Many network interfaces on my FG unit (FG-500D) are in use. I have no problem creating multiple firewall policies between hardwired interfaces, but I could only create a single policy between a WiFi interface and any of the wired ones. Every attempt to add a second (let alone a 3rd or 4th) policy between a WiFi interface and a wired one ends up with the following error message: Entry not found.
Is that a firmware bug (my unit is running FortiOS v.5.2.3) or am I doing something wrong? Has anyone experienced similar issues?
Thank you for any comments/suggestions.
Are you using some kind of bugged object in the policy?
gschmitt wrote: Are you using some kind of bugged object in the policy?
No. It had nothing to do with a "bugged object". With the help of Fortinet support I found out why I couldn't add any additional policies between the interfaces.
We all know that firewall policies are processed from top to bottom. To achieve the desired result you have to place any new policy in the proper position among the other ones, and for years I used the FortiOS GUI's "Insert Policy Above" and "Insert Policy Below" options to do just that. You click one of those options, it opens the "Create New Policy" window for you, and then you simply configure all of the policy's properties in it and click <OK>.
But with FortiOS 5.2.3, although both "Insert Policy" options are still there, it no longer works as expected. It does actually insert a disabled policy with action DENY and nothing else configured, but you have to specifically open it to do all the configuration, and as soon as you click <OK> you get the above-mentioned pesky message.
The "solution" was not to use the "Insert Policy" options but to create a whole new policy from scratch. The new policy is placed at the bottom of the section which lists all policies between a pair of interfaces, and that brings up a whole new question: Is there a simple way to reposition policies within one interface section without needing to reconfigure a few of them to ensure proper firewall behavior? I do not see such an option anywhere in the GUI or CLI.
Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after. Beware, you must first display the policy IDs in the list by choosing that option from the column settings list.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
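For readers who want the CLI equivalent of the right-click move described above, the following is an added example; it is not part of this thread and not any poster's configuration. It assumes a unit without VDOMs (otherwise `config vdom` / `edit <name>` comes first) and uses policy IDs 7 and 4, which are constructed for the example and should be replaced with the IDs shown by `show firewall policy`. Policy IDs are stable identifiers, not list positions, which is why the GUI needs the ID column displayed before the move option is useful.

```fortios
# List the policies with their IDs; the order printed is the evaluation order.
show firewall policy

# Move policy 7 so that it is evaluated before policy 4
# (IDs constructed for this example; take them from the 'show' output above).
config firewall policy
    move 7 before 4
end

# Confirm the new order before relying on it: a policy left at the bottom of a
# section can be shadowed by a broader accept or deny policy above it.
show firewall policy
```

Because policies are matched top to bottom, check the `show` output after the move rather than assuming the GUI reflects it; a wrongly ordered policy silently changes which traffic is allowed.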
rwpatterson wrote: Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after.
That's exactly how it used to work (although it wasn't called "insert" but "move" instead). Well, on v.5.2.3 you do not have such a "luxury" any longer. These are the configuration options available to you when you right-click on a policy:
Did you actually try it yourself on FortiOS 5.2.3?
No.
Have you tried cut policy/paste before|after?
For what it's worth, on my 5.2.3 box, right clicking does nothing. Maybe a Firefox issue.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote: Have you tried cut policy/paste before|after?
It doesn't work either. If you cut a policy, it removes it from the list. But when you try to paste it into a different place, it creates a whole new DENY policy instead, with nothing configured. The policy which you cut just a moment ago with the intent to relocate it disappears, and you have to go back and recreate that policy from scratch. What a mess!
Am I the only one who experiences such a problem?
Found a solution in this forum. The only simple method to re-order policies which actually works for me (FG-5000D on v.5.2.3) is drag-and-drop.
Copyright 2024 Fortinet, Inc. All Rights Reserved.