pmeet
Staff
Article Id 418947
Description This article describes how the firewall policy display changes based on the policy view when multiple interface policies are enabled and in use.
Scope FortiOS.
Solution When a firewall policy references more than one interface in either 'Incoming interface' or 'Outgoing interface' (this requires 'Multiple Interface Policies' to be enabled under System -> Feature), the behavior of the GUI firewall policy table (Policy & Objects -> Firewall Policy) differs depending on whether the policy view is 'By Sequence' or 'Interface Pair View'. The behavior is explained in the demonstration below.


A policy named test4 is created with multiple interfaces defined in 'Incoming interface', and the policy view is set to 'By Sequence', which results in the following display in the table.

 

Policy67.png

 

When the policy view is changed to 'Interface Pair View', the single policy (test4) is displayed as two separate policies:

 

test79.png

 

In the visual demonstration below, with 'Interface Pair View' selected, a change made to one of the two policies is reflected in both.

 

Recording 2025-11-13 090017 (1).gif

 

This is expected behavior: it is how the GUI displays the interface pair view when multiple interfaces are selected in a firewall policy. While two entries are shown in the GUI (to display the proper interface pairs), modifying either one modifies the single policy present in the configuration, and the change is then reflected in 'both' policies in the GUI.


config firewall policy
    edit 21
        set name "test4"
        set uuid dc8189d6-4ce6-51ee-7350-17549fc41257
        set srcintf "CyberWorld" "Guest"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set comments " (Reverse of test) ()"
    next
end

 

If traffic arriving on one interface needs to be treated differently from traffic arriving on another, it is necessary to split this policy into two separate policies, one for each interface pair.
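
To find the policies in a configuration backup that this behavior affects, the following added example (not Fortinet's code and not part of the original article) parses a 'config firewall policy' block and lists every policy that spans more than one interface pair. It assumes the GUI shows one row per source/destination interface combination, which generalizes the two-row case shown above; policy 22, the interface name wan1 and the function names are constructed for illustration.

```python
import re
import shlex
from itertools import product

# Constructed sample: the article's policy 21 (trimmed) plus a hypothetical policy 22.
SAMPLE_CONFIG = '''
config firewall policy
    edit 21
        set name "test4"
        set srcintf "CyberWorld" "Guest"
        set dstintf "internal"
    next
    edit 22
        set name "guest-web"
        set srcintf "Guest"
        set dstintf "wan1"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from a flat 'config firewall policy' block."""
    policies, current, in_block = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config firewall policy":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and (m := re.fullmatch(r"edit (\d+)", line)):
            current = policies.setdefault(int(m.group(1)), {})
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None and line.startswith("set "):
            key, *values = shlex.split(line[4:])  # shlex keeps quoted names intact
            current[key] = values
    return policies

def shared_rows(policies):
    """Policies with >1 interface pair (assumed: one GUI row per srcintf x dstintf pair)."""
    out = {}
    for pid, cfg in policies.items():
        pairs = list(product(cfg.get("srcintf", []), cfg.get("dstintf", [])))
        if len(pairs) > 1:
            out[pid] = pairs
    return out

if __name__ == "__main__":
    for pid, pairs in shared_rows(parse_policies(SAMPLE_CONFIG)).items():
        print(f"policy {pid}: one config entry, {len(pairs)} GUI rows: {pairs}")
```

Each policy ID reported is a single configuration entry, so an edit made to any of its rows in 'Interface Pair View' applies to every listed interface pair.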