FortiGate
Kraven2323
Staff
Article Id 226281
Description
This article describes why, on FortiGate v6.4.10 running in NGFW policy-based mode, errors indicating incompatibility with NGFW Policy mode appear when certain applications are added to a firewall policy.
Scope
FortiGate v6.4.10 and above.
Solution

When adding some applications to the firewall policy, the following error may occur:

Kraven2323_0-1665472134107.png

An example of a large scan-range application that triggers this error is 'Gmail_Personal':

Kraven2323_1-1665472253067.png

  • 'Gmail_Personal' cannot be added to the firewall policy.
  • This is expected behavior in an NGFW policy-based setup.
  • The signatures of 20% of applications exceed the limit of 4096 bytes of data.
  • The 4096-byte limit is the maximum number of bytes allowed through the policy before the IPS engine declares that the signature does not match.

The maximum scan range setting is located under config ips global:

config ips global
    set ngfw-max-scan-range 4096
end

This value can be adjusted; it is set to 4096 bytes by default.

This large scan-range application is removed in version 7.0.x and later, as shown in the screenshot below:

Kraven2323_2-1665472363195.png

  • One way to make FortiGate accept such an application is to use a custom Application Group.
  • The IPS is not visible to the groups at the time of configuration, which affects what is allowed to be configured in the first place.
  • If an application could be configured previously but suddenly cannot be, the Application Signature database has been updated and the signature for that specific application now exceeds the limit.
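As an added example that is not part of the original article, the Application Group workaround in CLI form: the application is placed in a custom Application Group, and the group, rather than the application itself, is referenced from the NGFW security policy. Command names follow the FortiOS 6.4 CLI (config application group with set type application, and app-group under config firewall security-policy); the group name 'Large-Scan-Range-Apps', the application ID 99999, the policy ID 10 and the interface names are placeholders, and the real application ID should be looked up on the unit before use.

```fortios
# Added example, not from the original article. Names and IDs are placeholders.
# 1. Put the large scan-range application into a custom Application Group.
config application group
    edit "Large-Scan-Range-Apps"
        set type application
        set application 99999          # placeholder: ID of the application, e.g. Gmail_Personal
    next
end

# 2. Reference the group from the NGFW security policy instead of the application.
config firewall security-policy
    edit 10
        set name "Allow-Large-Scan-Range-Apps"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set app-group "Large-Scan-Range-Apps"
    next
end
```

The alternative described above, raising set ngfw-max-scan-range under config ips global, also works, with the caveat the article states: the value is the number of bytes allowed through the policy before the IPS engine decides a signature does not match, so a larger value means more traffic passes before that decision is made.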