| Description | This article describes the expected behavior of an inactive firewall policy when it is being used outside of the allowed schedule. |
| Scope | FortiGate. |
| Solution |
A policy is configured as below that allows users to access the Internet during weekdays:
The following shows the configuration of the schedule configuration:
The users may not know that their Internet access is being restricted, hence users may be complaining that it is not possible to access the Internet. In this example, user tries to access the Internet on weekend, which is out of the allowed schedule.
It is possible to check the debug flow of the user with the following command:
# diag deb flow filter saddr < source_IP> # diag deb flow filter daddr <dest_IP> # diag deb flow show function-name en # diag deb flow show iprope en # diag deb flow trace start 10 # diag deb en
When the user tries to access the resources out of the schedule, it is possible to see that the traffic is hitting the implicit deny policy (policy 0) despite there is policy 1 that was configured and enabled to allow the traffic.
It is possible to see that the debug flow filter highlighted that policy 1 is not active when the user tried to access the Internet:
Inform the user with regards to the resource access policy or review the firewall policy to determine whether to allow the users to access the resources out of the current defined schedule. |
