Fortinet Forum
VicAndr
New Contributor III

Multiple firewall policies between WiFi interface and wired one

Many network interfaces on my FG unit (FG-500D) are in use. I have no problem creating multiple firewall policies between hardwired interfaces, but could only create a single policy between a WiFi interface and any of the wired ones. Every attempt to add a second (let alone 3rd, 4th) policy between the WiFi interface and a wired one ends up with the following error message: "Entry not found."

 

Is that a firmware bug (my unit is running FortiOS v.5.2.3) or am I doing something wrong? Has anyone experienced similar issues?

 

Thank you for any comments/suggestions.

7 REPLIES
gschmitt
Valued Contributor

Are you using some kind of bugged object in the policy?

VicAndr
New Contributor III

gschmitt wrote:

Are you using some kind of bugged object in the policy?

No. That had nothing to do with a "bugged object". With the help of Fortinet support I found out why I couldn't add any additional policies between the interfaces.

 

We all know that firewall policies are processed from top to bottom. To achieve the desired result you have to place any new policy in the proper place among the other ones. ...and for years I used FortiOS' GUI "Insert Policy Above" and "Insert Policy Below" options to do just that. You click one of those options - it opens the "Create New Policy" window for you, and then you simply configure all of the policy's properties in it and click <OK>.

 

But with FortiOS 5.2.3, although both "Insert Policy" options are still there, it doesn't work as expected any longer. It does actually insert a disabled policy with action DENY and nothing else configured, but you have to specifically open it to do all the configuration. ...and as soon as you click <OK> - you get that above-mentioned pesky message.

 

The "solution" was not to use the "Insert Policy" options but to create a whole new policy from scratch. The new policy is placed at the bottom of the section which lists all policies between a pair of interfaces - and that brings up a whole new question: Is there a simple way to reposition policies within one interface section without the need to reconfigure a few of them to ensure proper firewall behavior? I do not see such an option anywhere in the GUI or CLI.
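The post above hinges on two facts: policies are matched top to bottom (first match wins), and a policy created "from scratch" lands at the bottom of its interface-pair section, possibly below a broader policy that shadows it. The following is an added example written for this thread, not code from the original post or from Fortinet: a small model of first-match evaluation plus a reorder step that mirrors what a "move before/after" does. Interface names, policy IDs and addresses are constructed for the demonstration.

```python
"""First-match firewall policy evaluation and reordering (added example).

Models a FortiGate-style policy list: the first enabled policy whose
interfaces, addresses and service match the flow decides the action; if
nothing matches, the implicit deny applies. Sample data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str            # CIDR, or "all" for any address
    dstaddr: str
    service: str            # e.g. "HTTPS", "SSH", or "ALL"
    action: str             # "accept" or "deny"
    enabled: bool = True


def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "all" or ip_address(addr) in ip_network(cidr)


def first_match(policies: List[Policy], srcintf: str, dstintf: str,
                src: str, dst: str, service: str) -> Optional[Policy]:
    """Return the first enabled policy matching the flow, scanning top to bottom.
    None means no explicit policy matched (the implicit deny would apply)."""
    for p in policies:
        if not p.enabled:
            continue                      # a disabled policy is skipped entirely
        if p.srcintf != srcintf or p.dstintf != dstintf:
            continue
        if not _addr_match(p.srcaddr, src) or not _addr_match(p.dstaddr, dst):
            continue
        if p.service not in ("ALL", service):
            continue
        return p
    return None


def decision(policies: List[Policy], srcintf: str, dstintf: str,
             src: str, dst: str, service: str) -> Tuple[Optional[int], str]:
    """(matching policy id or None, resulting action)."""
    p = first_match(policies, srcintf, dstintf, src, dst, service)
    return (p.policy_id, p.action) if p else (None, "deny")


def move_policy(policies: List[Policy], policy_id: int,
                position: str, ref_id: int) -> List[Policy]:
    """Reorder the list like 'move <id> before|after <ref_id>'; returns a new list."""
    if position not in ("before", "after"):
        raise ValueError("position must be 'before' or 'after'")
    moving = next(p for p in policies if p.policy_id == policy_id)
    rest = [p for p in policies if p.policy_id != policy_id]
    idx = next(i for i, p in enumerate(rest) if p.policy_id == ref_id)
    if position == "after":
        idx += 1
    return rest[:idx] + [moving] + rest[idx:]


# Constructed sample for the wifi -> lan section. Policy 7 was created from
# scratch and therefore ended up at the bottom, below the broad deny in policy 5.
POLICIES = [
    Policy(3, "wifi", "lan", "all", "10.0.10.0/24", "HTTPS", "accept"),
    Policy(5, "wifi", "lan", "all", "all", "ALL", "deny"),
    Policy(7, "wifi", "lan", "192.168.20.0/24", "10.0.20.5/32", "SSH", "accept"),
]


def demo():
    """Show that policy 7 is shadowed until it is moved above policy 5."""
    flow = ("wifi", "lan", "192.168.20.10", "10.0.20.5", "SSH")
    before = decision(POLICIES, *flow)               # (5, "deny")  shadowed
    reordered = move_policy(POLICIES, 7, "before", 5)
    after = decision(reordered, *flow)               # (7, "accept")
    return before, after, [p.policy_id for p in reordered]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the SSH flow hitting the broad deny (policy 5) while policy 7 sits below it, and hitting policy 7 once it is moved above; the resulting order is 3, 7, 5. The same reorder is what the FortiOS CLI performs with `move 7 before 5` inside `config firewall policy`, which is worth checking on the unit when the GUI's insert and cut/paste options misbehave as described in this thread.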

rwpatterson
Valued Contributor III

Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after. Beware, you must first display the policy IDs in the list by choosing that option from the column settings list.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

VicAndr
New Contributor III

rwpatterson wrote:

Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after.

That's exactly how it used to work (although it wasn't called "insert" but "move" instead). Well, on v.5.2.3 you do not have such a "luxury" any longer. These are the configuration options available to you when you right-click on a policy:

 

 

Did you actually try it yourself on FortiOS 5.2.3? 

rwpatterson
Valued Contributor III

No.

 

Have you tried cut policy/paste before|after?

 

For what it's worth, on my 5.2.3 box, right clicking does nothing. Maybe a Firefox issue.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

VicAndr
New Contributor III

rwpatterson wrote:

Have you tried cut policy/paste before|after?

It doesn't work either. If you cut a policy - it removes it from the list. But when you try to paste it into a different place - it creates a whole new DENY policy instead - with nothing configured. The policy which you cut just a moment ago with the intent to relocate it - disappears, and you have to go back and recreate that policy from scratch. What a mess!

 

Am I the only one who experiences such a problem?

VicAndr
New Contributor III

Found a solution in this forum. The only simple method to re-order policies which actually works for me (FG-5000D on v.5.2.3) is dragging-and-dropping.