Fortinet Forum
lobstercreed

Cannot set match-vip enable in 6.4.3

Good morning all,
I encountered something yesterday that has me really scratching my head. In 6.0.x I had set a bunch of policies with match-vip enable that no longer appear to have that setting in the CLI. Furthermore, when I go to add it to a policy that I should be able to add it to, it is not an option. Let me explain my use case to make sure we're all on the same page.
We have a full AD environment and all our internal users use it for DNS.  We have the occasional BYOD client that has Google DNS programmed so when they should be resolving a public server's internal IP they instead resolve the external IP of that system.  Policies are like this:
For external users:
interface: WAN -> DMZ
address: all -> VIP_Server01 (5.5.5.5 -> 10.10.6.70)

For internal users:
interface: LAN -> DMZ
address: all -> Server01 (10.10.6.70)
So obviously the problem was that the internal users that resolved Server01 to 5.5.5.5 could not find a matching policy, but if I changed the internal policy to use the VIP object then the majority of internal users wouldn't match either, and you can't mix VIP and regular address objects on a policy. To solve this I either needed to duplicate my policies (so that one used the VIP and one used the internal address) OR just "set match-vip enable" on any of my LAN policies with the internal DMZ address that might be reached by a misconfigured BYOD client. Surely many of y'all have run into this same thing and maybe done the same thing.
I ran into a new system I wanted to set this for yesterday, now that I'm on 6.4.x, and couldn't. It only seems to be an option if the destination address is "all", which obviously is not the behavior I want because different servers require different services to be available.

I skipped 6.2.x, but I'm curious if this was one of the things that changed in that version? Regardless of when it changed, though, I don't understand why. It's also worth noting that my old policies that had it set DO still seem to function as if it was set, but it's not visible in the CLI anymore, so I can't unset it either. Is this just a major bug? I haven't reached out to support yet but figured I'd ask if anyone else has seen this or found a guide that explains it.
Thanks! - Daniel
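As an added illustration (not part of the original post, and not a Fortinet-published configuration), here is a FortiOS CLI layout for the policies described above, showing both approaches the post mentions: "set match-vip enable" on the LAN policy (the pre-6.4.3 method) and the duplicate-policy alternative keyed on the VIP object. Interface names (wan1, lan, dmz), policy IDs, the "HTTPS" service and the VIP's extintf value are assumptions.

```text
# Added example, not from the original post or Fortinet documentation.
# Assumed interface names: wan1 (Internet), lan (internal users), dmz (Server01).

config firewall address
    edit "Server01"
        set subnet 10.10.6.70 255.255.255.255
    next
end

config firewall vip
    edit "VIP_Server01"
        set extip 5.5.5.5
        set mappedip "10.10.6.70"
        # "any" is an assumption: it lets the VIP also DNAT traffic arriving
        # on the LAN interface, which the hairpin policy (id 3) depends on.
        set extintf "any"
    next
end

config firewall policy
    # External users: WAN -> DMZ, destination is the VIP object.
    edit 1
        set name "WAN_to_Server01"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Internal users that resolve Server01 to its private address.
    edit 2
        set name "LAN_to_Server01"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        # Approach 1 (the post's pre-6.4.3 method): also match packets that
        # were DNATed by VIP_Server01, i.e. BYOD clients that resolved 5.5.5.5.
        # Per the thread, 6.4.3 and later reject this line on an accept policy.
        set match-vip enable
    next
    # Approach 2 (the duplicate-policy alternative from the post): a second
    # LAN policy whose destination is the VIP object. Use this instead of
    # match-vip on policy 2 where the option is no longer accepted.
    edit 3
        set name "LAN_to_Server01_via_VIP"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Policies 2 and 3 are shown together only to contrast the two approaches; in practice you would keep policy 2 without the match-vip line and add policy 3 for the hairpin case, which keeps VIP and regular address objects on separate policies as the post notes is required.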

mr_vaughn

We now have the same problem.

And I have many clients with FortiGates that have it for a hairpin, matching the VIP.
mr_vaughn

Command should be there in 6.4.3: https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/311620/firewall-policy

But it is not in 6.4.4.
mr_vaughn

Are you running vdoms?
lobstercreed

I've got a ticket open now (just opened yesterday) regarding this, but I've already heard from another forum (Reddit) that this was a change in behavior introduced in 6.4.3 despite what the CLI guide says. Starting with 6.4.3 it is ONLY available on a deny policy, which is idiotic (useful there too I suppose, but far less mission-critical).
I'm raising this issue with my sales team and waiting for TAC to try to provide an answer as to WHY they went and broke such an important part of our configs. It's also just lovely of them not to DOCUMENT such a drastic change, so that we could know they are moving their development in the wrong direction and stay away from these code versions.
Yes, I'm running VDOMs, but I fail to see the relevance. I verified it works the same with or without VDOMs.

akileshc
Staff

Since 6.4.3 it is only possible to use this option for DENY policies. It is not available anymore for ACCEPT policies (https://docs.fortinet.com/document/fortigate/6.4.3/fortios-release-notes/230510/changes-in-default-b...).