fortimaster
Contributor

Firewall action Allow in policy 0?

Hi all,

Recently I've updated my FortiGate 600E to 7.0.12 and I have a FortiAnalyzer 400E with v7.2.3. I've observed that I have a lot of Firewall "Allow action" entries matching policy 0. The traffic is not passing (there are no received packets) but it's confusing for me when I study logs. I've read the release notes and I haven't found a bug talking about this.

Why do I see an Accept action when the policy ID is 0? Thanks

srajeswaran

These are interim traffic logs generated with the Log ID of 20, and the sentdelta/rcvddelta fields filled in with an increment of bytes which are sent/received after the start of the session or previous interim traffic log.
Can you check the logs for session ID 266593319 (or any other session ID from one of these logs)? I would expect to see multiple entries for this session and the first one will have the actual policy ID.


You can find more details on interim logs on https://docs.fortinet.com/document/fortianalyzer/6.2.0/new-features/902615/fortiview-long-lived-sess...

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
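
The check suggested in the reply above (group the traffic logs by session ID, then look at the policy ID of the first entry), as an added Python example that is not part of the original thread or of Fortinet's tooling. It assumes logs exported as key=value text carrying the fields `sessionid`, `policyid`, `action` and `rcvdpkt`; the sample lines and the `suspect` flag are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in key=value style (not taken from the thread).
SAMPLE_LOGS = '''\
date=2023-09-09 time=10:00:01 logid="0000000020" type="traffic" sessionid=1001 policyid=0 action="accept" sentpkt=3 rcvdpkt=0 sentdelta=180 rcvddelta=0
date=2023-09-09 time=10:02:01 logid="0000000020" type="traffic" sessionid=1001 policyid=0 action="accept" sentpkt=6 rcvdpkt=0 sentdelta=180 rcvddelta=0
date=2023-09-09 time=10:00:05 logid="0000000020" type="traffic" sessionid=2002 policyid=7 action="accept" sentpkt=40 rcvdpkt=38 sentdelta=5200 rcvddelta=48000
date=2023-09-09 time=10:02:05 logid="0000000020" type="traffic" sessionid=2002 policyid=7 action="accept" sentpkt=90 rcvdpkt=85 sentdelta=6100 rcvddelta=51000
date=2023-09-09 time=10:01:00 logid="0000000013" type="traffic" sessionid=3003 policyid=0 action="deny" sentpkt=1 rcvdpkt=0
'''

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {k: q if q else u for k, q, u in FIELD_RE.findall(line)}

def summarize_sessions(text):
    """Group traffic logs by session ID and flag the pattern from the thread."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") == "traffic" and "sessionid" in rec:
            sessions[rec["sessionid"]].append(rec)
    report = {}
    for sid, recs in sessions.items():
        # Oldest entry first, so first_policy is the session's first log.
        recs.sort(key=lambda r: (r.get("date", ""), r.get("time", "")))
        policies = {r.get("policyid") for r in recs}
        accepted = all(r.get("action") == "accept" for r in recs)
        no_reply = all(int(r.get("rcvdpkt", 0)) == 0 for r in recs)
        report[sid] = {
            "entries": len(recs),
            "first_policy": recs[0].get("policyid"),
            # Every entry is policy 0 + accept with nothing received.
            "suspect": policies == {"0"} and accepted and no_reply,
        }
    return report

if __name__ == "__main__":
    for sid, info in sorted(summarize_sessions(SAMPLE_LOGS).items()):
        print(sid, info)
```
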

fortimaster

Thanks for your help.

If I search for session ID 266593319 I find 256 entries. The first one matches policy 0, like all the others.

I attach a picture. I think the best would be to open a case...

srajeswaran

Yes, opening a TAC ticket will be ideal for detailed investigation.
Can you run the same filter for some other sessions as well to confirm if the behavior is same?

Also, I see the logs are between Sep 9 and Sep 12. Do you see the entries for all 3 days? If so, I would suggest checking the logs for a larger duration.

Regards,

Suraj


fortimaster

I've checked other sessions and the result is the same. All match policy 0 with an allow action.

I didn't try that session for a longer time than 3 days, because it ended the same day...

I have opened a case. I'll keep you informed. Thanks!!

srajeswaran

While checking another issue I could see an internal bug reported for this issue and the fix is there in 7.2.4 onwards. Is it possible for you to upgrade to 7.2.5 (latest) and check the behavior?

Regards,

Suraj


fortimaster

I have a case open with Fortinet... Could you give me the bug ID?

On the other hand, I don't want to upgrade to a feature version... My current version is the recommended one for my firewall model and it's a mature version, not a feature one like 7.2xxx

Thanks for your help.

fortimaster
Contributor

Thanks to all. It was a bug, Fortinet is going to fix it in new 7.0 releases.
