nithincs
Staff & Editor
Article Id 259848
Description This article describes how to check the firewall policies and their ordering from the CLI.
Scope Any supported version of FortiGate.
Solution

The following commands can be used to check the policy order and the policy configuration from the CLI.

get firewall policy

This command lists all policy IDs in top-to-bottom order, which is the order in which FortiGate evaluates them: the first policy that matches the traffic is applied.

 

DCFW_Pri # get firewall policy
== [ 1 ]
policyid: 1
== [ 2 ]
policyid: 2
== [ 3 ]
policyid: 3


This is useful for understanding the ordering of the policies, troubleshooting traffic that matches the wrong policy, and deciding how to reorder the policies. Note that the policy ID is assigned when the policy is created and says nothing about its position in the list; only the order shown here determines precedence.

show firewall policy

This command shows the configuration of the policies in the same top-to-bottom order. Like every show command, it prints only the settings that differ from their defaults; use show full-configuration firewall policy to display every setting, including the defaults.

If there is a large number of policies, specify the policy ID to display only that policy:

show firewall policy <ID>


DCFW_Pri # show firewall policy 3
config firewall policy
    edit 3
        set uuid b02f464e-08fc-51ee-6f63-2a580a1e8690
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set users "test"
        set nat enable
    next
end
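When the policy table is large, reading the output of show firewall policy by eye is error-prone. The following is an added example, not part of this article or of FortiOS: a small Python parser for the show firewall policy output format that recovers the same top-to-bottom order as get firewall policy and then flags policies that can never be reached because an earlier catch-all policy on the same interfaces matches first (the usual cause of "traffic matching the wrong policy"). The sample output embedded in the script is constructed for illustration, not captured from a device, and the shadowing check is a deliberate simplification: it only recognises the literal "all"/"ALL"/"always" objects and does not expand address, service or interface groups.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `show firewall policy` output for a FortiGate with
# three policies. Values are illustrative, not taken from a real device.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        set name "lan-web-only"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    edit 3
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "test"
        set nat enable
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+(\d+)\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

Policy = Tuple[int, Dict[str, List[str]]]

def parse_policies(text: str) -> List[Policy]:
    """Parse `show firewall policy` output into (policyid, settings) pairs,
    preserving the top-to-bottom order in which FortiOS evaluates them.
    Multi-valued settings (e.g. service "HTTP" "HTTPS") become lists."""
    policies: List[Policy] = []
    current = None
    for line in text.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = (int(m.group(1)), {})
            policies.append(current)
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            key, raw = m.group(1), m.group(2).strip()
            # Quoted values may be a list of objects; unquoted ones are a single token.
            values = re.findall(r'"([^"]*)"', raw) or [raw]
            current[1][key] = values
    return policies

def ordered_ids(policies: List[Policy]) -> List[int]:
    """Same information as `get firewall policy`: IDs in evaluation order."""
    return [pid for pid, _ in policies]

def _catch_all(settings: Dict[str, List[str]]) -> bool:
    """True if the policy matches every source, destination, service and time,
    so nothing below it on the same interfaces can ever be hit. Identity-based
    policies (users/groups set) are conservatively treated as not catch-all."""
    return (settings.get("srcaddr") == ["all"]
            and settings.get("dstaddr") == ["all"]
            and settings.get("service") == ["ALL"]
            and settings.get("schedule") == ["always"]
            and "users" not in settings and "groups" not in settings)

def _intf_covers(upper: List[str], lower: List[str]) -> bool:
    # "any" covers every interface; otherwise the upper policy must list
    # every interface the lower one uses.
    return upper == ["any"] or set(lower) <= set(upper)

def shadowed_policies(policies: List[Policy]) -> Dict[int, int]:
    """Map each unreachable policy ID to the earlier catch-all policy ID that
    shadows it. Simplified heuristic: groups are not expanded."""
    result: Dict[int, int] = {}
    for i, (lower_id, lower) in enumerate(policies):
        for upper_id, upper in policies[:i]:
            if (_catch_all(upper)
                    and _intf_covers(upper.get("srcintf", []), lower.get("srcintf", []))
                    and _intf_covers(upper.get("dstintf", []), lower.get("dstintf", []))):
                result[lower_id] = upper_id
                break
    return result

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_SHOW_OUTPUT)
    print("order:", ordered_ids(pols))
    for lower, upper in shadowed_policies(pols).items():
        print(f"policy {lower} is shadowed by policy {upper}")
```

In the constructed sample, policy 2 (port2 to port1, HTTP/HTTPS only) sits below policy 1, which already accepts all services on the same interface pair, so policy 2 is reported as shadowed; policy 3 is not, because policy 1 does not cover ssl.root as a source interface. To use the script against a real unit, paste the output of show firewall policy into a file and pass its contents to parse_policies().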
