Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ugadata
New Contributor

Created on ‎10-27-2014 07:32 AM

Fortigate 60D - Policies appear in reverse order????

When I look at the policies in my Fortigate 60D, I don't see what I expect to see.

 

I expect to see the policies listed in the order they are applied from top (#1) to bottom (#44).  I am forced to use the global view due to how one or more policies are setup.

 

The problem for me is, the policy I expect to see at #1 is actually the last policy #44.  Is it possible that the policies are listed in reverse order?  Meaning that what I see as policy #44 is applied first then policy 43 then... etc. 

 

I expect the policies to be applied the in the same order they are listed in the view, and the way I see it now is not good. 

 

 

12814
0 Kudos
4 Solutions
Fahad
New Contributor III

Created on ‎10-27-2014 08:00 AM

hi,

 

policies on top of list will always be applied before the last ( if policy matches) if you believe #44 should be on top then move it manually, numbers wont reflect the order its just a reference (except the policy ID)

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.

View solution in original post

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
5405
0 Kudos
Dave_Hall
Honored Contributor

Created on ‎10-27-2014 08:01 AM

Firewall polices are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view.  In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page.  (In 5.x. you can right-click on column bar).  If you are using 5.x, you can set the default column view, by using...

 

config system settings
    set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
end

 

Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate.  (Though you can always use a text editor to "renumber" the IDs to match the seq order.)

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
45 KB
5405
0 Kudos
Dave_Hall
Honored Contributor
In response to Ugadata

Created on ‎10-27-2014 09:09 AM

Policy (firewall) rules are executed from top-to-bottom.  Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish.  In the sample firewall set (below) is one possible way of setting up the Fortigate.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

View solution in original post

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
124 KB
5405
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎10-27-2014 04:37 PM

I have to agreed. Also, when in doubt login into the  cli and issues a "show firewall policy ". The sequence that's displayed in the CLI is the sequence of the firewall policys. The ID#s are a place holder and have nothing todo with the sequence and inspection.

 

All fwpolicies are then inspect by the src int,  then dst int , src address  then dst address, and finally  and the service & action.

 

I hope that helps

 

Ken

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
5405
0 Kudos
7 REPLIES 7
Fahad
New Contributor III

Created on ‎10-27-2014 08:00 AM

hi,

 

policies on top of list will always be applied before the last ( if policy matches) if you believe #44 should be on top then move it manually, numbers wont reflect the order its just a reference (except the policy ID)

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.

FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
5406
0 Kudos
Dave_Hall
Honored Contributor

Created on ‎10-27-2014 08:01 AM

Firewall polices are auto-assigned IDs when you use the GUI to create them, but usually the ID column is not shown in the default view.  In most firmware versions you can change/define the columns to show by clicking on a column setting option at the top of the policy page.  (In 5.x. you can right-click on column bar).  If you are using 5.x, you can set the default column view, by using...

 

config system settings
    set gui-default-policy-columns "#" "col name1" "col name2" "col name3" "col name4" "...."
end

 

Policy IDs are just "labels" assigned to policies -- they do not determine the seq order that they are executed by Fortigate.  (Though you can always use a text editor to "renumber" the IDs to match the seq order.)

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
45 KB
5406
0 Kudos
Ugadata
New Contributor

Created on ‎10-27-2014 08:46 AM

Thank you for your replies.

 

I didn't realize there was both SEQ and ID columns.  The numbers I was referring to were sequence numbers (I didn't have the ID column displayed).

 

If the ID is just a label then I presume policies are applied based on the SEQ column?

 

5336
0 Kudos
Dave_Hall
Honored Contributor
In response to Ugadata

Created on ‎10-27-2014 08:51 AM

Ugadata wrote:

If the ID is just a label then I presume policies are applied based on the SEQ column?

Yep.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
37 KB
5336
0 Kudos
Ugadata
New Contributor

Created on ‎10-27-2014 08:54 AM

Hmm.  Maybe my thinking is what is wrong.

 

The reason I think the policy order is backwards is the DENY ALL policy is last.  

I thought the DENY ALL policy should be the first policy to be applied and all the other policies are then opening a path for the specified traffic.

5336
0 Kudos
Dave_Hall
Honored Contributor
In response to Ugadata

Created on ‎10-27-2014 09:09 AM

Policy (firewall) rules are executed from top-to-bottom.  Generally, broader policies are near the bottom of the list with more restrictive or targeted policies at the top... but it depends more on what you are trying to accomplish.  In the sample firewall set (below) is one possible way of setting up the Fortigate.

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Preview file
124 KB
5406
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎10-27-2014 04:37 PM

I have to agreed. Also, when in doubt login into the  cli and issues a "show firewall policy ". The sequence that's displayed in the CLI is the sequence of the firewall policys. The ID#s are a place holder and have nothing todo with the sequence and inspection.

 

All fwpolicies are then inspect by the src int,  then dst int , src address  then dst address, and finally  and the service & action.

 

I hope that helps

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
5406
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.