Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Features that you would like to see
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Features that you would like to see
Why limit to Authentication-based routing,can' t fortinet have Address-based and Device Identity routing on the policy tab itself rahter than putting it on the policy route tab would be very nice to have when your using/have multiple gateways
80293
115 REPLIES 115
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn' t look like the decision on which real integer is used to store the policy in configuration is made until ' end' commits it to the running or startup config. Look at the output when the CLI debug level is set to 8:
McFortiGate # di de reset
McFortiGate # di de en
McFortiGate # di de cli 8
McFortiGate # conf firewall policy
McFortiGate (policy) # edit 0
new entry ' 0' added
McFortiGate (0) # set srcintf FortiLAN
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set dstintf wan1
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set srcaddr all
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set dstaddr all
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set schedule always
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set service ALL
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set action accept
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # set nat en
path=firewall, objname=policy, size=1388, sz_attr=1
McFortiGate (0) # end
cmd_clean_context 0, abort=0
McFortiGate # write config file success, prepare to save in flash
[__create_file_new_version:560] the new version config file ' /data/./config/vd_root_firewall_policy.gz.v000000076' is created
[symlink_config_file:627] a new version of ' /data/./config/vd_root_firewall_policy.gz' is created: /data/./config/vd_root_firewall_policy.gz.v000000076
[symlink_config_file:670] the old version ' /data/./config/vd_root_firewall_policy.gz.v000000075' is deleted
[symlink_config_file:673] ' /data/./config/vd_root_firewall_policy.gz' has been symlink' ed to the new version ' /data/./config/vd_root_firewall_policy.gz.v000000076' . The old version ' /data/./config/vd_root_firewall_policy.gz.v000000075' has been deleted
zip config file /data/./config/vd_root_firewall_policy.gz success!
The context of policy 0 is ' cleaned' after typing ' end' , and the rest of the output notes that a new file has replaced the old file. It looks like it would be *theoretically* possible to try piping the output of the new file created to another container, and by script, parse the file to see the diff between the old and new configs, and pull the policy ID from that file at the bottom of the ' config firewall policy' section, if you really wanted to know right away. Even here, though, it' s after ' end' is typed. I don' t think the kernel handles the process of policy creation in a way that it could note the real number before the full policy is committed.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
' next' or ' end' or doesn' t matter? next isn' t needed in your example, but not sure if that changes things.
After the edit 0 reply was posted I tried to find it documented (only in the kb). I found a script example where multiple policies were added using edit 0; they were added in a block with one end statement. I hope that works because it will be very handy for scripting.
It would be nice if the real policy ID was printed to the console at some stage in the edit process, and yes, ideally at the ' added' message.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn' t matter between ' next' or ' end' ...both are statements which will commit a change to the configuration. Using ' next' will return you to the context you' re already in, i.e., ' config firewall policy' or ' config router static' , whereas ' end' will return you to the root of the CLI *or* the last point where you used the verb ' config' .
It' s not that we don' t want to entertain an NFR for citing a real policy number earlier on in the process - I don' t think it' s even possible.
Even thinking about the theoretical implications, the kernel will do a sanity check on the policy before committing it. To have a policy numbered before entering any options would mean modifying a policy which now has a number and a place within the order of the rest of your rules. What would happen to the kernel if it had a policy in the list with *no* other settings defined, or worse yet, the wrong settings, that would trigger a CLI error code after typing ' next' or ' end' , ultimately leaving the new object discarded?
I' m not a developer, but I could see the way, just by knowing the order that a policy or new object is applied in, how this probably wouldn' t work, nice as it may be.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I like this discussion, so let me add my 2 cts, _when_ the kernel knows, which policy number is to be added:
login as: admin
FortiGate-VM64 # config firewall policy
FortiGate-VM64 (policy) # edit 0
new entry ' 0' added
FortiGate-VM64 (0) # show
config firewall policy
edit 3
next
end
FortiGate-VM64 (0) #
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah...
Never underestimate the SHOW.
Regards, Chris McMullan Fortinet Ottawa
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Excellent - so next release then ;)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this one always start with 1 i.e
config firewall policy
edit 1
if you type edit 0, it will shown as 1
FR: -allow tarpit
-allow port knocking
- | grep -f not available in FortiAnalyzer FortiMail, most probably other than FortiGate
login as: admin
# config firewall policy
(policy) # edit 0
new entry ' 0' added
(0) # show
config firewall policy
edit 3
next
end
http://goo.gl/lhQjmUhttp://nbctcp.wordpress.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple ' edit 0' do work, even before the final ' end' . So, there is some internal housekeeping done right after the ' edit 0' command.
Shouldn' t be too difficult to implement.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
very cool, Hut ab!
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Proper CLI navigation similar to JunOS where Ctrl+W/E/U/etc. does what it supposed to and not just deletes the entire line.
When I search for an option/value in CLI then to display the location of it, instead of using | grep -2000 <search term> then to scroll back to try to find the location of it.
Same for all the diagnose commands. If I want to find an option to debug what I want, without having access to the CLI guide, or to use the ' tree diagnose' command and scroll through potentially hundreds of lines, but rather to have a search option that tells me how I can get to the specific command.
Have the history available in CLI of the last few configuration changes made and an option to rollback to any of them with a simple option, similar again to JunOS " show | compare rollback <previous revisionX> <previous revisionY>" and " rollback <revision #>"
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,792 -
FortiClient
1,786 -
5.2
801 -
FortiManager
742 -
5.4
639 -
FortiAnalyzer
566 -
FortiSwitch
481 -
FortiAP
475 -
FortiClient EMS
438 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
254 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
216 -
FortiWeb
210 -
5.0
196 -
FortiNAC
194 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
109 -
FortiGateCloud
102 -
FortiSIEM
100 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
58 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
36 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
32 -
VDOM
31 -
FortiConnect
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
23 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1742 | |
| 1114 | |
| 760 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.