From ce381908babaed84163878e3dcf88e8a346334b4 Mon Sep 17 00:00:00 2001
From: John Poland
Date: Sat, 11 Oct 2025 17:07:42 -0400
Subject: [PATCH] fortigate/vdom_Policy/firewall.cfg Sat Oct 11 05:07:41 PM EDT 2025
---
 configs/fortigate/vdom_Policy/firewall.cfg | 1145 ++++++++++++++++++++
 1 file changed, 1145 insertions(+)
 create mode 100644 configs/fortigate/vdom_Policy/firewall.cfg
diff --git a/configs/fortigate/vdom_Policy/firewall.cfg b/configs/fortigate/vdom_Policy/firewall.cfg
new file mode 100644
index 0000000..2e9d337
--- /dev/null
+++ b/configs/fortigate/vdom_Policy/firewall.cfg
@@ -0,0 +1,1145 @@
+config firewall address
+ edit "none"
+ set subnet 0.0.0.0 255.255.255.255
+ next
+ edit "login.microsoftonline.com"
+ set type fqdn
+ set fqdn "login.microsoftonline.com"
+ next
+ edit "login.microsoft.com"
+ set type fqdn
+ set fqdn "login.microsoft.com"
+ next
+ edit "login.windows.net"
+ set type fqdn
+ set fqdn "login.windows.net"
+ next
+ edit "gmail.com"
+ set type fqdn
+ set fqdn "gmail.com"
+ next
+ edit "wildcard.google.com"
+ set type fqdn
+ set fqdn "*.google.com"
+ next
+ edit "wildcard.dropbox.com"
+ set type fqdn
+ set fqdn "*.dropbox.com"
+ next
+ edit "SSLVPN_TUNNEL_ADDR1"
+ set type iprange
+ set start-ip 10.212.134.200
+ set end-ip 10.212.134.210
+ next
+ edit "all"
+ next
+ edit "FIREWALL_AUTH_PORTAL_ADDRESS"
+ next
+ edit "FABRIC_DEVICE"
+ set comment "IPv4 addresses of Fabric Devices."
+ next
+ edit "FCTEMS_ALL_FORTICLOUD_SERVERS"
+ set type dynamic
+ set sub-type ems-tag
+ next
+end
+config firewall multicast-address
+ edit "all_hosts"
+ set start-ip 224.0.0.1
+ set end-ip 224.0.0.1
+ next
+ edit "all_routers"
+ set start-ip 224.0.0.2
+ set end-ip 224.0.0.2
+ next
+ edit "Bonjour"
+ set start-ip 224.0.0.251
+ set end-ip 224.0.0.251
+ next
+ edit "EIGRP"
+ set start-ip 224.0.0.10
+ set end-ip 224.0.0.10
+ next
+ edit "OSPF"
+ set start-ip 224.0.0.5
+ set end-ip 224.0.0.6
+ next
+ edit "all"
+ set start-ip 224.0.0.0
+ set end-ip 239.255.255.255
+ next
+end
+config firewall address6
+ edit "all"
+ next
+ edit "none"
+ set ip6 ::/128
+ next
+ edit "SSLVPN_TUNNEL_IPv6_ADDR1"
+ set ip6 fdff:ffff::/120
+ next
+end
+config firewall multicast-address6
+ edit "all"
+ set ip6 ff00::/8
+ next
+end
+config firewall addrgrp
+ edit "G Suite"
+ set member "gmail.com" "wildcard.google.com"
+ next
+ edit "Microsoft Office 365"
+ set member "login.microsoftonline.com" "login.microsoft.com" "login.windows.net"
+ next
+end
+config firewall wildcard-fqdn custom
+ edit "g-Adobe Login"
+ set wildcard-fqdn "*.adobelogin.com"
+ next
+ edit "g-Gotomeeting"
+ set wildcard-fqdn "*.gotomeeting.com"
+ next
+ edit "g-Windows update 2"
+ set wildcard-fqdn "*.windowsupdate.com"
+ next
+ edit "g-adobe"
+ set wildcard-fqdn "*.adobe.com"
+ next
+ edit "g-android"
+ set wildcard-fqdn "*.android.com"
+ next
+ edit "g-apple"
+ set wildcard-fqdn "*.apple.com"
+ next
+ edit "g-appstore"
+ set wildcard-fqdn "*.appstore.com"
+ next
+ edit "g-auth.gfx.ms"
+ set wildcard-fqdn "*.auth.gfx.ms"
+ next
+ edit "g-autoupdate.opera.com"
+ set wildcard-fqdn "*autoupdate.opera.com"
+ next
+ edit "g-cdn-apple"
+ set wildcard-fqdn "*.cdn-apple.com"
+ next
+ edit "g-citrix"
+ set wildcard-fqdn "*.citrixonline.com"
+ next
+ edit "g-dropbox.com"
+ set wildcard-fqdn "*.dropbox.com"
+ next
+ edit "g-eease"
+ set wildcard-fqdn "*.eease.com"
+ next
+ edit "g-firefox update server"
+ set wildcard-fqdn "aus*.mozilla.org"
+ next
+ edit "g-fortinet"
+ set wildcard-fqdn "*.fortinet.com"
+ next
+ edit "g-google-drive"
+ set wildcard-fqdn "*drive.google.com"
+ next
+ edit "g-google-play"
+ set wildcard-fqdn "*play.google.com"
+ next
+ edit "g-google-play2"
+ set wildcard-fqdn "*.ggpht.com"
+ next
+ edit "g-google-play3"
+ set wildcard-fqdn "*.books.google.com"
+ next
+ edit "g-googleapis.com"
+ set wildcard-fqdn "*.googleapis.com"
+ next
+ edit "g-icloud"
+ set wildcard-fqdn "*.icloud.com"
+ next
+ edit "g-itunes"
+ set wildcard-fqdn "*itunes.apple.com"
+ next
+ edit "g-live.com"
+ set wildcard-fqdn "*.live.com"
+ next
+ edit "g-microsoft"
+ set wildcard-fqdn "*.microsoft.com"
+ next
+ edit "g-mzstatic-apple"
+ set wildcard-fqdn "*.mzstatic.com"
+ next
+ edit "g-skype"
+ set wildcard-fqdn "*.messenger.live.com"
+ next
+ edit "g-softwareupdate.vmware.com"
+ set wildcard-fqdn "*.softwareupdate.vmware.com"
+ next
+ edit "g-swscan.apple.com"
+ set wildcard-fqdn "*swscan.apple.com"
+ next
+ edit "g-update.microsoft.com"
+ set wildcard-fqdn "*update.microsoft.com"
+ next
+ edit "g-verisign"
+ set wildcard-fqdn "*.verisign.com"
+ next
+end
+config firewall service category
+ edit "General"
+ set comment "General services."
+ next
+ edit "Web Access"
+ set comment "Web access."
+ next
+ edit "File Access"
+ set comment "File access."
+ next
+ edit "Email"
+ set comment "Email services."
+ next
+ edit "Network Services"
+ set comment "Network services."
+ next
+ edit "Authentication"
+ set comment "Authentication service."
+ next
+ edit "Remote Access"
+ set comment "Remote access."
+ next
+ edit "Tunneling"
+ set comment "Tunneling service."
+ next
+ edit "VoIP, Messaging & Other Applications"
+ set comment "VoIP, messaging, and other applications."
+ next
+ edit "Web Proxy"
+ set comment "Explicit web proxy."
+ next
+end
+config firewall service custom
+ edit "DNS"
+ set category "Network Services"
+ set tcp-portrange 53
+ set udp-portrange 53
+ next
+ edit "HTTP"
+ set category "Web Access"
+ set tcp-portrange 80
+ next
+ edit "HTTPS"
+ set category "Web Access"
+ set tcp-portrange 443
+ next
+ edit "IMAP"
+ set category "Email"
+ set tcp-portrange 143
+ next
+ edit "IMAPS"
+ set category "Email"
+ set tcp-portrange 993
+ next
+ edit "LDAP"
+ set category "Authentication"
+ set tcp-portrange 389
+ next
+ edit "DCE-RPC"
+ set category "Remote Access"
+ set tcp-portrange 135
+ set udp-portrange 135
+ next
+ edit "POP3"
+ set category "Email"
+ set tcp-portrange 110
+ next
+ edit "POP3S"
+ set category "Email"
+ set tcp-portrange 995
+ next
+ edit "SAMBA"
+ set category "File Access"
+ set tcp-portrange 139
+ next
+ edit "SMTP"
+ set category "Email"
+ set tcp-portrange 25
+ next
+ edit "SMTPS"
+ set category "Email"
+ set tcp-portrange 465
+ next
+ edit "KERBEROS"
+ set category "Authentication"
+ set tcp-portrange 88 464
+ set udp-portrange 88 464
+ next
+ edit "LDAP_UDP"
+ set category "Authentication"
+ set udp-portrange 389
+ next
+ edit "SMB"
+ set category "File Access"
+ set tcp-portrange 445
+ next
+ edit "FTP"
+ set category "File Access"
+ set tcp-portrange 21
+ next
+ edit "FTP_GET"
+ set category "File Access"
+ set tcp-portrange 21
+ next
+ edit "FTP_PUT"
+ set category "File Access"
+ set tcp-portrange 21
+ next
+ edit "ALL"
+ set category "General"
+ set protocol IP
+ next
+ edit "ALL_TCP"
+ set category "General"
+ set tcp-portrange 1-65535
+ next
+ edit "ALL_UDP"
+ set category "General"
+ set udp-portrange 1-65535
+ next
+ edit "ALL_ICMP"
+ set category "General"
+ set protocol ICMP
+ unset icmptype
+ next
+ edit "ALL_ICMP6"
+ set category "General"
+ set protocol ICMP6
+ unset icmptype
+ next
+ edit "GRE"
+ set category "Tunneling"
+ set protocol IP
+ set protocol-number 47
+ next
+ edit "AH"
+ set category "Tunneling"
+ set protocol IP
+ set protocol-number 51
+ next
+ edit "ESP"
+ set category "Tunneling"
+ set protocol IP
+ set protocol-number 50
+ next
+ edit "AOL"
+ set visibility disable
+ set tcp-portrange 5190-5194
+ next
+ edit "BGP"
+ set category "Network Services"
+ set tcp-portrange 179
+ next
+ edit "DHCP"
+ set category "Network Services"
+ set udp-portrange 67-68
+ next
+ edit "FINGER"
+ set visibility disable
+ set tcp-portrange 79
+ next
+ edit "GOPHER"
+ set visibility disable
+ set tcp-portrange 70
+ next
+ edit "H323"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 1720 1503
+ set udp-portrange 1719
+ next
+ edit "IKE"
+ set category "Tunneling"
+ set udp-portrange 500 4500
+ next
+ edit "Internet-Locator-Service"
+ set visibility disable
+ set tcp-portrange 389
+ next
+ edit "IRC"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 6660-6669
+ next
+ edit "L2TP"
+ set category "Tunneling"
+ set tcp-portrange 1701
+ set udp-portrange 1701
+ next
+ edit "NetMeeting"
+ set visibility disable
+ set tcp-portrange 1720
+ next
+ edit "NFS"
+ set category "File Access"
+ set tcp-portrange 111 2049
+ set udp-portrange 111 2049
+ next
+ edit "NNTP"
+ set visibility disable
+ set tcp-portrange 119
+ next
+ edit "NTP"
+ set category "Network Services"
+ set tcp-portrange 123
+ set udp-portrange 123
+ next
+ edit "OSPF"
+ set category "Network Services"
+ set protocol IP
+ set protocol-number 89
+ next
+ edit "PC-Anywhere"
+ set category "Remote Access"
+ set tcp-portrange 5631
+ set udp-portrange 5632
+ next
+ edit "PING"
+ set category "Network Services"
+ set protocol ICMP
+ set icmptype 8
+ unset icmpcode
+ next
+ edit "TIMESTAMP"
+ set protocol ICMP
+ set visibility disable
+ set icmptype 13
+ unset icmpcode
+ next
+ edit "INFO_REQUEST"
+ set protocol ICMP
+ set visibility disable
+ set icmptype 15
+ unset icmpcode
+ next
+ edit "INFO_ADDRESS"
+ set protocol ICMP
+ set visibility disable
+ set icmptype 17
+ unset icmpcode
+ next
+ edit "ONC-RPC"
+ set category "Remote Access"
+ set tcp-portrange 111
+ set udp-portrange 111
+ next
+ edit "PPTP"
+ set category "Tunneling"
+ set tcp-portrange 1723
+ next
+ edit "QUAKE"
+ set visibility disable
+ set udp-portrange 26000 27000 27910 27960
+ next
+ edit "RAUDIO"
+ set visibility disable
+ set udp-portrange 7070
+ next
+ edit "REXEC"
+ set visibility disable
+ set tcp-portrange 512
+ next
+ edit "RIP"
+ set category "Network Services"
+ set udp-portrange 520
+ next
+ edit "RLOGIN"
+ set visibility disable
+ set tcp-portrange 513:512-1023
+ next
+ edit "RSH"
+ set visibility disable
+ set tcp-portrange 514:512-1023
+ next
+ edit "SCCP"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 2000
+ next
+ edit "SIP"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 5060
+ set udp-portrange 5060
+ next
+ edit "SIP-MSNmessenger"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 1863
+ next
+ edit "SNMP"
+ set category "Network Services"
+ set tcp-portrange 161-162
+ set udp-portrange 161-162
+ next
+ edit "SSH"
+ set category "Remote Access"
+ set tcp-portrange 22
+ next
+ edit "SYSLOG"
+ set category "Network Services"
+ set udp-portrange 514
+ next
+ edit "TALK"
+ set visibility disable
+ set udp-portrange 517-518
+ next
+ edit "TELNET"
+ set category "Remote Access"
+ set tcp-portrange 23
+ next
+ edit "TFTP"
+ set category "File Access"
+ set udp-portrange 69
+ next
+ edit "MGCP"
+ set visibility disable
+ set udp-portrange 2427 2727
+ next
+ edit "UUCP"
+ set visibility disable
+ set tcp-portrange 540
+ next
+ edit "VDOLIVE"
+ set visibility disable
+ set tcp-portrange 7000-7010
+ next
+ edit "WAIS"
+ set visibility disable
+ set tcp-portrange 210
+ next
+ edit "WINFRAME"
+ set visibility disable
+ set tcp-portrange 1494 2598
+ next
+ edit "X-WINDOWS"
+ set category "Remote Access"
+ set tcp-portrange 6000-6063
+ next
+ edit "PING6"
+ set protocol ICMP6
+ set visibility disable
+ set icmptype 128
+ unset icmpcode
+ next
+ edit "MS-SQL"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 1433 1434
+ next
+ edit "MYSQL"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 3306
+ next
+ edit "RDP"
+ set category "Remote Access"
+ set tcp-portrange 3389
+ next
+ edit "VNC"
+ set category "Remote Access"
+ set tcp-portrange 5900
+ next
+ edit "DHCP6"
+ set category "Network Services"
+ set udp-portrange 546 547
+ next
+ edit "SQUID"
+ set category "Tunneling"
+ set tcp-portrange 3128
+ next
+ edit "SOCKS"
+ set category "Tunneling"
+ set tcp-portrange 1080
+ set udp-portrange 1080
+ next
+ edit "WINS"
+ set category "Remote Access"
+ set tcp-portrange 1512
+ set udp-portrange 1512
+ next
+ edit "RADIUS"
+ set category "Authentication"
+ set udp-portrange 1812 1813
+ next
+ edit "RADIUS-OLD"
+ set visibility disable
+ set udp-portrange 1645 1646
+ next
+ edit "CVSPSERVER"
+ set visibility disable
+ set tcp-portrange 2401
+ set udp-portrange 2401
+ next
+ edit "AFS3"
+ set category "File Access"
+ set tcp-portrange 7000-7009
+ set udp-portrange 7000-7009
+ next
+ edit "TRACEROUTE"
+ set category "Network Services"
+ set udp-portrange 33434-33535
+ next
+ edit "RTSP"
+ set category "VoIP, Messaging & Other Applications"
+ set tcp-portrange 554 7070 8554
+ set udp-portrange 554
+ next
+ edit "MMS"
+ set visibility disable
+ set tcp-portrange 1755
+ set udp-portrange 1024-5000
+ next
+ edit "NONE"
+ set visibility disable
+ set tcp-portrange 0
+ next
+ edit "webproxy"
+ set proxy enable
+ set category "Web Proxy"
+ set protocol ALL
+ set tcp-portrange 0-65535:0-65535
+ next
+end
+config firewall service group
+ edit "Email Access"
+ set member "DNS" "IMAP" "IMAPS" "POP3" "POP3S" "SMTP" "SMTPS"
+ next
+ edit "Web Access"
+ set member "DNS" "HTTP" "HTTPS"
+ next
+ edit "Windows AD"
+ set member "DCE-RPC" "DNS" "KERBEROS" "LDAP" "LDAP_UDP" "SAMBA" "SMB"
+ next
+ edit "Exchange Server"
+ set member "DCE-RPC" "DNS" "HTTPS"
+ next
+end
+config firewall shaper traffic-shaper
+ edit "high-priority"
+ set maximum-bandwidth 1048576
+ set per-policy enable
+ next
+ edit "medium-priority"
+ set maximum-bandwidth 1048576
+ set priority medium
+ set per-policy enable
+ next
+ edit "low-priority"
+ set maximum-bandwidth 1048576
+ set priority low
+ set per-policy enable
+ next
+ edit "guarantee-100kbps"
+ set guaranteed-bandwidth 100
+ set maximum-bandwidth 1048576
+ set per-policy enable
+ next
+ edit "shared-1M-pipe"
+ set maximum-bandwidth 1024
+ next
+end
+config firewall schedule recurring
+ edit "always"
+ set day sunday monday tuesday wednesday thursday friday saturday
+ next
+ edit "none"
+ next
+ edit "default-darrp-optimize"
+ set start 01:00
+ set end 01:30
+ set day sunday monday tuesday wednesday thursday friday saturday
+ next
+end
+config firewall ssh local-key
+ edit "g-Fortinet_SSH_DSA1024"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_ECDSA256"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_ECDSA384"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_ECDSA521"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_ED25519"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_RSA2048"
+ set  *HIDDEN*
+ set source built-in
+ next
+end
+config firewall ssh local-ca
+ edit "g-Fortinet_SSH_CA"
+ set  *HIDDEN*
+ set source built-in
+ next
+ edit "g-Fortinet_SSH_CA_Untrusted"
+ set  *HIDDEN*
+ set source built-in
+ next
+end
+config firewall ssh setting
+ set caname "g-Fortinet_SSH_CA"
+ set untrusted-caname "g-Fortinet_SSH_CA_Untrusted"
+ set hostkey-rsa2048 "g-Fortinet_SSH_RSA2048"
+ set hostkey-dsa1024 "g-Fortinet_SSH_DSA1024"
+ set hostkey-ecdsa256 "g-Fortinet_SSH_ECDSA256"
+ set hostkey-ecdsa384 "g-Fortinet_SSH_ECDSA384"
+ set hostkey-ecdsa521 "g-Fortinet_SSH_ECDSA521"
+ set hostkey-ed25519 "g-Fortinet_SSH_ED25519"
+end
+config firewall profile-protocol-options
+ edit "default"
+ set comment "All default services."
+ config http
+ set ports 80
+ unset options
+ unset post-lang
+ end
+ config ftp
+ set ports 21
+ set options splice
+ end
+ config imap
+ set ports 143
+ set options fragmail
+ end
+ config mapi
+ set ports 135
+ set options fragmail
+ end
+ config pop3
+ set ports 110
+ set options fragmail
+ end
+ config smtp
+ set ports 25
+ set options fragmail splice
+ end
+ config nntp
+ set ports 119
+ set options splice
+ end
+ config ssh
+ unset options
+ end
+ config dns
+ set ports 53
+ end
+ config cifs
+ set ports 445
+ unset options
+ end
+ next
+end
+config firewall ssl-ssh-profile
+ edit "certificate-inspection"
+ set comment "Read-only SSL handshake inspection profile."
+ config https
+ set ports 443
+ set status certificate-inspection
+ set unsupported-ssl-version allow
+ end
+ config ftps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config imaps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config pop3s
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config smtps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config ssh
+ set ports 22
+ set status disable
+ end
+ config dot
+ set status disable
+ end
+ next
+ edit "deep-inspection"
+ set comment "Read-only deep inspection profile."
+ config https
+ set ports 443
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config ftps
+ set ports 990
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config imaps
+ set ports 993
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config pop3s
+ set ports 995
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config smtps
+ set ports 465
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config ssh
+ set ports 22
+ set status disable
+ end
+ config dot
+ set status disable
+ end
+ config ssl-exempt
+ edit 1
+ set fortiguard-category 31
+ next
+ edit 2
+ set fortiguard-category 33
+ next
+ edit 3
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-adobe"
+ next
+ edit 4
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Adobe Login"
+ next
+ edit 5
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-android"
+ next
+ edit 6
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-apple"
+ next
+ edit 7
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-appstore"
+ next
+ edit 8
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-auth.gfx.ms"
+ next
+ edit 9
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-citrix"
+ next
+ edit 10
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-dropbox.com"
+ next
+ edit 11
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-eease"
+ next
+ edit 12
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-firefox update server"
+ next
+ edit 13
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-fortinet"
+ next
+ edit 14
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-googleapis.com"
+ next
+ edit 15
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-drive"
+ next
+ edit 16
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play2"
+ next
+ edit 17
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play3"
+ next
+ edit 18
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Gotomeeting"
+ next
+ edit 19
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-icloud"
+ next
+ edit 20
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-itunes"
+ next
+ edit 21
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-microsoft"
+ next
+ edit 22
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-skype"
+ next
+ edit 23
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-softwareupdate.vmware.com"
+ next
+ edit 24
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-verisign"
+ next
+ edit 25
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Windows update 2"
+ next
+ edit 26
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-live.com"
+ next
+ edit 27
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play"
+ next
+ edit 28
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-update.microsoft.com"
+ next
+ edit 29
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-swscan.apple.com"
+ next
+ edit 30
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-autoupdate.opera.com"
+ next
+ edit 31
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-cdn-apple"
+ next
+ edit 32
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-mzstatic-apple"
+ next
+ end
+ next
+ edit "custom-deep-inspection"
+ set comment "Customizable deep inspection profile."
+ config https
+ set ports 443
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config ftps
+ set ports 990
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config imaps
+ set ports 993
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config pop3s
+ set ports 995
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config smtps
+ set ports 465
+ set status deep-inspection
+ set unsupported-ssl-version allow
+ end
+ config ssh
+ set ports 22
+ set status disable
+ end
+ config dot
+ set status disable
+ end
+ config ssl-exempt
+ edit 1
+ set fortiguard-category 31
+ next
+ edit 2
+ set fortiguard-category 33
+ next
+ edit 3
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-adobe"
+ next
+ edit 4
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Adobe Login"
+ next
+ edit 5
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-android"
+ next
+ edit 6
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-apple"
+ next
+ edit 7
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-appstore"
+ next
+ edit 8
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-auth.gfx.ms"
+ next
+ edit 9
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-citrix"
+ next
+ edit 10
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-dropbox.com"
+ next
+ edit 11
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-eease"
+ next
+ edit 12
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-firefox update server"
+ next
+ edit 13
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-fortinet"
+ next
+ edit 14
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-googleapis.com"
+ next
+ edit 15
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-drive"
+ next
+ edit 16
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play2"
+ next
+ edit 17
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play3"
+ next
+ edit 18
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Gotomeeting"
+ next
+ edit 19
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-icloud"
+ next
+ edit 20
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-itunes"
+ next
+ edit 21
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-microsoft"
+ next
+ edit 22
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-skype"
+ next
+ edit 23
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-softwareupdate.vmware.com"
+ next
+ edit 24
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-verisign"
+ next
+ edit 25
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-Windows update 2"
+ next
+ edit 26
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-live.com"
+ next
+ edit 27
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-google-play"
+ next
+ edit 28
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-update.microsoft.com"
+ next
+ edit 29
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-swscan.apple.com"
+ next
+ edit 30
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-autoupdate.opera.com"
+ next
+ edit 31
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-cdn-apple"
+ next
+ edit 32
+ set type wildcard-fqdn
+ set wildcard-fqdn "g-mzstatic-apple"
+ next
+ end
+ next
+ edit "no-inspection"
+ set comment "Read-only profile that does no inspection."
+ config https
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config ftps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config imaps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config pop3s
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config smtps
+ set status disable
+ set unsupported-ssl-version allow
+ end
+ config ssh
+ set ports 22
+ set status disable
+ end
+ config dot
+ set status disable
+ end
+ next
+end
+config firewall policy
+ edit 1
+ set name "Default"
+ set srcintf "any"
+ set dstintf "any"
+ set srcaddr "all"
+ set dstaddr "all"
+ set srcaddr6 "all"
+ set dstaddr6 "all"
+ set service "ALL"
+ set ssl-ssh-profile "certificate-inspection"
+ next
+end