Hi all, is there any way to create new firewall policy via 'config firewall policy' without having to specify a policy id; i.e., let it just take the next available number? I'm trying to either mass clone or mass create new rules to break multi-interface rules into individual rules so 'interface pair view' becomes usable again in the web interface. Doing this while having to come up with unique numbers for each clone or edit command is a nightmare.
Solved! Go to Solution.
config firewall policy
edit 0
0 is the policy id for next available.
FortiOSman,
Up, Up, and Away!
Even btter since you said clone, you could do the following
config firewall policy
clone 1111 to 0
That would allow you to clone a existing policyid 1111 to the next newiest number ( id ) and then you can make the change.
This method is available for fwpolicy id, services customs, but not for address or addrgroups. It's probably the #1 missed cli option that can speed up deploy and when your doing mass deployments imho
PCNSE
NSE
StrongSwan
config firewall policy
edit 0
0 is the policy id for next available.
FortiOSman,
Up, Up, and Away!
Awesome; thanks!
Even btter since you said clone, you could do the following
config firewall policy
clone 1111 to 0
That would allow you to clone a existing policyid 1111 to the next newiest number ( id ) and then you can make the change.
This method is available for fwpolicy id, services customs, but not for address or addrgroups. It's probably the #1 missed cli option that can speed up deploy and when your doing mass deployments imho
PCNSE
NSE
StrongSwan
Thanks emnoc, clone 1111 to 0 is my new friend.
Is there a way to find what the new policy ID number is, other than doing a show, and preferably not doing edit 0 then show then subtracting one?
Is there something like clone 1111 to 0 && edit 0 that might open the newly cloned policy?
Yes you have a few choices but I agree the clone make you look for the new policed.
1: the new policed is always 1+ the last create policyid
2: will always be at the end of the seq#
3: if you want to clone a policy id like 1111 to a <new unused policyid> you can do that . Forties is smart enough to restrict cloning a <inused policy and will ALWAYS throw up a error>
e.g
FWF (root) # show firewall policy 118 < - check to see if its available
entry is not found in table
Command fail. Return code 1
FWF (root) # config firewall policy
FWF (policy) # clone 120 to 118 <----- clone the policyid
FWF (policy) # edit
policyid Policy ID. (0-4294967294)
8
9
4294967291
4294967292
4294967293
4294967294
1
2
4
89
123
120
121
122
124
12
118 <----clone of poliycyid #120
I hope that helps understanding the clone and notice it was dropped last in the SEQ ordering.
PCNSE
NSE
StrongSwan
use edit 0 and it will create next id :)
// Anders
you can do a "clone 120 to 0" to clone to the next ID avaible
But his question is "other than doing a show" I don't know of a way to know what's the next policyid that will be assigned UNLESS you do a "show" or do what was suggested b4, find a unused policy-id and clone to that policy-id
FortiOS will not let you overwrite an existing policyid
Ken
PCNSE
NSE
StrongSwan
It's easier and not too much trouble by turning the order of operations around
# conf fire policy
(policy) # ed 0
(0) # sh
config firewall policy
edit 123 <--- new policy ID
next
end
(0) # ne <--- effectively aborts, ID 123 remains free for clone destination
node_check_object! for srcintf
Attribute 'srcintf' MUST be set.
(policy) # clone 17 to 0
(policy) # ed 123
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1742 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.