| Description |
This article describes that the cluster may show out of sync in 'application.list' after an upgrade and how to fix it. |
| Scope | FortiGate cluster after upgrade to v7.2.x. |
| Solution |
Log into both cluster units, and enter the following commands:
config application list show | grep "allow-dns" -f
'set options allow-dns' is a default setting and default values are not shown in the 'show' command. Only via 'show full'.
Thus, if some outputs are visible:
config application list set other-application-log enable
There are two options to overcome the issue, if you see the output of above command on Primary only:
On the GUI, navigate to Security Profile -> Application Control -> 'double-click' the profile stated from the CLI output, disable the option 'Allow and Log DNS Traffic', and select 'OK'.
2. The option is actually needed: Re-enter the profile, enable the option 'Allow and Log DNS Traffic' again, and select 'OK'.
After that, the setting should not be visible with the 'show' command:
sh application list | grep "allow-dns" -f
There are two options to overcome the issue, if you see the output of the below command on Secondary only:
config application list show | grep "allow-dns" -f
Go inside the application list profile that you have from the output of the above command, first unset the option and come out of the profile, again go into the profile and set the option to allow-dns , let's say the profile name is "WhatsApp-Block"
config application list edit "WhatsApp-Block" unset options next edit "WhatsApp-Block" set options allow-dns end
And now the cluster should be in sync again. |
