Today we updated all our FortiGate devices to 7.0.14 due to the security concerns with the ongoing attacks worldwide.
Unfortunately, after the upgrade we are facing a lot of blocked connections to applications which were working without problems before.
What I have noticed is the type of block -> local-in-policy.
Is there some new feature that I am missing, or is there a way to enable such traffic?
One of the blocked connections is a video surveillance system, running on HTTPS:
I found the issue - possibly a bug in 7.0.14.
I had an old Virtual IP, which was not used in any firewall rule, on the same source IP address. After updating from 7.0.12 to 7.0.14 the firewall defined this address as internal, thus preventing the proper routing and enforcing local-in policy.
After removing the VIP -> everything works normally and as expected. I raised a ticket to report this bug.
Just to clarify - the VSS system uses two servers with a virtual IP address, managed by them.
The problem is accessing the virtual address.
Can you share the following:
show firewall local-in-policy
This is not a bug, it's intended VIP and IP-Pool behavior from 7.0.13 onwards.
Before FortiOS 6.4.9 / 7.0.1 all IP addresses in the IP pool and VIP are considered as local IP if arp-reply is enabled (following the FortiOS logic one IP can be bound to one interface). In FortiOS 6.4.9-6.4.14 / 7.0.1-7.0.12 / 7.2.0-7.2.5 / 7.4.0, the IP pool / VIP IP addresses are no longer considered local.
This change was reverted in versions 6.4.15, 7.0.13, 7.2.6 and 7.4.1. From these versions onwards, IP pools and VIPs will again be considered as local IP addresses.
If ARP-reply is enabled on an IP-pool, the assigned IPs will be considered as being local-in, even if the IP-pool is not in use anywhere.
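The two replies above describe the same trap from both sides: a VIP that no policy uses, but that still answers ARP, becomes a local address again on 6.4.15 / 7.0.13 / 7.2.6 / 7.4.1 and later, so traffic to it is evaluated by local-in-policy instead of being forwarded. The following Python script is an added example, not code from this thread or from Fortinet; it parses a constructed FortiOS-style configuration excerpt (the `config firewall vip` / `config firewall policy` layout as printed by `show full-configuration`) and lists VIPs whose extip will be treated as local while no firewall policy references them. Assumptions: `arp-reply` is treated as enabled when the setting is absent (the default, which plain `show` output omits), and VIP groups (`vipgrp`) are not resolved, so a VIP referenced only through a group would be reported as unused.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed FortiOS-style config excerpt (not from a real device).
# "VSS-VIP" is used by policy 1; "OLD-VSS-VIP" is the stale case from the
# thread: arp-reply left at its default (enabled) and no policy references it;
# "NOARP-VIP" is unused but has arp-reply disabled, so it is not local.
SAMPLE_CONFIG = """\
config firewall vip
    edit "VSS-VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
    next
    edit "OLD-VSS-VIP"
        set extip 203.0.113.20
        set extintf "wan1"
        set mappedip "10.0.0.20"
    next
    edit "NOARP-VIP"
        set extip 203.0.113.30
        set extintf "wan1"
        set arp-reply disable
        set mappedip "10.0.0.30"
    next
end
config firewall policy
    edit 1
        set name "to-vss"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "VSS-VIP"
        set action accept
    next
end
"""


def parse_section(text: str, section: str) -> Dict[str, Dict[str, str]]:
    """Return {entry_name: {setting: raw_value}} for one `config <section>` block.

    Nested `config ... end` blocks inside an entry are skipped by depth counting;
    values are kept raw (quotes included) so multi-value settings survive.
    """
    entries: Dict[str, Dict[str, str]] = {}
    in_section = False
    depth = 0
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == f"config {section}"
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break
            depth -= 1
            continue
        if depth:
            continue
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def values(raw: str) -> List[str]:
    """Split a raw setting value such as '"A" "B"' or '203.0.113.10' into tokens."""
    return re.findall(r'"([^"]+)"', raw) or raw.split()


def referenced_addresses(policies: Dict[str, Dict[str, str]]) -> Set[str]:
    """All srcaddr/dstaddr object names used by any firewall policy."""
    refs: Set[str] = set()
    for settings in policies.values():
        for key in ("srcaddr", "dstaddr"):
            if key in settings:
                refs.update(values(settings[key]))
    return refs


def stale_local_vips(config_text: str) -> List[Tuple[str, str]]:
    """VIPs that answer ARP but are not used by any policy: (name, extip).

    On 6.4.15 / 7.0.13 / 7.2.6 / 7.4.1 and later their extip is a local address,
    so traffic to it hits local-in-policy instead of being forwarded.
    """
    vips = parse_section(config_text, "firewall vip")
    used = referenced_addresses(parse_section(config_text, "firewall policy"))
    stale = []
    for name, settings in vips.items():
        if name in used:
            continue
        if values(settings.get("arp-reply", "enable"))[0] == "disable":
            continue
        stale.append((name, values(settings.get("extip", ""))[0]))
    return stale


if __name__ == "__main__":
    for name, extip in stale_local_vips(SAMPLE_CONFIG):
        print(f"unused VIP still treated as local: {name} ({extip})")
```

Run it against a saved `show full-configuration` dump before an upgrade that crosses the 7.0.13 boundary; each VIP it reports is one to either remove (what the original poster did) or, if it must stay, to disable `arp-reply` on, so its extip is no longer claimed by the firewall itself.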
Copyright 2024 Fortinet, Inc. All Rights Reserved.