Object Configuration

Object Configuration

As was mentioned earlier, the components of the FortiGate firewall go together like interlocking building blocks. The Firewall objects are a prime example of those building blocks. They are something that can be configured once and then used over and over again to build what you need. They can assist in making the administration of the FortiGate unit easier and more intuitive as well as easier to change. By configuring these objects with their future use in mind as well as building in accurate descriptions the firewall will become almost self documenting. That way, months later when a situation changes, you can take a look at a policy that needs to change and use a different firewall object to adapt to the new situation rather than build everything new from the ground up to accommodate the change.

This chapter includes information about the following Firewall objects:

l Addresses l “Virtual IPs” on page 181 l IP Pools l “Services” on page 194 l “Firewall schedules” on page 201

 

Multicast

UUID Support

A Universally Unique Identified (UUID) attribute has been added to some firewall objects, so that the logs can record these UUID to be used by a FortiManager or FortiAnalyzer unit. The objects currently include:

l Addresses, both IPv4 and IPv6 l Address Groups, both IPv4 and IPv6 l Virtual IPs, both IPv4 and IPv6 l Virtual IP groups, both IPv4 and IPv6 l Policies, IPv4,IPv6 and IP64

A UUID is a 16-octet (128-bit) number that is represented by 32 lowercase hexidecimal digits. The digits are displayed in five groups separated by hyphens (-). The pattern is 8-4-4-4-12; 36 digits if you include the hyphens.

Addresses

Firewall addresses define sources and destinations of network traffic and are used when creating policies. When properly set up these firewall objects can be used with great flexibility to make the configuration of firewall policies simpler and more intuitive. The FortiGate unit compares the IP addresses contained in packet headers with a security policy’s source and destination addresses to determine if the security policy matches the traffic.

The address categories and the types within those categories on the FortiGate unit can include:

  • l IPv4 addresses l IP address and Netmask l IP address range l Geography based address l Fully Qualified Domain Name (FQDN) address l Wildcard FQDN l IPv4 Address Group
  • l IPv6 addresses l Subnets l IP range l IPv6 Address Group
  • l Multicast addresses l Multicast IP range l Broadcast subnets
  • l Proxy Addresses l URL Pattern l Host Regex Match l URL Category l HttpMethod l User Agent l HTTP Header l Advanced (Source) l Advanced (Destination)
  • l IP Pools (IPv4) l Overload l One-to-one l Fixed Port Range l Port Block Allocation
  • l IP Pools (IPv6) l Virtual IP Addresses l IPv4 l IPv6
  • l NAT46 l NAT64

Interfaces

When setting up an address one of the parameters that is asked for is the interface. This means that the system will expect to see that address only on the interface that you select. You can only select one interface. If you expect that the address may be seen at more than one interface you can choose the “any” interface option. Whenever, possible it is best to choose a more specific interface than the “any” option because in the GUI configuration of firewall policies there is a drop down field that will show the possible addresses that can be used. The drop down will only show those addresses that can be on the interface assigned for that interface in the policy.

Example:

  • l You have an address called “XYZ”.
  • l “XYZ” is set to the WAN1 interface because that is the only interface that will be able to access that address.
  • l When you are selecting a Source Address in the Web-based Manager for a policy that is using the DMZ the address “XYZ” will not be in the drop-down menu.

When there are only 10 or 20 addresses this is not a concern, but if there are a few hundred addresses configured it can make your life easier.

Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies. If an address is selected in a policy, the address cannot be deleted until it is deselected from the policy.

Addressing Best Practices Tip

Don’t specify an interface for VIP objects or other address objects that may need to be moved or approached from a different direction. When configuring a VIP you may think that it will only be associated with a single interface, but you may later find that you need to reference it on another interface.

Example: Some web applications require the use of a FQDN rather than an

IP address. If you have a VIP set up that works from the Internet to the Internal LAN you wont be able to use that VIP object to access it from an internal LAN interface.

IPv4 Addresses

When creating an IPv4 address there are a number of different types of addresses that can be specified. These include:

  • l FQDN
  • l Geography l IP Range l IP/Netmask l Wildcard FQDN

Which one chosen will depend on which method most easily yet accurately describes the addresses that you are trying to include with as few entries as possible based on the information that you have. For instance, if you are trying to describe the addresses of a specific company’s web server but it you have no idea of how extensive there web server farm is you would be more likely to use a Fully Qualified Domain Name (FQDN) rather than a specific IP address. On the other hand some computers don’t have FQDNs and a specific IP address must be used.

The following is a more comprehensive description of the different types of addresses.

FQDN Addresses

By using Fully Qualified Domain Name (FQDN) addressing you can take advantage of the dynamic ability of DNS to keep up with address changes without having to manually change the addresses on the FortiGate. FQDN addresses are most often used with external web sites but they can be used for internal web sites as well if there is a trusted DNS server that can be accessed. FQDN addressing also comes in handy for large web sites that may use multiple addresses and load balancers for their web sites. The FortiGate firewall automatically maintains a cached record of all the addresses resolved by the DNS for the FQDN addresses used.

For example, if you were doing this manually and you wanted to have a security policy that involved Google you could track down all of the IP addresses that they use across multiple countries. Using the FQDN address is simpler and more convenient.

When representing hosts by an FQDN, the domain name can also be a subdomain, such as mail.example.com.

Valid FQDN formats include:

  • l <host_name>.<top_level_domain_name> such as example.com
  • l <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com When creating FQDN entries it is important to remember that:
  • l Wildcards are not supported in FQDN address objects l While there is a level of convention that would imply it, “www.example.com” is not necessarily the same address of “example.com”. they will each have their own records on the DNS server.

The FortiGate firewall keeps track of the DNS TTLs so as the entries change on the DNS servers the IP address will effectively be updated for the FortiGate. As long as the FQDN address is used in a security policy, it stores the address in the DNS cache.

There is a possible security downside to using FQDN addresses. Using a fully qualified domain name in a security policy means that your policies are relying on the DNS server to be accurate and correct. DNS servers in the past were not seen as potential targets because the thinking was that there was little of value on them and therefore are often not as well protected as some other network resources. People are becoming more aware that the value of the DNS server is that in many ways it controls where users and computers go on the Internet. Should the DNS server be compromised, security policies requiring domain name resolution may no longer function properly.

Creating a Fully Qualified Domain Name address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. 3. In the Category field, chose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type field, select FQDN from the drop down menu.
  5. Input the domain name in the FQDN field.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example: FQDN address

You have to great a policy that will govern traffic that goes to a site that has a number of servers on the Internet. Depending on the traffic or the possibility that one of the servers is down network traffic can go to any one of those sites. The consistent factor is that they all use the same Fully Qualified Domain Name.

  • l The FQDN of the web site: example.com
  • l The number of ISP connections off of the FortiGate firewall: 2

Configuring the address in the GUI

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information:
Category Address
Name BigWebsite.com
Type FQDN
FQDN bigwebsite.com
Interface any
Show in Address List <enable>
Comments <Input into this field is optional>
  1. Select OK.

Configuring the address in the CLI

config firewall address edit BigWebsite.com set type fqdn set associated-interface any set fqdn bigwebsite.com end

Verification

To verify that the addresses were added correctly:

  1. Go to Firewall Objects > Address > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall address edit <the name of the address that you wish to verify> Show full-configuration

Changing the TTL of a FQDN address

To make sure that the FQDN resolves to the most recent active server you have been asked to make sure that the FortiGate has not cached the address for any longer than 10 minutes.

There is no field for the cached time-to-live in the web-based manager. It is only configurable in the CLI. Enter the following commands:

config firewall address edit BigWebsite.com set cache-ttl 600

end

Geography Based Addresses

Geography addresses are those determined by country of origin.

This type of address is only available in the IPv4 address category.

Creating a Geography address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. 3. In the Category field, chose Address. (This is for IPv4 addresses.)
  3. Input a Namefor the address object.
  4. In the Type field, select Geography from the drop down menu.
  5. In the Country field, select a single country from the drop down menu.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example: Geography-based Address

Configuring the address in the GUI

Your company is US based and has information on its web site that may be considered information that is not allowed to be sent to embargoed countries. In an effort to help reduce the possibility of sensitive information going to those countries you have be asked to set up addresses for those countries so that they can be block in the firewall policies.

  • l One of the countries you have been asked to block is Cuba
  • l You have been asked to comment the addresses so that other administrators will know why they have been created
  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information
Category Address
Name Cuba
Type Geography
Country Cuba
Interface any
Visibility <enable>
Comments Embargoed
  1. Select OK.

Configuring the address in the CLI

Enter the following CLI commands:

config firewall address edit Cuba set type geography set country CN set interface wan1

end

Overrides

It is possible to assign a specific ip address range to a customized country ID. Generally, geographic addressing is done at the VDOM level; it coulb be considered global if you are using the root VDOM, but the geoip-override setting is a global setting.

config system geoip-override edit “test”

set country-id “A0” config ip-range edit 1 set start-ip 7.7.7.7 set end-ip 7.7.7.8

next

edit 2 set start-ip 7.7.10.1 set end-ip 7.7.10.255 end

After creating a customized Country by using geoip-override command, the New country name has been added automatically to the country list and will be available on the Firewall Address Country field.

Diagnose commands

There are a few diagnose commands used with geographic addresses. The basic syntax is:

diagnose firewall ipgeo [country-list | ip-list | ip2country | override | copyright-notice]

Diagnose command Description
country-list Listing of all the countries.
ip-list List of the IP addresses associated with the country
ip2country Used to determine which country a specific IP address is assigned to.
override Listing of user defined geography data – items configured by using “config system geoip-override” command.
copyright-notice Shows the copyright notice.

IP Range Addresses

Where the Subnet address is good a representing a standardized group of addresses that are subnets the IP

Range type of address can describe a group of addresses while being specific and granular. It does this by

specifying a continuous set of IP addresses between one specific IP address and another. While it is most common that this range is with a subnet it is not a requirement. For instance, 192.168.1.0/24 and 192.168.2.0/24 would be 2 separate subnets but if you wanted to describe the top half of one and the bottom half of the other you could describe the range of 192.168.1.128-192.168.2.127. It’s also a lot easier that trying to calculate the correct subnet mask.

The format would be:

x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120

There is a notation that is commonly used and accepted by some devices that follows the format:

x.x.x.[x-x], such as 192.168.110.[100-120]

This format is not recognized in FortiOS 5.2 as a valid IP Range.

Creating a IP Range address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address 3. In the Category field, chose Address(IPv4 addresses) or IPv6 Address.
  3. Input a Name for the address object.
  4. In the Type field, select IP Range from the drop down menu.
  5. In the Subnet / IP Range field, enter the range of addresses in the following format: x.x.x.x-x.x.x.x (no spaces)
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu. (This setting is not available for IPv6 addresses)
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.

10. Press OK. Example

Example of a IP Range address for a group of computers set aside for guests on the company network.

Field Value
Category Address or IPv6 Address
Name Guest_users
Type IP Range
Subnet / IP Range 192.168.100.200-192.168.100.240
Interface Port1
Field Value
Show in Address

List

[on]
Comments Computers on the 1st floor used by guests for Internet access.

IP Range addresses can be configured forboth IPv4 and IPv6 addresses. The only differences in creating an IPv6 IP Range address is that you would choose IPv6 Address for the Category and the syntax of the address in the Subnet/IP Range field would be in the format of 2001:0db8:0000:0002:0:0:0:202001:0db8:0000:0004:0:0:0:20

IP / Netmask Addresses

The subnet type of address is expressed using a host address and a subnet mask. From a strictly mathematical stand point this is the most flexible of the types because the address can refer to as little one individual address or as many as all of the available addresses.

It is usally used when referring to your own internal addresses because you know what they are and they are usually administered in groups that are nicely differentiated along the lines of the old A, B, and C classes of IPv4 addresses. They are also addresses that are not likely to change with the changing of Internet Service Providers (ISP).

When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:

  • l A single host such as a single computer with the address 192.45.46.45 l A range of hosts such as all of the hosts on the subnet 192.45.46.1 to 192.45.46.255 l All hosts, represented by 0.0.0.0 which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:

  • l Netmask for a class A subnet of 16,777,214 usable addresses: 255.0.0.0, or /8 l Netmask for a class B subnet of 65,534 usable addresses: 255.255.0.0, or /16 l Netmask for a class C subnet of 254 usable addresses: 255.255.255.0, or /24 l Netmask for subnetted class C of 126 usable addresses: 255.255.255.128, or /25 l Netmask for subnetted class C of 62 usable addresses: 255.255.255.128, or /26 l Netmask for subnetted class C of 30 usable addresses: 255.255.255.128, or /27 l Netmask for subnetted class C of 14 usable addresses: 255.255.255.128, or /28 l Netmask for subnetted class C of 6 usable addresses: 255.255.255.128, or /29 l Netmask for subnetted class C of 2 usable addresses: 255.255.255.128, or /30 l Netmask for a single computer: 255.255.255.255, or /32 l Netmask used with 0.0.0.0 to include all IP addresses: 0.0.0.0, or /0

So for a single host or subnet the valid format of IP address and netmask could be either:

x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0

or

x.x.x.x/x, such as 192.168.1.0/24

Static Route Configuration

A setting that is found in the IP/Netmask address type that is not found in the other address types is the enabling or disabling of Static Route Configuration. Enabling this feature includes the address in the listing of named addresses when setting up a static route.

To use in the GUI

  1. Enable the Static Route Configuration in the address.
  2. Go to Network > Static Routes and create a new route.
  3. For a Destination type, choose Named Address.
  4. Using the drop down menu, enter the name of the address object in the field just underneath the Destination type options.
  5. Fill out the other information relevant to the route
  6. Select the OK button

To enable in the CLI:

config firewall address edit <address_name> set allow-routing enable end

Creating a Subnet address
  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address. 3. In the Category field, chose Address. (This is for IPv4 addresses.)
  3. Input a Namefor the address object.
  4. In the Type field, select IP/Netmask from the drop down menu.
  5. In the Subnet/IP Range field, enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Select the desired on/off toggle setting for Static Route Configuration.
  9. Input any additional information in the Comments field.
11. Press OK. Example

Example of a Subnet address for a database server on the DMZ:

Field Value
Category Address
Name DB_server_1
Type IP/Netmask
Subnet/IP Range United States
Interface any
Show in Address List [on]
Static Route Configuration [off]
Comments  

Wildcard FQDN

There are a number of companies that use secondary and even tertiary domain names or FQDNs for their websites. Wildcard FQDN addresses are to ease the administrative overhead in cases where this occurs. Sometimes its as simple as sites that still use www. as a prefix for their domain name. If you don’t know whether or not the www is being used it’s simpler to use a wildcard and include all of the possibilities whether it be example.com, www.example.com or even ftp.example.com.

Wildcard FQDN addresses do not resolve to a specific set of IP addresses in the same way that a normal FQDN addresss does. They are intended for use in SSL exemptions and should not be used as source or destination addresses in policies.

Creating a Fully Qualified Domain Name address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address 3. In the Category field, chose Address. (This is for IPv4 addresses.)
  3. Input a Name for the address object.
  4. In the Type fUncategorizedield, select Wildcard FQDNfrom the drop down menu.
  5. Input the domain name in the Wildcard FQDN field.
  6. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.

10. Press OK. Example

Example of a FQDN address for a remote FTP server used by Accounting team:

Field Value
Category Address
Name Example.com_servers
Type Wildcard FQDN
Wildcard FQDN *.example.com
Interface any
Show in Address List [on]
Comments Secondary and tertiary domain names for example.com

IPv6 Addresses

When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:

  • l Subnet
  • l IP Range – the details of this type of address are the same as the IPv4 version of this type

The IPv6 addresses don’t yet have the versatility of the IPv4 address in that they don’t have things like geography based or FQDN address but as IPv6 becomes more mainstream this should change.

Subnet Addresses

The Subnet Address type is one that is only used in reference to IPv6 addresses.It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a “/”, and then a number less than 128 to indicate the size of the subnet. An example would be:

fd5e:3c59:35ce:f67e::/64

  • l The hexidecimal charaters represent the IPv6 subnet address.
  • l The “::” indicates 0’s from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
  • l /xx, in this case /64 represents the number of bits in the subnet.This will make a range that can potentially include

18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 Quintillion.

Creating a Subnet address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address
  3. In the Category field, chose IPv6 Address.
  4. Input a Name for the address object.
  5. In the Type field, select Subnet from the drop down menu.
  6. In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces)
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press OK.

Example

Example of a IP Range address for a group of computers set aside for guests on the company network.

Field Value
Category IPv6 Address
Name IPv6_Guest_user_range
Type Subnet
Subnet / IP Range fd5e:3c59:35ce:f67e::/64
Show in Address List [on]
Comments  

Multicast Addresses

Multicast addressing defines a specific range of address values set aside for them. Therefore all IPv4 multicast addresses should be between 224.0.0.0 and 239.255.255.255.

More information on the concepts behind Multicast addressing can be found in the Multicast Forwarding section.

Multicast IP Range

This type of address will allow multicast broadcasts to a specified range of addresses.

Creating a Multicast IP Range address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New.

l If you use the down arrow next to Create New, select Address.

  1. Choose the Category, Multicast Address
  2. Input a Name for the address object.
  3. Select the Type,Multicast IP Range from the dropdown menu.
  4. Enter the value for the Multicast IP Range
  5. Select the Interface from the dropdown menu.
  6. Enable the Show in Address List function
  7. Input any additional information in the Comments field.
  8. Press OK.

Example: Multicast IP Range Address

The company has a large high tech campus that has monitors in many of its meeting rooms. It is common practice for company wide notifications of importance to be done in a streaming video format with the CEO of the company addressing everyone at once.

The video is High Definition quality so takes up a lot of bandwidth. To minimize the impact on the network the network administrators have set things up to allow the use of multicasting to the monitors for these notifications. Now it has to be set up on the FortiGate firewall to allow the traffic.

l The range being used for the multicast is 239.5.5.10 to 239.5.5.200 l The interface on this FortiGate firewall will be on port 9

  1. Go to Policy & Objects> Objects > Addresses and select Create New > Address.
  2. Fill out the fields with the following information
Category Multicast Address
Name Meeting_Room_Displays
Type Multicast IP Range
Multicast IP Range 239.5.5.10-239.5.5.200
Interface port9
Show in Address List <enable>
Comments <Input into this field is optional>
  1. Select OK.
  2. Enter the following CLI command:

config firewall multicast-address edit “meeting_room_display” set type multicastrange set associated-interface “port9” set start-ip 239.5.5.10 set end-ip 239.5.5.200

set visibility enable

next

end

To verify that the address range was added correctly:

  1. Go to Policy & Objects> Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall multicast-address edit <the name of the address that you wish to verify>

Show full-configuration

 

Broadcast Subnet

This type of address will allow multicast broadcast to every node on a subnet.

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In theCategory field, choseMulticast Address.
  4. Input a Name for the address object.
  5. In the Type field, select Broadcast Subnetfrom the drop down menu.
  6. In the Broadcast Subnet field enter the address and subnet mask according to the format x.x.x.x/x.x.x.x or the short hand format of x.x.x.x/x.(Remember, it needs to be within the appropriate IP range 224.0.0.0 to 239.255.255.255)
  7. In the Interface field, leave as the default any or select a specific interface from the drop down menu.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments field.
  10. Press OK.

Example

Field Value
Category Broadcast Subnet
Name Corpnet-B
Type Broadcast Subnet
Broadcast Subnet 224.5.5.0/24
Interface any
Show in Address List [on]
Comments Corporate Network devices – Broadcast Group B

Multicast IP addresses

Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address range is reserved for multicast groups. The multicast address range applies to multicast groups, not to the originators of multicast packets. The following table lists the reserved multicast address ranges and describes what they are reserved for:

Reserved Multicast address ranges

Reserved

Address Range

Use Notes
224.0.0.0 to

224.0.0.255

Used for network protocols on local networks. For more information, see RFC 1700. In this range, packets are not forwarded by the router but remain on the local network. They have a Time to Live (TTL) of 1. These addresses are used for communicating routing information.
224.0.1.0 to

238.255.255.255

Global addresses used for multicasting data between organizations and across the Internet. For more information, see RFC 1700. Some of these addresses are reserved, for example, 224.0.1.1 is used for Network Time Protocol (NTP).
239.0.0.0 to

239.255.255.255

Limited scope addresses used for local groups and organizations. For more information, see RFC 2365. Routers are configured with filters to prevent multicasts to these addresses from leaving the local system.

Creating multicast security policies requires multicast firewall addresses. You can add multicast firewall addresses by going to Firewall Objects > Address > Addresses and selecting Create New > Multicast

Address. The factory default configuration includes multicast addresses for Bonjour (224.0.0.251-224.0.0.251, EIGRP (224.0.0.10-224.0.0.100), OSPF (224.0.0.5-224.0.0.60), all_hosts (224.0.0.1-224.0.0.1), and all_routers (224.0.0.2-224.0.0.2).

Proxy Addresses

This category of address is different from the other addresses in that it is not designed to be used in the normal firewall policy configuration. It is intended to be used only with explicit web proxies.

In some respects they can be like a FQDN addresses in that they refer to an alpha-numeric string that is assigned to an IP address, but then goes an additional level of granularity by using additional information and criteria to further specify locations or types of traffic within the website itself. In depth information on Explicit Proxy Addressing can be found in WAN Optimization, but it is worth laying out the steps of how to create an address object for this category.

Creating an Proxy address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, chose Proxy Address.
  4. Input a Name for the address object.
  5. For the Type field, select one of the options from the drop down menu.

Within the Explicit Proxy Address category there are 8 types of addresses. Each of these types will have associated field(s) that also need to have values entered to make the object specific to it’s address.

Type = URL Pattern

  • l In the Host field, choose from drop down menu l In the URL Path Regex field, enter the appropriate string

Host Regex Match l In the Host Regex Pattern field, enter the appropriate string

URL Category

  • l In the Host field, choose from drop down menu l In the URL Category field, choose from drop down menu

HTTP Method

  • l In the Host field, choose from drop down menu l In the Request Method field, choose from drop down menu The options are: l CONNECT l DELETE l GET l HEAD l OPTIONS l POST l PUT l TRACE

User Agent

  • l In the Host field, choose from drop down menu l In the User Agent field, choose from drop down menu The options are:
  • l Apple Safari l Google Chrome
  • l Microsoft Internet Explorer or Spartan l Mozilla Firefox l Other browsers

HTTP Header

  • l In the Host field, choose from drop down menu l In the Header Name field, enter the appropriate string value l In the Header Regex field, enter the appropriate string value

Advanced (Source)

  • l In the Host field, choose from drop down menu l In the Request Method field, choose from drop down menu (see HTTP Method type for option list) l In the User Agent field, choose from drop down menu (see User Agent type for option list)
  • l In the Header Group table, create, edit or delete Header Name strings and associated Header Regex strings

Advance (Destination)

  • l In the Host field, choose from drop down menu l In the Host Regex Pattern field, enter the appropriate string l In the URL Category field, choose from drop down menu
  1. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
  2. Input any additional information in the Comments field.
  3. Press OK.

Proxy Address Groups

To create a Proxy address group:

  1. Go to Policy & Objects > Addresses.
  2. Click on + Create New to get the drop down menu. Select Address Group.
  3. In the Category field, choose Proxy Group.
  4. Fill in a descriptive name in the Group Name field.
  5. If you wish, use the Change link to change the Color of icons in the GUI. There are 32 color options.
  6. In the Type field, select whether the group will be a Source Group (composed of source addresses) or a Destination Group (composed of destination addresses).
  7. Select anywhere in the Members field to bring forth the pane of potential members for selection to the group.
  8. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  9. Input any additional information in the Comments field.
  10. Click on OK.

Internet Services

In FortiOS 5.4, support was added for Internet Service objects which could be used with FortiView, Logging, Routing and WAN Load Balancing. Now they can be added to firewall policies as well.

There is an either or relationship between Internet Service objects and destination address and service combinations in firewall policies. This means that a destination address and service can be specified in the policy OR an Internet service, not both.

CLI

The related CLI options/syntax are:

config firewall policy edit 1 set internet-service 1 5 10 set internet-service-custom test set internet-service-negate [enable|disable]

end

GUI

In the policy listing page you will notice that is an Internet Service object is used, it will be found in both the Destination and Service column.

In the policy editing page the Destination Address, now Destination field now has two types, Address and Internet Service.

 

Multicast Policy

Multicast Policy

The Multicast Policy GUI page has been updated from previous versions of the firmware to the new GUI look and feel. Some functionality has also been changed.

The DNAT option has been removed from the GUI but is still in the CLI.

To create/edit a multicast policy go to Policy & Objects > Multicast Policy. The Listing window on the right will have buttons along the top that will enable you to l Create New l Edit l Delete

There is also a Search field that will allow you to search or filter the available policies if you have a lot of them.

To configure a new policy left click on the Create New button. This will reveal the New Policy editing window.

  1. Using the drop down menu, fill in the field for Incoming Interface. Only one interface can be chosen.
  2. Using the drop down menu, fill in the field for Outgoing Interface. Only one interface can be chosen.
  3. Set the Source Address parameter by selecting the field with the “+” next to the field label. When the field is selected a window will slide out from the right. In order for a multicast address to available for selection, the address object needs to have been created already. Only useable address options will be available for selection. This means only mutlticast address objects and the more generic all and none The “+” icon next to the Search field is a shortcut for creating a new firewall object. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.

Multicast

  1. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  2. Set the Action This will be to either ACCEPT or DENY the traffic through the policy.
  3. Toggle the Enable SNAT switch to the setting you want. If the slider is gray the option is disabled. If it is colored, it is enabled.
  4. Use the drop down menu to select a Protocol. The options are: l Any l ICMP l IGMP
    • TCP – includes Port Range fields l UDP – includes Port Range fields
    • OSPF
    • Other – includes a field for the protocol number
  5. Depending on which Protocol is defined, the some other fields may appear.
    • Port Range – The first field is for the starting value for the port and the second for the ending value for the port range used by the protocol. Both of these values are inclusive.
    • Protocol field – This appears when the Other option is chosen. Enter the value of the protocol number for the protocol you wish to use.
  6. Toggle the Log Allowed Traffic switch to the setting you want. If the slider is gray the option is disabled. If it is colored, it is enabled.
  7. Toggle the Enable this policy switch to the setting you want. If the slider is gray the option is disabled. If it is colored, it is enabled. By default, this should be enabled
  8. Click on the OK button to save the policy.

Multicast

IPv6 DoS Policy

IPv6 DoS Policy

To configure a IPv6 DoS Policy in the GUI

  1. Go to Policy & Objects > IPv6 DoS Policy

The right side window will display a table of the existing IPv6 DoS Policies.

  • To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
  1. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  2. Set the Source IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  5. Set the parameters for the various traffic anomalies.

All of the anomalies that profiles have been created for are in 2 tables. These tables break up the anomaly profiles into L3 Anomalies and L4 Anomalies. All of the anomalies have the following parameters that can be set on a per anomaly or per column basis.

  • Status – enable or disable the indicated profile l Logging – enable or disable logging of the indicated profile being triggered l Action – whether to Pass or Block traffic when the threshold is reached l Threshold – the number of anomalous packets detected before triggering the action.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session l ip_dst_session

L4 Anomalies

  • tcp_syn_flood l tcp_port_scan l tcp_src_session l tcp_dst_session l udp_flood l udp_scan

 

Multicast

  • udp_src_session l udp_dst_session l icmp_flood l icmp_sweep l icmp_src_session l icmp_dst_session l sctp_flood l sctp_scan
  1. Toggle whether or not to Enable this policy.The default is enabled.
  2. Select the OK button to save the policy.

Configuring the IPv6 DoS Policy in the GUI

The configuring of the IPv6 version of the DoS policy is the same as in the IPv4 version , with the exception of first command.

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy6

The rest of the settings are the same as in IPv4 Dos Policy.

IPv4 DoS Policy

IPv4 DoS Policy

To configure a IPv4 DoS Policy in the GUI

  1. Goto Policy & Objects > IPv4 DoS Policy

The right side window will display a table of the existing IPv4 DoS Policies.

  • To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
  1. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  2. Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  5. Set the parameters for the various traffic anomalies.

All of the anomalies that profiles have been created for are in 2 tables. These tables break up the anomaly profiles into L3 Anomalies and L4 Anomalies. All of the anomalies have the following parameters that can be set on a per anomaly or per column basis.

  • Status – enable or disable the indicated profile l Logging – enable or disable logging of the indicated profile being triggered l Action – whether to Pass or Block traffic when the threshold is reached l Threshold – the number of anomalous packets detected before triggering the action.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session l ip_dst_session

L4 Anomalies

  • tcp_syn_flood l tcp_port_scan l tcp_src_session l tcp_dst_session l udp_flood l udp_scan l udp_src_session l udp_dst_session IPv4
  • icmp_flood l icmp_sweep l icmp_src_session l sctp_flood l sctp_scan l sctp_src_session l sctp_dst_session
  1. Toggle whether or not to Enable this policy.The default is enabled.
  2. Select the OK button to save the policy.

Example

The company wishes to protect against Denial of Service attach. They have chosen some where they wish to block the attacks of the incidence goes above a certain threshold and for some others they are just trying to get a baseline of activity for those types of attacks so they are letting the traffic pass through without action.

  • The interface to the Internet is on WAN1 l There is no requirement to specify which addresses are being protected or protected from. l The protection is to extend to all services.
  • The TCP attacks are to be blocked l The UDP, ICMP, and IP attacks are to be recorded but not blocked.
  • The SCTP attack filters are disabled
  • The tcp_syn_flood attach’s threshold is to be changed from the default to 1000

Configuring the DoS Policy in the GUI

  1. Go to Policy & Objects > Policy > DoS.
  2. Create a new policy
  3. Fill out the fields with the following information:
Field   Value
Incoming Interface   wan1
Source Address   all
Destination Addresses   all
Service   ALL

L3 Anomalies

Name Status Logging Action Threshold
ip_src_session enabled enabled Pass 5000
ip_dst_session enabled enabled Pass 5000

L4 Anomalies

Name Status   Logging Action Threshold
tcp_syn_flood enabled   enabled Block 1000
tcp_port_scan enabled   enabled Block <default value>
tcp_src_session enabled   enabled Block <default value>
tcp_dst_session enabled   enabled Block <default value>
udp_flood enabled   enabled Pass <default value>
udp_scan enabled   enabled Pass <default value>
udp_src_session enabled   enabled Pass <default value>
udp_dst_session enabled   enabled Pass <default value>
icmp_flood enabled   enabled Pass <default value>
icmp_sweep enabled   enabled Pass <default value>
icmp_src_session enabled   enabled Pass <default value>
icmp_dst_session enabled   enabled Pass <default value>
sctp_flood not enabled   not enabled Pass <default value>
sctp_scan not enabled   not enabled Pass <default value>
sctp_src_session not enabled   not enabled Pass <default value>
sctp_dst_session not enabled   not enabled Pass <default value>
  1. Toggle the button next to Enable this policy to ON.
  2. Select OK.

Configuring the IPv4 DoS Policy in the GUI

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy edit 0

set status enable set interface wan1 set srcaddr all set dstaddr all set service ALL config anomaly

IPv4

edit “tcp_syn_flood” set status enable set log disable set action block set threshold 1000 next

edit “tcp_port_scan” set status enable set log disable set action block set threshold 1000 next

edit “tcp_src_session”

set status enable set log disable set action block set threshold 5000 next

edit “tcp_dst_session”

set status enable set log disable set action block set threshold 5000 next

edit “udp_flood” set status enable set log disable set action pass set threshold 2000 next

edit “udp_scan” set status enable set log disable set action pass set quarantine none set threshold 2000 next

edit “udp_src_session”

set status enable set log disable set action pass set threshold 5000 next

edit “udp_dst_session”

set status enable set log disable set action pass set threshold 5000 next

edit “icmp_flood” set status enable set log disable set action pass set threshold 250 next

edit “icmp_sweep” set status enable set log disable set action pass set threshold 100 next

edit “icmp_src_session” set status enable set log disable set action pass set threshold 300 next

edit “icmp_dst_session” set status enable set log disable set action pass set threshold 1000 next

edit “ip_src_session” set status disable set log enable set action pass set threshold 5000 next

edit “ip_dst_session” set status disable set log enable set action pass set threshold 5000 next

edit “sctp_flood” set status disable set log disable set action pass set threshold 2000 next

edit “sctp_scan” set status disable set log disable set action pass set threshold 1000 next

edit “sctp_src_session” set status disable set log disable set action pass set threshold 5000 next

edit “sctp_dst_session” set status disable set log disable set action pass set threshold 5000 next end end end

IPv6

In this example of the CLI, all of the relevant settings have been left in, but some of them are default settings and would not have to have been specifically set to work. For instance, if the action parameter is not set it automatically defaults to pass.

IPv6 Access Control List

IPv6 Access Control List

The IPv6 Access Control List is a specialized policy for denying IPv6 traffic based on:

l the incoming interface l the source addresses of the traffic l the destination addresses of the traffic l the services or ports the traffic is using

The only action available in this policy is DENY

To configure a IPv6 Access Control List entry in the GUI

  1. Goto Policy & Objects > IPv6 Access Control List

The right side window will display a table of the existing IPv6 Access Control List entries.

l To edit an existing entry, double click on the policy you wish to edit l To create a new entry, select the Create New icon in the top left side of the right window.

  1. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  2. Set the Source IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  5. Toggle whether or not to Enable this policy.The default is enabled.
  6. Select the OK button to save the policy.

To configure a IPv6 Access Control List entry in the CLI

Use the following syntax:

config firewall acl6 edit <acl Policy ID #> set status enable set interface <interface> set srcaddr <address object> set dstaddr <address object> set service <service object>

 

end

end

IPv4 Access Control List

IPv4 Access Control List

The IPv4 Access Control List is a specialized policy for denying IPv4 traffic based on:

l the incoming interface l the source addresses of the traffic l the destination addresses of the traffic l the services or ports the traffic is using

The only action available in this policy is DENY

For more information on see Access Control Lists

To configure a IPv4 Access Control List entry in the GUI

  1. Goto Policy & Objects > IPv4 Access Control List

The right side window will display a table of the existing IPv4 Access Control List entries.

l To edit an existing entry, double click on the policy you wish to edit l To create a new entry, select the Create New icon in the top left side of the right window.

  1. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  2. Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  5. Toggle whether or not to Enable this policy.The default is enabled.
  6. Select the OK button to save the policy.

To configure a IPv4 Access Control List entry in the CLI

Use the following syntax: config firewall acl IPv6 Access Control List

edit <acl Policy ID #> set status enable set interface <interface> set srcaddr <address object> set dstaddr <address object> set service <service object>

end

end

Central SNAT

Central SNAT

Central NAT is disabled by default. To toggle the feature on or off, use the following commands:

config system settings set central-nat [enable | disable] end

When Central NAT is enable the Central SNAT section will appear under the Policy & Objects heading in the GUI.

The Central SNAT window contains a table of all of the Central SNAT policies.

To configure a Central SNAT entry in the GUI

  1. Goto Policy & Objects > Central SNAT

The right side window will display a table of the existing Central SNAT entries.

l To edit an existing entry, double click on the policy you wish to edit l To create a new entry, select the Create New icon in the top left side of the right window.

  1. Set the Incoming Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.

 

Central SNAT

  1. Set the Outgoing Interface(s) by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available interfaces. Selecting a listed interface will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.
  2. Set the Source Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination Address by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available address objects. Selecting a listed object will highlight it in the window and add it to the field. Clicking on an object in this window while it’s highlighted will remove it from the field. Multiple selections are allowed.

Under the NAT Heading

  1. Set the IP Pool Configuration parameter by selecting either Use Outgoing Interface Address or Use Dynamic IP Pool.

o If Use Dynamic IP Pool is chosen, a field will appear just beneath the option that is used to select which IP Pool object will be used.Set the IP Pool by clicking on the “+” in the field. This will slide out a window from the right. Here, you can select from the available objects.

  1. Set the Protocol parameter.

There are 5 options for the Protocol.

l ANY – any protocol traffic l TCP – TCP traffic only. Protocol number set to 6 l UDP – UDP traffic only . Protocol number set to 17 l SCTP – SCTP traffic only. Protocol number set to 132 l Specify – User can specify the traffic filter protocol by setting the protocol number in the field.

  1. If the IP Pool is of the type: Overload, Explicit Port Mapping can be enabled.

To enable or disable, use the check box. Once enabled, the following additional parameters will appear.

  • Original Source Port – in the left number field, set the starting number of the source port range.
  • Translated Port – in the left number field, set the starting number of the translated port range. If it is a single port range leave the right number field alone. If the right number field is set to a number higher than the left, the right number field for the Original Source Port will change to make sure the 2 number ranges have a matching number of ports.
  1. Select the OK button to save the entry.

To configure Central SNAT in the CLI

  1. Using the CLI interface of your choice, run the following command to get to the correct context.

config firewall central-snat-map

  • To edit an existing entry, run the command show or show full-configuration to get a listing of all of the entries in the map. Take note of the policy ID for the entry to be edited.
  • To create a new entry the next step will use the policy ID 0 which will check for an unused ID number and create an entry with that number.
  1. Edit or create an entry with the correct policy ID edit <policyID number>

Access Control List

Run the following commands to set the parameters of the entry:

set status [enable|disable]

set orig-addr <valid address object preconfigured on the FortiGate> set srcintf <name of interface on the FortiGate>

set dst-addr <valid address object preconfigured on the FortiGate> set dstintf <name of interface on the FortiGate> set protocol <integer for protocol number> set orig-port <integer for original port number> set nat-port <integer for translated port number>

  1. Save the entry by running the command end or next.

NAT46 Policy

NAT46 Policy

To configure a NAT46 policy in the GUI

  1. Go to Policy & Objects > NAT46 Policy

The right side window will display a table of the existing NAT46 Policies.

  • To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
  1. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  2. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (Same rules apply as with the above step.)
  3. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object before hand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  4. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  5. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Firewall schedules
  6. Set the Service parameter by selecting the field with the “+” next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  7. Set the Action Select one of the following options for the action:
    • ACCEPT – lets the traffic through to the next phase of analysis l DENY – drops the session

While there are not as many Action options as with the IPv4 policy, because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv4 to IPv6, because without NATing the traffic couldn’t reach its destination, so disabling NAT would be pointless.

Central SNAT

  1. Set the Fixed Port parameter by toggling the slider button.(gray means it is disabled)
  2. Set the IP Pool Configuration by selection one of the options of:

l Use Outgoing Interface Address l Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the + icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.

Settings if the DENY action is selected

Enable the Log Violation Traffic setting by toggling the slider button.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.