Possible Bug: VPN Tunnel Name Change causes Firewall Policies to not work
I don't know if this is the correct place to post this but we found a possible bug. We had our test IPSec Dialup tunnel successfully setup and routing rules implemented. Last week our team started converting the setting from our test setup to how we want our production settings to be.
During this process the team changed the PSK, Peer ID and name of the VPN tunnel. After these changes were saved, traffic was no longer being routed to the correct destination. I found that DNS queries were traveling down the tunnel and traffic was being denied. We changed everything back to the way it was during testing and there was no change in behavior. Everything was still being blocked.
Then I was reviewing the interface for the VPN tunnel and noticed that 'Security Fabric Connection' was still checked from a previous test we were working on. I unchecked the box, clicked OK, and all traffic for the VPN tunnel started routing correctly again.
So I went back to the VPN tunnel and changed the name again. As soon as that happens the VPN tunnel drops. I connect back and traffic is again blocked. I now go to the interface for the VPN tunnel and check 'HTTPS' and click ok. Traffic immediately starts flowing again. I then uncheck 'HTTPS' and traffic still flows.
So it seems that renaming tunnels can cause an issue with how the firewall evaluates the traffic, causing unintended routing problems. Hopefully this helps someone in the future, as it was by pure luck that we found the problem.
We are currently running 7.4.8 with FortiClient 7.4.3.
