sample_fortigate.pol
# Sample Capirca policy for the fortigate target.
# Header Option: from-id <int> -- Tells Capirca to number firewall
# policies starting at the provided integer.
# Header Option: ngfw-mode <profile|policy> -- Default is profile.
# If the Fortigate is using policy-based NGFW mode, add 'ngfw-mode policy'.
# Neither option is set in the header below, so per the note above the
# ngfw-mode default (profile) applies.
header {
target:: fortigate
}
# Accepts traffic from INTERNAL to the HTTP/HTTPS destination ports and
# logs matches via syslog. No destination-address is given, so the term
# is not limited to particular destinations.
# INTERNAL, HTTP and HTTPS are tokens resolved from the network/service
# definition files, which are not shown here.
term allow-web-outbound{
source-address:: INTERNAL
destination-port:: HTTP HTTPS
# NOTE(review): source-port pins the client side to the HTTP service
# token. Web clients normally use ephemeral source ports, so this looks
# like it is here to exercise source-port rendering -- confirm before
# reusing the term in a real policy.
source-port:: HTTP
# NOTE(review): udp is included alongside tcp; verify that is intended
# for these services rather than tcp only.
protocol:: tcp udp
# The expiration date is in the past. NOTE(review): Capirca generators
# normally warn about and skip expired terms -- verify whether this
# term is still rendered for fortigate.
expiration:: 2020-12-20
logging:: syslog
action:: accept
}
# Rejects DNS/HTTPS traffic destined for INTERNAL, with NTP_SERVERS
# carved out of both the source and the destination side.
# No source-address is given, so the source side is "any except
# NTP_SERVERS". No logging keyword is set on this term.
term customers-policy {
destination-address:: INTERNAL
# Addresses in NTP_SERVERS are excluded from the INTERNAL destination set.
destination-exclude:: NTP_SERVERS
destination-port:: DNS HTTPS
# NOTE(review): source-exclude is used without a source-address;
# confirm how the fortigate generator renders an exclude-only source.
source-exclude:: NTP_SERVERS
protocol:: tcp udp
action:: reject
}
# Accepts SMTP traffic from INTERNAL to MAIL_SERVERS, bound to a specific
# ingress (port2) and egress (port1) interface. This is the only term in
# the file that sets interfaces, a comment and an owner.
term customers-policy2 {
source-interface:: port2
destination-interface:: port1
source-address:: INTERNAL
# NOTE(review): the source port is pinned to the SMTP service token as
# well as the destination port; mail clients normally connect from
# ephemeral ports -- confirm this is only sample data.
source-port:: SMTP
destination-address:: MAIL_SERVERS
destination-port:: SMTP
# NOTE(review): udp is listed next to tcp for SMTP; verify it is needed.
protocol:: tcp udp
comment:: "this a test policy"
owner:: foo@google.com
action:: accept
}
# Accepts TCP traffic from LINKLOCAL to SITELOCAL/LINKLOCAL on the
# HTTP/HTTPS destination ports. The term name suggests these tokens are
# IPv6 ranges; their definitions are not shown here.
# This is the last term in the file and no catch-all deny term follows.
# NOTE(review): unmatched traffic is therefore left to the device's own
# default handling -- confirm that is the intended baseline.
term ipv6-outbound{
source-address:: LINKLOCAL
destination-address:: SITELOCAL LINKLOCAL
destination-port:: HTTP HTTPS
# NOTE(review): source port pinned to the HTTP service token, as in
# allow-web-outbound -- presumably sample data, confirm before reuse.
source-port:: HTTP
protocol:: tcp
# The expiration date is in the past. NOTE(review): verify whether the
# generator still renders this term or skips it as expired.
expiration:: 2020-12-20
action:: accept
}