Technical Tip: Using the CLI to change the order of the IPv4, traffic shaping, local-in and SD-WAN policy list, VIP, SSL VPN Authentication Rules
Description
This article explains how to change the order of the IPv4, traffic shaping, local-in and SD-WAN policy list in the CLI.
Scope
FortiGate.
Solution
It is possible to change the policy order in the IPv4 policy list by dragging items in the GUI, or with the CLI commands outlined in this article. Moving a policy changes only its position in the sequence: the policy ID does not change. Because policies are evaluated top-down and the first match is applied, the position of a policy in the list determines which traffic it sees.
For example, to move policy 10 before or after policy 30 in the firewall policy table, enter the following commands:
config firewall policy
move 10 <'before' or 'after'> 30
end
For instance, 'move 10 before 30' places policy 10 immediately above policy 30; 'move 10 after 30' places it immediately below.
For Local-in-policy, use the example command given below:
config firewall local-in-policy
move 10 <'before' or 'after'> 30
end
For SD-WAN rules (the 'service' sub-table of 'config system sdwan'), use the example command given below. Two 'end' statements are needed because the table is nested:
config system sdwan
config service
move 3 <'before' or 'after'> 2
end
end
Changing the policy order takes effect immediately for new sessions. Existing sessions keep the policy they were originally matched to and are not re-evaluated until they are cleared. To clear only the sessions that were matched by a given policy, set a session filter first, review the matching sessions, then clear them. Note that 'diagnose sys session clear' with no filter set clears every session on the unit:
diagnose sys session filter policy <policy-id>
diagnose sys session list
diagnose sys session clear
When finished, remove the filter with 'diagnose sys session filter clear' so that later diagnose commands are not restricted by it.
Note:
Starting from FortiOS v7.6.0, the local-in policy can also be configured from the GUI.
Note:
Starting from FortiOS v7.4.0, policies can also be moved by their policy ID directly from the FortiGate GUI as an alternative to drag-and-drop. This 'Move by ID' option is available on the Firewall Policy page when using the 'By Sequence' or 'Sequence Grouping' view. For more information, refer to the article 'Move Policy by ID via GUI'.
The 'move' subcommand is only available in tables where the order of entries affects function. The same process can be used to manage traffic shaping, local-in, and SD-WAN policies.
See the attached console logs for information about lab tests demonstrating policy order changes.
If multiple VIP entries are configured and it is desired to change the order of VIP through the CLI, use the following commands:
config firewall vip
move <VIP NAME> [before/after] <VIP NAME>
end
The same applies to Dynamic Port Policies on the switch controller. These policies are processed sequentially just like firewall policies, so a more specific policy must sit above a broader one.
However, these policies cannot be reordered by drag and drop in the GUI; the change must be made in the CLI. The example below shows how to place the policy 'User1' above 'Other Users', as 'User1' is the more specific of the two:

- Unlike firewall policies, Dynamic Port Policy does not have a policy ID. Hence, it is necessary to use policy names in the CLI. If the policy name contains a space, it is necessary to put a '\' before the space as an escape character:
config switch-controller dynamic-port-policy
edit "Test"
config policy
move Other\ Users after User1
end
end
- After that change, 'User1' is now above 'Other Users' and is evaluated first.
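The firewall policy and dynamic port policy sections above both rely on the same 'move' semantics: the moved entry is taken out of the sequence and reinserted next to the target, its ID unchanged, and names containing spaces need a '\' escape. The following Python script is an added example (not code from the original article or from Fortinet) that simulates that behaviour offline, parses the sequence from a constructed 'show firewall policy' output, and derives the list of 'move' commands needed to reach a desired order before they are typed into a live unit. The function names 'parse_sequence', 'move', 'cli_token' and 'plan_moves', and the sample output, are assumptions made for this example.

```python
"""Simulate the FortiOS `move <entry> before|after <entry>` subcommand and
derive the commands needed to reach a target order.

Added example, not code from the original article or from Fortinet.  The
`show` output below is constructed for the demonstration; `parse_sequence`,
`move`, `cli_token` and `plan_moves` are names chosen here.
"""
import re

# Constructed sample of `show firewall policy` output.  FortiOS prints the
# table in sequence order, so the order of `edit` lines is the match order.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 30
        set name "allow-web"
    next
    edit 10
        set name "deny-guest"
    next
    edit 5
        set name "mgmt"
    next
end
"""

# Matches the identifier after `edit`, quoted (may contain spaces) or bare.
_EDIT_RE = re.compile(r'^\s*edit\s+("[^"]*"|\S+)', re.MULTILINE)


def parse_sequence(show_output):
    """Return the entry identifiers (IDs or names) in the order printed.

    Assumes the output of one flat table; nested `edit` lines (for example
    the `config policy` sub-table of a dynamic-port-policy) would also match.
    """
    return [m.group(1).strip('"') for m in _EDIT_RE.finditer(show_output)]


def move(seq, entry, where, target):
    """Apply FortiOS move semantics to a list of identifiers.

    The moved entry is taken out of the sequence and reinserted immediately
    before or after `target`; its identifier (policy ID) is unchanged.
    """
    if where not in ("before", "after"):
        raise ValueError("position must be 'before' or 'after'")
    if entry == target:
        raise ValueError("entry and target must differ")
    if entry not in seq or target not in seq:
        raise KeyError("entry or target not present in the table")
    new = [x for x in seq if x != entry]
    idx = new.index(target) + (1 if where == "after" else 0)
    new.insert(idx, entry)
    return new


def cli_token(name):
    """Escape spaces the way the CLI expects for unquoted move arguments,
    e.g. 'Other Users' -> 'Other\\ Users'."""
    return str(name).replace(" ", "\\ ")


def plan_moves(current, desired, table):
    """Return the CLI lines that reorder `current` into `desired`.

    Walks the desired order from the top; whenever position i holds the
    wrong entry, the wanted entry is moved before it.  Every command is also
    applied to a working copy, so the returned script is verified to produce
    exactly `desired` before anything is sent to a unit.
    """
    if sorted(current) != sorted(desired):
        raise ValueError("desired order must contain exactly the same entries")
    work = list(current)
    cmds = []
    for i, want in enumerate(desired):
        if work[i] == want:
            continue
        cmds.append(f"move {cli_token(want)} before {cli_token(work[i])}")
        work = move(work, want, "before", work[i])
    assert work == list(desired)
    return [f"config {table}", *("    " + c for c in cmds), "end"]


if __name__ == "__main__":
    seq = parse_sequence(SAMPLE_SHOW_OUTPUT)
    print("current order:", seq)
    print("after 'move 10 before 30':", move(seq, "10", "before", "30"))
    print("\n".join(plan_moves(seq, ["5", "10", "30"], "firewall policy")))
```

Paste the real 'show' output of the table into 'SAMPLE_SHOW_OUTPUT' (or read it from a file) and give 'plan_moves' the order you want; the emitted lines can be pasted into the CLI as-is. The planner generates one 'move' per misplaced entry and never produces more commands than there are entries, which keeps the change small and easy to review in the configuration revision history.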

- To move static URL filter entries, for example to move entry 2 before entry 1 in a given URL filter profile, use the commands below. Two 'end' statements are needed because 'entries' is a sub-table of the profile:
config webfilter urlfilter
edit <profile-id>
config entries
move 2 before 1
end
end
To move SSL VPN authentication rules, use the commands provided below. 'after' can also be used in place of 'before', for example 'move <ID> after <ID>':
config vpn ssl settings
config authentication-rule
move <ID> before <ID>
end
end
