Create firewall policy (safe)
fortigate_create_policy
Safely create a FortiGate firewall policy: dry-run validates first, then apply by setting FORTIGATE_ENABLE_WRITE and providing the confirmation phrase.
Instructions
Safely create a firewall policy. Defaults to dry_run=true. To apply, set FORTIGATE_ENABLE_WRITE=true and pass confirm exactly as the configured confirmation phrase.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| name | Yes | New firewall policy name | |
| srcintf | Yes | Incoming interface names, e.g. ['lan'] | |
| dstintf | Yes | Outgoing interface names, e.g. ['virtual-wan-link'] | |
| srcaddr | Yes | Source address or group names | |
| dstaddr | No | Destination address/group names (required unless internet-service=enable) | |
| service | No | Service names (required unless internet-service=enable) | |
| policyid | No | Optional policy ID; FortiGate auto-assigns when omitted. | |
| status | No | Defaults to enable on create. | |
| action | No | Defaults to accept on create. | |
| schedule | No | Defaults to always on create. | |
| comments | No | Optional FortiGate comment | |
| nat | No | Defaults to enable on create. | |
| utm-status | No | Enable or disable UTM profiles. | |
| logtraffic | No | Defaults to all on create. | |
| logtraffic-start | No | | |
| internet-service | No | Enable FortiGuard Internet Service destination matching. | |
| internet-service-name | No | Internet Service names when internet-service is enabled | |
| internet-service-group | No | Internet Service group names when internet-service is enabled | |
| ssl-ssh-profile | No | Optional SSL/SSH inspection profile | |
| av-profile | No | Optional antivirus profile | |
| webfilter-profile | No | Optional web filter profile | |
| dnsfilter-profile | No | Optional DNS filter profile | |
| ips-sensor | No | Optional IPS sensor | |
| application-list | No | Optional application control list | |
| profile-protocol-options | No | Optional protocol options profile | |
| dry_run | No | Defaults to true (plan only). Set false to apply a real change. | |
| confirm | No | Required only when dry_run=false; must equal exactly 'APPLY FORTIGATE CHANGE'. | |
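The validation the schema above describes, written out as an added example (not the tool's own code): it checks the required fields, the dstaddr/service exception for internet-service=enable, fills the documented create-time defaults, and refuses to leave dry-run mode unless both FORTIGATE_ENABLE_WRITE and the confirmation phrase are present. The function name and the plan/errors return shape are assumptions for illustration.

```python
import os

# Confirmation phrase as documented in the input schema above.
CONFIRM_PHRASE = "APPLY FORTIGATE CHANGE"

# Values the schema says are applied on create when the caller omits them.
CREATE_DEFAULTS = {
    "status": "enable",
    "action": "accept",
    "schedule": "always",
    "nat": "enable",
    "logtraffic": "all",
}


def validate_create_policy(args, env=None):
    """Return (plan, errors) for a fortigate_create_policy request.

    plan is the normalised request with defaults filled in and a "mode" key of
    either "dry_run" or "apply"; errors is a list of human-readable reasons the
    request must not be sent. Name and return shape are hypothetical; dry_run is
    expected as a bool (assumption).
    """
    env = os.environ if env is None else env
    errors = []

    # Unconditionally required fields.
    for key in ("name", "srcintf", "dstintf", "srcaddr"):
        if not args.get(key):
            errors.append(f"{key} is required")

    # dstaddr and service are required unless FortiGuard Internet Service
    # matching supplies the destination instead.
    if args.get("internet-service") != "enable":
        for key in ("dstaddr", "service"):
            if not args.get(key):
                errors.append(f"{key} is required unless internet-service=enable")

    # Write gate: both the environment switch and the exact phrase are needed.
    dry_run = args.get("dry_run", True)
    if not dry_run:
        if env.get("FORTIGATE_ENABLE_WRITE", "").lower() != "true":
            errors.append("FORTIGATE_ENABLE_WRITE is not true; refusing to apply")
        if args.get("confirm") != CONFIRM_PHRASE:
            errors.append("confirm does not equal the configured confirmation phrase")

    # Build the plan: caller values override defaults; control fields are dropped.
    body = {k: v for k, v in args.items() if k not in ("dry_run", "confirm")}
    plan = {**CREATE_DEFAULTS, **body, "mode": "dry_run" if dry_run else "apply"}
    return plan, errors
```

Run the function with an empty env dict to test the gate deterministically; pass nothing to read the real process environment.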