ift38375
New Member
October 30, 2014
Question

Section view is currently Disabled


How can we easily identify which policy is creating the problem?

I am not using a policy with the "any" interface. Please help.

    2 replies

    ShrewLWD
    New Member
    October 30, 2014

    Hi IFT,

    It's *possible* it got disabled in the global...

    config system global
        set gui-policy-interface-pairs-view enable
    end

     

    It's not just the 'ANY' interface that can cause this, however.  Combining two interfaces into one rule will also break section view (a super silly example: you have your WAN and DMZ listed as the Source or destination, of a rule). 

    ift38375
    Author
    New Member
    October 31, 2014

    ShrewLWD wrote:

    Hi IFT,

    It's *possible* it got disabled in the global...

    config system global
        set gui-policy-interface-pairs-view enable
    end

     

    It's not just the 'ANY' interface that can cause this, however.  Combining two interfaces into one rule will also break section view (a super silly example: you have your WAN and DMZ listed as the Source or destination, of a rule). 

     

    Hello Shrew,

     

    This command is not working in CLI mode; the version of the FortiGate 100D is v5.0,build4429.

     

    There is no such type of rule or policy in the firewall as you said (a super silly example: you have your WAN and DMZ listed as the Source or destination, of a rule). Give me some examples or a trick to search for conflicting rules.

    ShrewLWD
    New Member
    October 31, 2014

    Hmm, yes I tested on my 600C (509) and 100D (521) and that command is now gone.  It's still listed here in their 5.0 documentation...

     

    http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gui.070.14.html

     

    Well, you could dump the config file and check the policy section for something like;

    set srcintf "WAN1" "WAN2"

     

    or

    set dstintf "internal" "DMZ"

     

    etc.

     

    Please note: around patch 6 of 5.0 they did explicitly make a change to the Section View:

     

    To improve GUI performance, Section View is disabled in the firewall policy page if a large number of policies exist

     

    Do you have a high number of policies?
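
The check suggested in the reply above (dump the config and look in the policy section for `srcintf`/`dstintf` lines naming more than one interface), written out as an added example that is not part of the original thread. The function name and the sample config are constructed for illustration, and flagging "any" as well is an assumption based on the original question.

```python
import shlex

# Constructed sample laid out like a FortiOS config backup (not from the thread).
SAMPLE_CONFIG = '''\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        config identity-based-policy
            edit 1
            next
        end
    next
    edit 2
        set srcintf "WAN1" "WAN2"
        set dstintf "internal"
    next
    edit 3
        set srcintf "internal"
        set dstintf "any"
    next
end
'''

def find_section_view_blockers(config_text):
    """List (policy_id, field, interfaces) where srcintf/dstintf has several interfaces or "any"."""
    findings, depth, policy_id = [], 0, None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote: line is part of a multi-line value
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            # depth 1 is "config firewall policy" itself; deeper is a nested block
            if depth or tokens[1:] == ["firewall", "policy"]:
                depth += 1
        elif tokens[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tokens[0] == "edit":
            policy_id = tokens[-1]
        elif depth == 1 and tokens[0] == "set" and tokens[1:2] in (["srcintf"], ["dstintf"]):
            if len(tokens) > 3 or "any" in tokens[2:]:
                findings.append((policy_id, tokens[1], tokens[2:]))
    return findings

if __name__ == "__main__":
    print(find_section_view_blockers(SAMPLE_CONFIG))
```

To run it against a real backup, read the exported configuration file into a string and pass it to `find_section_view_blockers` in place of the sample.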

    ede_pfau
    SuperUser
    October 30, 2014

    Multiple interfaces in a policy are only allowed in FOS v5 and higher.