Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
New Contributor

edit 0 position for ipsec firewall policy

When adding firewall policies you can use edit 0 to get the "next" unused id but how do you track what id is assigned? 

Right now I have three policies that are catch all with different logging and security profiles. Those are at the bottom when looked at with the CLI. 

When I do an edit 0 a new policy number is picked but it is always added at the bottom below the catch all policies. The old policies will be hit and I will not get the policy ipsec until I re-order the policies manually.

Is there a way to move the existing policies to the bottom. I cannot re-order the new policies because the policy id is not known after the policy is created.  A command like "move X to end" or "move X to bottom" would be helpful. 

4 REPLIES 4
aionescu
Staff
Staff

Hi @aguerriero ,

 

Welcome to the community. 

 

You can arrange the policies in the GUI, using the drag/drop method.

Also, in the CLI you can list the policies using the command:

show firewall policy

 Then you can re-order them using the command:

 

config firewall policy
move <id1> before|after <id2>

Hope this is what you are looking for.

aionescu
Staff
Staff

Hi @aguerriero ,

 

Welcome to the community. 

 

You can arrange the policies in the GUI, using the drag/drop method.

 

Also, in the CLI,  you can list the policies using the command:

show firewall policy

 Then you can re-order them using the command:

 

config firewall policy
move <id1> before|after <id2>

Hope this is what you are looking for.

aguerriero

That isn't what I am looking for. That is what I have to do now. Which means I have to log in manually and create the policies then manually move them.

I want to be able to automate it with ansible but edit 0 doesn't provide the policy number that is created as output. So the only piece of information I have is the existing policy.

gfleming

You do not have to use id 0. This just picks the next available ID.

 

If you want to go about this in a programmatic way, you can use any ID in the range of 1 - 4294967294. Use an ID range for your automatically-added policies and then use the manually-assigned IDs to program the move above the catch-all policies that already exist in your table.

 

Also looking at the Ansible documentation it looks like you can do this with built-in commands. I'm not an Ansible expert so I could be wrong here but looks like you can define the creation of a policy and then move that policy after it's instantiated. Look at the "mkey" return value and the "move" action.

 

https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_policy_module....

Cheers,
Graham