Hi all,
Recently I've updated my FortiGate 600E to 7.0.12 and I have a FortiAnalyzer 400E with v7.2.3. I've observed that I have a lot of firewall "Allow action" entries matching policy 0. The traffic is not passing (there are no received packets) but it's confusing for me when I study logs. I've read the release notes and I haven't found a bug talking about this.
Why do I see an Accept action when the policy ID is 0? Thanks
These are interim traffic logs generated with the Log ID of 20, and the sentdelta/rcvddelta fields filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
Can you check the logs for session ID 266593319 (or any other session ID from one of these logs)? I would expect to see multiple entries for this session, and the first one will have the actual policy ID.
You can find more details on interim logs on https://docs.fortinet.com/document/fortianalyzer/6.2.0/new-features/902615/fortiview-long-lived-sess...
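The check suggested in this reply, as an added Python example (not code from the thread or from Fortinet): it groups exported traffic log lines by `sessionid`, sums the interim `sentdelta`/`rcvddelta` values, and lists sessions in which no entry carries a non-zero policy ID. The sample lines are constructed, and the key=value export format and the reading of `logid` (last six digits are the message ID) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value style (not taken from the thread).
SAMPLE = '''\
logid="0000000015" type="traffic" sessionid=1001 policyid=12 action="start" sentdelta=0 rcvddelta=0
logid="0000000020" type="traffic" sessionid=1001 policyid=0 action="accept" sentdelta=1200 rcvddelta=900
logid="0000000020" type="traffic" sessionid=1001 policyid=0 action="accept" sentdelta=300 rcvddelta=150
logid="0000000020" type="traffic" sessionid=2002 policyid=0 action="accept" sentdelta=640 rcvddelta=0
logid="0000000020" type="traffic" sessionid=2002 policyid=0 action="accept" sentdelta=80 rcvddelta=0
'''

# key=value pairs, where the value is either "quoted" or a bare token
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {k: (q if u == "" else u) for k, q, u in PAIR.findall(line)}

def summarize(text):
    """Group entries by sessionid: policy IDs seen, interim count, delta sums."""
    sessions = defaultdict(
        lambda: {"policies": set(), "interim": 0, "sent": 0, "rcvd": 0})
    for line in filter(None, map(str.strip, text.splitlines())):
        rec = parse_line(line)
        if "sessionid" not in rec:
            continue
        s = sessions[rec["sessionid"]]
        s["policies"].add(int(rec.get("policyid", 0)))
        # Assumption: the last six digits of logid are the message ID (20 = interim).
        if int(rec.get("logid", "0")[-6:]) == 20:
            s["interim"] += 1
            s["sent"] += int(rec.get("sentdelta", 0))
            s["rcvd"] += int(rec.get("rcvddelta", 0))
    return dict(sessions)

def unresolved(sessions):
    """Session IDs whose entries never carry a non-zero policy ID."""
    return sorted(sid for sid, s in sessions.items() if s["policies"] <= {0})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for sid, s in summary.items():
        print(sid, sorted(s["policies"]), s["interim"], s["sent"], s["rcvd"])
    print("sessions with no real policy ID:", unresolved(summary))
```

Sessions returned by `unresolved` are the ones that do not fit the interim-log explanation and are worth attaching to a support case.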
Thanks for your help.
If I search for session ID 266593319 I find 256 entries. The first one matches policy 0, like all the others.
I attach a picture. I think the best would be to open a case...
Yes, opening a TAC ticket will be ideal for detailed investigation.
Can you run the same filter for some other sessions as well to confirm if the behavior is the same?
Also I see the logs are between Sep 9 and Sep 12, do you see the entries for all 3 days? If so, I would suggest checking the logs for a larger duration.
I've checked other sessions and the result is the same. All match policy 0 with an allow action.
I didn't try that session for a longer time than 3 days, because it ended the same day...
I have opened a case. I'll keep you informed. Thanks!!
While checking another issue I could see an internal bug reported for this issue and the fix is there in 7.2.4 onwards. Is it possible for you to upgrade to 7.2.5 (latest) and check the behavior?
Created on 09-21-2023 07:33 AM, edited on 09-21-2023 07:34 AM
I have a case open with Fortinet... Could you give me the bug ID?
On the other hand, I don't want to upgrade to a feature version... My current version is the one recommended for my firewall model and it's a mature version, not a feature one like 7.2xxx
Thanks for your help.
Thanks to all. It was a bug, Fortinet is going to fix it in new 7.0 releases.