Hi, after I upgraded my FGT60D to 5.2.2, a policy is behaving very strangely, at least one...
For example, I have a policy ACCEPT from internal (LAN) to WAN for service ALL, in short, to the internet. Now, after the upgrade, http/https is not working, but Skype, for example, is working normally. So I figured out that there is something wrong with DNS. So I made a new policy just for DNS, and now http/https is working.
So my question is: why is this necessary after the upgrade!? Is it not enough to use SERVICE "ALL"!?
I confirm a similar issue with the same build of FortiOS on a FortiWifi 60C.
In our case, on this specific FortiWifi, we also have a policy that allows all outbound traffic from an internal network to the Internet on all ports/protocols (using the ALL service).
Until the update to the 5.2 branch, there were no issues with this rule. After the update to the latest release, users began reporting issues with their Internet access. In the logs, we saw many entries about denied DNS requests, labeled with a threat level of "high", which is rather strange.
After 2 hours of trial and error and some "googling", we added a new policy that explicitly accepts outbound DNS requests, and then the Internet connectivity was back. We later refined the rule to add only those services that are really needed.
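As an added example (not code from either poster), here is a small Python script that triages FortiGate traffic-log lines for denied DNS flows, the symptom both replies describe, so an admin can confirm it from the logs before touching policy. The sample lines are constructed, and the field names it reads (action, service, dstport, srcip, policyid, crlevel) are assumed to follow FortiGate's key=value traffic-log format.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate's key=value traffic-log style (not taken from the thread).
# Field names are assumptions; adjust the parser if your unit emits different keys.
# policyid=0 is FortiOS's implicit deny, i.e. the flow matched no explicit policy.
SAMPLE_LOGS = """\
date=2015-03-01 time=10:01:02 type=traffic subtype=forward level=notice action=deny srcip=192.0.2.10 dstip=198.51.100.53 srcport=51000 dstport=53 proto=17 service=DNS policyid=0 crlevel=high
date=2015-03-01 time=10:01:03 type=traffic subtype=forward level=notice action=accept srcip=192.0.2.10 dstip=198.51.100.8 srcport=51001 dstport=443 proto=6 service=HTTPS policyid=1 crlevel=low
date=2015-03-01 time=10:01:04 type=traffic subtype=forward level=notice action=deny srcip=192.0.2.11 dstip=198.51.100.53 srcport=51002 dstport=53 proto=17 service=DNS policyid=0 crlevel=high
date=2015-03-01 time=10:01:05 type=traffic subtype=forward level=notice action=accept srcip=192.0.2.11 dstip=198.51.100.53 srcport=51003 dstport=53 proto=17 service=DNS policyid=2 crlevel=low
"""

# key=value pairs; values may be quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (quotes around values are stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def denied_dns(log_text):
    """Return the parsed entries that are denied DNS flows (port 53 or service DNS)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry.get("action") != "deny":
            continue
        if entry.get("dstport") == "53" or entry.get("service", "").upper() == "DNS":
            hits.append(entry)
    return hits


def summarize(log_text):
    """Count denied DNS flows per policy id and per source so a post-upgrade spike stands out."""
    hits = denied_dns(log_text)
    return {
        "total": len(hits),
        "by_policy": dict(Counter(e.get("policyid", "?") for e in hits)),
        "by_src": dict(Counter(e.get("srcip", "?") for e in hits)),
        "high_threat": sum(1 for e in hits if e.get("crlevel") == "high"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

Feed it a real log export instead of SAMPLE_LOGS; denied DNS landing on policy id 0 means the flow matched no explicit accept policy, which is exactly the situation an explicit DNS rule resolves.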