vnkhwazi
New Member
November 21, 2024
Question

Schedules not working after upgrading to FortiOS 7.4.5

We have a FortiGate 201F in an HA cluster. There is a Proxy Policy that uses a schedule to filter traffic based on the time of the day. The policy was working alright, but when we upgraded to v7.4.5 build2702 it stopped working. Is there a change that affects schedules in the new version? And how do I check if a configured schedule is currently active or inactive?

3 replies

dingjerry_FTNT
Staff
November 21, 2024

Hi @vnkhwazi,

There is no change in the Schedules function.

You need to check whether the traffic is hitting the correct proxy policy or not.

Please run the following commands to collect some outputs:

di wad filter clear
di wad filter src <x.x.x.x>
di wad session list

Please also share the CLI settings of the proxy policy settings in this issue.

vnkhwazi
Author
New Member
November 22, 2024

Below is the policy configuration and the associated schedule group and schedules. I have also noted that I am seeing forward traffic matches for this policy even at the time when it is inactive. See attached screenshot.

PDC_DC_FW_P (6) # show
config firewall proxy-policy
edit 6
set uuid f0b5aa6c-45a8-51ee-0c07-eba859d91c4d
set name "NBS non working hours"
set proxy explicit-web
set dstintf "Zone_Outside"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "Non working Hours"
set logtraffic all
set utm-status enable
set ssl-ssh-profile "nbs-certificate-inspection"
set av-profile "nbs-default-av"
set webfilter-profile "nbs-unrestricted-proxy-web"
set ips-sensor "nbs-default-ips"
set application-list "nbs-unrestricted-proxy-app"
next
end


PDC_DC_FW_P (Non working Hours) # show
config firewall schedule group
edit "Non working Hours"
set member "Non Working Hours_1" "Non Working Hours_2" "Non Working Hours_3" "Non working Hours_4"
set color 3
next
end


PDC_DC_FW_P (Non Working Hours_1) # show
config firewall schedule recurring
edit "Non Working Hours_1"
set start 12:00
set end 13:30
set day monday tuesday wednesday thursday friday
set color 3
next
end


PDC_DC_FW_P (Non Working Hours_2) # show
config firewall schedule recurring
edit "Non Working Hours_2"
set start 17:00
set end 23:59
set day monday tuesday wednesday thursday friday
set color 3
next
end

PDC_DC_FW_P (Non Working Hours_3) # show
config firewall schedule recurring
edit "Non Working Hours_3"
set day sunday saturday
set color 3
next
end


PDC_DC_FW_P (Non working Hours_4) # show
config firewall schedule recurring
edit "Non working Hours_4"
set end 07:30
set day monday tuesday wednesday thursday friday
set color 15
next
end

 

Policy matches.jpg
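
An added example, not part of the thread and not Fortinet code: an offline check of when the schedule group posted above should be active, so the expected windows can be compared with the timestamps of the forward traffic log matches. It assumes a group matches when any member matches, that unset start/end default to 00:00, that start equal to end means the whole day, that an end earlier than start runs into the next day, and that the end minute is exclusive; the function names are hypothetical.

```python
import re
from datetime import datetime, time, timedelta

# Constructed input: the four posted schedules, without the color and next lines.
CONFIG = '''
edit "Non Working Hours_1"
set start 12:00
set end 13:30
set day monday tuesday wednesday thursday friday
edit "Non Working Hours_2"
set start 17:00
set end 23:59
set day monday tuesday wednesday thursday friday
edit "Non Working Hours_3"
set day sunday saturday
edit "Non working Hours_4"
set end 07:30
set day monday tuesday wednesday thursday friday
'''
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

def parse_recurring(text):
    """Map schedule name -> start, end, day set; unset start/end stay at 00:00."""
    schedules, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r'edit "(.+)"', line):
            cur = schedules[m.group(1)] = {"start": time(0), "end": time(0), "day": set()}
        elif cur is not None and (m := re.fullmatch(r"set (start|end) (\d\d):(\d\d)", line)):
            cur[m.group(1)] = time(int(m.group(2)), int(m.group(3)))
        elif cur is not None and line.startswith("set day "):
            cur["day"] = set(line.split()[2:])
    return schedules

def is_active(s, now):
    """Assumed semantics: start == end is the whole day, end < start wraps to the next day."""
    today, yesterday = DAYS[now.weekday()], DAYS[(now - timedelta(days=1)).weekday()]
    t = now.time()
    if s["start"] == s["end"]:
        return today in s["day"]
    if s["start"] < s["end"]:
        return today in s["day"] and s["start"] <= t < s["end"]  # end treated as exclusive
    return (today in s["day"] and t >= s["start"]) or (yesterday in s["day"] and t < s["end"])

def active_members(now, text=CONFIG):
    """Names of the group members that match at `now` (the firewall's local time)."""
    return [name for name, s in parse_recurring(text).items() if is_active(s, now)]

if __name__ == "__main__":
    print(active_members(datetime.now()) or "schedule group inactive")
```

Pass the firewall's local time, not the workstation's. Under the stated assumptions the posted group leaves weekdays 07:30 to 12:00 and 13:30 to 17:00 uncovered, plus the minute between 23:59 and 00:00.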

dingjerry_FTNT
Staff
November 23, 2024

Hi @vnkhwazi,

My FGT is running 7.4.5 and I just did a quick test. No issue for me.

However, I did not test with proxy policy.

My suggestion:

1) Do not use Schedule Group.
2) Create 4 new firewall policies and apply the Schedules to them individually.

Then check whether you still have this issue.

rosatechnocrat
Explorer III
November 22, 2024

As @dingjerry_FTNT mentioned, there is no change in schedules.

You can verify if the correct policy matches; this may be due to some other issue or wrong policy matching.

kolenbo2
New Member
November 24, 2024

Dig into ZTNA to replace VPN completely. Idk if Forticlient is the best solution for it but HPE has a really nice looking one called Axis Security. Also see a lot about Zscaler. I plan to try it with FortiClient and look at Axis if it’s a disaster. From what I’ve seen the biggest hurdle is Kerberos and DFS over the ZTNA connections https://speedtest.vet/ .