In our FMG I'm using policy package consistency check to check for inconsistency's withn our policies.
As for now I have troubles with one polcy where I'm getting errour about partially shadowed policies
So what did I do:
Because we wanted to block FTP and ICMP from Subnet 1 to two different hosts in our MGMT I created a rule where I'm blocking both services to those hosts...
The rules looks like this at the moment:
config firewall policy edit 1 set srcintf "LAN" set dstintf "MGMT" set srcaddr "SUBNET1" set dstaddr "IP3" "IP4" set schedule "always" set service "FTP""ICMP" set logtraffic disable set action deny next end
config firewall policy edit 2 set srcintf "LAN" set dstintf "MGMT" set srcaddr "SUBNET1" set dstaddr "all" set schedule "always" set service "ALL" set logtraffic all set action accept next end
Now every time I do a policy check I get an error that policy 2 is partially shadowed by rule 1
Something I don't understand.... In my first rule I'm using two host with action deny for two services while the second one allowes the all other traffic.
I know that I can disable the policy check but is there way to get around this?
Why does the FMG doesn't see that the first rule is an deny rule with two different hosts and services?
In my eyes every deny statement on top of the policy wil create partially shadowed policies.
What version of FMG? I found this with 6.4.6 when we first deployed FMG. And opened a ticket at TAC to complain about it. But as always, ended up "you need to file an NFR(new feature request) via SE". I haven't tried re-enabling automatic policy check since then.
That's the very latest of 7.0.x. You generally need to open a TAC ticket to file an NFR and attach the ticket number when you contact an SE. Or if you're lucky, you might be able to get a bug ID from TAC if they've gotten enough complaints and recognized necessity of changing the design.
Detecting it as "partially shadows" is fine, although that's very normal way of building up policies. But the biggest problem is the policy check fails because of this and we can't install the policy package. That's the problem.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.