I hope you could help with the issue I am having with FortiGate 300E running OS version 60.0.12
I have created a scheduled policy from LAN to WAN to allow traffic on Thursdays from 3pm-6pm.
I have applied certain security profiles to allow Games. However, when Thursday 3pm comes and the users try to access games websites, the access is blocked by another policy, which sits below the scheduled policy and has no restrictions.
I have checked the system time and it looks to be ok and synced.
The policy is as below:
config firewall policy
    edit <policy-id>
        set name "OUT_A_LAN_INTERNET_ESPORTS"
        set srcintf "port5" "lan.140"
        set dstintf "VLAN500"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "3pm-6pm_THU"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set fsso disable
        set av-profile "default"
        set webfilter-profile "web_basic_default"
        set ips-sensor "ips_client-high"
        set application-list "app_basic_default"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end
I have noticed a strange behaviour: the same policy was triggered last Friday at 7am but not on Thursday, and when I opened the policy to all times the traffic started hitting this policy just fine.
Someone else can correct me if I'm thinking wrong, but based on what you've described I think the same clients that are allowed to game during that time are matching a different allow rule farther down that doesn't allow them to, right? When the scheduled policy becomes active it will only get matched by new connections, but if there are existing sessions on the restricted rule it will not reevaluate them until they timeout. If that's correct then the clients should just need to reboot or have you clear their sessions on the firewall and then this should work the way you designed it.
What I'm not sure is what happens at 6pm. I think existing connections are allowed to stay connected on that policy but new connections would fall down to the next one, so you might be continuing to allow gaming after 6pm unless you clear those sessions at that time also.
Perhaps you could approach this in reverse. Add a deny rule above the allow rule with the denial hours in it. If a session is established below, it will be dropped when the deny hits. Likewise when the deny rule stops, connections should again be allowed afterward. Just a thought. A deny rule won't hold sessions open like the allow rule will.
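To make the session argument in the two replies concrete, here is an added Python model (not FortiGate code and not from anyone in the thread) of first-match policy lookup with a session table that pins each flow to the accept policy it first matched. The fallback policy name, the timestamps and the flow are constructed, and "an active deny above drops established sessions" is modelled exactly as the second reply describes it.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed model, not FortiGate code: first-match policy lookup plus a session table
# that remembers which accept policy each flow hit. Names, times and the flow are made up.
@dataclass
class Policy:
    name: str
    action: str              # "accept" or "deny"
    active: object           # schedule callable: True when the policy is in effect
    games_allowed: bool = True
def thu_3pm_6pm(t):          # the "3pm-6pm_THU" schedule: Thursday, 15:00 <= t < 18:00
    return t.weekday() == 3 and 15 <= t.hour < 18

@dataclass
class Firewall:
    policies: list
    sessions: dict = field(default_factory=dict)   # flow -> name of the accept policy it hit

    def first_match(self, t):
        return next((p for p in self.policies if p.active(t)), None)   # None = implicit deny
    def handle(self, flow, t):
        """True if this flow may reach gaming sites at time t."""
        hit = self.first_match(t)
        if hit is not None and hit.action == "deny":
            self.sessions.pop(flow, None)   # an active deny above drops the session (second reply)
            return False
        if flow in self.sessions:           # existing session keeps its original policy (first reply)
            hit = next(p for p in self.policies if p.name == self.sessions[flow])
        elif hit is None:
            return False
        else:
            self.sessions[flow] = hit.name
        return hit.games_allowed
FLOW = ("10.0.140.20", "203.0.113.7", 443)     # constructed client -> games site
THU_1430, THU_1530, THU_1830 = (datetime(2024, 1, 4, h, 30) for h in (14, 15, 18))
def scenario_thread(clear_at_3pm=False):
    """The poster's layout: scheduled games-allow above an always-on allow that blocks games."""
    fw = Firewall([Policy("OUT_A_LAN_INTERNET_ESPORTS", "accept", thu_3pm_6pm, True),
                   Policy("LAN_INTERNET_DEFAULT", "accept", lambda t: True, False)])
    before = fw.handle(FLOW, THU_1430)          # 14:30: the session lands on the default policy
    if clear_at_3pm:
        fw.sessions.clear()                     # what clearing the client's sessions achieves
    return before, fw.handle(FLOW, THU_1530), fw.handle(FLOW, THU_1830)

def scenario_deny_above():
    """The inverse design: a scheduled deny above an always-on games allow."""
    fw = Firewall([Policy("BLOCK_GAMES_OUTSIDE_HOURS", "deny", lambda t: not thu_3pm_6pm(t)),
                   Policy("LAN_INTERNET_GAMES", "accept", lambda t: True, True)])
    return tuple(fw.handle(FLOW, t) for t in (THU_1430, THU_1530, THU_1830))
```

scenario_thread() stays False across 3pm because the flow's session remains pinned to the default policy, while scenario_thread(clear_at_3pm=True) turns True at 15:30 but is still True at 18:30, the leftover-session concern raised in the first reply. scenario_deny_above() returns (False, True, False), which is the behaviour the second reply is aiming for.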