fortinet.fortios.fortios_firewall_policy and policyid
Closed this issue · 4 comments
Quick question on policyid. What policyid would you suggest if I want it to be the 1st rule, but not overwrite an existing policyid #1?
Is there a way for a new rule to become rule 1 without deleting another rule?
If I run this playbook as is, it would change my existing rule #1 that does something else. Since some of my firewalls may have more rules than others, I would never know a good # to put in policyid without having this possibly overwrite another rule doing something else with the same policyid.
```yaml
- name: Add Block Rules
  fortinet.fortios.fortios_firewall_policy:
    vdom: "{{ vdom }}"
    state: "present"
    firewall_policy:
      action: "deny"
      name: "Blocked IPs"
      srcintf:
        -
          name: "any"
      dstintf:
        -
          name: "any"
      srcaddr:
        -
          name: "all"
      dstaddr:
        -
          name: "BLOCKED"
      logtraffic: "all"
      schedule: "always"
      service:
        -
          name: "ALL"
      utm_status: "enable"
      nat: "enable"
      policyid: "1"
```
It looks like I need to add:
`action: move`
`before: .....` Not sure what to put for mkey... I need it for the existing rule 1, as that would be different on each fw.
Hi @chr00ted ,
Thank you for your question. I have prepared a script to create a firewall policy with policy ID 7, query all existing policies to get the first-order policy's ID, and then move the newly created policy to the top position. I hope this will be helpful for your situation.
By the way, if we set the policy ID to 0, FortiOS (FOS) will automatically assign a number to it. Since FOS uses the policy ID to locate specific policies, we need to update the policy ID from 0 to the corresponding assigned policy ID. Otherwise, Ansible will create another new policy with ID 0. If you want to know the assigned policy ID, you can use the fortios_configuration_fact module to query it. You can find the assigned policy ID using `fw_info.meta[0].results[-1].policyid`.
```yaml
tasks:
  - fortios_firewall_policy:
      firewall_policy:
        action: accept
        comments: ansible
        dstaddr:
          - name: all
        dstintf:
          - name: port1
        name: fw-policy
        policyid: 7
        schedule: always
        logtraffic: "all"
        service:
          - name: ALL
        srcaddr:
          - name: all
        srcintf:
          - name: port1
      state: '{{state}}'
      vdom: '{{vdom}}'
    name: create a fw policy with policyid 7
  - name: query all fw policies
    fortios_configuration_fact:
      selectors:
        - selector: firewall_policy
    register: fw_info
  - debug: msg="{{ fw_info.meta[0].results[0].policyid }}" # <--- get the first policy id
    name: check the first policy's id
  - fortios_firewall_policy:
      vdom: '{{vdom}}'
      self: 7
      before: "{{ fw_info.meta[0].results[0].policyid | int }}"
      action: move
    name: move created fw policy to the top
```
Thanks,
Maxx
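An added example, not from this thread or from the fortinet.fortios collection itself, that combines the two approaches above for the deny rule from the question: create it with `policyid: 0` so FortiOS picks a free ID on every firewall, read the assigned ID back from `fw_info.meta[0].results[-1].policyid`, and move it above the current first policy only when it is not already at the top. The play header (`hosts: fortigates`, `connection: httpapi`), the `BLOCKED` address object and the `vdom` value are assumed.

```yaml
- name: Add a deny rule at the top without overwriting an existing policyid (assumed example)
  hosts: fortigates
  connection: httpapi
  vars:
    vdom: root
  tasks:
    # policyid 0 lets FOS assign the next free ID; new policies land at the bottom.
    # Re-running this task creates another policy, so run it once per rule.
    - name: Create the deny rule with an auto-assigned policy ID
      fortinet.fortios.fortios_firewall_policy:
        vdom: "{{ vdom }}"
        state: present
        firewall_policy:
          policyid: 0
          name: "Blocked IPs"
          action: deny
          srcintf:
            - name: any
          dstintf:
            - name: any
          srcaddr:
            - name: all
          dstaddr:
            - name: BLOCKED   # assumed address object holding the blocked IPs
          schedule: always
          service:
            - name: ALL
          logtraffic: all

    - name: Query all policies in their current order
      fortinet.fortios.fortios_configuration_fact:
        vdom: "{{ vdom }}"
        selectors:
          - selector: firewall_policy
      register: fw_info

    - name: Record the current first policy and the ID FOS assigned to the new rule
      ansible.builtin.set_fact:
        first_id: "{{ fw_info.meta[0].results[0].policyid | int }}"
        new_id: "{{ fw_info.meta[0].results[-1].policyid | int }}"

    # Skip the move when the new rule is the only (and therefore first) policy;
    # moving a policy before itself is not a meaningful request.
    - name: Move the new rule to the top unless it is already first
      fortinet.fortios.fortios_firewall_policy:
        vdom: "{{ vdom }}"
        action: move
        self: "{{ new_id }}"
        before: "{{ first_id }}"
      when: new_id | int != first_id | int
```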
Maxx, you are the man! Thank you! I'm going to test this out.
That worked, thank you Max!