Skip to main content
ZafirFX
ZafirFX
New Member
June 14, 2022
Question

FortiManager and partially shadowed policies

  • June 14, 2022
  • 2 replies
  • 9699 views

Hi guys,

 

In our FMG I'm using policy package consistency check to check for inconsistency's withn our policies.

As for now I have troubles with one polcy where I'm getting errour about partially shadowed policies

 

So what did I do:

 

Because we wanted to block FTP and ICMP from Subnet 1 to two different hosts in our MGMT I created a rule where I'm blocking both services to those hosts...

 

The rules looks like this at the moment:

 

config firewall policy
edit 1
set srcintf "LAN"
set dstintf "MGMT"
set srcaddr "SUBNET1"
set dstaddr "IP3" "IP4"
set schedule "always"
set service "FTP""ICMP"
set logtraffic disable
set action deny
next
end

 

config firewall policy
edit 2
set srcintf "LAN"
set dstintf "MGMT"
set srcaddr "SUBNET1"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set action accept
next
end

 

Now every time I do a policy check I get an error that policy 2 is partially shadowed by rule 1

Something I don't understand.... In my first rule I'm using two host with action deny for two services while the second one allowes the all other traffic.

 

I know that I can disable the policy check but is there way to get around this? 

Why does the FMG doesn't see that the first rule is an deny rule with two different hosts and services?

 

In my eyes every deny statement on top of the policy wil create partially shadowed policies.

2 replies

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
June 14, 2022

What version of FMG? I found this with 6.4.6 when we first deployed FMG. And opened a ticket at TAC to complain about it. But as always, ended up "you need to file an NFR(new feature request) via SE". I haven't tried re-enabling automatic policy check since then.

 

Toshi

    ZafirFX
    ZafirFXAuthor
    New Member
    June 16, 2022

    At the moment I'm on 7.0.4

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    June 16, 2022

    That's the very latest of 7.0.x. You generally need to open a TAC ticket to file an NFR and attach the ticket number when you contact an SE. Or if you're lucky, you might be able to get a bug ID from TAC if they've gotten enough complaints and recognized necessity of changing the design.

     

    Toshi

      Israel
      Israel
      New Member
      June 23, 2022

      If I understood it correctly, this message appears because you are blocking traffic that could be authorized by policy 2, I would not consider it an error.

      Toshi_Esumi
      SuperUser
      Toshi_Esumi
      SuperUser
      June 23, 2022

      Detecting it as "partially shadows" is fine, although that's very normal way of building up policies. But the biggest problem is the policy check fails because of this and we can't install the policy package. That's the problem.

       

      Toshi

        cpierce
        Staff
        cpierce
        Staff
        April 15, 2024

        Toshi- to do what you are describing, this is in the settings for the particular ADOM.

        In the settings, there is an option to do Policy Checks before each install. Underneath that is an option for how Policy Checks act:

        Action When Conflicts Occur During Policy Check - You can turn this on or off. Off still allows you stop the install based on shadowed policies or continue pushing the install.

          Terms & ConditionsAccessibility statement