wolfmaster
New Contributor

In 5.0.5 "Section View" is always disabled

Hi, I have a FMG 400B with 5.0.5. In the policy package, "Section View" is always disabled and I can see the security policy only in "Global View". The single policy that I've created has source and destination interface specified; there aren't policies with interface "any" or multiple interfaces, and the interfaces used are VLANs in 802.3ad. Why can't I select "Section View"?
billp
Contributor

Never mind. My problem was simple -- I had more than one interface selected on a policy. There's no way to delete a post on this forum :(

I'm having the same problem. How frustrating. Did you ever resolve? Thanks.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1

oheigl
Contributor II

Hi guys, I'm experiencing the same issue. It was after the upgrade from 5.0.3 to 5.0.5. Before the upgrade the view was fine; after the upgrade the section view is disabled on all packages. The packages have not been edited, so I don't understand why. No "any" and only one interface per policy. Anybody else having this issue?
RH2
New Contributor II

Try moving to version 5.0.4 instead of 5.0.5. 5.0.4 appears fairly stable and I had problems with 5.0.5 as soon as I installed it. I modified an existing address and most of my FortiGates showed no changes necessary. Only two devices got the updated address applied to them.
Matthew_Mollenhauer
New Contributor III

This is a bug that I had previously raised:

0223912 Packages will only display in Global View if they are inside a folder.

This was resolved in 5.0.6.

Regards,
Matthew Mollenhauer
Sean_Toomey_FTNT

Sorry to hear about the issues on earlier 5.0.x FortiManager patches with this feature. That notwithstanding, I'd like to take this opportunity to go a bit more in depth about the differences and why one would want to use one over the other.

Section View shows you all rules for a specific src/dst interface pairing. It is important to understand that anytime you use multiple interfaces in a policy, or you use 'any' for an interface in a policy, Section view is disabled. Much can be debated over which view is easier/better, but I will say that primarily I see global view used for numerous reasons. A preference for one vs. the other usually stems from the device one was used to prior. CheckPoint folks tend to like Global view better, Cisco ASA folks tend to like Section View better because they more closely approximate what you are used to, which I can appreciate.

First, global view is the common denominator. No matter what happens to your policy you will always be able to use it, and it shows more cleanly which rules will be matched first. Section view is available so long as every rule has one defined source and destination interface.

Secondly, using multiple interfaces in a single rule can help reduce the number of rules you have to write. Consider for instance if you have a point-to-point between data centers and also a backup VPN. You don't want to have to write the rule twice, so you can simply add both interfaces to src or dst as appropriate and just have one rule. Another case is if you need mesh communication - in other words you have 4 internal interfaces and you want to allow internal ping. That would take 12 rules if you spell it out one interface at a time, or one rule if you combine interfaces.

Thirdly, global view allows you to organize rules (using Section Titles) into collapsible groups regardless of the interfaces involved. Therefore you can create a section of 15 "internal rules" that may be comprised of many different interface rules. In Section View, you'd have to dig into many places to find all these rules.

So in terms of generalization - and not to discount the people that prefer Section View - that's a personal preference thing :) - in general you will use Section view for simpler deployments and Global view for normal to complicated deployments, but if you are ambivalent and don't care which one, I'd nudge you towards Global view. Hope that helps.
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
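
As an added example (not part of the thread and not Fortinet code), the Section View rule described in the reply above can be checked offline against a policy list, which is a quick way to find the rule that disables the view. The dictionary layout, field names and interface names are assumptions constructed for this sketch.

```python
from collections import defaultdict
from itertools import product

# Constructed sample package. The keys (id, srcintf, dstintf) and interface
# names are assumptions for this sketch, not a FortiManager export format.
SAMPLE_POLICIES = [
    {"id": 1, "srcintf": ["vlan10"], "dstintf": ["vlan20"]},
    {"id": 2, "srcintf": ["dc-p2p", "backup-vpn"], "dstintf": ["vlan20"]},
    {"id": 3, "srcintf": ["any"], "dstintf": ["vlan30"]},
    {"id": 4, "srcintf": ["vlan10"], "dstintf": ["vlan20"]},
]


def section_view_blockers(policies):
    """Return {policy id: reason} for every rule that disables Section View."""
    blockers = {}
    for p in policies:
        for field in ("srcintf", "dstintf"):
            names = p[field]
            if len(names) != 1:
                blockers[p["id"]] = f"{field} has {len(names)} interfaces"
            elif names[0].lower() == "any":
                blockers[p["id"]] = f"{field} is 'any'"
    return blockers


def sections(policies):
    """Group rule ids by (src, dst) pair, keeping package order in each group."""
    if section_view_blockers(policies):
        raise ValueError("Section View unavailable for this package")
    grouped = defaultdict(list)
    for p in policies:
        grouped[(p["srcintf"][0], p["dstintf"][0])].append(p["id"])
    return dict(grouped)


def expand(policy):
    """Single-interface pairs one combined rule stands for. Same-interface
    pairs are skipped, matching the mesh count given in the reply."""
    pairs = product(policy["srcintf"], policy["dstintf"])
    return [(s, d) for s, d in pairs if s != d]


if __name__ == "__main__":
    print(section_view_blockers(SAMPLE_POLICIES))
    print(sections([p for p in SAMPLE_POLICIES if p["id"] in (1, 4)]))
    mesh = ["int1", "int2", "int3", "int4"]
    print(len(expand({"id": 9, "srcintf": mesh, "dstintf": mesh})))
```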