Ugadata
New Member
October 27, 2014
Solved

Fortigate 60D - Policies appear in reverse order????

  • October 27, 2014
  • 5 replies
  • 16035 views

When I look at the policies in my Fortigate 60D, I don't see what I expect to see.
I expect to see the policies listed in the order they are applied from top (#1) to bottom (#44).  I am forced to use the global view due to how one or more policies are setup.
The problem for me is, the policy I expect to see at #1 is actually the last policy #44.  Is it possible that the policies are listed in reverse order?  Meaning that what I see as policy #44 is applied first then policy 43 then... etc. 
I expect the policies to be applied the in the same order they are listed in the view, and the way I see it now is not good. 
    Best answer by Fahad
    5 replies

    Fahad
    New Member
    October 27, 2014

    Hi,

    Policies at the top of the list will always be applied before those further down (if the policy matches). If you believe #44 should be on top, then move it manually. The numbers won't reflect the order, they're just a reference (except the policy ID).

    Dave_Hall
    New Member
    October 27, 2014

    Firewall policies are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view.  In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page.  (In 5.x you can right-click on the column bar.)  If you are using 5.x, you can set the default column view by using...

    config system settings
        set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
    end
    Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate.  (Though you can always use a text editor to "renumber" the IDs to match the seq order.)
    Ugadata
    New Member
    October 27, 2014

    Thank you for your replies.
    I didn't realize there was both SEQ and ID columns.  The numbers I was referring to were sequence numbers (I didn't have the ID column displayed).
    If the ID is just a label then I presume policies are applied based on the SEQ column?
    Dave_Hall
    New Member
    October 27, 2014

    Ugadata wrote:

    If the ID is just a label then I presume policies are applied based on the SEQ column?

    Yep.

    Ugadata
    New Member
    October 27, 2014

    Hmm.  Maybe my thinking is what is wrong.
    The reason I think the policy order is backwards is that the DENY ALL policy is last.

    I thought the DENY ALL policy should be the first policy to be applied and all the other policies are then opening a path for the specified traffic.

    Dave_Hall
    New Member
    October 27, 2014

    Policy (firewall) rules are executed from top to bottom.  Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish.  The sample firewall set (below) is one possible way of setting up the Fortigate.
    emnoc
    New Member
    October 27, 2014

    I have to agree. Also, when in doubt, log into the CLI and issue a "show firewall policy". The sequence that's displayed in the CLI is the sequence of the firewall policies. The ID#s are a placeholder and have nothing to do with the sequence and inspection.
    All firewall policies are then inspected by the src int, then dst int, src address, then dst address, and finally the service & action.
    I hope that helps
    Ken
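As an added illustration (not from any poster in this thread, and not FortiOS code), a small Python model of the top-to-bottom, first-match evaluation described above: the table, its policy IDs and the sample packets are constructed, and the match fields (src intf, dst intf, src addr, dst addr, service) are simplified from what the firewall actually checks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Policy:
    """One row of the policy table. policy_id is the auto-assigned label;
    the row's position in the list is its SEQ and decides precedence."""
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str   # CIDR or "all"
    dstaddr: str   # CIDR or "all"
    service: str   # e.g. "tcp/443" or "all"
    action: str    # "accept" or "deny"

def _addr_ok(rule, ip):
    return rule == "all" or ip_address(ip) in ip_network(rule)

def first_match(policies, pkt):
    """Walk the table top-to-bottom in list (SEQ) order, checking src intf,
    dst intf, src addr, dst addr, then service. The first row that matches
    decides; no match falls through to the implicit deny."""
    for seq, p in enumerate(policies, start=1):
        if (p.srcintf == pkt["srcintf"] and p.dstintf == pkt["dstintf"]
                and _addr_ok(p.srcaddr, pkt["src"]) and _addr_ok(p.dstaddr, pkt["dst"])
                and p.service in ("all", pkt["service"])):
            return seq, p.policy_id, p.action
    return None, None, "deny"

def move_to_top(policies, policy_id):
    """Model the GUI 'move' action: change list position, leave the ID alone."""
    target = next(p for p in policies if p.policy_id == policy_id)
    return [target] + [p for p in policies if p is not target]

# Constructed table: IDs deliberately descending so ID order and SEQ order disagree.
TABLE = [
    Policy(44, "internal", "wan1", "10.0.0.0/24", "all", "tcp/443", "accept"),
    Policy(7, "internal", "wan1", "10.0.0.0/24", "all", "tcp/80", "accept"),
    Policy(3, "internal", "wan1", "all", "all", "all", "deny"),  # explicit DENY ALL, last
]
HTTPS = {"srcintf": "internal", "dstintf": "wan1", "src": "10.0.0.5",
         "dst": "203.0.113.10", "service": "tcp/443"}
SSH = dict(HTTPS, service="tcp/22")

if __name__ == "__main__":
    print(first_match(TABLE, HTTPS))                  # (1, 44, 'accept'): SEQ 1 wins despite ID 44
    print(first_match(TABLE, SSH))                    # (3, 3, 'deny'): falls through to DENY ALL
    print(first_match(move_to_top(TABLE, 3), HTTPS))  # (1, 3, 'deny'): DENY ALL on top blocks everything
```

Moving the DENY ALL row to the top, as the original poster expected the order to work, blocks every flow regardless of the accept rows beneath it, which is why the explicit deny belongs last.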