Commiting firewall rule failed because of parameters order
Opened this issue · 0 comments
blakkheimgw commented
Hello there,
I've faced this issue and waste a bit of time to debug it but I've finally hunt it !
I use this bit of code to add new firewall rules :
d.load_config('firewall policy')
newRule05 = FortiConfig(config_type='edit', name='0')
newRule05.set_param('srcintf', subnetDescription)
newRule05.set_param('dstintf', firewallIntercoZone[0])
newRule05.set_param('srcaddr', 'all')
newRule05.set_param('dstaddr', fwObjectGrpSrvTransverses)
newRule05.set_param('action', 'accept')
newRule05.set_param('status', 'enable')
newRule05.set_param('service', fwObjectGrpServicesTransverses)
newRule05.set_param('schedule', 'always')
d.candidate_config['firewall policy']['0'] = newRule05
d.commit()
The commit failed intermittently with this generic error :
raise exceptions.FailedCommit(wrong_commands)
pyFG.exceptions.FailedCommit: [('-3', 'set dstaddr grp-srv-transverses')]
Sometimes it works without error and before this bit of code, the script commits dozens of other rules. The problem is :
- in this rule, the firewall object named grp-srv-transverses is a address group full of addresses attached to one interface
- if you don't specify the dstintf parameter first, you can't specify the dstaddr parameter with this kind of group attached to an interface
- pyFG generates the config section in random order. See the 2 examples beyond for the same rule :
edit 0
set action accept
set schedule always
set status enable
set srcaddr all
set service grp-services-transverses
set srcintf PP-SUMIT-BD
set dstintf Interco-TechRH-HProd
set dstaddr grp-srv-transverses
next
AND :
edit 0
set srcaddr all
set status enable
set service grp-services-transverses
set dstaddr grp-srv-transverses
set action accept
set schedule always
set srcintf PP-SUMIT-BD
set dstintf Interco-TechRH-HProd
next
The generation of the rule set should be in a sequential order to avoid this bug.
Regards.