fortinet.fortios.fortios_firewall_policy and policyid

[chr00ted]

Quick question on policyid. What policyid would you suggest if I want it to be the 1st rule, but not overwrite an existing policyid #1? Is there a way for a new rule to become rule 1 without deleting another rule?

If I run this playbook as is, it would change my existing rule #1 that does something else.SInce some of my firewalls may have more rules than others, I would never know a good # to put in policyid without having this possibly overwrite another rule doing something else with the same policyid.

• name: Add Block Rules fortinet.fortios.fortios_firewall_policy: vdom: "{{ vdom }}" state: "present" firewall_policy: action: "deny" name: "Blocked IPs" srcintf:

         name: "any"
   dstintf: 
      -
         name: "any"
   srcaddr:
      -
         name: "all"
   dstaddr:
      -
         name: "BLOCKED"
   logtraffic: "all"
   schedule: "always"
   service:
      -
         name: "ALL"
   utm_status: "enable"
   nat: "enable"
   policyid: "1"

[chr00ted]

It looks like I need to add: action: move before: ..... Not sure what to put for mkey... I need for existing rule 1 as that would be different on each fw

[MaxxLiu22]

Hi @chr00ted ,

Thank you for your question. I have prepared a script to create a firewall policy with policy ID 7, query all existing policies to get the first-order policy's ID, and then move the newly created policy to the top position. I hope this will be helpful for your situation.

By the way, if we set the policy ID to 0, FortiOS (FOS) will automatically assign a number to it. Since FOS uses the policy ID to locate specific policies, we need to update the policy ID from 0 to the corresponding assigned policy ID. Otherwise, Ansible will create another new policy with ID 0. If you want to know the assigned policy ID, you can use the fortios_configuration_fact module to query it. You can find the assigned policy ID using fw_info.meta[0].results[-1].policyid.

  tasks:
  - fortios_firewall_policy:
      firewall_policy:
        action: accept
        comments: ansible
        dstaddr:
        - name: all
        dstintf:
        - name: port1
        name: fw-policy
        policyid: 7
        schedule: always
        logtraffic: "all"
        service:
        - name: ALL
        srcaddr:
        - name: all
        srcintf:
        - name: port1
      state: '{{state}}'
      vdom: '{{vdom}}'
    name: create a fw policy with policyid 7

  - name: query all fw policies
    fortios_configuration_fact:
        selectors:
        - selector: firewall_policy
    register: fw_info

  - debug: msg="{{ fw_info.meta[0].results[0].policyid }}"  #<--- get the first policy id
    name: check the first policy's id

  - fortios_firewall_policy:
      vdom: '{{vdom}}'
      self: 7
      before: "{{ fw_info.meta[0].results[0].policyid | int }}"
      action: move
    name: move created fw policy to the top

Thanks, Maxx

[chr00ted]

Maxx, you are the man! Thank you! I'm going to test this out.

[chr00ted]

That worked, thank you Max!