 - send
Deny stringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate string - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services string[]
 - Service and service group names.
 - session
Ttl string - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check string - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts number[]
 - Security group tags.
 - spamfilter
Profile string - Name of an existing Spam filter profile.
 - src
Vendor string[]Macs  - Vendor MAC source ID.
 - srcaddr6Negate string
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s string[]
 - Source IPv6 address name and address group names.
 - srcaddr
Negate string - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs string[]
 - Source address and address group names.
 - srcintfs string[]
 - Incoming (ingress) interface.
 - ssh
Filter stringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy stringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror string - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl
Mirror stringIntf  - SSL mirror interface name.
 - ssl
Ssh stringProfile  - Name of an existing SSL SSH profile.
 - status string
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss numberReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss numberSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session stringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout stringPid  - TCP timeout profile ID
 - timeout
Send stringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos string
 - ToS (Type of Service) value used for comparison.
 - tos
Mask string - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate string - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper string - Traffic shaper.
 - traffic
Shaper stringReverse  - Reverse traffic shaper.
 - udp
Timeout stringPid  - UDP timeout profile ID
 - url
Category string - URL category ID list.
 - users string[]
 - Names of individual users that can authenticate with this policy.
 - utm
Status string - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid string
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile string - Name of an existing VideoFilter profile.
 - virtual
Patch stringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos numberFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos numberRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter string - Set VLAN filters.
 - voip
Profile string - Name of an existing VoIP profile.
 - vpn
Dst PackagesNodes Firewall Policy Vpn Dst Node[]  - Vpn_Dst_Node. The structure of 
vpn_dst_node block is documented below. - vpn
Src PackagesNodes Firewall Policy Vpn Src Node[]  - Vpn_Src_Node. The structure of 
vpn_src_node block is documented below. - vpntunnel string
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile string - Name of an existing Web application firewall profile.
 - wanopt string
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection string - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive stringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer string - WAN optimization peer.
 - wanopt
Profile string - WAN optimization profile.
 - wccp string
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache string
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https string - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile string - Name of an existing Web filter profile.
 - webproxy
Forward stringServer  - Webproxy forward server name.
 - webproxy
Profile string - Webproxy profile name.
 - wsso string
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device stringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems stringTag  - Source ztna-ems-tag names.
 - ztna
Ems stringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - string[]
 - Source ztna-ems-tag-secondary names.
 - ztna
Geo stringTag  - Source ztna-geo-tag names.
 - ztna
Policy stringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna
Status string - Enable/disable zero trust access. Valid values: 
disable,enable. - string
 - ZTNA tag matching logic. Valid values: 
or,and. 
- _policy_block float - Assigned policy block. When this attribute is set, the policy represents a policy block, and all other attributes are ignored. This attribute is not available when configuring a policy inside a policy block.
 - action str
 - Policy action (allow/deny/ipsec); the value that allows traffic is accept. Valid values: 
deny,accept,ipsec,ssl-vpn. - adom str
 - Adom. This value is valid only when the 
scopetype is adom; otherwise the value of adom in the provider will be inherited. - anti_
replay str - Enable/disable anti-replay check. Valid values: 
disable,enable. - app_
category str - Application category ID list.
 - app_
group str - Application group names.
 - app_
monitor str - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application_
list str - Name of an existing Application list.
 - applications Sequence[float]
 - Application ID list.
 - auth_
cert str - HTTPS server certificate for policy authentication.
 - auth_
path str - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth_
redirect_ straddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto_
asic_ stroffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av_
profile str - Name of an existing Antivirus profile.
 - best_
route str - Best-Route. Valid values: 
disable,enable. - block_
notification str - Enable/disable block notification. Valid values: 
disable,enable. - captive_
portal_ strexempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture_
packet str - Enable/disable capture packets. Valid values: 
disable,enable. - casb_
profile str - Name of an existing CASB profile.
 - cgn_
eif str - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn_
eim str - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn_
log_ strserver_ grp  - NP log server group name
 - cgn_
resource_ floatquota  - resource quota
 - cgn_
session_ floatquota  - session quota
 - cgn_
sw_ streif_ ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs_
profile str - Name of an existing CIFS profile.
 - comments str
 - Comment.
 - custom_
log_ strfields  - Custom fields to append to log messages for this policy.
 - decrypted_
traffic_ strmirror  - Decrypted traffic mirror.
 - delay_
tcp_ strnpu_ session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices str
 - Names of devices or device groups that can be matched by the policy.
 - diameter_
filter_ strprofile  - Name of an existing Diameter filter profile.
 - diffserv_
copy str - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv_
forward str - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv_
reverse str - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode_
forward str - Change packet's DiffServ to this value.
 - diffservcode_
rev str - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer str
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp_
profile str - Name of an existing DLP profile.
 - dlp_
sensor str - Name of an existing DLP sensor.
 - dnsfilter_
profile str - Name of an existing DNS filter profile.
 - dscp_
match str - Enable DSCP check. Valid values: 
disable,enable. - dscp_
negate str - Enable negated DSCP match. Valid values: 
disable,enable. - dscp_
value str - DSCP value.
 - dsri str
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6_
negate str - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s Sequence[str]
 - Destination IPv6 address name and address group names.
 - dstaddr_
negate str - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs Sequence[str]
 - Destination address and address group names.
 - dstintfs Sequence[str]
 - Outgoing (egress) interface.
 - dynamic_
shaping str - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic_
sort_ strsubtable  - true or false, set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables, please do not set this parameter when configuring static sub-tables.
 - eif_
check str - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif_
learn str - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email_
collect str - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter_
profile str - Name of an existing email filter profile.
 - fec str
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file_
filter_ strprofile  - Name of an existing file-filter profile.
 - firewall_
session_ strdirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport str
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso str
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso_
agent_ strfor_ ntlm  - FSSO agent to use for NTLM authentication.
 - fsso_
groups Sequence[str] - Names of FSSO groups.
 - geoip_
anycast str - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip_
match str - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global_
label str - Label for the policy that appears when the GUI is in Global View mode.
 - groups Sequence[str]
 - Names of user groups that can authenticate with this policy.
 - gtp_
profile str - GTP profile.
 - http_
policy_ strredirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap_
profile str - Name of an existing ICAP profile.
 - identity_
based_ strroute  - Name of identity-based routing rule.
 - inbound str
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection_
mode str - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet_
service str - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet_
service6 str - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet_
service6_ Sequence[str]custom_ groups  - Custom Internet Service6 group name.
 - internet_
service6_ Sequence[str]customs  - Custom IPv6 Internet Service name.
 - internet_
service6_ Sequence[str]groups  - Internet Service group name.
 - internet_
service6_ Sequence[str]names  - IPv6 Internet Service name.
 - internet_
service6_ strnegate  - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service6_ strsrc  - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet_
service6_ Sequence[str]src_ custom_ groups  - Custom Internet Service6 source group name.
 - internet_
service6_ Sequence[str]src_ customs  - Custom IPv6 Internet Service source name.
 - internet_
service6_ Sequence[str]src_ groups  - Internet Service6 source group name.
 - internet_
service6_ Sequence[str]src_ names  - IPv6 Internet Service source name.
 - internet_
service6_ strsrc_ negate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service_ strcustom  - Custom Internet Service name.
 - internet_
service_ strcustom_ group  - Custom Internet Service group name.
 - internet_
service_ strgroup  - Internet Service group name.
 - internet_
service_ Sequence[str]ids  - Internet Service ID.
 - internet_
service_ strname  - Internet Service name.
 - internet_
service_ strnegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet_
service_ strsrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet_
service_ strsrc_ custom  - Custom Internet Service source name.
 - internet_
service_ strsrc_ custom_ group  - Custom Internet Service source group name.
 - internet_
service_ strsrc_ group  - Internet Service source group name.
 - internet_
service_ strsrc_ id  - Internet Service source ID.
 - internet_
service_ strsrc_ name  - Internet Service source name.
 - internet_
service_ strsrc_ negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip_
version_ strtype  - IP version of the policy.
 - ippool str
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips_
sensor str - Name of an existing IPS sensor.
 - ips_
voip_ strfilter  - Name of an existing VoIP (ips) profile.
 - label str
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning_
mode str - Enable to allow everything, but log all of the meaningful data for security information gathering. A learning report will be generated. Valid values: 
disable,enable. - log_
http_ strtransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic str
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic_
start str - Record logs when a session starts. Valid values: 
disable,enable. - match_
vip str - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match_
vip_ stronly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms_
profile str - Name of an existing MMS profile.
 - name str
 - Policy name.
 - nat str
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 str
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 str
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound str
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips Sequence[str]
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound str
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network_
service_ Sequence[str]dynamics  - Dynamic Network Service name.
 - network_
service_ Sequence[str]src_ dynamics  - Dynamic Network Service source name.
 - np_
acceleration str - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm str
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm_
enabled_ Sequence[str]browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm_
guest str - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound str
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages_
firewall_ strpolicy_ id  - an identifier for the resource with format {{policyid}}.
 - passive_
wan_ strhealth_ measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp_
inbound str - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp_
outbound str - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp_
poolnames Sequence[str] - PCP pool names.
 - per_
ip_ strshaper  - Per-IP traffic shaper.
 - permit_
any_ strhost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit_
stun_ strhost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp_
profile str - PFCP profile.
 - pkg str
 - Package.
 - pkg_
folder_ strpath  - Pkg Folder Path.
 - policy_
behaviour_ strtype  - Behaviour of the policy.
 - policy_
expiry str - Enable/disable policy expiry. Valid values: 
disable,enable. - policy_
expiry_ strdate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy_
expiry_ strdate_ utc  - Policy expiry date and time, in epoch format.
 - policy_
offload str - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid float
 - Policy ID (0 - 4294967294).
 - poolname str
 - IP Pool names.
 - poolname6 str
 - IPv6 pool names.
 - port_
preserve str - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port_
random str - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile_
group str - Name of profile group.
 - profile_
protocol_ stroptions  - Name of an existing Protocol options profile.
 - profile_
type str - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius_
ip_ strauth_ bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius_
mac_ strauth_ bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect_
url str - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg_
override_ strgroup  - Override the default replacement message group for this policy.
 - reputation_
direction str - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation_
direction6 str - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation_
minimum float - Minimum Reputation to take action.
 - reputation_
minimum6 float - IPv6 Minimum Reputation to take action.
 - rsso str
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp_
addr str - Address names if this is an RTP NAT policy.
 - rtp_
nat str - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan_
botnet_ strconnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule str
 - Schedule name.
 - schedule_
timeout str - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype str
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp_
filter_ strprofile  - Name of an existing SCTP filter profile.
 - send_
deny_ strpacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service_
negate str - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services Sequence[str]
 - Service and service group names.
 - session_
ttl str - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt_
check str - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts Sequence[float]
 - Security group tags.
 - spamfilter_
profile str - Name of an existing Spam filter profile.
 - src_
vendor_ Sequence[str]macs  - Vendor MAC source ID.
 - srcaddr6_
negate str - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s Sequence[str]
 - Source IPv6 address name and address group names.
 - srcaddr_
negate str - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs Sequence[str]
 - Source address and address group names.
 - srcintfs Sequence[str]
 - Incoming (ingress) interface.
 - ssh_
filter_ strprofile  - Name of an existing SSH filter profile.
 - ssh_
policy_ strredirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl_
mirror str - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl_
mirror_ strintf  - SSL mirror interface name.
 - ssl_
ssh_ strprofile  - Name of an existing SSL SSH profile.
 - status str
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp_
mss_ floatreceiver  - Receiver TCP maximum segment size (MSS).
 - tcp_
mss_ floatsender  - Sender TCP maximum segment size (MSS).
 - tcp_
session_ strwithout_ syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp_
timeout_ strpid  - TCP timeout profile ID
 - timeout_
send_ strrst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos str
 - ToS (Type of Service) value used for comparison.
 - tos_
mask str - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos_
negate str - Enable negated TOS match. Valid values: 
disable,enable. - traffic_
shaper str - Traffic shaper.
 - traffic_
shaper_ strreverse  - Reverse traffic shaper.
 - udp_
timeout_ strpid  - UDP timeout profile ID
 - url_
category str - URL category ID list.
 - users Sequence[str]
 - Names of individual users that can authenticate with this policy.
 - utm_
status str - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid str
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter_
profile str - Name of an existing VideoFilter profile.
 - virtual_
patch_ strprofile  - Name of an existing virtual-patch profile.
 - vlan_
cos_ floatfwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan_
cos_ floatrev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan_
filter str - Set VLAN filters.
 - voip_
profile str - Name of an existing VoIP profile.
 - vpn_
dst_ Sequence[Packagesnodes Firewall Policy Vpn Dst Node Args]  - Vpn_Dst_Node. The structure of 
vpn_dst_node block is documented below. - vpn_
src_ Sequence[Packagesnodes Firewall Policy Vpn Src Node Args]  - Vpn_Src_Node. The structure of 
vpn_src_node block is documented below. - vpntunnel str
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf_
profile str - Name of an existing Web application firewall profile.
 - wanopt str
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt_
detection str - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt_
passive_ stropt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt_
peer str - WAN optimization peer.
 - wanopt_
profile str - WAN optimization profile.
 - wccp str
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache str
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache_
https str - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter_
profile str - Name of an existing Web filter profile.
 - webproxy_
forward_ strserver  - Webproxy forward server name.
 - webproxy_
profile str - Webproxy profile name.
 - wsso str
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna_
device_ strownership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna_
ems_ strtag  - Source ztna-ems-tag names.
 - ztna_
ems_ strtag_ negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - ztna_
ems_ Sequence[str]tag_ secondaries  - Source ztna-ems-tag-secondary names.
 - ztna_
geo_ strtag  - Source ztna-geo-tag names.
 - ztna_
policy_ strredirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna_
status str - Enable/disable zero trust access. Valid values: 
disable,enable. - str
 - ZTNA tag matching logic. Valid values: 
or,and. 
- _
policy NumberBlock  - Assigned policy block. When this attribute is set, the policy represent a policy block, and all other attributes are ignored. This attribute is not available when configuring policy inside a policy block.
 - action String
 - Policy action (allow/deny/ipsec). Valid values: 
deny,accept,ipsec,ssl-vpn. - adom String
 - Adom. This value is valid only when the 
scopetype is adom; otherwise the value of adom in the provider will be inherited. - anti
Replay String - Enable/disable anti-replay check. Valid values: 
disable,enable. - app
Category String - Application category ID list.
 - app
Group String - Application group names.
 - app
Monitor String - Enable/disable application TCP metrics in session logs. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - application
List String - Name of an existing Application list.
 - applications List<Number>
 - Application ID list.
 - auth
Cert String - HTTPS server certificate for policy authentication.
 - auth
Path String - Enable/disable authentication-based routing. Valid values: 
disable,enable. - auth
Redirect StringAddr  - HTTP-to-HTTPS redirect address for firewall authentication.
 - auto
Asic StringOffload  - Enable/disable policy traffic ASIC offloading. Valid values: 
disable,enable. - av
Profile String - Name of an existing Antivirus profile.
 - best
Route String - Best-Route. Valid values: 
disable,enable. - block
Notification String - Enable/disable block notification. Valid values: 
disable,enable. - captive
Portal StringExempt  - Enable to exempt some users from the captive portal. Valid values: 
disable,enable. - capture
Packet String - Enable/disable capture packets. Valid values: 
disable,enable. - casb
Profile String - Name of an existing CASB profile.
 - cgn
Eif String - Enable/Disable CGN endpoint independent filtering. Valid values: 
disable,enable. - cgn
Eim String - Enable/Disable CGN endpoint independent mapping. Valid values: 
disable,enable. - cgn
Log StringServer Grp  - NP log server group name
 - cgn
Resource NumberQuota  - resource quota
 - cgn
Session NumberQuota  - session quota
 - cgn
Sw StringEif Ctrl  - Enable/disable software endpoint independent filtering control. Valid values: 
disable,enable. - cifs
Profile String - Name of an existing CIFS profile.
 - comments String
 - Comment.
 - custom
Log StringFields  - Custom fields to append to log messages for this policy.
 - decrypted
Traffic StringMirror  - Decrypted traffic mirror.
 - delay
Tcp StringNpu Session  - Enable TCP NPU session delay to guarantee packet order of 3-way handshake. Valid values: 
disable,enable. - devices String
 - Names of devices or device groups that can be matched by the policy.
 - diameter
Filter StringProfile  - Name of an existing Diameter filter profile.
 - diffserv
Copy String - Enable to copy packet's DiffServ values from session's original direction to its reply direction. Valid values: 
disable,enable. - diffserv
Forward String - Enable to change packet's DiffServ values to the specified diffservcode-forward value. Valid values: 
disable,enable. - diffserv
Reverse String - Enable to change packet's reverse (reply) DiffServ values to the specified diffservcode-rev value. Valid values: 
disable,enable. - diffservcode
Forward String - Change packet's DiffServ to this value.
 - diffservcode
Rev String - Change packet's reverse (reply) DiffServ to this value.
 - disclaimer String
 - Enable/disable user authentication disclaimer. Valid values: 
disable,enable. - dlp
Profile String - Name of an existing DLP profile.
 - dlp
Sensor String - Name of an existing DLP sensor.
 - dnsfilter
Profile String - Name of an existing DNS filter profile.
 - dscp
Match String - Enable DSCP check. Valid values: 
disable,enable. - dscp
Negate String - Enable negated DSCP match. Valid values: 
disable,enable. - dscp
Value String - DSCP value.
 - dsri String
 - Enable DSRI to ignore HTTP server responses. Valid values: 
disable,enable. - dstaddr6Negate String
 - When enabled dstaddr6 specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddr6s List<String>
 - Destination IPv6 address name and address group names.
 - dstaddr
Negate String - When enabled dstaddr specifies what the destination address must NOT be. Valid values: 
disable,enable. - dstaddrs List<String>
 - Destination address and address group names.
 - dstintfs List<String>
 - Outgoing (egress) interface.
 - dynamic
Shaping String - Enable/disable dynamic RADIUS defined traffic shaping. Valid values: 
disable,enable. - dynamic
Sort StringSubtable  - true or false. Set this parameter to true when using dynamic for_each + toset to configure and sort sub-tables; do not set this parameter when configuring static sub-tables.
 - eif
Check String - Enable/Disable check endpoint-independent-filtering pinhole. Valid values: 
disable,enable. - eif
Learn String - Enable/Disable learning of end-point-independent filtering pinhole. Valid values: 
disable,enable. - email
Collect String - Enable/disable email collection. Valid values: 
disable,enable. - emailfilter
Profile String - Name of an existing email filter profile.
 - fec String
 - Enable/disable Forward Error Correction on traffic matching this policy on a FEC device. Valid values: 
disable,enable. - file
Filter StringProfile  - Name of an existing file-filter profile.
 - firewall
Session StringDirty  - How to handle sessions if the configuration of this firewall policy changes. Valid values: 
check-all,check-new. - fixedport String
 - Enable to prevent source NAT from changing a session's source port. Valid values: 
disable,enable. - fsso String
 - Enable/disable Fortinet Single Sign-On. Valid values: 
disable,enable. - fsso
Agent StringFor Ntlm  - FSSO agent to use for NTLM authentication.
 - fsso
Groups List<String> - Names of FSSO groups.
 - geoip
Anycast String - Enable/disable recognition of anycast IP addresses using the geography IP database. Valid values: 
disable,enable. - geoip
Match String - Match geography address based either on its physical location or registered location. Valid values: 
physical-location,registered-location. - global
Label String - Label for the policy that appears when the GUI is in Global View mode.
 - groups List<String>
 - Names of user groups that can authenticate with this policy.
 - gtp
Profile String - GTP profile.
 - http
Policy StringRedirect  - Redirect HTTP(S) traffic to matching transparent web proxy policy. Valid values: 
disable,enable. - icap
Profile String - Name of an existing ICAP profile.
 - identity
Based StringRoute  - Name of identity-based routing rule.
 - inbound String
 - Policy-based IPsec VPN: only traffic from the remote network can initiate a VPN. Valid values: 
disable,enable. - inspection
Mode String - Policy inspection mode (Flow/proxy). Default is Flow mode. Valid values: 
proxy,flow. - internet
Service String - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6 String - Enable/disable use of IPv6 Internet Services for this policy. If enabled, destination address and service are not used. Valid values: 
disable,enable. - internet
Service6Custom List<String>Groups  - Custom Internet Service6 group name.
 - internet
Service6Customs List<String> - Custom IPv6 Internet Service name.
 - internet
Service6Groups List<String> - Internet Service group name.
 - internet
Service6Names List<String> - IPv6 Internet Service name.
 - internet
Service6Negate String - When enabled internet-service6 specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service6Src String - Enable/disable use of IPv6 Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service6Src List<String>Custom Groups  - Custom Internet Service6 source group name.
 - internet
Service6Src List<String>Customs  - Custom IPv6 Internet Service source name.
 - internet
Service6Src List<String>Groups  - Internet Service6 source group name.
 - internet
Service6Src List<String>Names  - IPv6 Internet Service source name.
 - internet
Service6Src StringNegate  - When enabled internet-service6-src specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringCustom  - Custom Internet Service name.
 - internet
Service StringCustom Group  - Custom Internet Service group name.
 - internet
Service StringGroup  - Internet Service group name.
 - internet
Service List<String>Ids  - Internet Service ID.
 - internet
Service StringName  - Internet Service name.
 - internet
Service StringNegate  - When enabled internet-service specifies what the service must NOT be. Valid values: 
disable,enable. - internet
Service StringSrc  - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used. Valid values: 
disable,enable. - internet
Service StringSrc Custom  - Custom Internet Service source name.
 - internet
Service StringSrc Custom Group  - Custom Internet Service source group name.
 - internet
Service StringSrc Group  - Internet Service source group name.
 - internet
Service StringSrc Id  - Internet Service source ID.
 - internet
Service StringSrc Name  - Internet Service source name.
 - internet
Service StringSrc Negate  - When enabled internet-service-src specifies what the service must NOT be. Valid values: 
disable,enable. - ip
Version StringType  - IP version of the policy.
 - ippool String
 - Enable to use IP Pools for source NAT. Valid values: 
disable,enable. - ips
Sensor String - Name of an existing IPS sensor.
 - ips
Voip StringFilter  - Name of an existing VoIP (ips) profile.
 - label String
 - Label for the policy that appears when the GUI is in Section View mode.
 - learning
Mode String - Enable to allow everything, but log all of the meaningful data for security information gathering; while enabled, this policy allows all matching traffic rather than blocking it. A learning report will be generated. Valid values: 
disable,enable. - log
Http StringTransaction  - Enable/disable HTTP transaction log. Valid values: 
disable,enable,all,utm. - logtraffic String
 - Enable or disable logging. Log all sessions or security profile sessions. Valid values: 
disable,enable,all,utm. - logtraffic
Start String - Record logs when a session starts. Valid values: 
disable,enable. - match
Vip String - Enable to match packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - match
Vip StringOnly  - Enable/disable matching of only those packets that have had their destination addresses changed by a VIP. Valid values: 
disable,enable. - mms
Profile String - Name of an existing MMS profile.
 - name String
 - Policy name.
 - nat String
 - Enable/disable source NAT. Valid values: 
disable,enable. - nat46 String
 - Enable/disable NAT46. Valid values: 
disable,enable. - nat64 String
 - Enable/disable NAT64. Valid values: 
disable,enable. - natinbound String
 - Policy-based IPsec VPN: apply destination NAT to inbound traffic. Valid values: 
disable,enable. - natips List<String>
 - Policy-based IPsec VPN: source NAT IP address for outgoing traffic.
 - natoutbound String
 - Policy-based IPsec VPN: apply source NAT to outbound traffic. Valid values: 
disable,enable. - network
Service List<String>Dynamics  - Dynamic Network Service name.
 - network
Service List<String>Src Dynamics  - Dynamic Network Service source name.
 - np
Acceleration String - Enable/disable UTM Network Processor acceleration. Valid values: 
disable,enable. - ntlm String
 - Enable/disable NTLM authentication. Valid values: 
disable,enable. - ntlm
Enabled List<String>Browsers  - HTTP-User-Agent value of supported browsers.
 - ntlm
Guest String - Enable/disable NTLM guest user access. Valid values: 
disable,enable. - outbound String
 - Policy-based IPsec VPN: only traffic from the internal network can initiate a VPN. Valid values: 
disable,enable. - packages
Firewall StringPolicy Id  - an identifier for the resource with format {{policyid}}.
 - passive
Wan StringHealth Measurement  - Enable/disable passive WAN health measurement. When enabled, auto-asic-offload is disabled. Valid values: 
disable,enable. - pcp
Inbound String - Enable/disable PCP inbound DNAT. Valid values: 
disable,enable. - pcp
Outbound String - Enable/disable PCP outbound SNAT. Valid values: 
disable,enable. - pcp
Poolnames List<String> - PCP pool names.
 - per
Ip StringShaper  - Per-IP traffic shaper.
 - permit
Any StringHost  - Accept UDP packets from any host. Valid values: 
disable,enable. - permit
Stun StringHost  - Accept UDP packets from any Session Traversal Utilities for NAT (STUN) host. Valid values: 
disable,enable. - pfcp
Profile String - PFCP profile.
 - pkg String
 - Package.
 - pkg
Folder StringPath  - Pkg Folder Path.
 - policy
Behaviour StringType  - Behaviour of the policy.
 - policy
Expiry String - Enable/disable policy expiry. Valid values: 
disable,enable. - policy
Expiry StringDate  - Policy expiry date (YYYY-MM-DD HH:MM:SS).
 - policy
Expiry StringDate Utc  - Policy expiry date and time, in epoch format.
 - policy
Offload String - Enable/Disable hardware session setup for CGNAT. Valid values: 
disable,enable. - policyid Number
 - Policy ID (0 - 4294967294).
 - poolname String
 - IP Pool names.
 - poolname6 String
 - IPv6 pool names.
 - port
Preserve String - Enable/disable preservation of the original source port from source NAT if it has not been used. Valid values: 
disable,enable. - port
Random String - Enable/disable random source port selection for source NAT. Valid values: 
disable,enable. - profile
Group String - Name of profile group.
 - profile
Protocol StringOptions  - Name of an existing Protocol options profile.
 - profile
Type String - Determine whether the firewall policy allows security profile groups or single profiles only. Valid values: 
single,group. - radius
Ip StringAuth Bypass  - Enable IP authentication bypass. The bypassed IP address must be received from RADIUS server. Valid values: 
disable,enable. - radius
Mac StringAuth Bypass  - Enable MAC authentication bypass. The bypassed MAC address must be received from RADIUS server. Valid values: 
disable,enable. - redirect
Url String - URL users are directed to after seeing and accepting the disclaimer or authenticating.
 - replacemsg
Override StringGroup  - Override the default replacement message group for this policy.
 - reputation
Direction String - Direction of the initial traffic for reputation to take effect. Valid values: 
source,destination. - reputation
Direction6 String - Direction of the initial traffic for IPv6 reputation to take effect. Valid values: 
source,destination. - reputation
Minimum Number - Minimum Reputation to take action.
 - reputation
Minimum6 Number - IPv6 Minimum Reputation to take action.
 - rsso String
 - Enable/disable RADIUS single sign-on (RSSO). Valid values: 
disable,enable. - rtp
Addr String - Address names if this is an RTP NAT policy.
 - rtp
Nat String - Enable Real Time Protocol (RTP) NAT. Valid values: 
disable,enable. - scan
Botnet StringConnections  - Block or monitor connections to Botnet servers or disable Botnet scanning. Valid values: 
disable,block,monitor. - schedule String
 - Schedule name.
 - schedule
Timeout String - Enable to force current sessions to end when the schedule object times out. Disable allows them to end from inactivity. Valid values: 
disable,enable. - scopetype String
 - The scope of application of the resource. Valid values: 
inherit,adom. The value inherit means that the scopetype of the provider will be inherited, and adom will also be inherited. The default value is inherit. - sctp
Filter StringProfile  - Name of an existing SCTP filter profile.
 - send
Deny StringPacket  - Enable to send a reply when a session is denied or blocked by a firewall policy. Valid values: 
disable,enable. - service
Negate String - When enabled service specifies what the service must NOT be. Valid values: 
disable,enable. - services List<String>
 - Service and service group names.
 - session
Ttl String - TTL in seconds for sessions accepted by this policy (0 means use the system default session TTL).
 - sgt
Check String - Enable/disable security group tags (SGT) check. Valid values: 
disable,enable. - sgts List<Number>
 - Security group tags.
 - spamfilter
Profile String - Name of an existing Spam filter profile.
 - src
Vendor List<String>Macs  - Vendor MAC source ID.
 - srcaddr6Negate String
 - When enabled srcaddr6 specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddr6s List<String>
 - Source IPv6 address name and address group names.
 - srcaddr
Negate String - When enabled srcaddr specifies what the source address must NOT be. Valid values: 
disable,enable. - srcaddrs List<String>
 - Source address and address group names.
 - srcintfs List<String>
 - Incoming (ingress) interface.
 - ssh
Filter StringProfile  - Name of an existing SSH filter profile.
 - ssh
Policy StringRedirect  - Redirect SSH traffic to matching transparent proxy policy. Valid values: 
disable,enable. - ssl
Mirror String - Enable to copy decrypted SSL traffic to a FortiGate interface (called SSL mirroring). Valid values: 
disable,enable. - ssl
Mirror StringIntf  - SSL mirror interface name.
 - ssl
Ssh StringProfile  - Name of an existing SSL SSH profile.
 - status String
 - Enable or disable this policy. Valid values: 
disable,enable. - tcp
Mss NumberReceiver  - Receiver TCP maximum segment size (MSS).
 - tcp
Mss NumberSender  - Sender TCP maximum segment size (MSS).
 - tcp
Session StringWithout Syn  - Enable/disable creation of TCP session without SYN flag. Valid values: 
all,data-only,disable. - tcp
Timeout StringPid  - TCP timeout profile ID
 - timeout
Send StringRst  - Enable/disable sending RST packets when TCP sessions expire. Valid values: 
disable,enable. - tos String
 - ToS (Type of Service) value used for comparison.
 - tos
Mask String - Non-zero bit positions are used for comparison while zero bit positions are ignored.
 - tos
Negate String - Enable negated TOS match. Valid values: 
disable,enable. - traffic
Shaper String - Traffic shaper.
 - traffic
Shaper StringReverse  - Reverse traffic shaper.
 - udp
Timeout StringPid  - UDP timeout profile ID
 - url
Category String - URL category ID list.
 - users List<String>
 - Names of individual users that can authenticate with this policy.
 - utm
Status String - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy. Valid values: 
disable,enable. - uuid String
 - Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
 - videofilter
Profile String - Name of an existing VideoFilter profile.
 - virtual
Patch StringProfile  - Name of an existing virtual-patch profile.
 - vlan
Cos NumberFwd  - VLAN forward direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Cos NumberRev  - VLAN reverse direction user priority: 255 passthrough, 0 lowest, 7 highest.
 - vlan
Filter String - Set VLAN filters.
 - voip
Profile String - Name of an existing VoIP profile.
 - vpn
Dst List<Property Map>Nodes  - Vpn_Dst_Node. The structure of 
vpn_dst_node block is documented below. - vpn
Src List<Property Map>Nodes  - Vpn_Src_Node. The structure of 
vpn_src_node block is documented below. - vpntunnel String
 - Policy-based IPsec VPN: name of the IPsec VPN Phase 1.
 - waf
Profile String - Name of an existing Web application firewall profile.
 - wanopt String
 - Enable/disable WAN optimization. Valid values: 
disable,enable. - wanopt
Detection String - WAN optimization auto-detection mode. Valid values: 
active,passive,off. - wanopt
Passive StringOpt  - WAN optimization passive mode options. This option decides what IP address will be used to connect server. Valid values: 
default,transparent,non-transparent. - wanopt
Peer String - WAN optimization peer.
 - wanopt
Profile String - WAN optimization profile.
 - wccp String
 - Enable/disable forwarding traffic matching this policy to a configured WCCP server. Valid values: 
disable,enable. - webcache String
 - Enable/disable web cache. Valid values: 
disable,enable. - webcache
Https String - Enable/disable web cache for HTTPS. Valid values: 
disable,ssl-server,any,enable. - webfilter
Profile String - Name of an existing Web filter profile.
 - webproxy
Forward StringServer  - Webproxy forward server name.
 - webproxy
Profile String - Webproxy profile name.
 - wsso String
 - Enable/disable WiFi Single Sign On (WSSO). Valid values: 
disable,enable. - ztna
Device StringOwnership  - Enable/disable zero trust device ownership. Valid values: 
disable,enable. - ztna
Ems StringTag  - Source ztna-ems-tag names.
 - ztna
Ems StringTag Negate  - When enabled ztna-ems-tag specifies what the tags must NOT be. Valid values: 
disable,enable. - List<String>
 - Source ztna-ems-tag-secondary names.
 - ztna
Geo StringTag  - Source ztna-geo-tag names.
 - ztna
Policy StringRedirect  - Redirect ZTNA traffic to matching Access-Proxy proxy-policy. Valid values: 
disable,enable. - ztna
Status String - Enable/disable zero trust access. Valid values: 
disable,enable. - String
 - ZTNA tag matching logic. Valid values: 
or,and. 
Supporting Types
PackagesFirewallPolicyVpnDstNode, PackagesFirewallPolicyVpnDstNodeArgs            
PackagesFirewallPolicyVpnSrcNode, PackagesFirewallPolicyVpnSrcNodeArgs            
Import
Packages FirewallPolicy can be imported using any of these accepted formats:
Set import_options = ["pkg_folder_path=YOUR_VALUE", "pkg=YOUR_VALUE"] in the provider section.
$ export "FORTIMANAGER_IMPORT_TABLE"="true"
$ pulumi import fortimanager:index/packagesFirewallPolicy:PackagesFirewallPolicy labelname {{policyid}}
$ unset "FORTIMANAGER_IMPORT_TABLE"
-> Hint: The scopetype and adom for import will directly inherit the scopetype and adom configuration of the provider.
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
 - fortimanager fortinetdev/terraform-provider-fortimanager
 - License
 - Notes
 - This Pulumi package is based on the 
fortimanager Terraform Provider. 
