Running a test FortiGate in the cloud to test some upgrade procedures.
After completing the first part, I factory reset it. After fixing the login and reloading the previous good configuration, I am having an issue that the policies quit working, and everything gets blocked by the default deny. It seems to happen after I update a policy, or create a new one. Rebooting the device seems to bring everything back. But need to figure this out.
What version of FortiOS are you running? Also, do you have any policy routes in your configuration?
No policy routes. 6.4.12
I do have the explicit proxy enabled as well. And using that, clients can get out. Those rules seem unaffected. But the "Firewall Policy" rules are affected.
It could be related to bug 769100 on release notes: https://docs.fortinet.com/document/fortigate/6.4.12/fortios-release-notes/236526/known-issues
This is fixed already in 7.0, you could upgrade to 7.0 and see if you still have the problem or not, or wait for 6.4.13.
The other suggestion would be to run "diag debug flow filter" with the source IP of the test device and see if the egress interface is expected or not. It could be you are being sent out the wrong port so you don't have a firewall policy because traffic should not flow that way. I experienced a similar issue.
One other thing I see in the logs. When it was working: srcintf=port2, dstintf=port1
Now both src and dst say port2 (internal).
Explains why it is bypassing the port2->port1 rules.
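The srcintf/dstintf observation above is something you can check mechanically across a log export rather than by eye. The script below is an added example, not something posted in this thread or shipped by Fortinet: it parses FortiOS key=value traffic-log records, flags records that hit the implicit deny (policyid 0) with the same ingress and egress interface, and reports when a given source host's logged egress interface flips away from the one first seen for it (the port1 -> port2 change described above). The log lines are constructed samples in the FortiOS traffic-log layout; the field names (srcip, srcintf, dstintf, policyid, action) are the standard ones, the values are made up.

```python
"""Spot the symptom from the thread in exported FortiGate traffic logs:
egress interface collapsing onto the ingress interface and the flow then
falling through to the implicit deny (policyid=0).

Added example; the SAMPLE_LOGS records below are constructed, not real logs.
"""
import re

# Constructed sample records in FortiOS key=value traffic-log format.
# First line: healthy state, port2 -> port1, matched policy 5.
# Lines 2-3: the broken state, port2 -> port2, implicit deny (policyid=0).
# Line 4: a legitimate intra-interface policy (port2 -> port2, accepted),
#         included so the check does not flag every same-interface record.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.2.10 srcintf="port2" dstip=192.0.2.80 dstintf="port1" policyid=5 action="accept"',
    'date=2024-01-01 time=11:22:03 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.2.10 srcintf="port2" dstip=192.0.2.80 dstintf="port2" policyid=0 action="deny"',
    'date=2024-01-01 time=11:22:04 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.2.11 srcintf="port2" dstip=192.0.2.80 dstintf="port2" policyid=0 action="deny"',
    'date=2024-01-01 time=11:22:05 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.0.2.12 srcintf="port2" dstip=10.0.2.1 dstintf="port2" policyid=7 action="accept"',
]

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Parse one FortiOS key=value record into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hairpinned_denies(lines):
    """Records where srcintf == dstintf AND the implicit deny matched.

    A same-interface record on its own is not suspicious (intra-interface
    policies exist); the combination with policyid=0 is what matches the
    symptom in the thread: the lookup chose the wrong egress interface, so no
    port2->port1 policy applied and the default deny caught the traffic.
    """
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("srcintf") == rec.get("dstintf") and rec.get("policyid") == "0":
            hits.append(rec)
    return hits


def egress_changes(lines):
    """For each srcip, report when the logged egress interface differs from
    the first one seen for that host.  Returns (time, srcip, old, new)."""
    first_seen = {}
    changes = []
    for line in lines:
        rec = parse_log(line)
        src, egress = rec.get("srcip"), rec.get("dstintf")
        if src not in first_seen:
            first_seen[src] = egress
        elif egress != first_seen[src]:
            changes.append((rec.get("time"), src, first_seen[src], egress))
    return changes


if __name__ == "__main__":
    for rec in hairpinned_denies(SAMPLE_LOGS):
        print("implicit deny with same in/out interface:", rec["time"], rec["srcip"], rec["srcintf"])
    for when, src, old, new in egress_changes(SAMPLE_LOGS):
        print(f"{when} {src}: egress changed {old} -> {new}")
```

Run it against a real export (e.g. from `execute log filter` output or the log forwarded to a syslog collector) by replacing SAMPLE_LOGS with the file's lines; the first time stamp reported by egress_changes gives you the moment to line up with the address-object or policy edit that preceded it.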
Hmm. 3rd reboot. Is working again. Made some changes in policies, so far so good. Will wait a while to see if it's still working later.
Thanks for the response. Am wanting to use this to test some upgrade procedures. Need to know it's stable first.
11:22 Pacific - Flipped out again. Was working for around 40 minutes. Made several policy rule changes over the last 40 without problems. Stopped working right after creating some new FQDN addresses and a new address group, and deleting a firewall proxy rule a couple of minutes earlier.
Yes, sounds like the issue I had. Only happens when changing address objects used in policies. I would suggest upgrading to 7.0.x or 6.4.13 when it comes out.
Any idea if there is a temporary workaround or quick fix other than rebooting?