Description
This article provides information on how to configure a schedule policy. For example, to have policies being applied during office hours, but not applied out of office hours.
Scope
FortiGate.
Solution
Create a new schedule for office hours. Go to policy & objects -> Schedules.
There are 2 types.
- Recurring: schedules are in effect repeatedly at specified times on specified days of the week.
- One-time: schedules are in effect only once for the period specified in the schedule.
Create a policy that allows traffic to be scheduled. An example is allowing Microsoft Outlook during normal office hours.
Configure the scheduled policy via CLI:
config firewall schedule recurring
edit "Mon-Fri"
set start 09:00
set end 18:00
set day monday tuesday wednesday thursday friday
next
end
config firewall policy
edit 4
set name "Allow_Microsoft-Outlook"
set uuid 8b555bd6-318d-51eb-9670-a10af2dd0a14
set srcintf "port1"
set dstintf "port2"
set srcaddr "all"
set internet-service enable
set internet-service-name "Microsoft-Outlook"
set schedule "Mon-Fri"
set logtraffic disable
next
end
Results.
This policy will always allow the Microsoft Outlook traffic in the duration of the scheduled time.
Note:
It is an expected behaviour to see some logs in the forward traffic even after scheduled time. The new session will be blocked but the old session will stay in the session table until it reaches the session expiration time. For more information read this article Technical Tip: 'Dirty' session about how firewalls evaluate sessions.
Related srticle:
