hgarara
Staff
December 7, 2022

Technical Tip: Configure sequence grouping for firewall policies for 'Sequence Grouping View' view

Description

 

This article describes how to configure or remove sequence grouping created automatically while migrating from other vendors to FortiGate using FortiConverter.

 

Scope

 

FortiGate.

 

Solution

 

Sequence grouping uses a top-to-bottom approach. Before sequence grouping:

SEQ_2.JPG

 

To create a group, change the Firewall Policy view to 'Sequence Grouping View', then right-click the firewall policy where the grouping will start. In this example, the grouping will start on firewall policy ID 2.

From GUI:

SEQ_1.JPG

 
From CLI:

config firewall policy
    edit 2
        set global-label TEST_GROUP
end

 

Note: The 'global-label' configuration does not appear when using the 'show' or 'show full' commands. However, it is still visible in the backup configuration file downloaded from the GUI.

Also, this command is not auto-completed when pressing the TAB key.

 

After sequence grouping:

 

SEQ_3.JPG

 

It is important to remember that any policies that do not have a group label (uncategorized) and appear after the configured policy ID will appear under the preceding policy group label.

 

For example: 

 

  1. policy.global-label == ''
  2. policy.global-label == 'group1'
  3. policy.global-label == 'group1'
  4. policy.global-label == ''
  5. policy.global-label == 'group2'
  6. policy.global-label == ''
  7. policy.global-label == 'group2'
  8. policy.global-label == 'group1'

 

In the GUI, the table will look like the following:

 

  • section 1 - uncategorized: policy 1
  • section 2 - group1: policy 2, 3, 4
  • section 3 - group2: policy 5, 6, 7
  • section 4 - group1 (# 2): policy 8

 

If a later policy reuses a group label, the GUI shows the group name followed by the number of times it has been reused, e.g. group1 (# 2), as in section 4. This is expected behaviour, implemented to ensure stability when pushing and pulling this configuration from FortiManager.
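The grouping rules above can be checked offline against a backup file, which is where 'global-label' is visible. The following is an added example, not Fortinet code: the function names are hypothetical, the sample text is constructed from the article's eight-policy list, and the backup syntax (entries closed by 'next', label value in double quotes) is an assumption.

```python
import re

# Constructed sample in the style of a backup file; labels follow the article's 8-policy example.
LABELS = ["", "group1", "group1", "", "group2", "", "group2", "group1"]
SAMPLE_BACKUP = "config firewall policy\n" + "".join(
    f"    edit {i}\n" + (f'        set global-label "{lab}"\n' if lab else "") + "    next\n"
    for i, lab in enumerate(LABELS, 1)) + "end\n"

def parse_labels(text):
    """Return [(policy_id, global_label)] in file order; '' means no label set."""
    policies, in_block, current, depth = [], False, None, 0
    for line in text.splitlines():
        s = line.strip()
        if not in_block:
            in_block = s == "config firewall policy"
        elif current is None:
            if s == "end":
                break                        # end of the policy table
            if m := re.fullmatch(r"edit (\d+)", s):
                current = [int(m.group(1)), ""]
        elif s.startswith("config "):
            depth += 1                       # nested table inside a policy entry
        elif depth:
            depth -= (s == "end")            # skip nested lines until its 'end'
        elif m := re.fullmatch(r'set global-label "?([^"]*)"?', s):
            current[1] = m.group(1)
        elif s == "next":
            policies.append(tuple(current))
            current = None
    return policies

def sections(policies):
    """Group policies into GUI sections the way the article describes."""
    out, seen = [], {}
    for pid, label in policies:
        if out and label in ("", out[-1]["label"]):
            out[-1]["policies"].append(pid)  # unlabeled or same label: stays in current section
            continue
        seen[label] = seen.get(label, 0) + 1
        title = label or "uncategorized"
        if seen[label] > 1:
            title += f" (# {seen[label]})"   # reused label gets a counter suffix
        out.append({"label": label, "title": title, "policies": [pid]})
    return out

if __name__ == "__main__":
    for n, sec in enumerate(sections(parse_labels(SAMPLE_BACKUP)), 1):
        print(f"section {n} - {sec['title']}: policies {sec['policies']}")
```

Running it on a real backup shows which unlabeled policies are displayed under a preceding group, which is worth reviewing after a FortiConverter migration.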

 

To rename and delete sequence grouping, right-click on the first firewall policy within the group.

 

SEQ_4.JPG

 

To move the firewall policy to a different group, right-click on the desired firewall policy.

 

SEQ_5.JPG

 

To insert a new sequence group, right-click on the desired firewall policy where the new grouping will start.
 

SEQ_6.JPG

 

Related articles:

Technical Tip: Renaming sequence grouping for firewall policies for 'By sequence grouping' view 

Technical Tip: How to retrieve policy sequence groups from FortiGate