what determines the policy ordering

Author
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
2017/05/19 01:29:48 (permalink)
0

what determines the policy ordering

Is it the seq# that determines the order in which the policies are applied?
Thanks
 
#1
ede_pfau
Expert Member
  • Total Posts : 5195
  • Scores: 322
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: what determines the policy ordering 2017/05/19 03:32:34 (permalink) Helpful by nikolaj 2017/06/28 03:03:34
0
Yes and no.
Only the order within an interface pair is relevant. Policies are ordered by their appearance in the config file, top down.
The sequence number is just an optical aid in the GUI - you won't find it anywhere in the config. It is numbered consecutively from the first to the last policy. So, it is not determining the order but adjusted to the order. Say, you drag a policy in the GUI to the top - its sequence number will change.
There's an unambiguous ID for each policy by which you can edit it in the CLI. The ID column can be shown in the GUI as well. But it is not relevant for the order of execution but the order of creation.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
Re: what determines the policy ordering 2017/05/19 04:44:22 (permalink)
0
So, in the FortiGate GUI, in the policy section with section view checked, I can see the interface pair.
Do the numbers in ascending order in the first column represent the sequence in which the policies are executed?
 
#3
Kenundrum
Silver Member
  • Total Posts : 96
  • Scores: 6
  • Reward points: 0
  • Joined: 2008/05/15 10:25:50
  • Location: Rhode Island, US
  • Status: offline
Re: what determines the policy ordering 2017/05/19 06:04:43 (permalink)
0
nikolaj
Do the numbers in ascending order in the first column represent the sequence in which the policies are executed?

 
As long as Sequence# is the first column in your GUI. You can right-click on the column heading to add/remove columns. The tell-tale is that the sequence# does not have a clickable link whereas the policy ID does. I use both the sequence# and the policy ID as the first two columns because I need to refer to the ID for change tracking.

NSE4 (at Accelerate2017!)
Some FGT500Ds, 60Ds at work
FWF60E, FWF80CM, FGT60C, and FWF60B at home
#4
emnoc
Expert Member
  • Total Posts : 4146
  • Scores: 231
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Status: offline
Re: what determines the policy ordering 2017/05/19 09:45:18 (permalink)
0
I have to agree with the other Ken ;) In the GUI set the policyid and seq#; from the CLI, run show firewall policy and the resulting output is the top-to-bottom order that Ede mentioned earlier.
 
 
YMMV but be aware the policy-id HAS NOTHING TO DO WITH THE SEQUENCE
 
e.g.
 
FGTLONUK01 (custM) $ show firewall  policy
policyid    Policy ID. (0-4294967294)
10288
12333
18  
111
19  
17  
15  
14  
234
490
13  
11  
8  
1  
2  
3  
82
190
189
4  
5  
6  
12  


PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#5
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
Re: what determines the policy ordering 2017/06/28 03:03:00 (permalink)
0
So, in essence, I can see the order in which the rules are applied not in the GUI but in the config file, where I can see the interface pair and the order is from top down. Correct?
#6
jpp
New Member
  • Total Posts : 18
  • Scores: 0
  • Reward points: 0
  • Joined: 2007/07/16 00:38:28
  • Status: offline
Re: what determines the policy ordering 2017/06/28 07:12:54 (permalink) Helpful by nikolaj 2017/06/28 07:46:20
0
Why can't you see it in the GUI?
Rules are applied exactly as they are in the GUI, and as long as you don't have policies with multiple interfaces, it's fairly easy to determine which one is before the other.
You can drag-and-drop policies to reorder them in the GUI and this will be the order the next connection will be "classified".
 
It is always a good idea to show both sequence# and policyID#. You just don't need to look at the numbers but the order - top to bottom (assuming your monitor is upright ;))
post edited by jpp - 2017/06/28 07:14:51
#7
emnoc
Expert Member
  • Total Posts : 4146
  • Scores: 231
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Status: offline
Re: what determines the policy ordering 2017/06/28 09:18:45 (permalink)
0
You can set the webGUI display filters to show the seq# and policy ID#
 
see screenshot
 

Attached Image(s)


PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#8
ede_pfau
Expert Member
  • Total Posts : 5195
  • Scores: 322
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: what determines the policy ordering 2017/07/02 06:09:07 (permalink) Helpful by nikolaj 2017/07/03 00:00:22
0
nikolaj
So, in essence, I can see the order in which the rules are applied not in the GUI but in the config file, where I can see the interface pair and the order is from top down. Correct?

Yes. Simply top-down, and in ascending sequence number, as you would expect.
 
This explains why you are encouraged to order the policies from most explicit to most general, regarding the matching fields (source addr, dest addr, service, schedule). If a more general policy is placed before (on top of) a more specific one, the specific one will never be hit.
 

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#9
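As an added example (not from the thread, and not Fortinet's own code), a small Python model of the evaluation rule the replies describe: first match in config order within an interface pair, policy ID irrelevant to that order, and a check for policies that a more general policy placed above them can never let through. The policies and packets are constructed; the field names are a simplification of mine, not FortiGate CLI syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policies in config-file order (top-down). The policy IDs
# are deliberately out of order: they only record creation order, not evaluation.
POLICIES = [
    {"id": 18, "srcintf": "port1", "dstintf": "port2", "srcaddr": "10.0.0.0/8",
     "dstaddr": "0.0.0.0/0", "service": {"tcp/443"}, "action": "accept"},
    {"id": 3, "srcintf": "port1", "dstintf": "port2", "srcaddr": "10.0.0.0/8",
     "dstaddr": "0.0.0.0/0", "service": {"ALL"}, "action": "accept"},
    {"id": 190, "srcintf": "port1", "dstintf": "port2", "srcaddr": "10.1.2.0/24",
     "dstaddr": "0.0.0.0/0", "service": {"tcp/22"}, "action": "deny"},
    {"id": 5, "srcintf": "port2", "dstintf": "port1", "srcaddr": "0.0.0.0/0",
     "dstaddr": "10.0.0.0/8", "service": {"ALL"}, "action": "deny"},
]


def _service_covers(a, b):
    """True if service set a matches everything that service set b matches."""
    return "ALL" in a or b <= a


def first_match(policies, pkt):
    """Return the first policy in config order that matches pkt, or None (implicit deny)."""
    for p in policies:
        if (p["srcintf"], p["dstintf"]) != (pkt["srcintf"], pkt["dstintf"]):
            continue  # only the order within the interface pair is relevant
        if ip_address(pkt["src"]) not in ip_network(p["srcaddr"]):
            continue
        if ip_address(pkt["dst"]) not in ip_network(p["dstaddr"]):
            continue
        if not _service_covers(p["service"], {pkt["service"]}):
            continue
        return p
    return None


def shadowed(policies):
    """Return (shadowed_id, shadowing_id) pairs: a policy that can never be hit because
    an earlier policy in the same interface pair already matches a superset of its traffic."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same_pair = (earlier["srcintf"], earlier["dstintf"]) == (later["srcintf"], later["dstintf"])
            if (same_pair
                    and ip_network(later["srcaddr"]).subnet_of(ip_network(earlier["srcaddr"]))
                    and ip_network(later["dstaddr"]).subnet_of(ip_network(earlier["dstaddr"]))
                    and _service_covers(earlier["service"], later["service"])):
                found.append((later["id"], earlier["id"]))
                break
    return found
```

Running `shadowed(POLICIES)` reports that the SSH deny (id 190) sits below the catch-all accept (id 3) and is never reached, the exact shadowing Ede warns about.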