How to view Firewall policies in CLI

Author
Anand Narayana
2017/02/14 21:15:44 (permalink)
0

How to view Firewall policies in CLI

Hi,
 I am aware that to view a specific policy ID from the command line, I will need to type in "show firewall policy <policy ID>", but how do I view all the policies specific to an interface? E.g. source port - port1 and destination port10. I need to view all the policies under this from the CLI.

Anand
#1


    ede_pfau
    Re: How to view Firewall policies in CLI 2017/02/15 00:49:48 (permalink)
    0
    This functionality is only available in the GUI. One workaround would be to get the IDs from the GUI section display and call them up one after another in the CLI, e.g.
    show firewall policy <nn>

     
    Thanks to your question I found out that one can call the 'show' command with a policy ID - didn't notice in the last 10 years...

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    neonbit
    Re: How to view Firewall policies in CLI 2017/02/15 03:20:00 (permalink)
    0
    As per ede's post the GUI would be the way to go.
     
    You can show policies in the CLI and filter using grep, but that would only filter if the source or destination interface was port1.
     
    You could use an OR grep for port1 or port10, but again it would show all policies where either port1 or port10 is used in source or destination interface.
     
    FYI to do this you would use the following:
     
    config firewall policy
    show | grep -f 'port1\|port10'
    #3
    ede_pfau
    Re: How to view Firewall policies in CLI 2017/02/15 03:43:30 (permalink)
    0
    @neonbit: grep will only filter the lines with 'set dstintf' and 'set srcintf', not the whole block. I doubt this will suffice.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    jintrah_FTNT
    Re: How to view Firewall policies in CLI 2017/02/16 04:05:45 (permalink)
    0
    Maybe the below context helps
     
    show firewall policy | grep -f port1
    #5
    bstevens
    Re: How to view Firewall policies in CLI 2018/06/20 06:59:46 (permalink)
    4 (1)
    ede_pfau
    @neonbit: grep will only filter the lines with 'set dstintf' and 'set srcintf', not the whole block. I doubt this will suffice.


    I know this is old, but it might help someone who is reading this:
     
    If you use "show firewall policy | grep -B10 -A10 -f 'port1\|port10'"
     
    it will show the 10 lines before and after the interfaces. This can be handy to see the entire block. Alternatively, you could just use the -B10, which would end up showing you which policy ID, and then use the OP syntax to view the whole policy. Hope this helps.
     
    #6
    rwpatterson
    Re: How to view Firewall policies in CLI 2018/06/20 07:45:17 (permalink)
    0
    ede_pfau
    This functionality is only available in the GUI. One workaround would be to get the IDs from the GUI section display and call them up one after another in the CLI, e.g.
    show firewall policy <nn>

     
    Thanks to your question I found out that one can call the 'show' command with a policy ID - didn't notice in the last 10 years...


    Lol! I see I'm not the only one still learning things here. ;-)

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.18-b0689
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #7
    emnoc
    Re: How to view Firewall policies in CLI 2018/06/25 02:54:11 (permalink)
    0
    Yep, I use what bstevens does, and almost daily if I might add.
     
    So much quicker (than the GUI), and the problem with the WebGUI: "the WebGUI does NOT show you all items for that policyID. Just the common items."
     
    More and more FortiGate engineers do not know that and are missing other items that might be enabled, IMHO.
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #8
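
An offline way to answer the original question (policies from port1 to port10 only), added here as an example and not part of any post in the thread: save the `show firewall policy` output to a file and filter it by exact interface name on both sides, which the OR grep discussed in posts #3 and #6 cannot do. The function names and the sample text are constructed for illustration; the parser assumes the usual `config` / `edit` / `set` / `next` / `end` layout.

```python
import shlex

# Constructed sample of "show firewall policy" output (not from the thread).
SAMPLE = """\
config firewall policy
    edit 1
        set srcintf "port1" "port2"
        set dstintf "port10"
    next
    edit 2
        set srcintf "port10"
        set dstintf "port1"
    next
    edit 3
        set srcintf "port11"
        set dstintf "port10"
    next
    edit 4
        set srcintf "any"
        set dstintf "port10"
    next
end
"""

def parse_policies(text):
    """Map policy ID -> {setting: [values]} for each top-level edit block."""
    policies, current, depth = {}, None, 0
    for line in text.splitlines():
        try:
            tok = shlex.split(line) or [""]
        except ValueError:  # unbalanced quote, e.g. a multi-line comment
            continue
        if tok[0] in ("config", "end"):
            depth += 1 if tok[0] == "config" else -1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = policies.setdefault(int(tok[1]), {})
        elif depth == 1 and tok[0] == "next":
            current = None
        elif depth == 1 and tok[0] == "set" and current is not None and len(tok) > 1:
            current[tok[1]] = tok[2:]
    return policies

def policies_between(policies, src, dst, include_any=False):
    """IDs whose srcintf lists src AND whose dstintf lists dst, by exact name."""
    def hit(values, name):
        return name in values or (include_any and "any" in values)
    return sorted(pid for pid, p in policies.items()
                  if hit(p.get("srcintf", []), src) and hit(p.get("dstintf", []), dst))
```

On the sample, policy 2 (reverse direction) and policy 3 (port11, which a plain `port1` pattern also matches) are excluded; `include_any=True` additionally returns policies that use the `any` interface, which also apply to traffic from port1.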