Vichu_94 (Staff)
September 3, 2022

Technical Tip: Configuring a schedule firewall policy expiration

Description: This article describes how to configure scheduled firewall policy expiration.
Scope: FortiGate.
Solution:

This feature allows a firewall policy to be scheduled to expire after a certain period, for example a policy created for a special event on the network.

To configure firewall policy expiration in the GUI, the feature must first be enabled in Feature Visibility.

  1. Go to System -> Feature Visibility.
  2. Enable Workflow Management.

Next, go to Policy & Objects -> Firewall Policy and select 'Create New' to create the firewall policy.
After configuring the required source and destination interfaces/IP addresses, the Workflow Management section becomes visible.

By default, the policy expires in 30 days; selecting 'Specify' allows an exact date and time to be set for the expiration.

To configure the same setting on the CLI, use the following commands.

config firewall policy
    edit <Policy ID>
        set policy-expiry enable
        set policy-expiry-date 2022-10-03 15:45:12
    next
end


The date and time format to be used on the CLI is YYYY-MM-DD HH:MM:SS.

Run the following command to show all configured one-time schedules:

show firewall schedule onetime

Once the policy is added, a log entry is generated under the System Event Logs, as shown below:
Log & Report -> System Events -> General System Events:

Once a policy reaches its expiration time, a warning icon appears next to the policy name, as shown below:

When Workflow Management is enabled, a 'Summarize Change' pane opens and a summary is required. This summary is used for audit purposes. The audit trail is only supported on FortiGate models with disk logging.

To review the Audit Trail on the GUI, go to: Policy & Objects -> Firewall Policy.

Edit the desired policy. In the right-side panel, select Audit Trail.

This opens the 'Audit trail for Firewall Policy' pane, which displays the change summaries.

NOTE: When a policy has expired, running the debug flow commands below produces the output shown further down for any traffic matching the expired policy; the relevant line is the 'policy-1 is not active' message.

diag debug reset
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow filter clear
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000

diag debug enable

To disable:

diag debug disable

diag debug reset

2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2390 msg="gnum-100004 policy-1 is not active"  
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2151 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_user_identity_check line=1914 msg="ret-matched"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2385 msg="policy-0 is matched, act-drop"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0

Note: The above output indicates that a policy is inactive because the policy expiration feature is enabled and the policy has reached its expiry date. If the traffic does not match any other firewall policy, it matches the implicit deny policy and is dropped.
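The following script is an added example, not part of the original article or of FortiOS: it parses debug flow output in the format shown above, groups the lines by trace_id, and flags traces where a skipped inactive (expired) policy left the traffic falling through to the implicit deny policy (policy-0, act-drop). The sample input is constructed from the six debug lines above; the field layout (trace_id=, func=, msg="...") is assumed to be stable across traces.

```python
import re
from typing import Dict, List

# Constructed sample: the debug flow lines shown in this article.
SAMPLE_TRACE = """\
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2390 msg="gnum-100004 policy-1 is not active"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2151 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_user_identity_check line=1914 msg="ret-matched"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_check_one_policy line=2385 msg="policy-0 is matched, act-drop"
2026-03-25 16:06:18 id=65308 trace_id=1 func=__iprope_fwd_check line=846 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
"""

# Assumed line layout; the closing quote of msg is optional because the pasted output may truncate it.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"?')
INACTIVE_RE = re.compile(r'policy-(\d+) is not active')
MATCHED_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')


def analyze_flow_trace(text: str) -> Dict[str, dict]:
    """Group debug flow lines by trace_id and record, per trace, the policies reported
    as 'not active' plus the policy and action that finally matched."""
    traces: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow line (e.g. a CLI prompt)
        t = traces.setdefault(m["trace"], {"inactive_policies": [], "matched_policy": None, "action": None})
        msg = m["msg"]
        inactive = INACTIVE_RE.search(msg)
        matched = MATCHED_RE.search(msg)
        if inactive:
            t["inactive_policies"].append(int(inactive.group(1)))
        elif matched:  # "policy-N is matched, act-X" is the final decision line
            t["matched_policy"] = int(matched.group(1))
            t["action"] = matched.group(2)
    return traces


def expired_policy_drops(traces: Dict[str, dict]) -> List[str]:
    """Trace ids where an inactive policy was skipped and the traffic ended on the
    implicit deny policy (policy-0, act-drop): the symptom the article describes."""
    return [tid for tid, t in traces.items()
            if t["inactive_policies"] and t["matched_policy"] == 0 and t["action"] == "drop"]


if __name__ == "__main__":
    result = analyze_flow_trace(SAMPLE_TRACE)
    for tid in expired_policy_drops(result):
        print(f"trace {tid}: inactive policies {result[tid]['inactive_policies']} -> implicit deny")
```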


Related documents:
Add Policy change summary and Policy expiration to Workflow Management

Technical Tip: Configuring a Firewall Policy which is valid only at certain days or hours by using a schedule

Technical Tip: How to apply a schedule to a firewall policy