Good morning all,
I encountered something yesterday that has me really scratching my head. In 6.0.x I had set a bunch of policies with match-vip enable that no longer appear to have that setting in the CLI. Furthermore, when I go to add it to a policy that I should be able to add it to, it is not an option. Let me explain my use-case to make sure we're all on the same page.
We have a full AD environment and all our internal users use it for DNS. We have the occasional BYOD client that has Google DNS programmed so when they should be resolving a public server's internal IP they instead resolve the external IP of that system. Policies are like this:
For external users:
interface: WAN -> DMZ
address: all -> VIP_Server01 (5.5.5.5 -> 10.10.6.70)
For internal users:
interface: LAN -> DMZ
address: all -> Server01 (10.10.6.70)
So obviously the problem was that the internal users that resolved Server01 to 5.5.5.5 could not find a matching policy but if I changed the internal policy to use the VIP object then the majority of internal users wouldn't match either, and you can't mix VIP and regular address objects on a policy. To solve this I either needed to duplicate my policies (so that one used the VIP and one used the internal address) OR just "set match-vip enable" on any of my LAN policies with the internal DMZ address that might be reached by a misconfigured BYOD client. Surely many of y'all have run into this same thing and maybe done the same thing.
I ran into a new system I wanted to set this for yesterday now that I'm on 6.4.x and couldn't. It only seems to be an option if the destination address is "all" which obviously is not the behavior I want because different servers require different services to be available.
I skipped 6.2.x, but I'm curious if this was one of the things that changed in that version? Regardless of when it changed though I don't understand why. It's also worth noting that my old policies that had it set DO still seem to function as if it was set, but it's not visible in the CLI anymore so I can't unset it either. Is this just a major bug? I haven't reached out to support yet but figured I'd ask if anyone else has seen this or found a guide that explains it.
Thanks! - Daniel
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We now have the same problem..
And I have many clients with Fortigates that have it for a hairpin. mathcing the VIP
Command should be there in n 6.4.3 https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/311620/firewall-policy
But it is not in 6.4.4.
Are you running vdoms?
I've got a ticket open now (just opened yesterday) regarding this but I've already heard from another forum (Reddit) that this was a change in behavior introduced in 6.4.3 despite what the CLI guide says. Starting with 6.4.3 it is ONLY available on a deny policy which is idiotic (useful there too I suppose, but far less mission-critical).
I'm raising this issue with my sales team and waiting for TAC to try to provide an answer as to WHY they went and broke such an important part of our configs. It's also just lovely of them not to DOCUMENT such a drastic change so that we could know they are moving their development in the wrong direction and to stay away from these code versions.
Yes, I'm running VDOMs but I fail to see the relevance. I verified it works the same with or without VDOMs.
Since 6.4.3 it is only possible to use this option for DENY policies. It is not available anymore for ACCEPT policies (https://docs.fortinet.com/document/fortigate/6.4.3/fortios-release-notes/230510/changes-in-default-b...)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.