Description
This article describes how to configure two or more firewall schedules to control when policies take effect. The schedule parameter in a firewall policy accepts only one schedule, so multiple schedules cannot be assigned to a single policy directly.
Scope
FortiGate.
Solution
In this example, a customer needs to allow the traffic for a policy from Monday to Friday (08:00-17:30) and on Saturdays (08:00-12:00).
To achieve this, follow this procedure:
1) Firewall schedule from Monday to Friday (08:00-17:30):
config firewall schedule recurring
    edit "Monday_Friday"
        set start 08:00
        set end 17:30
        set day monday tuesday wednesday thursday friday
    next
end
2) Firewall schedule for Saturdays (08:00-12:00):
config firewall schedule recurring
    edit "weekend"
        set start 08:00
        set end 12:00
        set day saturday
    next
end
3) Configure a firewall schedule group including the above configured recurring schedules:
config firewall schedule group
    edit Custom_Schedule
        set member Monday_Friday weekend
    next
end
4) Assign the schedule group to a firewall policy and position it at the top:
config firewall policy
    edit 1
        set srcintf "Internal"
        set dstintf "WAN1"
        set srcaddr "Internal_users"
        set dstaddr "all"
        set action accept
        set schedule "Custom_Schedule"
        set schedule-timeout enable
        set service "ALL"
        set nat enable
    next
end
Enable the schedule-timeout option on the firewall policy.
The schedule in a security policy allows the matching traffic only during a specific time frame. The schedule is evaluated when a session is established: once a session has been allowed and established while the recurring schedule is active, its traffic might continue to flow after the schedule expires, for as long as the session stays open. With schedule-timeout enabled, such sessions are ended when the schedule expires.
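To check before deployment that the schedule group covers exactly the intended time windows, the schedule objects can be evaluated offline. The following is an added example, not Fortinet code: it parses the CLI text from this article (embedded as constructed input) and reports which group members are active at a given time. The function names are hypothetical, and it assumes same-day windows with the start time inclusive and the end time exclusive.

```python
from datetime import datetime, time
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

# Constructed input: the schedule objects from this article, as CLI text.
CONFIG = """
config firewall schedule recurring
    edit "Monday_Friday"
        set start 08:00
        set end 17:30
        set day monday tuesday wednesday thursday friday
    next
    edit "weekend"
        set start 08:00
        set end 12:00
        set day saturday
    next
end
config firewall schedule group
    edit Custom_Schedule
        set member Monday_Friday weekend
    next
end
"""

def parse(config):
    """Return {section: {object: {key: [values]}}}; names must not contain spaces."""
    tree, section, obj = {}, None, None
    for line in config.splitlines():
        words = [w.strip('"') for w in line.split()]
        if words[:1] == ["config"]:
            section = tree.setdefault(" ".join(words[1:]), {})
        elif words[:1] == ["edit"]:
            obj = section.setdefault(words[1], {})
        elif words[:1] == ["set"]:
            obj[words[1]] = words[2:]
    return tree

def active_members(tree, group, when):
    """Recurring schedules in `group` that are active at datetime `when`."""
    hits = []
    for name in tree["firewall schedule group"][group]["member"]:
        sched = tree["firewall schedule recurring"][name]
        start, end = (time.fromisoformat(sched[k][0]) for k in ("start", "end"))
        # Assumption: same-day window, start inclusive, end exclusive.
        if DAYS[when.weekday()] in sched["day"] and start <= when.time() < end:
            hits.append(name)
    return hits

if __name__ == "__main__":  # Saturday 12:30 is outside both windows: prints []
    print(active_members(parse(CONFIG), "Custom_Schedule", datetime(2024, 1, 6, 12, 30)))
```

An empty list means the policy would not match new sessions at that time; a non-empty list names the member schedule that opens the window.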