Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FlashOver
New Contributor

Filter Firewall rules on CLI which match a filter

Hi. When I do a "show firewall policy" on the CLI, I see all rules in the order they are sorted. But when I have to make some changes to some special rules, it takes a long time on the CLI to sort them out and find their ID. Otherwise I could do so by using the search option of an editor like Notepad++ across the complete configuration file, but that is not a good solution. Is it possible to show all firewall policies which match a filter? For example: show firewall policy | includes srcint wan1 Is something like that possible? I tried commands like | grep, begin and similar things I know from other vendors, but nothing worked. Can somebody tell me if there are some hidden filter commands for the output available?
ede_pfau
SuperUser

 conf firewall policy
 show | grep anything
This works in 4.2.10. I don't know exactly when Fortinet introduced the 'grep' command, but I think it's from 4.2 on. It's documented in the 4.2 CLI Guide, last chapter, under 'get'. grep options: '-i' case-insensitive, '-v' invert results, and the search pattern may be a regular expression.
Ede Kernel panic: Aiee, killing interrupt handler!
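The question above is really about finding policy IDs, and a plain line filter such as `show | grep` returns the matching `set` line but not the `edit <id>` line that belongs to it. The following Python script is an added example, not code from this thread or from Fortinet: it parses `show firewall policy` output (or the same section of a saved config backup) into per-policy attribute lists, filters policies by attribute with grep-like `-i`/`-v` semantics and a regular expression, and can return the whole `edit … next` block of a hit for pasting back into the CLI. The sample output it runs on is constructed, and the `config / edit N / set … / next / end` layout it expects is an assumption about the show format.

```python
"""Filter FortiGate firewall policies by attribute, keeping the policy ID.

Assumed input layout (constructed sample, not from a real device):
config firewall policy / edit <id> / set <attr> <values> / next / end
"""
import re
from typing import Dict, List

# Constructed sample of `show firewall policy` output with three policies.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 3
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""

_EDIT_RE = re.compile(r"^\s*edit\s+(\d+)\s*$")
_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(.*)$")
# A value is either a double-quoted string or a bare word; `service` and
# address attributes may carry several values on one line.
_VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_policies(show_output: str) -> Dict[int, Dict[str, List[str]]]:
    """Return {policy_id: {attribute: [values, ...]}} from show output."""
    policies: Dict[int, Dict[str, List[str]]] = {}
    current = None
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            attr, raw = m.groups()
            policies[current][attr] = [q or b for q, b in _VALUE_RE.findall(raw)]
    return policies


def find_policies(show_output: str, attr: str, pattern: str,
                  invert: bool = False, ignore_case: bool = True) -> List[int]:
    """IDs of policies where some value of `attr` matches regex `pattern`.

    `ignore_case` mirrors grep -i, `invert` mirrors grep -v; a policy that
    lacks the attribute entirely counts as a non-match.
    """
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    ids = []
    for pid, attrs in parse_policies(show_output).items():
        hit = any(rx.search(v) for v in attrs.get(attr, []))
        if hit != invert:
            ids.append(pid)
    return ids


def policy_text(show_output: str, policy_id: int) -> str:
    """Raw `edit <id>` ... `next` block of one policy, ready to paste back
    under `config firewall policy` on the CLI after editing."""
    out, capturing = [], False
    for line in show_output.splitlines():
        m = _EDIT_RE.match(line)
        if m and int(m.group(1)) == policy_id:
            capturing = True
        if capturing:
            out.append(line)
            if line.strip() == "next":
                break
    return "\n".join(out)


if __name__ == "__main__":
    # Equivalent of the wished-for `show firewall policy | includes srcintf wan1`,
    # but answering with policy IDs instead of bare matching lines.
    for pid in find_policies(SAMPLE_SHOW_OUTPUT, "srcintf", "wan1"):
        print(policy_text(SAMPLE_SHOW_OUTPUT, pid))
```

On a real device the script would read `show firewall policy` output saved to a file, or the `config firewall policy` section of a backup; only the sample text above is built in.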
FlashOver
New Contributor

I will have a look at the CLI reference guide in the 'get' section and will try what I "get". Thank you very much for your fast response.
rwpatterson
Valued Contributor III

Not sure if this will help or not: I open the backup file, find what I want to change there, change it, and paste it back into the CLI window. Not quite what you're looking for, but same effect.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
FlashOver
New Contributor

When I think of a customer firewall with more than 3000 policy rules, I think that cannot be handled this way with 50 changes per day per device. At the moment it is a Checkpoint.
rwpatterson
Valued Contributor III

ORIGINAL: FlashOver When I think of a customer firewall with more than 3000 policy rules, I think that cannot be handled this way with 50 changes per day per device. At the moment it is a Checkpoint.
3000 policies? 50 changes per day? That seems to me more like either bad planning or a really micro-managing boss.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
FlashOver
New Contributor

That's one of the biggest customers of Checkpoint in Europe, which is growing and growing and growing. New applications, new services, new regions, new special networks and DMZs... a lot of work for hundreds of firewall clusters.
FortiRack_Eric
New Contributor III

In the GUI you have some nice features to select the firewall rules you'll need and change. Bear in mind that in the standard view the policies are ordered based on source and destination interface, which in essence already orders the GUI and is not so messy as the Checkpoint interface. There is also a global view in the FortiGate, and basically then you have your messy Checkpoint interface. It was made on purpose for old Checkpoint users to make them feel at home after a migration.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
