Description
This article provides information on how to configure a schedule for firewall policies to have policies active only at select times. For example, to have policies applied during office hours, but not applied out of office hours.
Scope
FortiGate.
Solution
Create a new schedule for office hours. Go to Policy & Objects -> Schedules.
There are 2 types.
- Recurring: schedules are in effect repeatedly at specified times on specified days of the week.
- One-time: schedules are in effect only once for the period specified in the schedule.
Create a policy that allows traffic to be scheduled. An example is allowing Microsoft Outlook during normal office hours.
Configure the scheduled policy via CLI:
config firewall schedule recurring
edit "Mon-Fri"
set start 09:00
set end 18:00
set day monday tuesday wednesday thursday friday
next
end
config firewall policy
edit 4
set name "Allow_Microsoft-Outlook"
set uuid 8b555bd6-318d-51eb-9670-a10af2dd0a14
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set internet-service enable
set internet-service-name "Microsoft-Outlook"
set schedule "Mon-Fri"
set logtraffic disable
next
end
Results.
This policy will always allow the Microsoft Outlook traffic during the scheduled time.
Note:
There is an option that dictates what happens to the active sessions once the session time-out takes place:
For example, under the same policy:
config firewall policy
edit 4
set schedule-timeout enable/disable
next
end
The option Enable forces current sessions to end when the schedule object times out.
The option Disable allows them to end due to inactivity.
It is an expected behaviour to see some logs in the forward traffic even after the scheduled time. The new session will be blocked, but the old session will stay in the session table until it reaches the session expiration time (option: set schedule-timeout disable).
For more information, read this article: Technical Tip: 'Dirty' session about how firewalls evaluate sessions.
Related article:
