What is a Policy ID used for in FortiGates?

Reviewing what policy ids are and how they compare to rule sequence.

This is part of an ongoing series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

Since we've been chatting about firewalls recently, I want to clarify a term I often see misused or misunderstood: Policy ID. Most firewalls (including FortiGate) process rule entries top-down, first match wins. Because of this, it is natural to assume that the Policy ID represents the order or position of the policy in the overall sequence.

It does not.

A FortiGate policy ID is a permanent numeric identifier for a policy. When you create a new policy, you can either specify an ID manually or let FortiGate assign one automatically. Either way, that ID stays with the policy and never changes. So even if you move the policy to a higher or lower position in the list, it still has the same ID.

Why? For a few reasons:

  • Integrity and Logging - Policy IDs are used extensively in logs, diagnostics, and internal processes. Changing an ID on the fly would break historical logging and could lead to inconsistencies.
  • Simplicity of Implementation - It's simpler for the FortiGate's operating system to assign a permanent ID and manage the policy's position in the list separately.
Note: Technically speaking, it is possible to "change" the ID through creative workarounds (such as cloning the policy), but that is a lot of work and goes against recommended practice.
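To make the distinction concrete, here is an added example (not code from the original post or from Fortinet) that parses a constructed FortiGate-style `config firewall policy` block into evaluation order and resolves a traffic log's `policyid=` field back to the policy. The config excerpt and log line are constructed samples; in them, the policy with ID 2 sits at position 3, which is exactly what the log lookup returns.

```python
import re
# Constructed FortiGate-style config excerpt (not from a real device). Entries are
# listed in evaluation order; the number after "edit" is the permanent policy ID.
SAMPLE_CONFIG = """\
config firewall policy
    edit 7
        set name "allow-dns"
        set action accept
    next
    edit 12
        set name "allow-web"
        set action accept
    next
    edit 2
        set name "deny-all"
        set action deny
    next
end
"""

# Constructed traffic-log line in FortiGate key=value style (sample values only).
SAMPLE_LOG = 'type="traffic" policyid=2 srcip=10.0.0.5 dstip=203.0.113.10 action="deny"'

def parse_policy_table(config_text):
    """Return [(position, policy_id, name)] in the order the firewall evaluates them."""
    policies, current, in_block = [], {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif (m := re.fullmatch(r"edit (\d+)", line)):
            current = {"id": int(m.group(1)), "name": None}
        elif (m := re.fullmatch(r'set name "(.*)"', line)):
            current["name"] = m.group(1)
        elif line == "next":
            # Position comes from list order alone; the ID plays no part in it.
            policies.append((len(policies) + 1, current["id"], current["name"]))
    return policies

def policy_for_log_line(log_line, policies):
    """Resolve a log's policyid= field to (position, id, name); the ID is the stable key."""
    m = re.search(r"\bpolicyid=(\d+)", log_line)
    if not m:
        return None
    return next((p for p in policies if p[1] == int(m.group(1))), None)
```

Because the ID is what the log carries, moving "deny-all" up or down the list would change only the position value in the tuple; the lookup by ID 2 still finds the same policy.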

For additional information, check out the following:

How to find policy ID
This article explains how to find the IPv4 policy id for troubleshooting. Scope FortiGate. Solution Navigate to Policy and Objects -> Firewall Policy. Select the gear icon and select 'ID' as shown below. A new column 'ID' will show up on the right which shows policy IDs fo…