FortiGate
Author: athirat (Staff)
Article Id 210727
Description: This article describes how a configuration change on the parent policy affects an existing DCERPC expectation session on FortiGate.
Scope: All FortiOS versions.
Solution:

By default on FortiGate, when a configuration change is made to a firewall policy, all existing sessions are marked 'dirty' and the subsequent packets on those sessions are re-evaluated against the policy.

However, this does not apply to expectation sessions, because they do not carry the 'may_dirty' flag. Therefore, if the parent policy for the DCERPC traffic is modified (for example, so that traffic is no longer allowed from the host), the existing expectation sessions are not marked 'dirty' and continue to pass traffic without any re-evaluation.

This is an expected behavior.

The only workaround to avoid this case is to delete the DCERPC session helper. In that case, since FortiGate can no longer set up the 'predict session', the dynamic ports must be opened manually: create a firewall policy that allows TCP/49152-65535 so that the DCERPC communication is not impacted.
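The workaround above, written out as FortiOS CLI. This is an added example and not part of the Fortinet article; the interface names "port1"/"port2", the address objects "RPC_CLIENTS"/"RPC_SERVERS", the service name "DCERPC-DYNAMIC" and the session-helper entry id <DCERPC_ID> are placeholders to be replaced with the values from your own configuration. Scoping the policy to the client and server address objects (rather than "all") keeps the opened dynamic range as narrow as the RPC traffic actually needs, and logging it makes the manually opened range visible in traffic logs.

```fortios
# Added example (not from the Fortinet article). Placeholders: port1/port2,
# RPC_CLIENTS, RPC_SERVERS, DCERPC-DYNAMIC, <DCERPC_ID>.

# 1. Find the dcerpc session-helper entries (normally one for TCP and one for UDP 135).
show system session-helper | grep -f dcerpc

# 2. Delete each dcerpc entry found above, so no expectation session is created.
config system session-helper
    delete <DCERPC_ID>
end

# 3. Define the dynamic port range that DCERPC endpoints use; FortiGate no longer
#    opens it automatically once the helper is gone.
config firewall service custom
    edit "DCERPC-DYNAMIC"
        set tcp-portrange 49152-65535
    next
end

# 4. Explicit policy for the dynamic range, scoped to the RPC clients and servers
#    only. Port 135 itself stays on the existing parent policy.
config firewall policy
    edit 0
        set name "Allow-DCERPC-Dynamic"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "RPC_CLIENTS"
        set dstaddr "RPC_SERVERS"
        set action accept
        set schedule "always"
        set service "DCERPC-DYNAMIC"
        set logtraffic all
    next
end

# 5. Verify: no DCERPC expectation sessions remain, and the new sessions on the
#    dynamic range are ordinary sessions (state shows may_dirty), so a later
#    change to this policy is re-evaluated as described in the article.
diagnose sys session list expectation
diagnose sys session filter dport 49152-65535
diagnose sys session list
diagnose sys session filter clear
```

After step 5, a session entry on the dynamic range should list 'may_dirty' in its state field; if it does not, the sessions were created before the helper was removed and will be re-created on the next connection.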
