Description
This article explains how to change the order of the IPV4, traffic shaping, local-in and SD-WAN policy list in the CLI.
Scope
FortiGate.
Solution
It is possible to change the policy order in the IPV4 list by dragging items in the GUI, or by entering the CLI commands outlined in this article. The ID number of moved policies does not change.
For example, to move policy 10 before or after policy 30, enter the following command:
config firewall policy
move 10 <'before' or 'after'> 30
end
The move subcommand is only available to use in tables where the order of entries makes a difference to function. The same process can be used to manage traffic shaping, local-in, and SD-WAN policies.
See the attached console logs for information about lab tests demonstrating policy order changes.
If multiple VIP entries are configured and it is desired to change the order of VIP through the CLI, use the following commands:
config firewall vip
move <VIP NAME> [before/after] <VIP NAME>
end
After running the commands:
It also applies to Dynamic Port Policies. These policies are processed sequentially just like firewall policies. However, it is not possible to drag and drop on the GUI. It must be done in the CLI. The example below shows how to move policy 'User1' above 'Other users' as it is more specific:
- Note that, unlike firewall policies, Dynamic Port Policy does not have a policy ID. Hence, it is necessary to use policy names in the CLI. If the policy name contains a space, it is necessary to put a '\' before the space as an escape character:
config switch-controller dynamic-port-policy
edit "Test"
config policy
move Other\ Users after User1
end
end
- After that change, User1 is not above 'Other Users'.
To move the URL filter entries, for example move entry 2 before entry 1:
config webfilter urlfilter
edit <>
config entries
move 2 before 1
end
