Hi All,
I'm familiar with the CLI commands to move policy IDs before or after another specific ID, but is there a way to script moving a newly created policy to the top, regardless of what the other IDs are?
I'm trying to create a script to add an ISDB block rule to the top of every policy list on about 40 FortiGates via FortiManager scripts, because this environment isn't yet using standardised policy sets so IDs differ from location to location.
e.g. below:
# creating a new policy is simple enough:
config firewall policy
edit 0
set name "** Block IP Reputation DB **"
set srcintf "any"
set dstintf "any"
set srcaddr "all"
set internet-service enable
set internet-service-name "Botnet-C&C.Server" "Malicious-Malicious.Server"
set schedule "always"
set logtraffic all
next
# But here is where I'd like to avoid making 40 manual changes:
move !bottom to !top
end
Has anyone had this use case or something similar before?
Hi,
As far as I know, there is no such way, unless you manually put it above the rule that permits the traffic after you create it, which you already have experienced by moving it from CLI or GUI.
If you have FMG, then an easy way to do it would be to put this deny rule in the Global Database > Firewall Header Policy and then assign it to the ADOM/Policy Package.
Thanks @funkylicious
That's what I thought might be the case.
Unfortunately, the customer has many conflicting security profiles and SSL-VPN web profiles, so we can't yet use the manager to push down the header policy. Resolving these is a work-in-progress.
I was hoping someone had some FMG script variable magics to play with, but this may have to be a manual change for now.
I'll keep this open for a couple of days, and if nobody else has a miracle suggestion I'll mark yours as the solution.
Basically there is this:
move <policyid> <before/after> <policy id>
However, it requires you to have the policy id. If you use "edit 0" to create the policy you will not know the actual policy id of your new policy in your script...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
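One way around the unknown-ID problem described above is to create the policy with a fixed name, read the policy list back and look the new ID up by name before issuing the move. This is an added example, not code from the thread or from Fortinet; it assumes the FortiOS REST API returns `/api/v2/cmdb/firewall/policy` results in sequence order and accepts `PUT ...?action=move&before=<policyid>`, and the sample response is constructed.

```python
"""Plan a FortiOS REST API call that moves a named policy to the top of the list.

Added example, not code from the original post. It assumes the FortiOS REST
API (/api/v2/cmdb/firewall/policy) returns policies in sequence order and
accepts a PUT with ?action=move&before=<policyid>. The sample response below
is constructed for illustration; host and vdom are placeholders.
"""
import json

# Constructed sample of GET /api/v2/cmdb/firewall/policy?format=policyid|name
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {"policyid": 7, "name": "Allow-LAN-to-WAN"},
        {"policyid": 12, "name": "Allow-Guest-WiFi"},
        {"policyid": 13, "name": "** Block IP Reputation DB **"},
    ]
})


def plan_move_to_top(response_json: str, policy_name: str):
    """Return (new_id, before_id) needed to move `policy_name` to the top.

    Returns (new_id, None) when the policy is already first, so the caller
    can skip the move. Raises LookupError if the name is missing or not
    unique (e.g. the create step failed or ran twice).
    """
    policies = json.loads(response_json)["results"]
    if not policies:
        raise LookupError("policy list is empty")
    matches = [p for p in policies if p["name"] == policy_name]
    if len(matches) != 1:
        raise LookupError(f"expected one policy named {policy_name!r}, found {len(matches)}")
    new_id = matches[0]["policyid"]
    first_id = policies[0]["policyid"]
    if first_id == new_id:
        return new_id, None
    return new_id, first_id


def move_url(host: str, vdom: str, new_id: int, before_id: int) -> str:
    """Build the PUT URL for the move; the caller sends it with its API token."""
    return (f"https://{host}/api/v2/cmdb/firewall/policy/{new_id}"
            f"?action=move&before={before_id}&vdom={vdom}")


if __name__ == "__main__":
    new_id, before_id = plan_move_to_top(SAMPLE_RESPONSE, "** Block IP Reputation DB **")
    if before_id is None:
        print(f"policy {new_id} is already at the top")
    else:
        print("PUT", move_url("fgt.example.internal", "root", new_id, before_id))
```

Run once per FortiGate after the create step; because the lookup is by name rather than ID, the same logic works on every device regardless of how its IDs differ.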
Copyright 2024 Fortinet, Inc. All Rights Reserved.