j0ebeer
New Member
September 11, 2015
Question

Adding new rule via CLI

  • September 11, 2015
  • 3 replies
  • 28206 views

I'm looking into a way to add a new rule to an existing policy using an automated script. Is there a simple way via the CLI to accomplish this? For example, how do I tell the new rule what number to use if I don't know how many existing rules there are? Is there a command in "config firewall policy" to use the next number available?


Joe

3 replies

emnoc
New Member
September 11, 2015

When you add a rule via the CLI it will craft the fw-policyid automatically. Now, what I did in a previous life role was we had a SQL database. We manipulated the fw-policy-id by reading the records and appending the last entry by +1.


Could you do something like that?


Ken

Jupiter_FTNT
Staff
September 11, 2015

Use edit 0; it will use the next available number for the policy.

j0ebeer (Author)
New Member
September 12, 2015

Thanks for clueing me in on the edit 0. That works great, but is there a way to specify that the new rule becomes the first in a section? When I created the rule it placed it at the bottom of the section and it is now a shadowed rule. There is a rule above that is allowing the traffic that I am specifically looking to deny.


Joe

ede_pfau
SuperUser
September 12, 2015

The sequence of the policies is just the sequence of command blocks in the section "conf firewall policy". Appending any new policy to the existing code is IMHO a design decision of the FortiOS team, and in a way, reasonable.

I think the only way to determine the position of the new policy is to read the whole policy code block, insert the new policy where you want it (you may use "edit 0" here nonetheless), and write the whole block back. This will of course break all existing sessions but should be possible without reboot.
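The read-modify-write approach described above, as an added example (not ede_pfau's code and not a FortiOS tool): it parses a "config firewall policy" dump, inserts a new "edit 0" policy ahead of the permitting rule so the deny is matched first instead of being shadowed, and renders the block for writing back. The sample block, its interface names, and the interface-only first_match check are constructed assumptions; how the rebuilt block is pushed to the unit (and the session impact noted above) is outside the example.

```python
# Constructed sample of a "config firewall policy" dump (interface names are made up).
SAMPLE_BLOCK = """config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
    edit 2
        set srcintf "guest"
        set dstintf "wan1"
        set action deny
    next
end
"""

def parse_policies(block):
    """Return [(policy_id, [set lines])] in the order they appear in the block."""
    policies, current = [], None
    for line in block.splitlines():
        s = line.strip()
        if s.startswith("edit ") and s[5:].isdigit():
            current = (int(s[5:]), [])
        elif s == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and s.startswith("set "):
            current[1].append(s)
    return policies

def insert_before(policies, target_id, settings):
    """Place a new policy (id 0, so FortiOS picks the next free number) ahead of target_id."""
    idx = next((i for i, (pid, _) in enumerate(policies) if pid == target_id), None)
    if idx is None:  # refuse rather than silently append, which is how rules get shadowed
        raise ValueError(f"policy {target_id} not in block")
    return policies[:idx] + [(0, list(settings))] + policies[idx:]

def render(policies):
    """Emit the rebuilt block in CLI syntax, ready to be written back to the unit."""
    out = ["config firewall policy"]
    for pid, settings in policies:
        out += [f"    edit {pid}", *(f"        {s}" for s in settings), "    next"]
    return "\n".join(out + ["end"]) + "\n"

def first_match(policies, srcintf, dstintf):
    """Coarse top-down lookup on interfaces only: the first matching policy decides the action."""
    for pid, settings in policies:
        if f'set srcintf "{srcintf}"' in settings and f'set dstintf "{dstintf}"' in settings:
            action = next((s.split()[2] for s in settings if s.startswith("set action ")), None)
            return pid, action
    return None
```

Before pushing the rendered block, run first_match on the traffic you mean to block and confirm the new id-0 deny, not the old accept, is the first hit.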