Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ZafirFX
New Contributor

Created on ‎06-14-2022 05:52 AM Edited on ‎06-14-2022 05:53 AM

FortiManager and partially shadowed policies

Hi guys,

 

In our FMG I'm using policy package consistency check to check for inconsistency's withn our policies.

As for now I have troubles with one polcy where I'm getting errour about partially shadowed policies

 

So what did I do:

 

Because we wanted to block FTP and ICMP from Subnet 1 to two different hosts in our MGMT I created a rule where I'm blocking both services to those hosts...

 

The rules looks like this at the moment:

 

config firewall policy
edit 1
set srcintf "LAN"
set dstintf "MGMT"
set srcaddr "SUBNET1"
set dstaddr "IP3" "IP4"
set schedule "always"
set service "FTP""ICMP"
set logtraffic disable
set action deny
next
end

 

config firewall policy
edit 2
set srcintf "LAN"
set dstintf "MGMT"
set srcaddr "SUBNET1"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set action accept
next
end

 

Now every time I do a policy check I get an error that policy 2 is partially shadowed by rule 1

Something I don't understand.... In my first rule I'm using two host with action deny for two services while the second one allowes the all other traffic.

 

I know that I can disable the policy check but is there way to get around this? 

Why does the FMG doesn't see that the first rule is an deny rule with two different hosts and services?

 

In my eyes every deny statement on top of the policy wil create partially shadowed policies.

Labels:
1981
0 Kudos
5 REPLIES 5
Toshi_Esumi
Esteemed Contributor III

Created on ‎06-14-2022 09:26 AM Edited on ‎06-14-2022 09:26 AM

What version of FMG? I found this with 6.4.6 when we first deployed FMG. And opened a ticket at TAC to complain about it. But as always, ended up "you need to file an NFR(new feature request) via SE". I haven't tried re-enabling automatic policy check since then.

 

Toshi

1968
0 Kudos
ZafirFX
New Contributor
In response to Toshi_Esumi

Created on ‎06-16-2022 04:44 AM

At the moment I'm on 7.0.4

1963
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to ZafirFX

Created on ‎06-16-2022 12:12 PM

That's the very latest of 7.0.x. You generally need to open a TAC ticket to file an NFR and attach the ticket number when you contact an SE. Or if you're lucky, you might be able to get a bug ID from TAC if they've gotten enough complaints and recognized necessity of changing the design.

 

Toshi

1960
0 Kudos
Israel
New Contributor

Created on ‎06-23-2022 02:32 PM

If I understood it correctly, this message appears because you are blocking traffic that could be authorized by policy 2, I would not consider it an error.

1935
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Israel

Created on ‎06-23-2022 02:38 PM

Detecting it as "partially shadows" is fine, although that's very normal way of building up policies. But the biggest problem is the policy check fails because of this and we can't install the policy package. That's the problem.

 

Toshi

1932
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.