FortiGate
akamath
Staff
Article Id 197353

Description

This article explains how to change the order of the IPv4 firewall, traffic shaping, local-in and SD-WAN policy lists from the CLI.

Scope

FortiGate.

Solution

It is possible to change the policy order in the IPv4 policy list by dragging items in the GUI, or by entering the CLI commands outlined in this article. The ID number of a moved policy does not change.

For example, to move policy 10 before or after policy 30 in the firewall policy table, enter:

config firewall policy
    move 10 <'before' or 'after'> 30
end

For a local-in policy, use the equivalent command:

config firewall local-in-policy
    move 10 <'before' or 'after'> 30
end

For SD-WAN service rules, use the following command (the nested 'config service' table needs its own 'end'):

config system sdwan
    config service
        move 3 <'before' or 'after'> 2
    end
end

Note:
Starting from FortiOS v7.6.0, the local-in policy can be configured from the GUI.

Local-in policy

Note:
Starting from FortiOS v7.4.0, policies can also be moved by their policy ID directly from the FortiGate GUI as an alternative to drag-and-drop. This option is available on the Firewall Policy page in the 'By Sequence' or 'Sequence Grouping' view. For detailed steps, refer to the 'Move by ID' option in the GUI and to the article Move Policy by ID via GUI.

The move subcommand is only available in tables where the order of entries affects behaviour, because such tables are evaluated top-down and the first matching entry is applied. The same process can be used to manage traffic shaping, local-in, and SD-WAN policies.
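As an added illustration (not code from the Fortinet article), the following Python script models the move subcommand on an ordered table: it computes the moves needed to reach a desired order, checks that a more specific entry ends up above a general one, and prints the resulting config block, including the backslash escaping of names with spaces that the Dynamic Port Policy section below describes. The table paths, policy IDs and policy names are constructed for the example.

```python
# Added example, not part of the Fortinet article: a small model of the FortiOS
# "move <entry> before|after <entry>" subcommand for ordered tables. Table
# paths, policy IDs and names below are constructed for illustration.
from __future__ import annotations


def apply_move(order: list, entry, position: str, ref) -> list:
    """Return a new order reflecting 'move <entry> <position> <ref>'.

    The key of the moved entry (its policy ID or name) is unchanged, which is
    why a move never renumbers anything.
    """
    if position not in ("before", "after"):
        raise ValueError("position must be 'before' or 'after'")
    if entry not in order or ref not in order:
        raise ValueError("both entries must exist in the table")
    if entry == ref:
        return list(order)
    new = [e for e in order if e != entry]
    idx = new.index(ref)
    new.insert(idx if position == "before" else idx + 1, entry)
    return new


def plan_moves(current: list, target: list) -> list[tuple]:
    """Compute the (entry, position, ref) moves that turn current into target.

    Walk the target order from the top; whenever slot i holds the wrong entry,
    move the wanted entry before the entry currently occupying that slot.
    """
    if len(current) != len(target) or set(current) != set(target):
        raise ValueError("current and target must contain the same entries")
    order = list(current)
    moves = []
    for i, wanted in enumerate(target):
        if order[i] != wanted:
            moves.append((wanted, "before", order[i]))
            order = apply_move(order, wanted, "before", order[i])
    return moves


def simulate(order: list, moves: list[tuple]) -> list:
    """Apply a list of moves in sequence, as the CLI would."""
    for entry, position, ref in moves:
        order = apply_move(order, entry, position, ref)
    return order


def precedes(order: list, specific, general) -> bool:
    """True when `specific` is evaluated before `general` in a top-down table,
    e.g. a narrow policy placed above a catch-all one."""
    return order.index(specific) < order.index(general)


def cli_name(entry) -> str:
    """Render a table key for the CLI: integer IDs as-is, names with each
    space escaped by a backslash (as the article shows for Other\\ Users)."""
    return str(entry).replace(" ", "\\ ")


def render_cli(path: list[str], moves: list[tuple]) -> str:
    """Build the config block for a list of moves.

    `path` is the nesting of config/edit lines down to the ordered table, e.g.
    ["config firewall policy"] or ["config system sdwan", "config service"].
    Each 'config' is closed with 'end' and each 'edit' with 'next'.
    """
    indent = "    "
    lines = [indent * depth + line for depth, line in enumerate(path)]
    for entry, position, ref in moves:
        lines.append(indent * len(path) + f"move {cli_name(entry)} {position} {cli_name(ref)}")
    for depth in range(len(path) - 1, -1, -1):
        closer = "next" if path[depth].startswith("edit ") else "end"
        lines.append(indent * depth + closer)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed firewall policy table: IDs 10, 20, 30, 40 top to bottom.
    current = [10, 20, 30, 40]
    target = [30, 10, 40, 20]
    moves = plan_moves(current, target)
    assert simulate(current, moves) == target
    print(render_cli(["config firewall policy"], moves))

    # Dynamic port policy: names instead of IDs, space escaped with a backslash.
    dpp = ["Other Users", "User1"]
    dpp_moves = [("Other Users", "after", "User1")]
    assert precedes(simulate(dpp, dpp_moves), "User1", "Other Users")
    print(render_cli(["config switch-controller dynamic-port-policy",
                      'edit "Test"', "config policy"], dpp_moves))
```

Running the script prints the `config ... move ... end` blocks for both constructed tables; `plan_moves` emits one move per misplaced entry, and `precedes` is the check to run after a change to confirm that the narrower entry really sits above the broader one before the first-match evaluation reaches it.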

 

See the attached console logs for lab tests demonstrating policy order changes.

If multiple VIP entries are configured and their order needs to be changed through the CLI, use the following commands:

config firewall vip
    move <VIP NAME> [before/after] <VIP NAME>
end

[Screenshot: vip.jpg]

[Screenshot: vip_move_command.jpg]

After running the commands:

[Screenshot: vip_after_moving.jpg]

The same applies to Dynamic Port Policies, which are processed sequentially just like firewall policies.

However, they cannot be reordered by drag and drop in the GUI; the change must be made in the CLI. The example below shows how to move policy 'User1' above 'Other Users', since it is more specific:

[Screenshot: dynamic.png]

  • Unlike firewall policies, a Dynamic Port Policy does not have a policy ID, so policy names must be used in the CLI. If a policy name contains a space, put a '\' before the space as an escape character:

config switch-controller dynamic-port-policy
    edit "Test"
        config policy
            move Other\ Users after User1
        end
end

  • After that change, User1 is now above 'Other Users'.

[Screenshot: after.png]

  • To move URL filter entries, for example entry 2 before entry 1, enter the following (the nested 'config entries' table needs its own 'end'):

config webfilter urlfilter
    edit <ID>
        config entries
            move 2 before 1
        end
end

[Screenshot: Static_URL_Filter_order]

To move SSL VPN authentication rules, use the command below:

config vpn ssl settings
    config authentication-rules
        move <ID> before <ID>    <----- 'after' can also be used, for example 'move <ID> after <ID>'.
    end
end