» fortios_firewall_security_policy

Provides a resource to configure firewall policies of FortiOS.

» Example Usage 1

provider "fortios" {
    hostname = "54.226.179.231"
    token = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
}

resource "fortios_firewall_security_policy" "test1" {
    name = "ap11"
    srcintf = ["port2"]
    dstintf = ["port1"]
    srcaddr = ["swscan.apple.com", "google-play"]
    dstaddr = ["swscan.apple.com", "update.microsoft.com"]
    internet_service = "disable"
    internet_service_id = []
    schedule = "always"
    service = ["ALL_ICMP", "FTP"]
    action = "accept"
    utm_status = "enable"
    logtraffic = "all"
    logtraffic_start = "enable"
    capture_packet = "enable"
    ippool = "enable"
    poolname = ["rewq", "rbb"]
    groups = ["Guest-group", "SSO_Guest_Users"]
    devices = ["android-phone", "android-tablet"]
    comments = "security policy"
    av_profile = "wifi-default"
    webfilter_profile = "monitor-all"
    dnsfilter_profile = "default"
    ips_sensor = "protect_client"
    application_list = "block-high-risk"
    ssl_ssh_profile = "certificate-inspection"
    nat = "enable"
}

» Example Usage 2

provider "fortios" {
    hostname = "54.226.179.231"
    token = "jn3t3Nw7qckQzt955Htkfj5hwQ6jdb"
}

resource "fortios_firewall_security_policy" "test2" {
    name = "ap21"
    srcintf = ["port2"]
    dstintf = ["port1"]
    srcaddr = ["swscan.apple.com", "google-play"]
    dstaddr = ["swscan.apple.com", "update.microsoft.com"]
    internet_service = "enable"
    internet_service_id = [917520, 6881402, 393219]
    schedule = "always"
    service = []
    action = "accept"
    utm_status = "enable"
    logtraffic = "all"
    logtraffic_start = "enable"
    capture_packet = "enable"
    ippool = "enable"
    poolname = ["rewq", "rbb"]
    groups = ["Guest-group", "SSO_Guest_Users"]
    devices = ["android-phone", "android-tablet"]
    comments = "security policy"
    av_profile = "wifi-default"
    webfilter_profile = "monitor-all"
    dnsfilter_profile = "default"
    ips_sensor = "protect_client"
    application_list = "block-high-risk"
    ssl_ssh_profile = "certificate-inspection"
    nat = "enable"
}

» Example Usage 3

resource "fortios_firewall_security_policy" "test1" {
    name = "ap12221"
    srcintf = ["port3"]
    dstintf = ["port4"]
    srcaddr = []
    dstaddr = []
    internet_service = "enable"
    internet_service_id = [5242880]
    internet_service_src = "enable"
    internet_service_src_id = [65643]
    users = ["guest"]
    status = "enable"
    schedule = "always"
    service = []
    action = "accept"
    utm_status = "enable"
    logtraffic = "all"
    logtraffic_start = "enable"
    capture_packet = "enable"
    ippool = "disable"
    poolname = []
    groups = ["Guest-group", "SSO_Guest_Users"]
    devices = []
    comments = "security policy"
    av_profile = "wifi-default"
    webfilter_profile = "monitor-all"
    dnsfilter_profile = "default"
    ips_sensor = "protect_client"
    application_list = "block-high-risk"
    ssl_ssh_profile = "certificate-inspection"
    nat = "enable"
    profile_protocol_options = "default"
}

» Argument Reference

The following arguments are supported:

  • name - (Required) Policy name.
  • srcintf - (Required) Incoming (ingress) interface.
  • dstintf - (Required) Outgoing (egress) interface.
  • srcaddr - (Required) Source address and address group names.
  • dstaddr - (Required) Destination address and address group names.
  • internet_service - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
  • internet_service_id - Internet Service ID.
  • action - (Required) Policy action.
  • schedule - (Required) Schedule name.
  • service - (Required) Service and service group names..
  • utm_status - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
  • logtraffic - Enable or disable logging. Log all sessions or security profile sessions.
  • logtraffic_start - Record logs when a session starts and ends.
  • capture_packet - Enable/disable capture packets.
  • ippool - Enable to use IP Pools for source NAT.
  • poolname - IP Pool names.
  • groups - Names of user groups that can authenticate with this policy.
  • devices - Device type category.
  • comments - Comment.
  • av_profile - Name of an existing Antivirus profile.
  • webfilter_profile - Name of an existing Web filter profile.
  • dnsfilter_profile - Name of an existing DNS filter profile.
  • ips_sensor - Name of an existing IPS sensor.
  • application_list - Name of an existing Application list.
  • ssl_ssh_profile - Name of an existing SSL SSH profile.
  • nat - Enable/disable source NAT.
  • internet_service_src - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
  • internet_service_src_id - Internet Service source ID.
  • users - Names of individual users that can authenticate with this policy.
  • status - Enable or disable this policy.
  • profile_protocol_options - Name of an existing Protocol options profile.

» Attributes Reference

The following attributes are exported:

  • id - The ID of the firewall policy item.
  • name - Policy name.
  • srcintf - Incoming (ingress) interface.
  • dstintf - Outgoing (egress) interface.
  • srcaddr - Source address and address group names.
  • dstaddr - Destination address and address group names.
  • internet_service - Enable/disable use of Internet Services for this policy. If enabled, destination address and service are not used.
  • internet_service_id - Internet Service ID.
  • action - Policy action.
  • schedule - Schedule name.
  • service - Service and service group names..
  • utm_status - Enable to add one or more security profiles (AV, IPS, etc.) to the firewall policy.
  • logtraffic - Enable or disable logging. Log all sessions or security profile sessions.
  • logtraffic_start - Record logs when a session starts and ends.
  • capture_packet - Enable/disable capture packets.
  • ippool - Enable to use IP Pools for source NAT.
  • poolname - IP Pool names.
  • groups - Names of user groups that can authenticate with this policy.
  • devices - Device type category.
  • comments - Comment.
  • av_profile - Name of an existing Antivirus profile.
  • webfilter_profile - Name of an existing Web filter profile.
  • dnsfilter_profile - Name of an existing DNS filter profile.
  • ips_sensor - Name of an existing IPS sensor.
  • application_list - Name of an existing Application list.
  • ssl_ssh_profile - Name of an existing SSL SSH profile.
  • nat - Enable/disable source NAT.
  • internet_service_src - Enable/disable use of Internet Services in source for this policy. If enabled, source address is not used.
  • internet_service_src_id - Internet Service source ID.
  • users - Names of individual users that can authenticate with this policy.
  • status - Enable or disable this policy.
  • profile_protocol_options - Name of an existing Protocol options profile.