Support Forum
Rfornell
New Contributor

Moving Policies up or down

FortiGate 200B v5.0 GA Patch 2. In the previous version you could right-click a policy, select move above or below, and enter an existing policy to move it where you wanted. Any idea on how to do this now in version 5 Patch 2? Trying to get a new policy in place for our new phone system, so any help with this would be greatly appreciated.
2 Solutions
Jordan_Thompson_FTNT

You can re-order the policies by dragging and dropping on the sequence number column. Alternatively, there is cut/copy/paste support, also available by right-clicking on the sequence #.


jintrah_FTNT

VicAndr wrote:

emnoc wrote:
You can also do it via the cli under config firewall policy and the move option
Could you elaborate - how you actually do it via the CLI, please? ...I mean for FortiOS v.5.2.X.

Check this:

config firewall policy

move <policyid> <before/after> <policy id>

bluephoenix71

Will this work if you are only configuring a new policy under edit 0? The reason I am asking is that it's quite cumbersome and wastes more time if I have to configure the new policy using edit 0, then go to the GUI to check the new policy created and take note of the policy ID number, then go back to the CLI and type the command you suggested.

Toshi_Esumi

"edit 0" is just to let the FGT pick the ID, generally the next ID after the existing highest. But you need to check which ID the new policy got. Then you can use the "move" command.

Toshi

bluephoenix71

That is what I mean; this is cumbersome if you have created a deny rule in your policy before. This means all new policies created in the CLI (using edit "0") will automatically be placed "after" that deny rule. So I have to go back to the GUI to move it there using the mouse, OR go back to the CLI and issue the command mentioned here using the newly generated policy ID.
I believe it would be a logical, or even better, feature if they could add the move option during the creation of a policy... IMHO

Toshi_Esumi

If you want to do this in the CLI, you just need to find the "deny" policy ID with 'show | grep -f "key_word_in_name_or_comment"' or at least 'show full | grep -f "set action deny"' (because "deny" doesn't show in "show"). After finding the new policy ID, use "move x before y" to move the new policy above the deny policy.

Any new policies are placed at the end of the same source-destination interface pair. Even if you decide to scroll through the entire policy list in the CLI screen, it shouldn't be too bad to find them.

<edit>A new policy seems to be placed at the bottom of the entire policy list in the CLI, not at the end of the same interface pair's policies. I was mistaken.</edit>

Toshi

bluephoenix71

If you are in interface pair view, that new policy automatically goes to the bottom of the heap for the interface pair. I still don't get the logic of why they can't add that move command when you create a new policy...

Endiel
New Contributor

All of a sudden, for whatever reason, the policy page won't let me drag/drop to change the policy sequence. I can pick it up and drag it, but trying to drop it just kicks it back to where it was.

I can't even use the "config firewall policy" move command -- it gives me "Command fail.  Return code 1." Anybody ever run into this?

I've got a 100D with v5.2.3. Not sure what happened.

bluephoenix71

From the upgrade path, it seems the lowest is 5.2.9 for that hardware. Will you be able to schedule downtime to upgrade it? Is it a very sensitive device that will have a major impact on your business if you decide to upgrade it?
