Schedule expiration for firewall policy

Question

Hi All,

On 5.4.9 I've got some users who are working around scheduled firewall rules by staying logged into apps, or by staying on the web page that will become blocked once the allowing policy's schedule ends.

Per the docs (http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Objects/Schedule%20expiration.htm) it looks like I should be able to:

config firewall policy
 edit ID
 set schedule-timeout enable

But I don't understand the documentation's directions that change the default setting for config system setting, firewall-session-dirty from check-all to check-policy-option, and then change the (only available with the system setting set) firewall policy firewall-session-dirty to check-new, like so:

config firewall policy
 edit ID
 set firewall-session-dirty check-new
 end
 
config system settings
 set firewall-session-dirty check-policy-option
end

If the default value for system setting firewall-session-dirty is check-all, won't that, well, check them all?

Or are the additional changes to the firewall policy and the system settings purely for performance reasons, since the schedule-timeout enable would force sessions to be restarted?

It seems like leaving it set to check-all would still allow the schedule-timeout to function, or am I missing something?

Any pointers on making sure that schedule termination will terminate sessions managed by the policy using the schedule?

Any catches with moving this over to 5.6.x?

Thanks.

tanr · Answer

Or, to simplify the question:  Anybody using schedule-timeout in their firewall policy objects?  If so, any comments on best ways to use it?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded