Multiple firewall policies between WiFi interface and wired one
Many network interfaces on my FG unit (FG-500D) are in use. I have no problem creating multiple firewall policies between hardwired interfaces, but could only create a single policy between a WiFi interface and any of wired ones. Every attempt to add a second (let alone 3rd, 4th) policy between WiFi interface and a wired one ends up with the following error message:
Entry not found.
Is that a firmware bug (my unit is running FortiOS v.5.2.3) or I do something wrong? Has anyone experienced similar issues?
Are you using some kind of bugged object in the policy?
No. That was nothing to do with a "bugged object". With the help of Fortinet support I found why I couldn't have added any additional policies between the interfaces.
We all know that firewall policies are processed from top to bottom. To achieve a desirable result you have to place any new policy in a proper place between other ones. ...and for years I used FortiOS' GUI "Insert Policy Above" and "Insert Policy Below" options to do just that. You click one of those options - it opens "Create New Policy" window for you, and then - you would simply configure all policy's properties in it and click <OK>.
But with FortiOS 5.2.3, although both "Insert Policy" options are still there, it doesn't work as expected any longer. It does actually insert a disabled policy with action DENY and nothing else configured, but you have specifically open it to do all the configuration. ...and as soon as you click <OK> - you get that above mentioned pesky message.
The "solution" was not to use "Insert Policy" options but creating a whole new policy from scratch. New policy is placed at the bottom of a section which lists all policies between a pair of interfaces - and that's bring a whole new question: Is there a simple way to reposition policies in one interface section without the need to reconfigure few of them to ensure a proper firewall's behavior. I do not see those anywhere in GUI and CLI.
Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after. Beware, you must first display the policy IDs in the list by choosing that option from the column settings list.
Right click on the policy to move, then insert [before|after] and choose the ID number of the policy where you would like to place it before or after.
That's exactly how it used to work (although it wasn't called "insert" but "move" instead). Well, on v.5.2.3 you do not have such a "luxury" any longer. Those are configuration options available to you when you right-click on a policy:
Did you actually try it yourself on FortiOS 5.2.3?
It doesn't work either. If you cut a policy - it removes it from the list. But when you try to paste it into a different place - it creates a whole new DENY policy instead - with nothing configured. The policy which you cut just a moment ago with intent to relocate - disappears, and you have to go back and recreate that policy from scratch. What a mess! [&:]
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.