How “Any” policy can remove the Interface Pair View

The FortiGate unit will automatically change the view on the policy list page to By Sequence whenever there is a policy containing “any” as the Source or Destination interface. If the Interface Pair View is grayed out it is likely that one or more of the policies has used the “any” interface.

By using the “any” interface, the policy should go into multiple sections because it could effectively be any of a number of interface pairings. As mentioned, policies are sectioned by using the interface pairings (for example, port1 -> port2) and each section has its own specific policy order. The order in which a policy is checked for matching criteria to a packet’s information is based solely on the position of the policy within its section or within the entire list of policies as a whole but if the policy is in multiple sections at the same time there is no mechanism for placing the policy in a proper order within all of those sections at the same time because it is a manual process and there is no parameter to compare the precedence of one section or policy over the other. Thus a conflict is created. In order to resolve the conflict the FortiGate firewall removes that aspect of the sections so that there is no need to compare and find precedence between the sections and it therefore has only the Global View to work with.

Policy names

Each policy has a name field. Every policy name must be unique for the current VDOM regardless of policy type. Previous to FortiOS 5.4, this field was optional.

On upgrading from an earlier version of FortiOS to 5.4, policy names are not assigned to old policies, but when configuring new policies, a unique name must be assigned to the policy.

Configuring the Name field

GUI

In the GUI, the field for the policy name is the first field on the editing page.

CLI

In the CLI, the syntax for assigning the policy name is:

config firewall [policy|policy6] edit 0 set name <policy name> end

Disabling policy name requirement

While by default the requirement of having a unique name for each policy is the default, it can be enabled or disabled. Oddly enough, if disabling the requirement is a one time thing, doing it in the CLI is more straightforward.

This setting is VDOM based so if you are running multiple VDOMs, you will have to enter the correct VDOM before entering the CLI commands or turning the feature on or off in the GUI.

GUI

To edit the requirement in the GUI, the ability to do so must be enabled in the CLI. The syntax is:

config system settings set gui-allow-unnamed-policy [enable|disable] end

Once it has been enabled, the requirement for named policies can be relaxed by going to System > Feature Visibility. Allow Unnamed Policies can be found under Additional Features. Here you can toggle the requirement on and off.

CLI

To change the requirement in the CLI, use the following syntax:

config system settings set gui-advance policy [enable|disable] end