FlashOver
New Member
February 16, 2012
Question

Filter Firewall rules on CLI which match a filter

  • February 16, 2012
  • 5 replies
  • 5977 views
Hi. When I run "show firewall policy" on the CLI, I see all rules in the order they are in. But when I have to make some changes to some specific rules, it takes a long time on the CLI to sort them out and find their IDs. Otherwise I could do so by using the search option in an editor like Notepad++ across the complete configuration file, but that is not a good solution. Is it possible to show all firewall policies which match a filter? For example: show firewall policy | includes srcint wan1. Is something like that possible? I tried commands like | grep, begin and similar ones I know from other vendors, but nothing worked. Can somebody tell me if there are some hidden filter commands for the output available?
    ede_pfau
    SuperUser
    February 16, 2012
    conf firewall policy
    show | grep anything
    This works in 4.2.10. I don't know exactly when Fortinet introduced the 'grep' command but I think it's from 4.2 on. It's documented in the 4.2 CLI Guide, last chapter, under 'get'. grep options: '-i' case-insensitive, '-v' invert results, and the search pattern may be a regular expression.
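    Building on the show | grep answer above: grep prints only the matching line, not the ID of the policy that line belongs to. The shell function below is an added example (not from this thread or from Fortinet). It parses saved "show firewall policy" output on a workstation, walks the "edit <id> ... next" blocks, and prints the IDs of the policies containing a line that matches a regex, with grep's -i (case-insensitive) and -v (invert) semantics. The sample config is constructed for the example.

```shell
# Constructed sample of "show firewall policy" output (not a real device config).
SAMPLE_POLICY='config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
    edit 3
        set srcintf "WAN1"
        set dstintf "internal"
        set action deny
    next
end'

# policy_ids_matching REGEX [INVERT]
# Reads "show firewall policy" output on stdin and prints, space-separated on
# one line, the IDs of the "edit <id> ... next" blocks that contain a line
# matching REGEX. Matching is case-insensitive (like grep -i). Pass 1 as the
# second argument to invert the selection (like grep -v): blocks with no match.
policy_ids_matching() {
    awk -v pat="$1" -v invert="${2:-0}" '
        /^[ \t]*edit [0-9]+[ \t]*$/ { id = $2; hit = 0 }   # start of a policy block
        tolower($0) ~ tolower(pat)  { hit = 1 }            # any line in the block matches
        /^[ \t]*next[ \t]*$/        {                      # end of block: decide
            if (hit != invert) ids = ids (ids == "" ? "" : " ") id
        }
        END { print ids }
    '
}

# ids_from_sample REGEX [INVERT]: run the filter over the constructed sample.
ids_from_sample() {
    printf '%s\n' "$SAMPLE_POLICY" | policy_ids_matching "$1" "${2:-0}"
}

# Example: policies whose source interface is wan1 (any case).
ids_from_sample 'set srcintf "wan1"'
```

    On a real device the same idea applies to a config backup or to "show firewall policy" output captured from an SSH session; the function never talks to the FortiGate itself.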
    FlashOver (Author)
    New Member
    February 16, 2012
    I will have a look at the CLI reference guide, at the "get" section, and will try what I "get". Thank you very much for your fast response.
    rwpatterson
    New Member
    February 16, 2012
    Not sure if this will help or not: I open the backup file, find what I want to change there, change it, and paste it back into the CLI window. Not quite what you're looking for, but same effect.
    FlashOver (Author)
    New Member
    February 16, 2012
    When I think of a customer firewall with more than 3000 policy rules, I think that cannot be handled this way with 50 changes per day per device. At the moment it's a Checkpoint.
    rwpatterson
    New Member
    February 16, 2012
    ORIGINAL: FlashOver When I think of a customer firewall with more than 3000 policy rules, I think that cannot be handled this way with 50 changes per day per device. At the moment it's a Checkpoint.
    3000 policies? 50 changes per day? That seems to me more like either bad planning or a really micro-managing boss.
    FlashOver (Author)
    New Member
    February 17, 2012
    That's one of the biggest customers of CheckPoint in Europe, which is growing and growing and growing. New applications, new services, new regions, new special networks and DMZs... a lot of work for hundreds of firewall clusters.
    FortiRack_Eric
    New Member
    February 20, 2012
    In the GUI you have some nice features to select the firewall rules you'll need and change. Bear in mind that in the standard view the policies are ordered based on source and destination interface, which in essence already orders the GUI and is not as messy as the Checkpoint interface. There is also the global view in the FortiGate, and basically then you have your messy Checkpoint interface. It was made on purpose for old Checkpoint users to make them feel at home after a migration.