eduard_w
New Contributor II

how to change all policy rules at the same time

Hi

I'm new to the board and also very new to FortiGate. I have a lot of experience using ASA firewalls but am now migrating to FortiGates.

But I need some help.

 

We are migrating using the FortiConverter.

I’m looking for a simple solution to add the option

“set logtraffic-start enable” on every rule

Is there an option to do this easily?

I tried using the CLI:

 

config firewall policy

edit 0 - 4294967294

set logtraffic-start enable

 

But it does not accept the command “edit 0 – 4294967294”

Enabling it by hand on every rule is not an option. I hope there is a global command or at least an option to edit a range of rule numbers in one go.

 

Kind Regards

Eduard

The Netherlands

1 Solution
eduard_w
New Contributor II

Built a very small script, 2 one-liners. Did not copy-paste it to the FortiGate yet.

As a source I used a stored config backup of the FortiGate (VDOM).

 

I just learned: do not run the script on the CLI of the FortiGate, because reading the rules back into FortiManager is not so great.

But run the script in FortiManager against the VDOM.


grep -b4 "set srcintf" "configfile of fortigate" | grep edit | awk -F- '{print $2}' > config.txt


sed -e 's/$/\n set logtraffic-start enable \n next/' -i config.txt


and then add several lines to the top of the file.

Because you run it against the VDOM, only one additional line is needed:

 

config firewall policy

 

And add at the end an additional

end

 

Eduard

hbac
Staff

Hi @eduard_w,

 

Which firmware version are you using? You can edit firewall policy on the GUI > Policy & Object. Make sure it is listed as "By Sequence". You can use "Shift" key to select all the policies and under the Log column, click the pencil and change to All and click Apply. See screenshot below 

[Screenshot: log.PNG]

 

There is no CLI command to change them all at the same time. Is "0 - 4294967294" a policy name? 

 

Regards, 

hbac

The "Shift" key works the same way as Windows. Hold "Shift" and click on the first and last policy in the list will select all the policies. 

eduard_w
New Contributor II

Hi, thanks for the quick replies.

We are running 7.0.12 on the FortiGate and v7.0.8 for the FortiManager.

But the suggested solution does not work.

When I select all rules on the FortiGate I can only change the log settings to All, Disabled or UTM. The option "Generate logs when session starts" cannot be selected; it is not even available in the GUI on the FortiGate, only via the CLI.

Using the FortiManager I have 3 log options to change when selecting all the rules: "Disable, Log security events, Log all Sessions".

There is a bit of a mismatch in naming between the FortiGate GUI and FortiManager ☹.

On the FortiManager I can only enable "Generate logs when session starts" one rule at a time.

 

Eduard

fricci_FTNT
Staff
Staff

Hi @eduard_w,

I can think of two ways of achieving that:
1- You can create a script editing one firewall policy at a time, something like the below. You can create a bash or python script that generates it automatically (for only the firewall policy IDs present in your config):

config firewall policy
edit 1
set logtraffic-start enable
next
edit 2
set logtraffic-start enable
next
... ...
edit N
set logtraffic-start enable
next
end

 
2- Alternatively you can export a backup copy of the config from GUI, edit it with a text editor and restore it through the GUI menu. Restoring the config will cause a restart of the firewall.

Please bear in mind that enabling that setting on all firewall policies will generate a double amount of logs for each session hitting those firewall policies.

Regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
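As an added example (not code from the original thread or from Fortinet), this is the generator fricci_FTNT describes above and that the accepted solution's grep/sed one-liners approximate: it reads a config backup, collects the policy IDs that do not already have the setting, and emits one edit/next pair per policy with a single closing end. The sample config is constructed and assumes a single-VDOM export.

```python
import re

# Constructed sample of a FortiGate backup (not a real export). Assumes a
# single-VDOM export, as in the post, so one "config firewall policy" block.
SAMPLE_CONFIG = """\
config firewall shaping-policy
    edit 3
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
    next
    edit 7
        set srcintf "port1"
        set logtraffic-start enable
    next
    edit 12
        set srcintf "port3"
    next
end
"""

def policy_ids_missing_logstart(config_text):
    """Policy IDs under 'config firewall policy' still lacking the setting."""
    ids, in_block, current, has_setting = [], False, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue  # other blocks (e.g. shaping-policy) also use 'edit N'
        elif re.fullmatch(r"edit \d+", line):
            current, has_setting = int(line.split()[1]), False
        elif line == "set logtraffic-start enable":
            has_setting = True  # already enabled: nothing to do for this one
        elif line == "next":
            if current is not None and not has_setting:
                ids.append(current)
            current = None
        elif line == "end":
            break  # 'end' closes the policy block
    return ids

def build_script(policy_ids):
    """One edit/next pair per policy, a single 'end' closing the block."""
    lines = ["config firewall policy"] if policy_ids else []
    for pid in policy_ids:
        lines += [f"    edit {pid}", "        set logtraffic-start enable", "    next"]
    return "\n".join(lines + ["end"]) + "\n" if policy_ids else ""
```

Running `build_script(policy_ids_missing_logstart(open("backup.conf").read()))` yields a script that can be pasted into a FortiManager CLI script, as the accepted solution recommends.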
eduard_w

Thanks. For now I think this is the only solution. Earlier I found this solution from 2014:

Technical Note: Bulk rule changes and examples wit... - Fortinet Community

But I could not find the script which was mentioned.

 

Thanks for the advice.

 

Eduard

eduard_w
New Contributor II

Hi Hamid, I tried that several times but I cannot enable logtraffic-start by selecting all rules in the policy. The option is not available when selecting all rules. Or I am doing something wrong.

 

Eduard


JP-Khan
New Contributor

If anyone is interested, it is easy to do this with Excel. You just enter your lines as needed, highlight the group and then drag down the corner + to create copies, and they populate numerically.

I hope this proves to be helpful to someone. 

[Screenshots: Screenshot 2024-06-26 135255-1.png through Screenshot 2024-06-26 135255-4.png]
