Fortinet Forum
Medo
New Contributor

Scheduled policy is not getting triggered

Hi Team,

I hope you could help with the issue I am having with a FortiGate 300E running OS version 60.0.12.

I have created a scheduled policy from LAN to WAN to allow traffic on Thursdays from 3pm-6pm.

I have applied certain security profiles to allow Games; however, when it comes to Thursday at 3pm and the users try to access games websites, the access is blocked by another policy, which is set to be below the scheduled policy and has no restrictions.

I have checked the system time and it looks to be ok and synced.

The policy is as below:

config firewall policy
    edit 1041
        set name "OUT_A_LAN_INTERNET_ESPORTS"
        set srcintf "port5" "lan.140"
        set dstintf "VLAN500"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "3pm-6pm_THU"
        set service "ALL"
        set utm-status enable
        set logtraffic all
        set fsso disable
        set av-profile "default"
        set webfilter-profile "web_basic_default"
        set ips-sensor "ips_client-high"
        set application-list "app_basic_default"
        set profile-protocol-options "custom-default"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

I have noticed a strange behaviour: the same policy was triggered last Friday at 7am but not on Thursday, and also, when I tried to open the policy to all times, the traffic started hitting this policy just fine.

Any thoughts or ideas please?

2 REPLIES
lobstercreed
Valued Contributor

Someone else can correct me if I'm thinking wrong, but based on what you've described I think the same clients that are allowed to game during that time are matching a different allow rule farther down that doesn't allow them to, right? When the scheduled policy becomes active it will only get matched by new connections, but if there are existing sessions on the restricted rule it will not reevaluate them until they time out. If that's correct then the clients should just need to reboot, or have you clear their sessions on the firewall, and then this should work the way you designed it.

What I'm not sure of is what happens at 6pm. I think existing connections are allowed to stay connected on that policy, but new connections would fall down to the next one, so you might be continuing to allow gaming after 6pm unless you clear those sessions at that time also.

rwpatterson
Valued Contributor III

Perhaps you could approach this in reverse. Add a deny rule above the allow rule with the denial hours in it. If a session is established below, it will be dropped when the deny hits. Likewise, when the deny rule stops, connections should again be allowed afterward. Just a thought. A deny rule won't hold sessions open like the allow rule will.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
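The two suggestions above (clear the stale sessions on the lower policy, or put a deny rule with the denial hours above the allow rules), written out as FortiOS CLI. This is an added example, not configuration from the original poster or from either reply. Interface names port5, lan.140 and VLAN500 and policy ID 1041 come from the original post; policy ID 1042, the schedule and schedule-group names, the address object GAMES_SERVERS and the placeholder policy ID 9999 are assumptions. The commands are written from memory of the FortiOS CLI and should be checked against the CLI reference for the firmware in use.

```text
# Added example (not from the original post or replies): FortiOS CLI for the
# "deny during the off-hours" approach plus the session checks from the first
# reply. Policy 1042, the schedule/group names, GAMES_SERVERS and policy 9999
# are assumptions; port5, lan.140, VLAN500 and policy 1041 are from the post.

# 1. Denial hours: every time except Thursday 15:00-18:00, expressed as three
#    recurring schedules collected into one schedule group.
config firewall schedule recurring
    edit "GAMES_DENY_OTHER_DAYS"
        set day sunday monday tuesday wednesday friday saturday
        set start 00:00
        set end 23:59
    next
    edit "GAMES_DENY_THU_AM"
        set day thursday
        set start 00:00
        set end 15:00
    next
    edit "GAMES_DENY_THU_PM"
        set day thursday
        set start 18:00
        set end 23:59
    next
end
config firewall schedule group
    edit "GAMES_DENY_HOURS"
        set member "GAMES_DENY_OTHER_DAYS" "GAMES_DENY_THU_AM" "GAMES_DENY_THU_PM"
    next
end

# 2. Deny policy for the game destinations during those hours. A deny policy
#    matches on address and service, not on application signatures, so the
#    game servers need an address object (GAMES_SERVERS, assumed). Deny
#    policies create no sessions, so nothing is held open across the
#    schedule boundary.
config firewall policy
    edit 1042
        set name "DENY_LAN_INTERNET_GAMES_OFFHOURS"
        set srcintf "port5" "lan.140"
        set dstintf "VLAN500"
        set srcaddr "all"
        set dstaddr "GAMES_SERVERS"
        set action deny
        set schedule "GAMES_DENY_HOURS"
        set service "ALL"
        set logtraffic all
    next
    # Place the deny above the scheduled allow (1041) and the general allow
    # below it, so it is evaluated first.
    move 1042 before 1041
end

# 3. If the scheduled allow is kept, have FortiOS end its sessions when the
#    schedule expires instead of letting them run on past 18:00. The
#    schedule-timeout option is assumed to be available in the firmware in
#    use; confirm it in the CLI reference.
config firewall policy
    edit 1041
        set schedule-timeout enable
    next
end

# 4. Checks: confirm the clock the schedule is evaluated against, then list
#    and, if needed, clear sessions that matched the lower unrestricted
#    policy (9999 is a placeholder for its ID) so the clients re-match the
#    scheduled policy once it is active. Without a filter,
#    "diagnose sys session clear" drops every session on the unit.
execute date
execute time
diagnose sys session filter clear
diagnose sys session filter policy 9999
diagnose sys session list
diagnose sys session clear
```

The session filter in step 4 is the quickest way to confirm the first reply's explanation: if clients are still listed against the lower policy after 3pm on Thursday, those sessions were established before the window opened and were never re-evaluated.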