FortiGate
nithincs
Staff & Editor
Article Id 259840
Description This article explains how to clone an existing firewall policy and reorder the clone, from both the GUI and the CLI.
Scope FortiGate.
Solution

In some scenarios, or for testing, it is useful to clone an existing policy for a test IP or device and apply the new settings (UTM profiles and other policy options) to the clone rather than to the production policy.

The existing policy can be copied and pasted from the GUI as follows.

 

Go to Policy & Objects -> Firewall Policy, select the policy and right-click it to open the context menu.

 

kb1.PNG

 

Select Copy, then right-click again, either on the same policy or on the policy above or below which the clone should be placed.

 

kb2.PNG

 

Depending on the option chosen (Paste Above or Paste Below), the cloned policy is placed above or below the selected policy. A policy pasted from the GUI is created with its status disabled, and the next free policy ID is assigned automatically. Leaving the clone disabled until it has been reviewed is deliberate: it carries the same source, destination, service and user settings as the original, and policies are evaluated top-down with the first match winning, so an enabled clone placed above the original would take over its traffic.

 

kb3.PNG

 

From the CLI, first create the cloned policy and then reorder it.
By default, a policy cloned from the CLI is placed directly below the original and its status is enabled, so it starts matching traffic as soon as the configuration is committed with 'end'. To get the same behaviour as the GUI, disable the clone (set status disable on the new policy ID) in the same session and enable it only after the changes have been reviewed.

Syntax:

 

config firewall policy
    clone <existing policy id> to <new policy id>
end

 

Example:

In this example the FortiGate has only one policy, ID 1.

 

DCFW_Pri # config firewall policy

DCFW_Pri (policy) # get
== [ 1 ]
policyid: 1


DCFW_Pri # config firewall policy
DCFW_Pri (policy) # clone 1 to 2
DCFW_Pri (policy) # end

 

DCFW_Pri # config firewall policy
DCFW_Pri (policy) # get
== [ 1 ]
policyid: 1
== [ 2 ]
policyid: 2

 

DCFW_Pri (policy) # sh
    config firewall policy
        edit 1
            set name "sslvpn_policy"
            set uuid d9be985c-f4ca-51ed-033f-762242deecec
            set srcintf "ssl.root"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set webfilter-profile "default"
            set users "test"
            set nat enable
        next
        edit 2
            set uuid d18d23a6-08f7-51ee-28d4-4f4b8f4a3ac3
            set srcintf "ssl.root"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set webfilter-profile "default"
            set users "test"
            set nat enable
        next
    end

As the output shows, the clone (policy 2) receives a new UUID and carries no name; every other setting, including the users, the UTM profiles and NAT, is copied verbatim from policy 1. Give the clone a distinct name so that it can be told apart from the original in the policy list and in logs.

To reorder the cloned policy, use the move command. Typing 'move 2' followed by '?' lists the two available positions:

 

DCFW_Pri # config firewall policy
DCFW_Pri (policy) # move 2 ?
after    move after
before   move before

 

DCFW_Pri (policy) # move 2 before 1
DCFW_Pri (policy) # end

 

Make sure to use an unused ID number for the new policy. Specifying an ID that already belongs to another policy fails with the error below, and no policy is created:

 

DCFW_Pri (policy) # clone 1 to 2
Can not clone: table entry '2' already exists
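The CLI procedure above (pick a free ID, clone, optionally disable, then move) is easy to get wrong on a box with many policies, and the "already exists" error is only reported after the commands are typed. The following helper is an added example, not part of the article or of FortiOS: it parses the 'show firewall policy' output that the article prints, finds the next free policy ID the way the GUI does, builds the exact CLI lines shown above, and predicts the resulting policy order. It refuses an ID that is already in use with the same message the device prints. The sample 'show' output embedded in it is constructed from the article's single-policy configuration; the function names and the optional name/disable parameters are this example's own.

```python
import re

# Constructed sample input: the 'show' output of the article's FortiGate
# before cloning (a single policy, values taken from the article).
SAMPLE_SHOW = """\
config firewall policy
    edit 1
        set name "sslvpn_policy"
        set uuid d9be985c-f4ca-51ed-033f-762242deecec
        set srcintf "ssl.root"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set users "test"
        set nat enable
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit (\d+)\s*$", re.MULTILINE)


def parse_policy_order(show_output: str) -> list[int]:
    """Return policy IDs in the order 'show firewall policy' lists them.

    The listing order is the evaluation order: the first matching policy
    wins, so where a clone lands matters as much as what it contains.
    """
    return [int(m.group(1)) for m in _EDIT_RE.finditer(show_output)]


def next_free_policy_id(order: list[int]) -> int:
    """Smallest positive ID not already in use (what the GUI assigns automatically)."""
    used = set(order)
    candidate = 1
    while candidate in used:
        candidate += 1
    return candidate


def clone_and_move(order, src_id, new_id=None, place="after", disable=True, name=None):
    """Build the FortiOS CLI lines that clone src_id and position the clone.

    Returns (commands, new_order). Raises ValueError for the two mistakes the
    device itself rejects: an unknown source policy, and a new ID that is
    already taken (the device answers the latter with
    "Can not clone: table entry '<id>' already exists").
    """
    if src_id not in order:
        raise ValueError(f"policy {src_id} does not exist")
    if new_id is None:
        new_id = next_free_policy_id(order)
    if new_id in order:
        raise ValueError(f"Can not clone: table entry '{new_id}' already exists")
    if place not in ("before", "after"):
        raise ValueError("place must be 'before' or 'after'")

    commands = ["config firewall policy", f"    clone {src_id} to {new_id}"]
    if disable or name:
        # A CLI clone is enabled immediately and matches the same traffic as the
        # original; disabling it until reviewed mirrors what the GUI paste does.
        commands.append(f"    edit {new_id}")
        if name:
            commands.append(f'        set name "{name}"')
        if disable:
            commands.append("        set status disable")
        commands.append("    next")
    # Always move explicitly so the final position does not rely on the
    # default placement below the original.
    commands.append(f"    move {new_id} {place} {src_id}")
    commands.append("end")

    new_order = list(order)
    idx = new_order.index(src_id) + (0 if place == "before" else 1)
    new_order.insert(idx, new_id)
    return commands, new_order


if __name__ == "__main__":
    order = parse_policy_order(SAMPLE_SHOW)
    cmds, new_order = clone_and_move(order, 1, place="before", name="sslvpn_policy_test")
    print("\n".join(cmds))
    print("policy order after move:", new_order)
```

Run it and paste the printed block into the FortiGate CLI; the clone is created disabled and placed above policy 1, exactly as in the article's 'move 2 before 1' example, and can be enabled once the test changes have been applied to it.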