aguerriero
Explorer
July 31, 2023
Question

Fortigate SSLVPN client/server will not pass traffic unless "diag firewall iprope flush" is issued.

  • July 31, 2023
  • 4 replies
  • 4197 views

This is across multiple firewall client types running 7.0.12 and 7.2.5.

The VPN head end is running 7.2.5.

When configuring the FortiGate as an SSL VPN client connecting to another FortiGate acting as an SSL VPN concentrator, the tunnel will come up but traffic will not pass until the command "diag firewall iprope flush" is issued from the CLI. Traffic immediately starts passing as soon as the command is issued.

If the device is rebooted, it will again not be able to pass traffic until the command is run.

I guess this command could be scheduled hourly but I would rather identify the issue so the command does not need to be entered at all.

4 replies

aguerriero
Explorer
August 1, 2023

I created an automation stitch that will issue the CLI command "diag firewall iprope flush" for the log event "interface status change" (log ID 20099) with an interface status of UP.

For it to work consistently, I had to issue the same action twice, with ~15 and ~7.5 seconds of delay between trigger and actions.
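The stitch described in the post above, written out as an added FortiOS 7.x CLI illustration (this is not the original poster's configuration). The trigger, action and stitch names are assumptions, the log field name/value used to match "interface status UP" on log ID 20099 is an assumption, and the delay values approximate the ~7.5 s and ~15 s the poster mentions. The action it runs is the command that the later staff reply in this thread says should not be scheduled on a production firewall.

```fortios
# Added illustration of the workaround; names and field matching are assumed.
config system automation-trigger
    edit "intf-status-up"
        set event-type event-log
        set logid 20099
        config fields
            edit 1
                set name "status"
                set value "up"
            next
        end
    next
end

config system automation-action
    edit "iprope-flush"
        set action-type cli-script
        # Hidden diagnostic command; wipes the iprope (policy) table.
        set script "diagnose firewall iprope flush"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "flush-iprope-on-intf-up"
        set status enable
        set trigger "intf-status-up"
        config actions
            # Same action twice, as the poster found necessary; delay is in seconds.
            edit 1
                set action "iprope-flush"
                set delay 8
            next
            edit 2
                set action "iprope-flush"
                set delay 15
            next
        end
    next
end
```

The point of the illustration is how much a stitch like this does with one hidden command: every time an interface comes up, the whole policy table is cleared, which matches the breakage the poster reports a few days later.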

srajeswaran
Staff
August 1, 2023

Great finding on the workaround. Can you collect "diagnose firewall iprope list 00100004" during the issue state (before flushing the iprope table) and then collect the same command after the fix?

We can check if there is any changes to the policies and then investigate further.

aguerriero
Explorer
August 1, 2023

I ran the list and then the flush. From the image below it looks like I don't get anything from that list command after flushing.

[Image: Capture234.PNG]

New Contributor III
August 1, 2023

Hi,

Please share the below details at the time of the traffic issue:

get router info routing-table details <src IP>
get router info routing-table details <dst IP>

Do you have any policy route or SD-WAN configured at the client site?

dia sniffer packet any "host <server_IP>" 4 0 a

Regards

Priyanka

aguerriero
Explorer
August 5, 2023

The stitch actually ended up breaking some of our logging functions and also broke SSL remote access to any site that performed the iprope flush command.

We ended up enabling HA and setting the management ip on the tunnel interface.

For our specific application we only needed to add this interface on about 500 of our remote firewalls.

lol
Staff
December 14, 2023

Hello,

It should be mentioned that the "diagnose firewall iprope flush" command is a hidden command for reasons. It will wipe _all_ policies from the FortiGate and leave the iprope table empty. The FortiGate will not have any rules anymore, neither implicit nor firewall, proxy or local-in policies, and will basically act as a router.

This command should not be used on a production firewall unless recommended by support in very rare cases.

It is absolutely not recommended to run it periodically in a script.

Regards