Reorder Firewall Policies

Firewall policies are matched top-down. The first policy whose criteria match a flow is the one that fires. If you have a broad ACCEPT above a specific DENY, the DENY never matches — order matters.

When to Reorder

  • A more-specific rule isn't taking effect — it's below a broader rule.
  • You added a new DENY that should apply before existing ACCEPTs.
  • Cleanup: organizing related policies into logical sections.

Steps (GUI)

  1. Policy & Objects → Firewall Policy.
  2. Click and hold the drag handle (usually a ⋮⋮ icon on the left of each row).
  3. Drag the policy up or down.
  4. Release to drop.

The new order is saved immediately.

Steps (CLI)

config firewall policy
    move 5 before 3      # move policy ID 5 to before ID 3
    move 5 after 10      # move policy ID 5 to after ID 10
end
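As an added illustration (not FortiOS code and not part of the original page), the following Python model reproduces the top-down first-match evaluation described above and the effect of the CLI `move` command: a specific DENY sitting below a broad ACCEPT never fires until it is moved above it, and anything no policy matches falls through to the implicit deny. The policy IDs, addresses and services are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    pid: int          # policy ID, as shown in the GUI/CLI
    action: str       # "accept" or "deny"
    src: str          # source CIDR
    dst: str          # destination CIDR
    service: str      # "any" or a single service such as "tcp/22"
    hits: int = 0     # hit counter, like the policy list column


def matches(p, src, dst, service):
    return (ip_address(src) in ip_network(p.src)
            and ip_address(dst) in ip_network(p.dst)
            and p.service in ("any", service))


def evaluate(policies, src, dst, service):
    """Top-down first match. Returns (policy ID, action);
    (None, 'deny') is the implicit deny at the bottom."""
    for p in policies:
        if matches(p, src, dst, service):
            p.hits += 1
            return p.pid, p.action
    return None, "deny"


def move(policies, pid, where, ref_pid):
    """In-place equivalent of `move <pid> before|after <ref_pid>`."""
    moving = next(p for p in policies if p.pid == pid)
    policies.remove(moving)
    idx = next(i for i, p in enumerate(policies) if p.pid == ref_pid)
    policies.insert(idx if where == "before" else idx + 1, moving)


def demo():
    # Constructed policy table: a broad LAN->any ACCEPT above a specific SSH DENY.
    table = [
        Policy(1, "accept", "10.0.0.0/24", "0.0.0.0/0", "any"),
        Policy(2, "deny", "10.0.0.5/32", "0.0.0.0/0", "tcp/22"),
    ]
    flow = ("10.0.0.5", "203.0.113.10", "tcp/22")
    before = evaluate(table, *flow)   # (1, 'accept'): the DENY is shadowed
    move(table, 2, "before", 1)       # CLI: move 2 before 1
    after = evaluate(table, *flow)    # (2, 'deny'): now the DENY fires first
    unmatched = evaluate(table, "192.0.2.9", "203.0.113.10", "tcp/443")
    return before, after, unmatched, [p.pid for p in table]
```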

Rules of Thumb for Order

  1. Specific DENYs (block one source/dest/service) — at the top.
  2. Specific ACCEPTs (allow narrowly) — next.
  3. Broad ACCEPTs (LAN → WAN, etc.) — lower.
  4. Implicit deny is automatic at the bottom — you never need to add it.

Group related policies together (all VPN-related policies in one block, all DMZ policies in another) — easier to maintain.

Verify

After reordering, observe hit counts in the policy list. If a previously busy policy stops getting hits, a policy higher in the list is now catching that traffic — confirm that this is what you intended.

diagnose firewall iprope show 100004 | grep "rule "
# Lists policies in evaluation order with hit counts.

Common Issues

  • Reorder broke production traffic. Test reorders in low-traffic windows and have a rollback plan.
  • GUI shows the old order after refresh. Usually browser cache; hard-reload (Ctrl+Shift+R).
  • Drag-and-drop not working. Browser issue; use the CLI move command instead.
  • "Policy in section" feature. Some FortiOS versions group policies by "section" for visual organization — sections don't change evaluation order, just visual grouping.