Description | This article describes the hidden command 'diagnose firewall iprope flush' and how to re-populate the policy ruleset in case the command was accidentally executed and all firewall rules were deleted. This is important information that should be read before using the command. |
Scope | FortiGate. |
Solution |
Since the release of FortiOS 5.2.0 in 2014, the command 'diagnose firewall iprope flush' has been hidden and is no longer shown in the CLI help.
Note that:
The hidden command will not be shown when executing:
diagnose firewall iprope ?
The command parameters are only shown when the command itself is entered followed by a question mark '?'. Be careful not to type the flush command without the '?' and then press 'enter', as that would execute the command and delete all policies.
diagnose firewall iprope flush ?
All implicit and manually added firewall, proxy, or local-in policies can be seen with the command:
diagnose firewall iprope list
After the iprope table has been flushed with 'iprope flush', the output of the list command above will be empty: the FortiGate no longer has any policies.
Any execution of the flush command will be logged in the crashlog and can be seen with the following command:
diag debug crashlog read
Example output:
1279: 2023-12-11 09:59:29 User admin used "diagnose firewall iprope flush" in vdom root.
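As an added example (not part of the Fortinet article), the following script scans crashlog output for executions of the flush command so that such an event can be spotted during troubleshooting or fed into monitoring. It assumes the crashlog line format shown above ('<index>: <date> <time> User <name> used "<command>" in vdom <vdom>.'); all sample lines other than entry 1279 are constructed for the example, and the prefix-wise keyword match is an assumption that covers both abbreviated and fully spelled-out forms of the command.

```python
"""Scan FortiGate crashlog output for executions of 'diagnose firewall iprope flush'.

Added example, not Fortinet code. Assumes the crashlog line format shown in the
article: '<index>: <date> <time> User <name> used "<command>" in vdom <vdom>.'
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional

# One crashlog entry recording a command executed by an administrator.
LINE_RE = re.compile(
    r'^(?P<seq>\d+):\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'User (?P<user>\S+) used "(?P<cmd>[^"]*)" in vdom (?P<vdom>[^.\s]+)\.?\s*$'
)

# Keywords of the command we are looking for, in order.
FLUSH_WORDS = ("diagnose", "firewall", "iprope", "flush")


@dataclass
class CommandEvent:
    seq: int            # crashlog entry index (e.g. 1279)
    timestamp: datetime
    user: str           # administrator account that ran the command
    command: str        # command text exactly as recorded in the crashlog
    vdom: str           # VDOM the command was executed in


def is_flush(command: str) -> bool:
    """True if the recorded command is an execution of 'diagnose firewall iprope flush'."""
    tokens = command.split()
    if len(tokens) < len(FLUSH_WORDS):
        return False
    # A trailing '?' is a help lookup; per the article it does not execute the flush.
    if tokens[-1] == "?":
        return False
    # FortiOS accepts unambiguous prefixes of keywords ('diag' for 'diagnose'), so
    # compare prefix-wise. Assumption: the crashlog may record the command as typed.
    return all(word.startswith(tok) for tok, word in zip(tokens, FLUSH_WORDS))


def parse_line(line: str) -> Optional[CommandEvent]:
    """Parse one crashlog line; returns None for lines that are not command records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CommandEvent(
        seq=int(m["seq"]),
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        user=m["user"],
        command=m["cmd"],
        vdom=m["vdom"],
    )


def find_flush_events(lines: Iterable[str]) -> List[CommandEvent]:
    """Return every crashlog entry that records an execution of the flush command."""
    events: List[CommandEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_flush(ev.command):
            events.append(ev)
    return events


# Constructed sample of 'diagnose debug crashlog read' output. Entry 1279 is the
# line quoted in the article; the other entries are made up for this example.
SAMPLE_CRASHLOG = [
    '1276: 2023-12-11 09:40:02 User admin used "diagnose firewall iprope flush ?" in vdom root.',
    '1277: 2023-12-11 09:41:15 User admin used "diagnose firewall iprope list" in vdom root.',
    '1278: 2023-12-11 09:58:10 some unrelated crashlog text that is not a command record',
    '1279: 2023-12-11 09:59:29 User admin used "diagnose firewall iprope flush" in vdom root.',
]

if __name__ == "__main__":
    for ev in find_flush_events(SAMPLE_CRASHLOG):
        print(f"{ev.timestamp:%Y-%m-%d %H:%M:%S} iprope flush by '{ev.user}' "
              f"in vdom '{ev.vdom}' (crashlog entry {ev.seq})")
```

On a real device the input would be the output of 'diag debug crashlog read' captured over SSH or from a support bundle; the parser deliberately ignores lines that do not match the command-record format rather than failing on them.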
If the firewall policies have been deleted, the iprope table can be re-populated by modifying any existing policy or adding a new one via the GUI or CLI. For example, toggling the 'allowaccess' field of any interface via the GUI or CLI configures an implicit access rule. Note that 'unset allowaccess' removes all administrative access protocols from that interface, so restore the interface's original allowaccess settings afterwards.
Example in the CLI:
config system interface
    edit port1
        set allowaccess ssh
end

config system interface
    edit port1
        unset allowaccess
end
Afterwards, the FortiGate firewall tables are populated again, which can be verified with the 'diagnose firewall iprope list' command. |