How can we easily identify which policy is creating the problem?
I am not using a policy with the "any" interface. Please help.
Hi IFT,
It's *possible* it got disabled in the global...
config system global
set gui-policy-interface-pairs-view enable
end
It's not just the 'ANY' interface that can cause this, however. Combining two interfaces into one rule will also break section view (a super silly example: you have your WAN and DMZ listed as the source or destination of a rule).
Hello Shrew,
This command is not working in CLI mode; the FortiGate 100D version is v5.0, build 4429.
There is no such type of rule or policy in the firewall as you said (a super silly example: you have your WAN and DMZ listed as the source or destination of a rule). Give me some examples or tricks to search for conflicting rules.
Hmm, yes I tested on my 600C (509) and 100D (521) and that command is now gone. It's still listed here in their 5.0 documentation...
http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%25205.0%2520Help/gui.070.14.html
Well, you could dump the config file and check the policy section for something like:
set srcintf "WAN1" "WAN2"
or
set dstintf "internal" "DMZ"
etc.
Please note: around patch 6 of 5.0 they did explicitly make a change to the Section View:
To improve GUI performance, Section View is disabled in the firewall policy page if a large number of policies exist
Do you have a high number of policies?
Hello Shrew,
The FortiGate has only 53 policies. Can you check our firewall policies remotely?
My Gmail id is kuldeepsingh007ster@gmail.com. Ping me on this id, or you can share your Gmail id and I will give firewall access through TeamViewer.
If you do not want to load an unencrypted backup of the config file into a text editor and perform the search yourself, you can always type show firewall policy on the CLI.
For a quick search to see if there are multiple interface names used in the config, type on the CLI the following...
show full | grep srcintf
and
show full | grep dstintf
edit: you can also use show firewall policy | grep -f <interface name> (e.g. show firewall policy | grep -f wan1)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
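The two replies above both come down to the same check: dump the policy section of the config and look for any policy whose srcintf or dstintf carries more than one interface (or "any"). The script below is an added example, not code from the thread or from Fortinet. It parses the `config firewall policy` block of a plain-text FortiOS backup (the same `edit` / `set` / `next` / `end` layout that `show firewall policy` prints) and lists the policies that would force the GUI out of Section View. The embedded config is constructed for illustration; the interface and policy names in it are made up.

```python
"""Flag FortiGate firewall policies that break the GUI's Section View.

Added example (not from the forum thread): parses the ``config firewall
policy`` block of a FortiOS text backup and reports policies whose srcintf
or dstintf lists more than one interface, or the "any" pseudo-interface.
The sample config below is constructed for illustration.
"""
import shlex

# Constructed sample: a trimmed config backup with three policies.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-LAB"
end
config firewall policy
    edit 1
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set service "ALL"
    next
    edit 2
        set name "dual-wan-inbound"
        set srcintf "wan1" "wan2"
        set dstintf "internal" "DMZ"
        set action accept
        set service "HTTPS"
    next
    edit 3
        set name "mgmt-any"
        set srcintf "any"
        set dstintf "internal"
        set action accept
        set service "SSH"
    next
end
"""


def parse_firewall_policies(config_text):
    """Return {policy_id: {"name": str, "srcintf": [...], "dstintf": [...]}}
    for every policy in the top-level ``config firewall policy`` section."""
    policies = {}
    in_section = False
    depth = 0            # nesting of config/end blocks inside a policy entry
    current_id = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            if line == "config firewall policy":
                in_section = True
            continue
        if line.startswith("config "):   # nested sub-table; skip its contents
            depth += 1
            continue
        if line == "end":
            if depth:
                depth -= 1
                continue
            break                        # closing 'end' of the policy section
        if depth:
            continue
        if line.startswith("edit "):
            current_id = line.split(None, 1)[1].strip('"')
            policies[current_id] = {"name": "", "srcintf": [], "dstintf": []}
        elif line == "next":
            current_id = None
        elif current_id is not None and line.startswith("set "):
            tokens = shlex.split(line)   # keeps quoted interface names intact
            key, values = tokens[1], tokens[2:]
            if key in ("srcintf", "dstintf"):
                policies[current_id][key] = values
            elif key == "name":
                policies[current_id]["name"] = values[0] if values else ""
    return policies


def section_view_breakers(policies):
    """Return {policy_id: [reasons]} for every policy that is not a single
    srcintf/dstintf interface pair (multiple interfaces or 'any')."""
    findings = {}
    for pid, policy in policies.items():
        reasons = []
        for key in ("srcintf", "dstintf"):
            ifaces = policy[key]
            if len(ifaces) > 1:
                reasons.append(f"{key} lists {len(ifaces)} interfaces: {', '.join(ifaces)}")
            if any(name.lower() == "any" for name in ifaces):
                reasons.append(f"{key} uses 'any'")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    found = section_view_breakers(parse_firewall_policies(SAMPLE_CONFIG))
    for pid, reasons in found.items():
        print(f"policy {pid}: " + "; ".join(reasons))
```

To run it against a real unit, replace `SAMPLE_CONFIG` with the text of a backup file or the output of `show firewall policy`; the parser ignores everything outside the policy section, so the full backup can be fed in as-is.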
Hey ift,
I'm sorry, but being able to assist directly is not something I am comfortable doing.
You may want to open a ticket with Fortinet TAC so they can take a look (assuming it is registered and has an active contract).
Please do not accept an invitation from anyone claiming to be me, on your gmail account.
Multiple interfaces in a policy are only allowed in FOS v5 and higher.