VicAndr wrote: emnoc wrote: Could you elaborate - how you actually do it via the CLI, please? ...I mean for FortiOS v.5.2.X.
You can also do it via the CLI under config firewall policy and the move option.
Check this:
    config firewall policy
        move <policyid> <before/after> <policy id>
Will this work if you are only configuring a new policy under edit 0? The reason I am asking is that it's quite cumbersome or wastes more time if I have to configure the new policy using edit 0, then go to the gui to check the new policy created and take note of the policy ID number, then go back to the CLI and type the command you suggested.
"edit 0" is just to let the FGT pick the ID. Generally the next ID from the existing highest. But you need to check that ID the new policy got. Then you can use "move" command.
Toshi
That is what I mean, this is cumbersome if you have created a deny rule in your policy before. This means all new policies created under CLI (using edit "0") will automatically be placed "After" that deny rule. This means, that I have to go back to GUI, to move it there using the mouse OR go back to CLI and issue the command mentioned here and using the newly generated policy ID.
I believe it's a logical or even better feature if they can add the move option during the creation of a policy... IMHO
Created on 09-19-2023 04:32 PM Edited on 09-19-2023 04:40 PM
If you want to do this in CLI, you just need to find the "deny" policy ID by 'show | grep -f "key_word_in_name_or_comment"' or at least 'show full | grep -f "set action deny"' (because "deny" doesn't show in "show"). After finding the new policy ID, use "move x before y" to move the new policy above the deny policy.
Any new policies are placed at the end of the same source-destination interface pair. Even if you decided scrolling the entire policies in the CLI screen, it shouldn't be too bad to find them.
<edit>A new policy seems to be placed at the bottom of the entire policies in CLI. Not at the end of the same interface pair policies. I was mistaken.</edit>
Toshi
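The procedure Toshi describes (dump the policy table with the "full" form so "set action deny" is visible, find the deny rule and the freshly created policy, then build the "move" command) as an added Python example; it is not from this thread or from Fortinet. The policy dump is constructed, not real device output, and it assumes the dump lists entries in sequence order and that "edit 0" handed out the highest ID, as the thread states.

```python
# Constructed sample (not real device output) shaped like the dump from
# "show full-configuration firewall policy"; plain "show" omits "set action deny".
SAMPLE = """\
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set action deny
    next
    edit 3
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end
"""

def parse_policies(text):
    """[(id, {setting: value}), ...]; assumes the dump is in sequence order."""
    policies, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("edit ") and s[5:].isdigit():
            current = {}
            policies.append((int(s[5:]), current))
        elif s.startswith("set ") and current is not None:
            key, _, value = s[4:].partition(" ")
            current[key] = value.strip('"')
    return policies

def newest_policy_id(text):
    """'edit 0' takes the next free ID, so the highest ID is the new policy."""
    return max(pid for pid, _ in parse_policies(text))

def move_command(text, new_id):
    """'move <new> before <deny>' for the first same-pair deny ahead of new_id, else None."""
    policies = parse_policies(text)
    new = dict(policies)[new_id]
    for pid, cfg in policies:
        if pid == new_id:
            return None  # nothing listed ahead of it blocks traffic
        same_pair = (cfg.get("srcintf"), cfg.get("dstintf")) == (new.get("srcintf"), new.get("dstintf"))
        if cfg.get("action") == "deny" and same_pair:
            return f"move {new_id} before {pid}"
    return None
```

Run move_command(SAMPLE, newest_policy_id(SAMPLE)) to get the command to paste under config firewall policy; a policy already above every deny rule yields None.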
If you are in interface pair view, that new policy goes automatically at the bottom of the heap of the interface pair. I still don't get the logic of why they can't add that move command when you create a new policy...
All of the sudden, for whatever reason, the policy page won't let me drag/drop to change the policy sequence. I can pick it up and drag it, but trying to drop it just kicks it back to where it was.
I can't even use the "config firewall policy" move command; it gives me "Command fail. Return code 1." Anybody ever run into this?
I've got a 100D with the v5.2.3. Not sure what happened.
From the upgrade path, it seems the lowest is 5.2.9 for that Hardware. Will you be able to schedule a downtime to upgrade it? Is it a very sensitive device that will have a major impact on your business if you decide to upgrade it?