FortiGate
ssavin
Staff
Article Id 282170
Description

This article explains why, after a software upgrade between major releases, traffic that previously matched policies containing an ISDB object correctly no longer matches those policies, and offers a solution.

Scope

FortiGate.

Solution

When performing a major version upgrade (such as from 6.2 to 6.4, 6.4 to 7.0, etc.), policies that contain ISDB objects do not match traffic correctly for some time immediately after the upgrade.

This issue occurs because after each major version upgrade, the ISDB database is discarded by default and a new version matching the new OS needs to be downloaded.
Immediately after the upgrade, the following can be seen in the CLI:

diag autoupdate versions

................
Internet-service Database Apps
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Oct 31 15:01:14 2023
Result: No Updates

Internet-service Full Database Maps
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Oct 31 15:01:14 2023
Result: No Updates
.................

The database will be populated once the automatic update process starts; this is occasionally delayed because other processes take precedence. Traffic loss may occur in the meantime.

It is highly recommended to start the update process manually after the upgrade so that traffic downtime is kept to a minimum. Use the following CLI commands to do so:

diag debug application update -1
diag debug enable
execute update-now

Once the update process has ended, check the ISDB status using the command 'diag autoupdate versions'.
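The following is an added example, not part of this article or of any Fortinet tool. It parses the text of 'diag autoupdate versions' (as pasted from a CLI session or collected by a monitoring script) and flags Internet-service sections whose version is still 0.00000, which is the state shown above immediately after a major upgrade. It serves both steps of this article: deciding whether to run 'execute update-now' and confirming afterwards that the ISDB has been populated. The two sample outputs are constructed for the example; the first mirrors the excerpt in this article, and the version numbers and dates in the second are placeholders, not a real ISDB release.

```python
"""Check ISDB readiness from the output of `diag autoupdate versions`.

Added example, not part of the Fortinet article. Sample outputs are
constructed; post-update version numbers and dates are placeholders.
"""

# Constructed from the article's excerpt: state right after a major upgrade.
SAMPLE_AFTER_UPGRADE = """\
diag autoupdate versions

................
Internet-service Database Apps
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Oct 31 15:01:14 2023
Result: No Updates

Internet-service Full Database Maps
---------
Version: 0.00000
Contract Expiry Date: n/a
Last Updated using manual update on Mon Jan 1 00:00:00 2001
Last Update Attempt: Tue Oct 31 15:01:14 2023
Result: No Updates
.................
"""

# Constructed: the same sections once `execute update-now` has populated
# the database. Version strings and dates are placeholders.
SAMPLE_AFTER_UPDATE = """\
Internet-service Database Apps
---------
Version: 7.03000
Contract Expiry Date: Wed Dec 31 00:00:00 2025
Last Updated using manual update on Tue Oct 31 15:20:41 2023
Last Update Attempt: Tue Oct 31 15:20:41 2023
Result: Updates Installed

Internet-service Full Database Maps
---------
Version: 7.03000
Contract Expiry Date: Wed Dec 31 00:00:00 2025
Last Updated using manual update on Tue Oct 31 15:20:41 2023
Last Update Attempt: Tue Oct 31 15:20:41 2023
Result: Updates Installed
"""


def parse_autoupdate_versions(text):
    """Return {section title: {field: value}} for each section in the output.

    A section is a title line followed by a line of dashes. The
    "Last Updated using ..." line carries a timestamp with colons and no
    separating colon of its own, so it is stored under the key 'Last Updated'.
    Dotted elision lines and the echoed command are ignored.
    """
    sections = {}
    current = None
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith("."):
            continue
        if i + 1 < len(lines) and lines[i + 1].strip().startswith("---"):
            current = line              # title line: next line is the dash rule
            sections[current] = {}
            continue
        if line.startswith("---") or current is None:
            continue
        if line.startswith("Last Updated using"):
            sections[current]["Last Updated"] = line[len("Last Updated "):]
        elif ":" in line:
            key, value = line.split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _is_empty_version(version):
    """0.00000 (or a missing/unparseable version) means the DB is not loaded."""
    try:
        return float(version) == 0.0
    except (TypeError, ValueError):
        return True


def stale_isdb_sections(sections):
    """Titles of Internet-service sections whose database is still empty."""
    return [
        title for title, fields in sections.items()
        if title.startswith("Internet-service")
        and _is_empty_version(fields.get("Version"))
    ]


def isdb_ready(text):
    """True when the output lists ISDB sections and none is at version 0."""
    sections = parse_autoupdate_versions(text)
    has_isdb = any(t.startswith("Internet-service") for t in sections)
    return has_isdb and not stale_isdb_sections(sections)


if __name__ == "__main__":
    for label, output in (("after upgrade", SAMPLE_AFTER_UPGRADE),
                          ("after update-now", SAMPLE_AFTER_UPDATE)):
        stale = stale_isdb_sections(parse_autoupdate_versions(output))
        print(f"{label}: ready={isdb_ready(output)} stale={stale}")
```

When the check reports stale sections after the manual update has finished, the update either has not run yet or failed; re-run 'execute update-now' with the debug output enabled as shown above and read the 'Result:' line of the affected section.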