I'm looking into a way to add a new rule to an existing policy using an automated script. Is there a simple way via the cli to accomplish this? For example, how do I tell the new rule what number to use if I don't know how many existing rules there are? Is there a command in "config firewall policy" to use the next number available?
Joe
When you add a rule via the CLI it will craft the fw-policyid automatically. Now, what I did in a previous life role was this: we had a SQL database. We manipulated the fw-policy-id by reading the records and incrementing the last entry by +1.
Could you do something like that?
Ken (PCNSE, NSE, StrongSwan)
Use "edit 0"; it will use the next available number for the policy.
Thanks for clueing me in on "edit 0". That works great, but is there a way to specify that the new rule becomes the first in a section? When I created the rule it was placed at the bottom of the section and is now a shadowed rule. There is a rule above it that is allowing the traffic that I am specifically looking to deny.
Joe
The sequence of the policies is just the sequence of command blocks in the section "conf firewall policy". Appending any new policy to the existing code is IMHO a design decision of the FortiOS team, and in a way, reasonable.
I think the only way to determine the position of the new policy is to read the whole policy code block, insert the new policy where you want it (you may use "edit 0" here nonetheless), and write the whole block back. This will of course break all existing sessions but should be possible without reboot.
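The two approaches in this thread, computing the next ID as max+1 from the existing records and rebuilding the "config firewall policy" block with the new rule inserted ahead of the rule that would otherwise shadow it, can be scripted offline against a saved "show firewall policy" dump. The script below is an added example, not code from the thread or from Fortinet; the policy dump, interface names ("internal", "guest", "wan1") and rule names are constructed, and the shadow check only compares the literal srcintf/dstintf/srcaddr/dstaddr/service values (treating "all"/"ALL" as wildcards) without expanding address or service groups.

```python
import re
from typing import Dict, List, Optional, Tuple

Policy = Tuple[int, Dict[str, str]]  # (policy id, attribute -> raw value text)
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")

# Constructed sample of 'show firewall policy' output; names are hypothetical.
SAMPLE_DUMP = """\
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set name "guest-to-wan"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
"""

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def values(raw: str) -> set:
    """Split a raw 'set' value into its names, handling quoted multi-value lists."""
    return {quoted or bare for quoted, bare in _TOKEN.findall(raw)}


def parse_policies(dump: str) -> List[Policy]:
    """Policies in file order, which is also the order FortiOS evaluates them in."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = (int(line.split()[1]), {})
        elif line.startswith("set ") and current is not None:
            key, _, raw = line[4:].partition(" ")
            current[1][key] = raw
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies


def next_policy_id(policies: List[Policy]) -> int:
    """max(id)+1, the database-style approach; 'edit 0' makes FortiOS pick this itself."""
    return max((pid for pid, _ in policies), default=0) + 1


def covers(existing: Dict[str, str], new: Dict[str, str]) -> bool:
    """True if every match field of 'existing' matches everything 'new' matches."""
    for key in MATCH_KEYS:
        have = values(existing.get(key, ""))
        want = values(new.get(key, ""))
        if any(v.lower() == "all" for v in have):
            continue  # wildcard on this field
        if not want or not want <= have:
            return False
    return True


def shadowing_policies(policies: List[Policy], new: Dict[str, str]) -> List[int]:
    """IDs of policies in the list that would catch the new rule's traffic first."""
    return [pid for pid, attrs in policies if covers(attrs, new)]


def insert_before(policies: List[Policy], new: Dict[str, str], before_id: int) -> List[Policy]:
    """Place the new policy (id 0, so FortiOS assigns the number) ahead of before_id."""
    for i, (pid, _) in enumerate(policies):
        if pid == before_id:
            return policies[:i] + [(0, new)] + policies[i:]
    raise ValueError(f"policy {before_id} not found")


def render_block(policies: List[Policy]) -> str:
    """Emit the whole 'config firewall policy' block in the desired order."""
    lines = ["config firewall policy"]
    for pid, attrs in policies:
        lines.append(f"    edit {pid}")
        lines.extend(f"        set {k} {v}" for k, v in attrs.items())
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    existing = parse_policies(SAMPLE_DUMP)
    deny = {"name": '"deny-guest-web"', "srcintf": '"guest"', "dstintf": '"wan1"',
            "srcaddr": '"all"', "dstaddr": '"all"', "action": "deny",
            "schedule": '"always"', "service": '"HTTP"'}
    print("next free id:", next_policy_id(existing))
    print("appending would be shadowed by:", shadowing_policies(existing, deny))
    print(render_block(insert_before(existing, deny, 4)))
```

Run it against a dump saved from "show firewall policy": the shadow list tells you which existing accept rule would swallow the deny if it were simply appended, and the rendered block is the reordered text to push back, with the new entry left as "edit 0" so the device assigns the ID.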
Copyright 2024 Fortinet, Inc. All Rights Reserved.