Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ispcolohost
Contributor

Create or clone policy via CLI without needing policyid?

Hi all, is there any way to create a new firewall policy via 'config firewall policy' without having to specify a policy id, i.e., let it just take the next available number? I'm trying to either mass clone or mass create new rules to break multi-interface rules into individual rules so 'interface pair view' becomes usable again in the web interface. Doing this while having to come up with unique numbers for each clone or edit command is a nightmare.

FortiOSman
New Contributor III

config firewall policy
edit 0

0 is the policy ID for the next available one.

FortiOSman,
Up, Up, and Away!

ispcolohost

Awesome; thanks!

emnoc
Esteemed Contributor III

Even better, since you said clone, you could do the following:

config firewall policy
   clone 1111 to 0

That would allow you to clone an existing policyid 1111 to the next newest number (id) and then you can make the change.

This method is available for fwpolicy id and custom services, but not for address or addrgroups. It's probably the #1 missed CLI option that can speed up deployment when you're doing mass deployments imho.

PCNSE NSE StrongSwan
journeyman

Thanks emnoc, clone 1111 to 0 is my new friend.

Is there a way to find what the new policy ID number is, other than doing a show, and preferably not doing edit 0, then show, then subtracting one?

Is there something like clone 1111 to 0 && edit 0 that might open the newly cloned policy?

emnoc
Esteemed Contributor III

Yes, you have a few choices, but I agree the clone makes you look for the new policyid.

1: the new policyid is always 1+ the last created policyid

2: it will always be at the end of the seq#

3: if you want to clone a policy id like 1111 to a <new unused policyid> you can do that. FortiOS is smart enough to restrict cloning to an <in-use policyid> and will ALWAYS throw up an error.

e.g.

FWF (root) # show firewall policy 118    <- check to see if it's available
entry is not found in table
Command fail. Return code 1

FWF (root) # config firewall policy

FWF (policy) # clone 120 to 118    <----- clone the policyid

FWF (policy) # edit
policyid    Policy ID. (0-4294967294)
8
9
4294967291
4294967292
4294967293
4294967294
1
2
4
89
123
120
121
122
124
12
118    <---- clone of policyid #120

I hope that helps understanding the clone, and notice it was dropped last in the SEQ ordering.

PCNSE NSE StrongSwan
dio99
New Contributor

use edit 0 and it will create the next id :)

// Anders

hklb
Contributor II

you can do a "clone 120 to 0" to clone to the next available ID

emnoc
Esteemed Contributor III

But his question is "other than doing a show". I don't know of a way to know what's the next policyid that will be assigned UNLESS you do a "show", or do what was suggested before: find an unused policy-id and clone to that policy-id.

FortiOS will not let you overwrite an existing policyid.

Ken

PCNSE NSE StrongSwan
journeyman

It's easier and not too much trouble by turning the order of operations around:

# conf fire policy
(policy) # ed 0
(0) # sh
config firewall policy
    edit 123 <--- new policy ID
    next
end
(0) # ne <--- effectively aborts, ID 123 remains free for clone destination
node_check_object! for srcintf
Attribute 'srcintf' MUST be set.
(policy) # clone 17 to 0
(policy) # ed 123
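The original poster's goal was to split multi-interface policies into one policy per interface pair, and the thread settles on two ways to pick the destination ID: `clone X to 0` (device chooses, and you have to `show` to learn the number) or cloning onto an ID you have first checked is unused (the `show firewall policy 118` / `entry is not found in table` check above). The following is an added example, not code from the thread or from Fortinet: a small Python generator that takes `show firewall policy <id>` output, checks for a block of explicitly chosen free IDs, and emits a FortiOS CLI batch that clones the policy once per (srcintf, dstintf) pair. It uses explicit IDs rather than `0` because a pasted batch cannot read back the number the device picks. Each clone is also moved back in front of the original with `move <new> before <old>`, since (as emnoc notes) a clone lands at the end of the sequence, which silently changes the rule's position in the evaluation order. The sample `show` output is constructed for the example; the renaming of each clone assumes policy names must be unique on the target FortiOS version and that `clone` itself does not reject a duplicated name (if it does on your version, give the original a distinct name first).

```python
"""Added example: emit a FortiOS CLI batch that splits one multi-interface
firewall policy into one policy per (srcintf, dstintf) pair.

Explicit policy IDs are used instead of `clone X to 0` / `edit 0` because a
pasted batch cannot read back the ID the device picks for 0. The chosen IDs
must be verified unused first (`show firewall policy <id>` must answer
"entry is not found in table"), since FortiOS refuses to clone onto an
existing policyid.
"""
import re
from itertools import product

# Constructed sample of `show firewall policy 17` output (written for this
# example, not captured from a device; it follows the FortiOS config syntax).
SAMPLE_SHOW = """\
config firewall policy
    edit 17
        set name "dmz-out"
        set srcintf "port1" "port2"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*?)\s*$")


def parse_policy(show_output):
    """Return (policyid, {attribute: [values]}) from `show firewall policy` text.

    Multi-value attributes (srcintf, dstintf, service, ...) are quoted and
    space-separated; a bare single value (e.g. `set action accept`) comes
    back as a one-element list so callers treat both the same way.
    """
    policyid = None
    attrs = {}
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            policyid = int(m.group(1))
            continue
        m = _SET_RE.match(line)
        if m:
            key, rest = m.groups()
            attrs[key] = re.findall(r'"([^"]*)"', rest) or rest.split()
    if policyid is None:
        raise ValueError("no 'edit <policyid>' line in show output")
    return policyid, attrs


def precheck_commands(first_free_id, count):
    """CLI lines to run before the batch: every one must answer
    'entry is not found in table', otherwise pick another ID block."""
    return ["show firewall policy %d" % i
            for i in range(first_free_id, first_free_id + count)]


def split_policy(policyid, attrs, first_free_id, keep_original=False):
    """Return CLI lines that clone `policyid` once per interface pair.

    Each clone is moved before the original with `move <new> before <old>`
    so the rule keeps its place in the evaluation order: FortiOS appends a
    cloned policy at the end of the sequence, where it would only be reached
    after every other rule. The original is deleted last unless kept.
    """
    srcs = attrs.get("srcintf", [])
    dsts = attrs.get("dstintf", [])
    if not srcs or not dsts:
        raise ValueError("policy %d has no srcintf/dstintf to split" % policyid)
    base_name = (attrs.get("name") or ["policy%d" % policyid])[0]

    lines = ["config firewall policy"]
    new_id = first_free_id
    for src, dst in product(srcs, dsts):
        # Assumption: policy names must be unique, so each clone is renamed;
        # truncated to stay inside FortiOS's 35-character name limit.
        name = ("%s-%s-%s" % (base_name, src, dst))[:35]
        lines += [
            "    clone %d to %d" % (policyid, new_id),
            "    edit %d" % new_id,
            '        set name "%s"' % name,
            '        set srcintf "%s"' % src,
            '        set dstintf "%s"' % dst,
            "    next",
            "    move %d before %d" % (new_id, policyid),
        ]
        new_id += 1
    if not keep_original:
        lines.append("    delete %d" % policyid)
    lines.append("end")
    return lines


if __name__ == "__main__":
    pid, attrs = parse_policy(SAMPLE_SHOW)
    pairs = len(attrs["srcintf"]) * len(attrs["dstintf"])
    print("\n".join(precheck_commands(500, pairs)))
    print("\n".join(split_policy(pid, attrs, 500)))
```

Run the `precheck_commands` output on the device first and only paste the `split_policy` batch if every ID comes back "entry is not found in table"; the batch is written so that a single failed `clone` (an ID that turned out to be in use) leaves the original policy untouched, because the `delete` is the last line. Keep `keep_original=True` for a first pass if you want to compare the old and new rules in the GUI before removing the multi-interface one.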
