FortiGate
Article Id 289322
Description This article describes the hidden command 'diagnose firewall iprope flush' and how to re-populate the policy ruleset in case the command was accidentally executed and all firewall rules were deleted. This is important information that should be read before using the command.
Scope FortiGate.
Solution

Since FortiOS 5.2.0 was released in 2014, the command 'diagnose firewall iprope flush' has been hidden and is no longer shown in the CLI help.

Note that:

  • This command is not meant to be used in a production environment unless there is a valid reason.
  • When the flush command is executed, all FortiGate firewall policies will be deleted.

The hidden command will not be shown when executing:

diagnose firewall iprope ?
lookup     Lookup firewall policy that matches provided criteria.
list       List.
appctrl    List application control lists.
show       Show policy statistic. [Take 0-14 arg(s)]
clear      Clear policy statistic. [Take 0-14 arg(s)]
state      state

The command parameters are only shown when the command itself is entered followed by a question mark '?'. Be careful not to type the flush command without the '?' and then press Enter, as that would execute the command and delete all policies.

diagnose firewall iprope flush ?
<No.> Number, hexadecimal.

All implicit and manually added firewall, proxy, or local-in policies can be seen with the command:

diagnose firewall iprope list

After the iprope table has been flushed with 'iprope flush', the output of the command shown above will be empty: the FortiGate no longer has any policies.

Any execution of the flush command is logged in the crashlog and can be seen with the following command:

diag debug crashlog read

Example output:

1279: 2023-12-11 09:59:29 User admin used "diagnose firewall iprope flush" in vdom root.
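
As an added example that is not part of the article, the following Python script parses the crashlog line format shown above and flags every recorded execution of the flush command, so the output of 'diag debug crashlog read' can be audited offline. Line 1279 of the sample is the article's own example; the other sample lines, and the assumption that a flush executed with its hexadecimal argument is logged with that argument, are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Matches the crashlog line format the article shows, e.g.
# 1279: 2023-12-11 09:59:29 User admin used "diagnose firewall iprope flush" in vdom root.
CRASHLOG_CMD_RE = re.compile(
    r'^(?P<seq>\d+):\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'User (?P<user>\S+) used "(?P<cmd>[^"]+)" in vdom (?P<vdom>\S+)\.$'
)
FLUSH_CMD = "diagnose firewall iprope flush"

@dataclass
class CommandEvent:
    seq: int
    timestamp: datetime
    user: str
    command: str
    vdom: str

def parse_crashlog(text):
    """Return one CommandEvent per 'User ... used "..."' line; other crashlog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CRASHLOG_CMD_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(CommandEvent(int(m["seq"]), ts, m["user"], m["cmd"], m["vdom"]))
    return events

def find_flush_events(text):
    """Events whose command is the iprope flush. Prefix match is an assumption: the
    article shows the flush takes a hexadecimal number, so it may be logged with one."""
    flush = FLUSH_CMD.split()
    return [e for e in parse_crashlog(text) if e.command.split()[:len(flush)] == flush]

# Constructed sample crashlog: line 1279 is the article's example, the others are made up
# to show that non-command lines and other iprope commands are not flagged.
SAMPLE_CRASHLOG = """\
1278: 2023-12-11 09:58:02 User admin used "diagnose firewall iprope list" in vdom root.
1279: 2023-12-11 09:59:29 User admin used "diagnose firewall iprope flush" in vdom root.
1280: 2023-12-11 10:01:11 <unrelated crashlog entry, constructed>
1281: 2023-12-11 10:03:45 User netops used "diagnose firewall iprope flush 0" in vdom customerA.
"""

if __name__ == "__main__":
    for e in find_flush_events(SAMPLE_CRASHLOG):
        print(f"{e.timestamp} vdom={e.vdom} user={e.user}: {e.command}")
```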
If the firewall policies were deleted, the iprope table can be re-populated. This is done by modifying an existing policy or adding a new one via the GUI or CLI.

For example, toggle the 'allowaccess' field of any interface via the GUI or CLI, which configures an implicit access rule.

Example in the CLI:

config system interface
    edit port1
        set allowaccess ssh
end

config system interface
    edit port1
        unset allowaccess
end

Afterward, the FortiGate firewall tables will be populated again, which can be verified with the 'diagnose firewall iprope list' command.