kcheng
Staff
Description

This article describes the expected behavior of a firewall policy that is inactive because it is being used outside of its allowed schedule.
Scope

FortiGate.
Solution

A policy is configured as below that allows users to access the Internet during weekdays:

[Image: Policy.png]

The following shows the schedule configuration:

[Image: Schedule.png]

The users may not know that their Internet access is restricted by a schedule, so they may complain that it is not possible to access the Internet.

In this example, a user tries to access the Internet on the weekend, which is outside the allowed schedule.

It is possible to check the debug flow for the user with the following commands:

# diag deb flow filter saddr <source_IP>
# diag deb flow filter daddr <dest_IP>
# diag deb flow show function-name en
# diag deb flow show iprope en
# diag deb flow trace start 10
# diag deb en

When the user tries to access the resources outside the schedule, the traffic hits the implicit deny policy (policy 0) even though policy 1 is configured and enabled to allow the traffic.

The debug flow output highlights that policy 1 is not active at the time the user tried to access the Internet:

[Image: Not active.png]

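To make this behavior concrete, the following added Python example (not from the original article and not FortiOS code) models how a recurring schedule decides whether a policy is active, and how an inactive policy is skipped so the traffic falls through to the implicit deny, policy 0. The weekday 08:00-18:00 window and the timestamps are constructed assumptions, since the article's real schedule is only shown in a screenshot.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Sequence

# Constructed schedule: weekdays, 08:00-18:00 (an assumption for this example).
WEEKDAYS = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday"})


@dataclass(frozen=True)
class RecurringSchedule:
    days: FrozenSet[str]
    start: time
    end: time

    def is_active(self, at: datetime) -> bool:
        # Active only when the weekday is listed and the clock time is inside the window.
        day = at.strftime("%A").lower()
        return day in self.days and self.start <= at.time() < self.end


@dataclass(frozen=True)
class Policy:
    policy_id: int
    action: str
    schedule: Optional[RecurringSchedule] = None  # None models the "always" schedule

    def is_active(self, at: datetime) -> bool:
        return self.schedule is None or self.schedule.is_active(at)


# Policy 0 is the implicit deny that catches traffic no configured policy accepts.
IMPLICIT_DENY = Policy(policy_id=0, action="deny")
POLICY_1 = Policy(policy_id=1, action="accept",
                  schedule=RecurringSchedule(WEEKDAYS, time(8, 0), time(18, 0)))


def match_policy(policies: Sequence[Policy], at: datetime) -> Policy:
    """Return the first policy active at 'at'. A policy whose schedule is out of
    range is skipped as if it were disabled, so lookup ends at the implicit deny."""
    for policy in policies:
        if policy.is_active(at):
            return policy
    return IMPLICIT_DENY


def inactive_policy_ids(policies: Sequence[Policy], at: datetime) -> List[int]:
    """IDs of configured policies skipped because their schedule is inactive."""
    return [p.policy_id for p in policies if not p.is_active(at)]


def lookup(iso_when: str, policies: Sequence[Policy] = (POLICY_1,)) -> dict:
    """Evaluate the policy table at an ISO-8601 timestamp, e.g. '2024-06-15T10:00'."""
    at = datetime.fromisoformat(iso_when)
    hit = match_policy(policies, at)
    return {"policy": hit.policy_id, "action": hit.action,
            "inactive": inactive_policy_ids(policies, at)}
```

A Wednesday morning request matches policy 1, while the same request on Saturday reports policy 0 with policy 1 listed as inactive, mirroring what the debug flow shows.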
Inform the user about the resource access policy, or review the firewall policy to decide whether users should be allowed to access the resources outside the currently defined schedule.
