Closed chr00ted closed 2 weeks ago
It looks like I need to add `action: move` and `before: .....`. Not sure what to put for mkey... I need it for existing rule 1, as that would be different on each fw.
Hi @chr00ted ,
Thank you for your question. I have prepared a script to create a firewall policy with policy ID 7, query all existing policies to get the first-order policy's ID, and then move the newly created policy to the top position. I hope this will be helpful for your situation.
By the way, if we set the policy ID to 0, FortiOS (FOS) will automatically assign a number to it. Since FOS uses the policy ID to locate specific policies, we need to update the policy ID from 0 to the corresponding assigned policy ID. Otherwise, Ansible will create another new policy with ID 0. If you want to know the assigned policy ID, you can use the fortios_configuration_fact module to query it. You can find the assigned policy ID using `fw_info.meta[0].results[-1].policyid`.
```yaml
tasks:
  - name: create a fw policy with policyid 7
    fortios_firewall_policy:
      vdom: '{{vdom}}'
      state: '{{state}}'
      firewall_policy:
        action: accept
        comments: ansible
        dstaddr:
          - name: all
        dstintf:
          - name: port1
        name: fw-policy
        policyid: 7
        schedule: always
        logtraffic: "all"
        service:
          - name: ALL
        srcaddr:
          - name: all
        srcintf:
          - name: port1

  - name: query all fw policies
    fortios_configuration_fact:
      selectors:
        - selector: firewall_policy
    register: fw_info

  - name: check the first policy's id
    debug: msg="{{ fw_info.meta[0].results[0].policyid }}"  # <--- get the first policy id

  - name: move created fw policy to the top
    fortios_firewall_policy:
      vdom: '{{vdom}}'
      self: 7
      before: "{{ fw_info.meta[0].results[0].policyid | int }}"
      action: move
```
Thanks, Maxx
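The policyid-0 variant Maxx describes above, written out as a complete playbook. This is an added example, not code from the thread or from the fortinet.fortios collection docs. It assumes an inventory group `fortigates` with httpapi connection variables already set, a VDOM named `root`, interfaces `port1`/`port2`, and an existing address group `blocked-ips`; it also relies on the behaviour Maxx states, that the newly created policy shows up last in the query results, so `results[-1]` is its assigned ID.

```yaml
# Added example: create a deny policy with policyid 0 (FortiOS assigns the ID),
# read the assigned ID back, then move the policy above the current first rule
# without ever overwriting an existing policy ID.
- hosts: fortigates            # assumed inventory group
  connection: httpapi
  gather_facts: false
  vars:
    vdom: root                 # assumed VDOM name
  tasks:
    - name: Create a deny policy and let FortiOS assign the policy ID
      fortinet.fortios.fortios_firewall_policy:
        vdom: "{{ vdom }}"
        state: present
        firewall_policy:
          policyid: 0          # 0 = let FOS pick the next free ID
          name: "Blocked IPs"
          action: deny
          status: enable
          schedule: always
          logtraffic: all      # log denied traffic so the rule is visible in SOC tooling
          srcintf:
            - name: port1      # assumed interface
          dstintf:
            - name: port2      # assumed interface
          srcaddr:
            - name: "blocked-ips"   # assumed existing address group
          dstaddr:
            - name: all
          service:
            - name: ALL

    - name: Query all policies to learn the assigned ID and the current top policy
      fortinet.fortios.fortios_configuration_fact:
        vdom: "{{ vdom }}"
        selectors:
          - selector: firewall_policy
      register: fw_info

    - name: Remember the assigned ID (last entry) and the current first policy's ID
      ansible.builtin.set_fact:
        new_policyid: "{{ fw_info.meta[0].results[-1].policyid | int }}"
        top_policyid: "{{ fw_info.meta[0].results[0].policyid | int }}"

    - name: Move the new policy above the current first policy
      fortinet.fortios.fortios_firewall_policy:
        vdom: "{{ vdom }}"
        action: move
        self: "{{ new_policyid }}"
        before: "{{ top_policyid }}"
      when: new_policyid != top_policyid   # already first if it is the only policy
```

Because the ID is never hard-coded, the same playbook is safe to run against firewalls with different numbers of existing rules; the `when` guard skips the move on a device where the new policy is the only one, and the `logtraffic: all` setting keeps the resulting denies visible for detection rather than silently dropping them.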
Maxx, you are the man! Thank you! I'm going to test this out.
That worked, thank you Max!
Quick question on policyid. What policyid would you suggest if I want it to be the 1st rule, but not overwrite an existing policyid #1? Is there a way for a new rule to become rule 1 without deleting another rule?
If I run this playbook as is, it would change my existing rule #1 that does something else. Since some of my firewalls may have more rules than others, I would never know a good # to put in policyid without having this possibly overwrite another rule doing something else with the same policyid.

```yaml
- name: Add Block Rules
  fortinet.fortios.fortios_firewall_policy:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_policy:
      action: "deny"
      name: "Blocked IPs"
      srcintf:
```