FortiGate
dshiraddi
Staff
Article Id 193508

Description


This article describes how to configure a schedule for firewall policies so that they are active only at specific times, for example to apply a policy during office hours but not outside them.

Scope

FortiGate.


Solution


Create a new schedule for office hours. Go to Policy & Objects -> Schedules.

There are two types:

  • Recurring: schedules are in effect repeatedly at specified times on specified days of the week.
  • One-time: schedules are in effect only once for the period specified in the schedule.


Create a policy that allows the scheduled traffic. An example is allowing Microsoft Outlook during normal office hours.

Configure the scheduled policy via CLI:

 

config firewall schedule recurring
    edit "Mon-Fri"
        set start 09:00
        set end 18:00
        set day monday tuesday wednesday thursday friday
    next
end

 

config firewall policy
    edit 4
        set name "Allow_Microsoft-Outlook"
        set uuid 8b555bd6-318d-51eb-9670-a10af2dd0a14
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set internet-service enable
        set internet-service-name "Microsoft-Outlook"
        set schedule "Mon-Fri"
        set logtraffic disable
    next
end

 

Results:
This policy will always allow the Microsoft Outlook traffic during the scheduled time.

Note:

There is an option that dictates what happens to the active sessions once the schedule times out. For example, under the same policy:

 

config firewall policy
    edit 4
        set schedule-timeout enable/disable
    next
end

 

With 'enable', current sessions are forced to end when the schedule object times out.

With 'disable', current sessions are allowed to end due to inactivity.

 

It is expected behaviour to see some entries in the forward traffic log even after the scheduled time. New sessions will be blocked, but existing sessions stay in the session table until they reach their session expiration time (with 'set schedule-timeout disable').

 

For more information on how the firewall re-evaluates existing sessions, read the article Technical Tip: 'Dirty' session.

 

When the 'schedule-timeout' option is enabled in the firewall policy, FortiGate adds a flag called 'hlife' to the iprope table entry and to the session details. This lets the administrator see that the traffic is matching a policy that has a schedule with the 'schedule-timeout' option enabled. Below is an example of both outputs.

 

diagnose sys session list

session info: proto=1 proto_state=00 duration=17 expire=42 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 hlife ----> hlife flag
statistic(bytes/packets/allow_err): org=28/1/1 reply=28/1/1 tuples=2
tx speed(Bps/kbps): 1/0 rx speed(Bps/kbps): 1/0
orgin->sink: org pre->post, reply pre->post dev=12->11/11->12 gwy=10.5.191.254/0.0.0.0
hook=post dir=org act=snat 10.110.18.185:35191->1.1.1.1:8(10.5.128.164:35191)
hook=pre dir=reply act=dnat 1.1.1.1:35191->10.5.128.164:0(10.110.18.185:35191)
misc=0 policy_id=1 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0
serial=00617dff tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
total session 1

 

# diag firewall iprope list 100004

policy index=1 uuid_idx=15746 action=accept
flag (8050109): log redir nat master use_src pol_stats
flag2 (7000): hlife log_fail resolve_sso ----> hlife flag
flag3 (a0): link-local best-route
schedule(VQMC)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 12 -> zone(1): 11
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15732,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15732,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
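As an added example (not part of the original article or of FortiOS), the following Python script parses 'diagnose sys session list' output, checks each session on the scheduled policy for the 'hlife' flag, and reports whether a session still present outside the schedule window is expected (no 'hlife', lingering until inactivity) or unexpected (with 'hlife', it should have ended with the schedule). The schedule object, the policy id 4 and the session sample are constructed to mirror the article's configuration; the sample keeps only the lines the parser needs.

```python
import re
from datetime import datetime, time

# Constructed schedule mirroring the article's "Mon-Fri" recurring object.
MON_FRI = {"days": {0, 1, 2, 3, 4}, "start": time(9, 0), "end": time(18, 0)}

# Constructed sample of 'diagnose sys session list' output, trimmed to the
# lines the parser uses: two sessions on policy 4, one with 'hlife' set.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=17 expire=3580 timeout=3600 flags=00000000 use=3
state=log may_dirty npu f00 hlife
misc=0 policy_id=4 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=900 expire=2700 timeout=3600 flags=00000000 use=3
state=log may_dirty npu f00
misc=0 policy_id=4 pol_uuid_idx=15746 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

def schedule_active(sched, when):
    """True when 'when' (a datetime) falls inside the recurring schedule window."""
    return when.weekday() in sched["days"] and sched["start"] <= when.time() < sched["end"]

def parse_sessions(text):
    """Extract policy id, remaining expire seconds and state flags per session."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        if not block.startswith("session info:"):
            continue
        expire = re.search(r"\bexpire=(\d+)", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        state = re.search(r"(?m)^state=(.*)$", block)
        flags = set(state.group(1).split()) if state else set()
        sessions.append({"policy_id": int(policy.group(1)), "expire": int(expire.group(1)), "hlife": "hlife" in flags})
    return sessions

def audit(text, policy_id, sched, now_iso):
    """Classify each session on the scheduled policy as seen at ISO time 'now_iso'."""
    now = datetime.fromisoformat(now_iso)
    report = []
    for s in parse_sessions(text):
        if s["policy_id"] != policy_id:
            continue
        if schedule_active(sched, now):
            report.append("in-window")
        elif s["hlife"]:
            report.append("unexpected: hlife set, session should have ended with the schedule")
        else:
            report.append("expected: lingers until inactivity, %ds left" % s["expire"])
    return report
```

Running audit(SAMPLE, 4, MON_FRI, "2024-01-15T19:00") reports the first session as unexpected and the second as expected to linger for another 2700 seconds.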

 

Related article:

Technical Tip: Configuring a Firewall Policy which is valid only at certain days or hours by using a...