CLI, Sequence Grouping, and adding new policies

Author
Geezertronic
2019/06/13 08:31:09

Hi.  Running a FortiGate 800D running v6.0.4 build 0231.
 
Please can someone advise how I can create Sequence Groups via CLI, then add a new IPv4 policy to be located under that sequence group again via CLI.
 
Thanks
#1

9 Replies

    hubertzw
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/15 03:40:16
    What do you mean by 'Sequence Groups'?
     
    This is how you can move policy under specific policy ID: 

    config firewall policy
        move policy_ID [before|after] policy_ID
    end
    #2
    ede_pfau
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/15 04:06:42
    There is no sequence numbering or grouping in CLI. Policies are uniquely numbered with a policy-ID. Only in the GUI, policies are grouped by source & dest interface, and sequentially re-numbered.
    That's why many users discard the "sequence ID" column and add "policyID", as then you can find it in the CLI.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #3
    Geezertronic
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/16 06:18:26
    In the GUI, you can create Sequence Groups and have different policies under each sequence group - they offer no usage value other than to group policies together based on usage.  Can you not create these groups via the CLI and assign policies to be under them rather than do all of that via the GUI?
    #4
    ede_pfau
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/16 10:01:54
    Only now I understand - you're working in sequence view of the Policy table. AFAIK there is no CLI equivalent of sequence grouping. I've created one, and searched the complete config for its name - nothing. Seems to be a GUI tool only.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    Geezertronic
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/17 00:43:58
    Thanks.  I searched the config as well and could not find it - very weird.
    #6
    ede_pfau
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/17 13:03:20
    Unfortunate for you, but not weird. The recommended organisation model for policies is the interface pair grouping in GUI. I would agree that (with a lot of policies, like 100s) one could think of different grouping schemes, but...it's not the way it is.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #7
    Geezertronic
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/18 00:18:58
    So is best practice to specify source and destination interfaces for each policy?  
    #8
    AlexS
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/18 03:45:02
    To set:
    config firewall policy
        edit <policy ID>
            set global-label "Sequence Group Name"
        next
    end
     
    Any policies below will be in that same Group until you specify another global-label.
    #9
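
Added example, not part of any post in this thread: a Python sketch that applies the rule from the reply above (a policy without its own global-label belongs to the nearest label above it) to text in the layout of `show firewall policy` output, so the group a policy lands in after an `edit` or `move` can be checked offline. The sample config, its policy IDs and labels, and the function name `resolve_sequence_groups` are constructed for illustration.

```python
import re

# Constructed sample in the layout of `show firewall policy`; IDs, names, labels invented.
SAMPLE_CONFIG = """\
config firewall policy
    edit 7
        set global-label "Infrastructure"
    next
    edit 12
        set name "ntp-out"
    next
    edit 3
        set global-label "Public Services"
    next
    edit 20
        set name "mail-in"
    next
end
"""

EDIT_RE = re.compile(r'^edit\s+(\d+)$')
LABEL_RE = re.compile(r'^set\s+global-label\s+"?(.*?)"?$')

def resolve_sequence_groups(config_text):
    """Return [(policy_id, group_or_None)] in the order policies appear."""
    depth, table_depth = 0, None      # nesting of config/end blocks
    order, own_label = [], {}         # policy IDs in order; explicit labels
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config firewall policy":
                table_depth = depth
        elif line == "end":
            if depth == table_depth:
                table_depth = None
            depth -= 1
        elif depth == table_depth:    # directly inside the policy table
            if m := EDIT_RE.match(line):
                order.append(int(m.group(1)))
            elif (m := LABEL_RE.match(line)) and order:
                own_label[order[-1]] = m.group(1)
    # Carry the most recent label forward to unlabelled policies below it.
    result, group = [], None
    for policy_id in order:
        group = own_label.get(policy_id, group)
        result.append((policy_id, group))
    return result

print(resolve_sequence_groups(SAMPLE_CONFIG))
```

Policies that appear before the first label resolve to `None`, which is how an ungrouped policy at the top of the table shows up.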
    Geezertronic
    Re: CLI, Sequence Grouping, and adding new policies 2019/06/18 07:24:34
    Thanks, that is just what I am looking for
    #10