Description | This article describes how a parent policy configuration change affects an existing DCERPC expectation session on FortiGate |
Scope | All FortiOS versions. |
Solution |
By default on FortiGate, when a configuration change is made on a firewall policy, all existing sessions matching that policy are marked 'dirty' and the subsequent packets on those sessions are re-evaluated.
However, this does not apply to expectation sessions, since they do not carry the 'may_dirty' flag. Therefore, if the parent policy for the DCERPC traffic is modified (for example so that traffic is no longer allowed from the host), the existing expectation sessions are not marked 'dirty' and continue to pass traffic without any re-evaluation. This is expected behavior.
The only workaround to avoid this case is to delete the DCERPC session helper. However, once the helper is removed, FortiGate can no longer set up the 'predict session' (expectation session) itself, so a firewall policy must be created manually to open ports TCP/49152-65535 so that the DCERPC communication is not impacted. |
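The workaround above on the FortiOS CLI, as an added example that is not part of the article: the session-helper ID, interface names and address objects ("port1", "port2", "RPC_CLIENTS", "RPC_SERVER") are placeholders and must be replaced with the values on the unit.

```text
# Step 1: find the DCERPC session-helper entries (name dcerpc, TCP/UDP port 135)
# and delete them by their ID. <ID> is a placeholder for the ID shown on the unit.
show system session-helper
config system session-helper
    delete <ID>
end

# Step 2: define a service for the dynamic port range named in the article.
config firewall service custom
    edit "DCERPC-DYNAMIC-TCP"
        set tcp-portrange 49152-65535
    next
end

# Step 3: allow that range only between the RPC client and server address objects
# (assumed to already exist), so the policy is as narrow as the helper was.
config firewall policy
    edit 0
        set name "DCERPC-dynamic-ports"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "RPC_CLIENTS"
        set dstaddr "RPC_SERVER"
        set action accept
        set schedule "always"
        set service "DCERPC-DYNAMIC-TCP"
        set logtraffic all
    next
end
```

Because this policy replaces the per-connection port tracking the helper provided, keep srcaddr and dstaddr limited to the hosts that actually exchange DCERPC, and log the traffic so the open range stays visible in review.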
Copyright 2024 Fortinet, Inc. All Rights Reserved.