Policy & Objects
The Policy menu provides options for configuring policies, proxy options, SSL inspection options, and firewall objects.
Policy
The policy list displays web cache policies in their order of matching precedence. Because the first matching policy is the one applied, policy order determines which policy a session matches. For details about arranging policies in the policy list, see Managing the policy list.
You can add web cache policies that match HTTP traffic to be cached according to source and destination addresses, and the destination port of the traffic.
Various right-click menus are hidden throughout the policy list. The columns displayed in the policy list can be customized, and filters can be added in a variety of ways to filter the information that is displayed. See Managing the policy list.
To view the policy list, go to Policy & Objects > Policy > Policy.
Configure the following settings:
Create New | Add a new policy. New policies are added to the bottom of the list. |
Edit | Edit the selected policy. |
Delete | Delete the selected policy. |
Section/Global View | Select whether to view the policies based on sections, or in a single list (Global View). |
Search | Enter a search term to search the policy list. |
Seq.# | The policy sequence number. |
Source Address | The source address or address range that the policy matches. For more information, see Web cache policy address formats on page 68. |
Destination | The destination address or address range that the policy matches. For more information, see Web cache policy address formats on page 68. |
Schedule | The policy schedule. See Schedules on page 77. |
Service | The service affected by the policy. See Services on page 75. |
Authentication | |
Action | The action to be taken by the policy, such as ACCEPT or DENY. |
AV | The antivirus profile used by the policy. See Antivirus on page 86. |
CA | The certificate used by the policy. |
Comments | Comments about the policy. |
DLP | The DLP sensor used by the policy. See Data Leak Prevention on page 93. |
From | |
ICAP | The ICAP profile used by the policy. See ICAP on page 98. |
ID | The policy identifier. Policies are numbered in the order they are added to the configuration. |
Last Used | |
Log | The logging level of the policy. Options vary depending on the policy type. |
NAT | Whether or not NAT is enabled. |
Proxy Options | The proxy options used by the policy. See Proxy options on page 69. |
Security Profiles | All the profiles used by the policy, such as AntiVirus, Web Filter, DLP Sensor, ICAP, SSL Inspection, and Content Analysis options. See Security Profiles on page 86. |
Sessions | The number of sessions. |
SSL Inspection | The SSL inspection options used by the policy. See SSL inspection on page 70. |
Status | Select to enable a policy or clear to disable a policy. A disabled policy is out of service. |
To | |
Web Filter | The web filter profile used by the policy. See Web Filter on page 87. |
Managing the policy list
To customize the displayed columns, right-click on any column heading, then select the columns that are to be added or removed. Select Reset All Columns to return to the default column view.
The displayed policies can be filtered by either using the search field in the toolbar, or by selecting the filter icon in a column heading. The available filter options will vary depending on the type of data that the selected column contains.
How list order affects policy matching
The FortiCache unit uses the first-matching technique to select which policy to apply to a communication session.
Each time the FortiCache unit accepts a communication session, it searches the policy list for a matching policy. A policy matches when its source address, destination address, and destination port match those of the session. The search begins at the top of the policy list and progresses in order towards the bottom, comparing each policy with the session until a match is found. When the FortiCache unit finds the first matching policy, it applies that policy and disregards all subsequent policies.
If no policy matches, the session is accepted.
As a general rule, order the policy list from most specific to most general. Because policies are evaluated in order and only the first matching policy is applied, a general policy placed above a more specific one supersedes it and effectively masks the exception the specific policy was meant to express; subsequent possible matches are never considered or applied.
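As an added illustration of first-match evaluation (example code, not FortiCache code), the following Python models a policy list with the three matching criteria named above and flags policies that an earlier, broader policy shadows; the Policy class, its field names, and the sample address ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of an ordered web cache policy list (added example, not FortiCache
# code). Only the three criteria the page names are modelled: source address,
# destination address and destination port; addresses are IPv4 networks in CIDR form.

@dataclass(frozen=True)
class Policy:
    seq: int              # position in the list (Seq.#), 1 = top
    source: str
    destination: str
    dport: Optional[int]  # destination port, None = any port
    action: str           # "ACCEPT" or "DENY"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and (self.dport is None or self.dport == dport))

def first_match(policies: List[Policy], src: str, dst: str, dport: int) -> Optional[Policy]:
    """Search top to bottom; the first match is applied and later policies are disregarded.
    Returns None when no policy matches (the page states such a session is accepted)."""
    for policy in policies:
        if policy.matches(src, dst, dport):
            return policy
    return None

def shadowed(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (shadowed_seq, shadowing_seq) pairs. A policy is shadowed when an earlier
    policy covers every session it could match, so first-match never reaches it."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            src_covered = ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
            dst_covered = ipaddress.ip_network(later.destination).subnet_of(ipaddress.ip_network(earlier.destination))
            port_covered = earlier.dport is None or earlier.dport == later.dport
            if src_covered and dst_covered and port_covered:
                found.append((later.seq, earlier.seq))
                break
    return found

# Constructed lists: a broad ACCEPT placed above a narrower DENY masks the exception,
# which is exactly the ordering mistake the section warns about.
BAD_ORDER = [
    Policy(1, "10.0.0.0/8", "0.0.0.0/0", 80, "ACCEPT"),
    Policy(2, "10.0.5.0/24", "203.0.113.0/24", 80, "DENY"),
]
GOOD_ORDER = [  # most specific first
    Policy(1, "10.0.5.0/24", "203.0.113.0/24", 80, "DENY"),
    Policy(2, "10.0.0.0/8", "0.0.0.0/0", 80, "ACCEPT"),
]
```

Running shadowed() over a policy list before deploying it is a cheap way to catch a DENY exception that a broader ACCEPT above it will never let fire.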
Configuring policies
Policies can be added, edited, copied, moved, and deleted. To help organize your policies, you can also create sections to group policies together.
Policies can be inserted above or below existing policies, and can also be disabled if needed.
Creating a new policy
New policies can be created at the bottom of the policy list by selecting Create New in the toolbar. New policies can be created above or below an existing policy by right-clicking a policy sequence number and selecting Insert Policy Above or Insert Policy Below, or by copying or cutting an existing policy and then selecting Paste Before or Paste After from the right-click menu.
To create a new address policy:
- From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
- Select Address in the Policy Subtype
- Configure the following settings:
Incoming Interface | Select the name of the network interface on which IP packets are received. For more information, see Interfaces on page 22. You can also create a web proxy by selecting web-proxy in Incoming Interface. For more information, see Web proxy global on page 84. Multiple incoming interfaces can be added to a policy. If you select any, the policy matches all interfaces as sources, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. When any is used as the incoming interface, the implicit security policy includes any as well. |
Source Address / Source IPv6 Address | Select a source address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 68. You can also create addresses by selecting Create New from this list. For more information, see Addresses on page 72. Multiple addresses or address groups can be added to the policy. |
Outgoing Interface | Select the name of the network interface to which IP packets are forwarded. For more information, see Interfaces on page 22. Multiple outgoing interfaces can be added to a policy. If you select any, the policy matches all interfaces as destinations, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. |
Destination Address / Destination IPv6 Address | Select a destination address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 68. You can also create addresses by selecting Create New from this list. For more information, see Addresses on page 72. Multiple destination addresses can be added. |
Schedule | Select a schedule from the drop-down list. Select Create New to create a new schedule. For more information, see Schedules on page 77. |
Service | Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service. See Services on page 75. Multiple services can be added. |
Action | Select how you want the policy to respond when a packet matches the conditions of the policy. The options available in the rest of the window vary widely depending on this selection. ACCEPT – Accept traffic matched by the policy. DENY – Reject traffic matched by the policy. |
Enable NAT | Select to enable NAT. This option is only available if Action is set to ACCEPT. |
Logging Options | If Action is set to ACCEPT, select one of the following options: No Log, Log Security Events, or Log All Sessions. If Action is set to DENY, enable Log Violation Traffic to log violation traffic. |
Security Profiles | Select the security profiles to apply to the policy. This option is only available if Action is set to ACCEPT. |
AntiVirus | Enable antivirus and select or create a new profile from the drop-down list. See Antivirus on page 86. |
Web Filter | Enable web filter and select or create a new profile from the drop-down list. See Web Filter on page 87. |
DLP Sensor | Enable DLP sensors and select or create a new sensor from the drop-down list. See Data Leak Prevention on page 93. |
ICAP | Enable ICAP and select or create a new profile from the drop-down list. See ICAP on page 98. |
SSL Inspection | Enable SSL inspection and select or create a new option from the drop-down list. See SSL inspection on page 70. |
Enable Web cache | Select to enable web caching. This option is only available if Action is set to ACCEPT. |
Enable WAN Optimization | Select to enable WAN Optimization for traffic accepted by the policy. If enabled, select active or passive from the drop-down list, then select or create a new profile to use for the optimization. See WAN Optimization and Web Caching on page 121. This option is only available if Action is set to ACCEPT. |
Comments | Enter a description of up to 1023 characters to describe the policy. |
- Select OK to create the new address policy.
To create a new user identity policy:
- From the policy list, select Create New from the toolbar, or right-click on a sequence number and select Insert Policy Above, Insert Policy Below or, if applicable, Paste Before or Paste After. The New Policy window opens.
- Select UserIdentity in the Policy Subtype
- Configure the following settings:
Incoming Interface | Select the name of the network interface on which IP packets are received. For more information, see Interfaces on page 22. You can also create a web proxy by selecting web-proxy in Incoming Interface. For more information, see Web proxy on page 1. Multiple incoming interfaces can be added to a policy. If you select any, the policy matches all interfaces as sources, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. When any is used as the incoming interface, the implicit security policy includes any as well. |
Source Address / Source IPv6 Address | Select a source address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 68. You can also create addresses by selecting Create New from this list. For more information, see Address on page 1. Multiple addresses or address groups can be added to the policy. |
Outgoing Interface | Select the name of the network interface to which IP packets are forwarded. For more information, see Interfaces on page 22. Multiple outgoing interfaces can be added to a policy. If you select any, the policy matches all interfaces as destinations, and the policy list is then displayed only in global view. Fortinet does not recommend this option, because it can have unexpected results. It should be used rarely, and only by a knowledgeable administrator. |
Destination Address / Destination IPv6 Address | Select a destination address or address group. Only packets whose header contains an IPv4/IPv6 address matching the selected address will be subject to this policy. For more information, see Web cache policy address formats on page 68. You can also create addresses by selecting Create New from this list. For more information, see Address on page 1. Multiple destination addresses can be added. |
Service | Select a service or service group that packets must match to trigger this policy. Select Create New to create a new service. See Service on page 1. Multiple services can be added. |
Enable Web cache | Select to enable web caching. This option is only available if Action is set to ACCEPT. |
Web Proxy Forwarding Server | Enable a web proxy forwarding server, then select a server from the drop-down list. See Forwarding servers on page 1. |
Explicit Proxy Authentication Options | |
Enable IP based Authentication | Select to enable IP based authentication, then select the single sign-on method from the Single Sign-On Method drop-down list. |
Default Authentication Method | Select the default authentication method from the drop-down list. |
Comments | Enter a description of up to 1023 characters to describe the policy. |
- Select OK to create the new user identity policy.
Creating a section
Sections can be used to help organize your policy list.
To create a new section:
- Right-click on the sequence number of a policy in the policy list and select Insert Section. The Insert Section dialog box opens.
- Enter a name for the section title in the Section Title
- Select OK to create the section.
Editing policies
Policy information can be edited as required by double-clicking the policy, by selecting a policy and then selecting Edit from the toolbar, or by right-clicking the sequence number of the policy and selecting Edit from the right-click menu.
The editing window for regular policies contains the same information as when creating new policies. See Creating a new policy on page 62.
There are only two options that can be edited for the implicit policy rule:
- enabling or disabling violation traffic logging by selecting or deselecting Log Violation Traffic
- the Action field
Policies can also be edited inline, by right and left clicking on the text or blank space within specific cells. For example, you can right-click in the blank space in a Schedule cell to select a new schedule from the right-click menu, but if you right or left-click on the text in the cell and then select Edit Schedule from the pop-up menu, the Edit Recurring Schedule window opens, allowing you to edit the selected schedule, or create a new one.
Moving policies
When more than one policy has been defined, the first matching policy is applied to the traffic session. You can arrange the policy list to influence the order in which policies are evaluated for matches with incoming traffic. See How list order affects policy matching on page 62 for more information.
Moving a policy in the policy list does not change its ID, which only indicates the order in which the policies were created.
To move a policy, click and drag the policy to a new location. You can also move a policy by cutting and pasting it into a new location.
Copy and paste
Policies can be copied and pasted to create clones. Right-click on the policy sequence number, then select Copy Policy from the pop-up menu. Right-click in the sequence number cell of the policy that the new clone policy will be placed next to, and select Paste Before or Paste After to insert the new policy before or after the selected policy.
Web cache policy address formats
A source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be:
- a single computer, for example, 45.46.45
- a subnetwork, for example, 192.168.1.* for a class C subnet
- 0.0.0.0, which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiCache unit automatically converts CIDR-formatted netmasks to dotted decimal format. Example formats:
- netmask for a single computer: 255.255.255.255, or /32
- netmask for a class A subnet: 255.0.0.0, or /8
- netmask for a class B subnet: 255.255.0.0, or /16
- netmask for a class C subnet: 255.255.255.0, or /24
- netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
- x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
- x.x.x.x/x, such as 192.168.1.0/24
When representing hosts by an IP range, the range indicates hosts with contiguous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. You can also indicate the complete range of hosts on a subnet by entering 192.168.1.[0-255] or 192.168.1.0-192.168.1.255. Valid IP range formats include:
- x.x.x.x-x.x.x.x, for example, 192.168.110.100-192.168.110.120
- x.x.x.[x-x], for example, 192.168.110.[100-120]
- x.x.x.*, for a complete subnet, for example, 192.168.110.*
- x.x.x.[0-255], for a complete subnet, such as 192.168.110.[0-255]
- x.x.x.0-x.x.x.255, for a complete subnet, such as 192.168.110.0-192.168.110.255
You cannot use square brackets [ ] or asterisks * when adding addresses to the CLI. Instead you must enter the start and end addresses of the subnet range separated by a dash -. For example, 192.168.20.0-192.168.20.255 for a complete subnet and 192.168.10.10-192.168.10.100 for a range of addresses.
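As an added example (not FortiCache code), the following Python parses every address format listed above into an inclusive start-end range, renders the dashed form the CLI requires, and shows the CIDR to dotted decimal netmask conversion; the function names and sample addresses are constructed for the example, and 0.0.0.0 is treated as matching every address, as stated above.

```python
import ipaddress
import re
from typing import Tuple

# Added example (not FortiCache code): parse the address formats the page lists into an
# inclusive (first, last) IPv4 range. 0.0.0.0 is treated as "any address", as the page states.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IP = rf"{_OCTET}(?:\.{_OCTET}){{3}}"

def parse_address(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    s = text.replace(" ", "").replace("\u2013", "-")   # tolerate "a – b" as printed
    if s == "0.0.0.0":
        return ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")
    m = re.fullmatch(rf"({_IP})/({_IP}|\d{{1,2}})", s)  # x.x.x.x/x.x.x.x or x.x.x.x/x
    if m:
        net = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        return net[0], net[-1]
    m = re.fullmatch(rf"({_IP})-({_IP})", s)             # x.x.x.x-x.x.x.x
    if m:
        first, last = ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])
        if first > last:
            raise ValueError(f"range start is after range end: {text}")
        return first, last
    m = re.fullmatch(rf"({_OCTET}(?:\.{_OCTET}){{2}})\.(?:\*|\[(\d{{1,3}})-(\d{{1,3}})\])", s)
    if m:                                               # x.x.x.* or x.x.x.[x-x]
        lo, hi = (0, 255) if m[2] is None else (int(m[2]), int(m[3]))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"last-octet range must be within 0-255 and ascending: {text}")
        return ipaddress.IPv4Address(f"{m[1]}.{lo}"), ipaddress.IPv4Address(f"{m[1]}.{hi}")
    if re.fullmatch(_IP, s):                            # a single host
        host = ipaddress.IPv4Address(s)
        return host, host
    raise ValueError(f"unrecognised address format: {text}")

def cidr_to_netmask(text: str) -> str:
    """Render x.x.x.x/x in the dotted decimal netmask form the unit converts it to."""
    return ipaddress.IPv4Network(text, strict=False).with_netmask

def to_cli(text: str) -> str:
    """The CLI rejects [ ] and *; every format is rendered as start-end instead."""
    first, last = parse_address(text)
    return f"{first}-{last}"
```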