gs4711
New Contributor II

View of firewall policies without grouping

The grouping of policy is a perfect way to handle (or review) a bunch of policies on the GUI, but to verify the exact order it would be great to get an ungrouped view of all policies?

 

Is there a hidden switch to show all policies in the exact order on the GUI - or should I use the CLI?

kaman
Staff

You can re-order the policies by dragging and dropping them on the sequence number column. Alternatively, there is cut/copy/paste support, also available by right-clicking on the sequence #. You can click on the By Sequence option available under the right side corner of the firewall policy.

gs4711
New Contributor II



@kaman wrote:

You can re-order the policies by dragging and dropping them on the sequence number column. Alternatively, there is cut/copy/paste support, also available by right-clicking on You can click on the By Sequence option available under the right side corner of the firewall policy.


Thanks for your answer. Sorry, but unfortunately I cannot see any button. It seems that there is no sorting option after having activated the grouping.

 

pavankr5
Staff

If you need to view all policies in the exact order, you can use the CLI command "show firewall policy". This command will display all firewall policies configured on the FortiGate device in the order they are applied. The output will include details such as the policy ID, source and destination addresses, services, and action.
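An added example, not part of the original reply: a short Python parser that turns saved `show firewall policy` output into a flat, ungrouped table in CLI order, which makes it easier to review where deny and accept rules sit relative to each other. The sample output, policy names and interface names are constructed, and the handling of a missing `set action` line is an assumption noted in the code.

```python
import re

# Constructed sample of `show firewall policy` output (not taken from the thread).
SAMPLE = '''
config firewall policy
    edit 7
        set name "guest-to-lan-block"
        set srcintf "guest"
        set dstintf "lan"
    next
    edit 2
        set name "lan-to-wan"
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
    next
    edit 12
        set name "guest-to-wan"
        set srcintf "guest"
        set dstintf "wan1"
        set action accept
    next
end
'''

def parse_policies(text):
    """Return one dict per policy, in the order the CLI printed them."""
    policies, current = [], None
    for line in text.splitlines():
        # Split into tokens, keeping double-quoted values together.
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        if len(tokens) == 2 and tokens[0] == "edit":
            # Assumption: `show` omits default values and a policy without
            # a `set action` line is a deny policy.
            current = {"id": int(tokens[1]), "action": "deny"}
        elif current is not None and len(tokens) >= 3 and tokens[0] == "set":
            current[tokens[1]] = " ".join(tokens[2:])
        elif current is not None and tokens == ["next"]:
            policies.append(current)
            current = None
    return policies

def flat_view(policies):
    """Rows of (sequence, policy ID, srcintf, dstintf, action, name)."""
    return [(seq, p["id"], p.get("srcintf", ""), p.get("dstintf", ""),
             p["action"], p.get("name", ""))
            for seq, p in enumerate(policies, start=1)]

if __name__ == "__main__":
    for row in flat_view(parse_policies(SAMPLE)):
        print("{:<4}{:<5}{:<8}{:<8}{:<8}{}".format(*row))
```

The first column is the position in the CLI output; the policy ID in the second column only identifies the policy.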

Dannу

Does FortiOS 7.4 provide an option to show the firewall policy as ordered in "show firewall policy"? If not I could script a bookmarklet to show that policy in the WebUI similar to this.

ede_pfau
Esteemed Contributor III

Firstly, as kaman mentioned, there is a switch in the upper right corner of the web page "By sequence" which switches off interface-pair grouping.

Apart from getting a quick overview (for instance, which policies use a specific security profile, or NAT) and being able to filter the complete policy table, you will not gain more "exactness". The interface-pair view displays the exact sequence in which packets are matched, just filtered by interface pairs.

In "by sequence" view, the policy ID does NOT determine the sequence of matches - it's only there to identify the policy.

Last hint: to display the policy ID in either view, click the header row and enable "ID". After applying this, you can drag the column to wherever you like it to be. I prefer the very first column.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
gs4711
New Contributor II


@ede_pfau wrote:

Firstly, as kaman mentioned, there is a switch in the upper right corner of the web page "By sequence" which switches off interface-pair grouping.


Thank you for the feedback: The issue with the display of the ordering is related to the "By sequence" view which does not show the order of the processed policies.

 

The grouping seems to be good for maintaining an overview but may cause unintended policy actions when you mix allow and deny rules.

 

Therefore, an ungrouped view would be very helpful.

Dannу

I added the ungrouped view to our communities' FortiGate WebUI Tools extension.
