Description
When adding configuration entries that use indexes, the "edit 0" option can be used to avoid overwriting existing settings.
With "edit 0", the FortiGate chooses the next available index for the new object. This applies to static routes, firewall policies, policy based routes, and so on.
The use of this option is illustrated in the following examples.
Solution
Example 1: To add a new static route to the following existing config.
FG1 # show router static
config router static
    edit 1
        set device "port1"
        set gateway 192.168.183.254
        set weight 50
    next
end
If the following commands are used they will overwrite static route 1:
FG1 # config router static
FG1 (static) # edit 1
To prevent this happening, use the following:
FG1 # config router static
FG1 (static) # edit 0
new entry '0' added     <<CLI message
set device "port1"
set dst 10.161.0.0 255.255.254.0
set gateway 192.168.183.254
set weight 50
end
The config can now be checked to see that static route index 2 has been added.
FG1 # show router static
config router static
    edit 1
        set device "port1"
        set gateway 192.168.183.254
        set weight 50
    next
    edit 2
        set device "port1"
        set dst 10.161.0.0 255.255.254.0
        set gateway 192.168.183.254
        set weight 50
    next
end
Example 2: To add a new firewall policy to the following existing config.
FG1 # show firewall policy
config firewall policy
    edit 4
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 5
        set srcintf "toFG2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
If the following commands are used they will overwrite firewall policy 1:
FG1 # config firewall policy
FG1 (policy) # edit 1
FG1 (1) #
Using the following commands will create a new firewall policy with the next available index:
FG1 # config firewall policy
FG1 (policy) # edit 0
new entry '0' added     <<CLI message
set srcintf "port2"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
The config can now be checked to see that firewall policy #6 has been added:
FG1 # show firewall policy
config firewall policy
    edit 4
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 5
        set srcintf "toFG2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 6
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
Example 3: Adding a section to the configuration using copy/paste to the CLI without overwriting existing firewall policies.
config firewall policy
    edit 0
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
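A pre-paste check for the situation in Example 3, as an added example that is not part of the original article or any Fortinet tooling: it reads the index numbers from saved "show" output and rewrites any numbered "edit N" in a snippet to "edit 0" when that index is already in use on the device or earlier in the same snippet. The function names, the sample snippet and the shortened existing config are assumptions made for this illustration.

```python
import re

EDIT_RE = re.compile(r"^(\s*)edit\s+(\d+)\s*$")

def top_level_edits(text):
    """Yield (line_number, index) for 'edit N' lines directly under the outermost 'config'."""
    depth = 0
    for n, line in enumerate(text.splitlines()):
        words = line.split()
        first = words[0] if words else ""
        if first == "config":
            depth += 1
        elif first == "end":
            depth = max(depth - 1, 0)
        elif depth == 1:  # edits inside nested config tables are not entry indexes
            m = EDIT_RE.match(line)
            if m:
                yield n, int(m.group(2))

def make_safe_paste(existing_cfg, paste):
    """Rewrite each top-level 'edit N' in paste that would overwrite an entry to 'edit 0'.
    Returns (rewritten_paste, list_of_colliding_indexes)."""
    used = {idx for _, idx in top_level_edits(existing_cfg)}
    lines = paste.splitlines()
    collisions = []
    for n, idx in top_level_edits(paste):
        if idx and idx in used:  # index 0 already means "next free index"
            collisions.append(idx)
            lines[n] = EDIT_RE.sub(r"\g<1>edit 0", lines[n])
        else:
            used.add(idx)  # a later duplicate in the same paste also collides
    return "\n".join(lines), collisions

# Policy indexes as in Example 2 (entries shortened to their edit/next lines).
EXISTING = "config firewall policy\n    edit 4\n    next\n    edit 5\n    next\n    edit 1\n    next\nend"

# Constructed snippet: 'edit 1' would overwrite policy 1, 'edit 7' is unused.
PASTE = """config firewall policy
    edit 1
    next
    edit 7
    next
end"""

if __name__ == "__main__":
    safe, hits = make_safe_paste(EXISTING, PASTE)
    print("indexes that would be overwritten:", hits)
    print(safe)
```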