Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Anand_Narayana
Contributor

How to view Firewall policies in CLI

Hi,

 I am aware that to view a specific policy ID from the command line, I will need to type in "show firewall policy <polic ID>, but how to view all the policies specific to an Interface? e.g. source port - port1 and destination port10, I need to view all the policies under this from the CLI

Anand

Anand
9 REPLIES 9
ede_pfau
Esteemed Contributor III

This functionality is only available in the GUI. One workaround would be to get the IDs from the GUI section display and call them up one after another in the CLI, e.g.

show firewall policy <nn>

 

Thanks to your question I found out that one can call the 'show' command with a policy ID - didn't notice in the last 10 years...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
neonbit
Valued Contributor

As per ede's post the GUI would be the way to go.

 

You can show policies in the CLI and filter using grep, but that would only filter if the source or destination interface was port1.

 

You could use an OR grep for port1 or port10, but again it would show all policies where either port1 or port10 is used in source or destination interface.

 

FYI to do this you would use the following:

 

config firewall policy

show | grep -f 'port1\|port10'

ede_pfau
Esteemed Contributor III

@neonbit: grep will only filter the lines with 'set dstintf' and 'set srcintf', not the whole block. I doubt this will suffice.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
bstevens
New Contributor II

ede_pfau wrote:

@neonbit: grep will only filter the lines with 'set dstintf' and 'set srcintf', not the whole block. I doubt this will suffice.

I know this is old, but it might help someone who is reading this:

 

if you use "show firewall policy | grep -B10 -A10 -f 'port1\|port10'"

 

it will show the 10 lines before and after the interfaces....this can be handy to see the entire block, alternatively you could just use the -B10 which would end up showing you which policy ID and then use the OP syntax to view the whole policy. Hope this helps.

 

rwpatterson
Valued Contributor III

ede_pfau wrote:

This functionality is only available in the GUI. One workaround would be to get the IDs from the GUI section display and call them up one after another in the CLI, e.g.

show firewall policy <nn>

 

Thanks to your question I found out that one can call the 'show' command with a policy ID - didn't notice in the last 10 years...

Lol! I see I'm not the only one still learning things here. ;)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
emnoc
Esteemed Contributor III

Yeap I use what bstevens does and almost daily if I might add.

 

So much quicker ( than the gui  ) and  the problem with the WebGUI,  "  the WebGUI does NOT show you all items for that policyID. Just the common items. "

 

 More and more fortigate engineer do not know that and are missing other items that might be enable imho

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
kadey
New Contributor

So is it not possible to delete a policy unless you know the id?

emnoc
Esteemed Contributor III

Correct you need to know the policy.id and no warning or confirmation is given. Know what your doing before you issue delete

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
jintrah_FTNT
Staff
Staff

May be the below context helps

 

show firewall policy | grep -f port1

Labels
Top Kudoed Authors