Ugadata
New Contributor

Fortigate 60D - Policies appear in reverse order?

When I look at the policies in my Fortigate 60D, I don't see what I expect to see.

 

I expect to see the policies listed in the order they are applied from top (#1) to bottom (#44).  I am forced to use the global view due to how one or more policies are set up.

 

The problem for me is, the policy I expect to see at #1 is actually the last policy #44.  Is it possible that the policies are listed in reverse order?  Meaning that what I see as policy #44 is applied first then policy 43 then... etc. 

 

I expect the policies to be applied in the same order they are listed in the view, and the way I see it now is not good.

 

 

7 Replies
Fahad
New Contributor III

hi,

 

Policies at the top of the list will always be applied before those lower down (if the policy matches). If you believe #44 should be on top, then move it manually. The numbers won't reflect the order; they are just a reference (except the policy ID).

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Dave_Hall
Honored Contributor

Firewall policies are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view.  In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page.  (In 5.x you can right-click on the column bar.)  If you are using 5.x, you can set the default column view by using...

 

config system settings
    set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
end

 

Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate.  (Though you can always use a text editor to "renumber" the IDs to match the seq order.)

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Ugadata
New Contributor

Thank you for your replies.

 

I didn't realize there was both SEQ and ID columns.  The numbers I was referring to were sequence numbers (I didn't have the ID column displayed).

 

If the ID is just a label then I presume policies are applied based on the SEQ column?

 

Dave_Hall
Honored Contributor

Ugadata wrote:

If the ID is just a label then I presume policies are applied based on the SEQ column?

Yep.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Ugadata
New Contributor

Hmm.  Maybe my thinking is what is wrong.

 

The reason I think the policy order is backwards is the DENY ALL policy is last.  

I thought the DENY ALL policy should be the first policy to be applied and all the other policies are then opening a path for the specified traffic.

Dave_Hall
Honored Contributor

Policy (firewall) rules are executed from top-to-bottom.  Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish.  In the sample firewall set (below) is one possible way of setting up the Fortigate.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
emnoc
Esteemed Contributor III

I have to agree. Also, when in doubt, log in to the CLI and issue a "show firewall policy". The sequence that's displayed in the CLI is the sequence of the firewall policies. The ID#s are a placeholder and have nothing to do with the sequence and inspection.

 

All firewall policies are then inspected by the src int, then dst int, src address, then dst address, and finally the service & action.

 

I hope that helps

 

Ken

PCNSE NSE StrongSwan
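As an added example that is not part of the thread (it is not Fortinet code and not a tool any poster mentioned), the script below parses a constructed `show firewall policy` listing in the format emnoc points to and walks it first-match, top to bottom, applying the criteria in the order he lists (srcintf, dstintf, srcaddr, dstaddr, service). It shows Dave_Hall's point that the ID is only a label: walking the same policies sorted by ID gives a different verdict than walking them in the displayed sequence, and moving a targeted deny below a broad accept silently shadows it. The sample listing, the address objects (`Guest-Net`) and the service definitions are all assumptions constructed for the example; the built-in implicit deny is modelled as a final catch-all.

```python
"""Parse FortiGate `show firewall policy` output and evaluate it first-match, top to bottom."""
import ipaddress
import shlex

# Constructed sample of `show firewall policy` output (not from the thread).
# FortiOS prints non-default values only, so deny policies carry no `set action` line.
SHOW_OUTPUT = """\
config firewall policy
    edit 44
        set name "Allow-Web"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTP" "HTTPS"
    next
    edit 30
        set name "Block-Guest-SSH"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Guest-Net"
        set dstaddr "all"
        set service "SSH"
    next
    edit 20
        set name "Allow-Internal-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
    edit 12
        set name "Deny-All"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
"""

# Hypothetical address and service objects the sample policies refer to (assumptions).
ADDRESSES = {"all": ipaddress.ip_network("0.0.0.0/0"),
             "Guest-Net": ipaddress.ip_network("192.168.50.0/24")}
SERVICES = {"ALL": None, "SSH": ("tcp", 22), "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}


def parse_policies(text):
    """Return policies in the order `show` lists them: seq is that position, id is the edit number."""
    policies, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "edit":
            current = {"id": int(tokens[1]), "action": "deny"}  # deny is the FortiOS default
        elif tokens[0] == "set" and current is not None:
            key, values = tokens[1], tokens[2:]
            current[key] = values[0] if key in ("name", "action") else values
        elif tokens[0] == "next" and current is not None:
            current["seq"] = len(policies) + 1
            policies.append(current)
            current = None
    return policies


def packet(srcintf, dstintf, src, dst, proto, dport):
    return {"srcintf": srcintf, "dstintf": dstintf, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}


def matches(policy, pkt):
    """Check criteria in the order the thread gives: srcintf, dstintf, srcaddr, dstaddr, service."""
    return (any(i in ("any", pkt["srcintf"]) for i in policy["srcintf"])
            and any(i in ("any", pkt["dstintf"]) for i in policy["dstintf"])
            and any(pkt["src"] in ADDRESSES[a] for a in policy["srcaddr"])
            and any(pkt["dst"] in ADDRESSES[a] for a in policy["dstaddr"])
            and any(SERVICES[s] is None or SERVICES[s] == (pkt["proto"], pkt["dport"])
                    for s in policy["service"]))


def lookup(policies, pkt, order=None):
    """First-match walk. order=None follows the displayed sequence; pass a key function
    (e.g. lambda p: p["id"]) to walk in another order and see why that order is wrong."""
    walk = policies if order is None else sorted(policies, key=order)
    for p in walk:
        if matches(p, pkt):
            return p["name"], p["action"]
    return "implicit-deny", "deny"  # the built-in catch-all at the bottom of every list


POLICIES = parse_policies(SHOW_OUTPUT)

if __name__ == "__main__":
    for p in POLICIES:
        print(f"seq {p['seq']:>2}  id {p['id']:>3}  {p['name']:<20} {p['action']}")
    web = packet("internal", "wan1", "10.0.0.5", "203.0.113.10", "tcp", 443)
    print("sequence order:", lookup(POLICIES, web))
    print("ID order      :", lookup(POLICIES, web, order=lambda p: p["id"]))
```

Run it and the same HTTPS packet is accepted by Allow-Web in sequence order but dropped by Deny-All when the list is walked by ID, which is exactly the mismatch the original poster saw. Swapping Block-Guest-SSH below Allow-Internal-Out makes the guest SSH test hit the broad accept first, so the fix Fahad describes (move the policy, not renumber it) is what changes behaviour.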