FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Article Id 190761
Description
When adding entries to a configuration table that is keyed by an integer index, use "edit 0" instead of an explicit index so that an existing entry is not modified by mistake.

With "edit 0", the FortiGate assigns the next free index to the new object. This applies to integer-indexed tables such as static routes, firewall policies and policy-based routes; it has no special meaning in tables keyed by a name.

The use of this option is illustrated in the following examples.

Solution
Example 1: To add a new static route to the following existing config.

FG1 # show router static

config router static
edit 1
set device "port1"
set gateway 192.168.183.254
set weight 50
next
end


If the following commands are used, the "set" commands that follow will modify the existing static route 1 instead of creating a new route:
FG1 # config router static
FG1 (static) # edit 1
To prevent this, use "edit 0"; the CLI confirms that a new entry was created:
FG1 # config router static
FG1 (static) # edit 0
new entry '0' added <<CLI message

set device "port1"
set dst 10.161.0.0 255.255.254.0
set gateway 192.168.183.254
set weight 50
end
The config can now be checked to see that static route index 2 has been added.

FG1 # show router static

config router static
edit 1
set device "port1"
set gateway 192.168.183.254
set weight 50
next
edit 2
set device "port1"
set dst 10.161.0.0 255.255.254.0
set gateway 192.168.183.254
set weight 50
next
end


Example 2: To add a new firewall policy to the following existing config.


FG1 # show firewall policy

config firewall policy
edit 4
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 5
set srcintf "toFG2"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end


If the following commands are used, the "set" commands that follow will modify the existing firewall policy 1 instead of creating a new policy (the prompt changes to the entry being edited):
FG1 # config firewall policy
FG1 (policy) # edit 1
FG1 (1) #
Using "edit 0" instead creates a new firewall policy with the next free index; the CLI confirms that a new entry was created:
FG1 # config firewall policy
FG1 (policy) # edit 0
new entry '0' added <<CLI message

set srcintf "port2"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
The config can now be checked to see that firewall policy 6 has been added. Note that "show firewall policy" lists policies in evaluation order, not by ID (here 4, 5, 1), and a policy created with "edit 0" is appended at the bottom of that order. If the new policy must match before an existing one, move it afterwards (for example "move 6 before 4" under "config firewall policy"); otherwise a more general policy above it will keep matching the traffic first.

FG1 # show firewall policy

config firewall policy
edit 4
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 5
set srcintf "toFG2"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
edit 1
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
edit 6
set srcintf "port2"
set dstintf "port3"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next
end



Example 3: Pasting a block of configuration into the CLI without overwriting existing firewall policies. Because every entry uses "edit 0", the block can be pasted on any unit regardless of which policy IDs already exist; each "edit 0" receives the next free index in turn.

config firewall policy
edit 0
set srcintf "port4"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
next

edit 0
set srcintf "toFG2"
set dstintf "port4"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
end
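Before pasting a block like the one above, it is worth checking that none of its "edit" lines use an index that already exists on the target unit, since such an entry would be modified rather than created. The following Python script is an added example, not part of this article or Fortinet's tooling: it parses the text of "show firewall policy" from the running unit together with the snippet to be pasted, flags every "edit <id>" that collides with an existing entry, and reports which IDs each "edit 0" would receive. The sample running config and snippet are constructed from Examples 2 and 3. The rule that "edit 0" receives the highest existing ID plus one is an assumption that matches the article's examples (1 becomes 2, and 4/5/1 becomes 6); it is not a documented guarantee, so treat the predicted IDs as indicative.

```python
"""Pre-paste lint for FortiGate CLI snippets (added example, not Fortinet code).

Given the text of `show <table>` from the running unit and a snippet about to
be pasted, report every `edit <id>` that would land on an existing entry (and
therefore modify it instead of creating a new object), and show which IDs
`edit 0` would receive.  The next-free-ID rule (highest existing ID + 1) is an
assumption that matches the article's examples, not a documented guarantee.
"""
import re

# Constructed sample: the `show firewall policy` output from Example 2,
# trimmed to the lines the linter actually looks at.
RUNNING_CONFIG = """\
config firewall policy
    edit 4
        set srcintf "port2"
        set dstintf "port1"
    next
    edit 5
        set srcintf "toFG2"
        set dstintf "port2"
    next
    edit 1
        set srcintf "port2"
        set dstintf "port1"
    next
end
"""

# Constructed snippet: Example 3's two `edit 0` blocks, plus a deliberate
# `edit 1` that would silently modify the existing policy 1.
SNIPPET = """\
config firewall policy
    edit 1
        set dstintf "port3"
    next
    edit 0
        set srcintf "port4"
        set dstintf "port1"
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port4"
    next
end
"""

CONFIG_RE = re.compile(r"^\s*config\s+(.+?)\s*$")
EDIT_RE = re.compile(r"^\s*edit\s+(\S+)\s*$")
END_RE = re.compile(r"^\s*end\s*$")


def parse_tables(text):
    """Map each top-level table ('firewall policy', 'router static', ...) to the
    list of entry IDs it contains, in the order shown.  Nested config/end
    blocks inside an entry are skipped by tracking the nesting depth."""
    tables, table, depth = {}, None, 0
    for line in text.splitlines():
        cfg = CONFIG_RE.match(line)
        if cfg:
            if depth == 0:
                table = cfg.group(1)
                tables.setdefault(table, [])
            depth += 1
        elif END_RE.match(line):
            depth -= 1
            if depth == 0:
                table = None
        elif depth == 1 and table is not None:
            ent = EDIT_RE.match(line)
            if ent:
                tables[table].append(ent.group(1).strip('"'))
    return tables


def next_free_id(ids):
    """ID that `edit 0` receives under the highest-ID-plus-one assumption."""
    nums = [int(i) for i in ids if i.isdigit()]
    return max(nums, default=0) + 1


def lint_snippet(snippet, running_config):
    """Return (table, id_as_written, verdict) for every `edit` in the snippet."""
    existing = parse_tables(running_config)
    findings = []
    for table, ids in parse_tables(snippet).items():
        used = set(existing.get(table, []))
        for entry_id in ids:
            if entry_id == "0":
                new_id = next_free_id(used)
                used.add(str(new_id))
                findings.append((table, entry_id, f"new entry, would become {new_id}"))
            elif entry_id in used:
                findings.append((table, entry_id, "COLLISION: modifies existing entry"))
            else:
                used.add(entry_id)
                findings.append((table, entry_id, "new entry with explicit id"))
    return findings


if __name__ == "__main__":
    for table, entry_id, verdict in lint_snippet(SNIPPET, RUNNING_CONFIG):
        print(f"{table}: edit {entry_id} -> {verdict}")
```

In practice, replace RUNNING_CONFIG with the real output of "show firewall policy" (or "show router static") captured from the target unit and SNIPPET with the block you intend to paste; any line reported as COLLISION should be changed to "edit 0" before pasting.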



