Edit a Firewall Policy
Open an existing policy to change criteria (source, destination, service), action, NAT, security profiles, or logging.
Steps
- Policy & Objects → Firewall Policy.
- Click the policy name (or right-click → Edit).
- Change any field (see Add a Firewall Policy for field reference).
- Click OK.
Changes take effect as soon as you click OK. Unlike UnifiedBX, there is no separate "Apply Config" step, so edit carefully: a mistake is live immediately.
Common Edits¶
- Add a new source/destination address: open the field, click the search icon, pick the new object (or create one inline).
- Add a service: same — but for the Service field.
- Attach a security profile: scroll to Security Profiles section, toggle the profile (Antivirus, IPS, etc.), pick the profile config.
- Change logging: scroll to Logging Options and choose All Sessions (full visibility, at the cost of log volume) or Security Events Only (only AV/IPS/other UTM hits).
- Disable temporarily: toggle Enable this policy to Off. Faster than deleting, and it preserves the rule (and its position in the sequence) for re-enabling.
- Comment what you changed and why: future-you (or the next admin) will thank you.
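The same edits from the CLI, as an added example that is not from the original page. Policy ID 12, the address object name, the host address and the ticket reference are assumptions; the profile names used are the built-in defaults that ship with FortiOS:

```fortios
# Create the new destination object inline, then reference it from the policy.
config firewall address
    edit "web-srv-10.0.20.15"                # assumed object name
        set subnet 10.0.20.15 255.255.255.255
    next
end

config firewall policy
    edit 12                                   # assumed policy ID
        # append adds to the existing list; "set dstaddr ..." would REPLACE it.
        append dstaddr "web-srv-10.0.20.15"
        append service "SSH"
        # unselect removes a single entry without touching the rest of the list.
        unselect service "HTTP"
        # Attach security profiles: utm-status and an SSL/SSH profile are
        # required whenever any UTM profile is set on the policy.
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        # Logging: "all" = All Sessions, "utm" = Security Events Only.
        set logtraffic all
        # Disable temporarily instead of deleting the rule.
        set status disable
        set comments "CHG-1234 (assumed ref): +SSH, +AV/IPS, disabled until change window"
    next
end

# Confirm the result; "show" prints only non-default settings.
show firewall policy 12
```

The `append` / `unselect` distinction is the one that bites: `set srcaddr`, `set dstaddr` and `set service` each take the full list, so a bare `set` with one value silently drops every other object from that field.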
Verify
The policy row reflects your changes immediately. To verify behavior, regenerate test traffic and watch:
```
# Hit counter (iprope table 100004 holds the IPv4 firewall policies):
diagnose firewall iprope show 100004 | grep <policy-id>
# Real-time flow trace: clear any stale filter first, then trace only the test host
diagnose debug flow filter clear
diagnose debug flow filter saddr <source-ip>
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 10
# Switch the trace off when done; debug output is CPU-heavy and never stops on its own
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```
Generate traffic; the trace shows which policy matched and what happened (an accepted session logs a line such as "Allowed by Policy-<id>", a drop logs "Denied by forward policy check (policy 0)"). If the matched ID is not the one you edited, a policy higher in the sequence is catching the traffic first.
Common Issues
- Change didn't take effect: usually a stale browser view. Hard-refresh the page and re-open the policy before assuming the change was lost.
- Active sessions still using old rule. Policy lookup happens when a session is created. Whether existing sessions are re-checked after an edit depends on `firewall-session-dirty` under `config system settings`: with the default `check-all`, FortiGate flags every current session dirty and re-evaluates it against the changed policy; with `check-new`, existing sessions keep their old policy until they expire. If you need the change to bite now, flush the affected sessions. Set the filter first: an unfiltered `diagnose sys session clear` drops every session on the unit.
```
diagnose sys session filter clear
diagnose sys session filter src <source-ip>
diagnose sys session list
diagnose sys session clear
```
- "Policy in use" warning when trying to delete a referenced object. Edit the policy first to remove the reference, then delete the object.
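Both settings side by side, as an added example that is not from the original page. The setting is per VDOM; the VDOM name is not shown because a single-VDOM unit does not need it:

```fortios
# Check the current behaviour ("get" prints defaults, "show" does not)
get system settings | grep firewall-session-dirty

# Default: an edited policy causes all current sessions to be flagged dirty and
# re-evaluated, so the change applies to existing flows as well as new ones.
config system settings
    set firewall-session-dirty check-all
end

# Alternative: only sessions created after the edit see the new policy;
# existing sessions age out on the old one (this is the behaviour where a
# manual session flush is required after every policy change).
config system settings
    set firewall-session-dirty check-new
end
```

`check-new` is the setting to suspect when a tightened policy appears not to work against a host that already had a long-lived connection open.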