cyodesigns
New Contributor

GUI Policy Lookup with FSSO Group

Hi,

I have a FortiGate 3200D running 6.4.11. When I do a Policy Lookup in the 'Firewall Policy' section of the GUI, if I have 'normal' subnet groups in the source and destination (and no FSSO groups), the Policy Lookup will highlight the precise policy in the GUI that allows the traffic, as expected, or give a message that no suitable policy was found. However, if in addition to the 'normal' subnet groups in the Firewall Policy there is also a Group Type of FSSO Single Sign-On (in the source or destination), no policy is ever returned by Policy Lookup. This happens if I am using a source/destination IP from within the range of the 'normal' subnet groups within the Firewall Policy. Is this expected behaviour?

Note there is no equivalent PBR in place which could interfere with the traffic.

The only difference I can see between policies that work and those that don't is the addition of FSSO groups. Also, I am not referring to Firewall Policies that only have FSSO groups in either the source or destination, but Firewall Policies that have both 'normal' subnet groups AND FSSO type groups.

Has anyone seen this before?

Thanks

Mark

5 REPLIES
Anthony_E
Community Manager

Hello Mark,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
cyodesigns

Hi Anthony,

It would be good if someone with a version 7.x FortiGate could test a 'Policy Lookup' with/without FSSO groups. Can anyone do that?

Regards
Mark

Anthony_E
Community Manager

Hi Mark,

I will share your post with a FortiGate expert and we will come back to you ASAP.

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hi Mark,

Our engineers will proceed with the test and will come back to you.

Regards,

Anthony-Fortinet Community Team.
akanibek
Staff

Hi Mark,

It should be expected behavior; firewall policy lookup does not show the matched policy if the policy has an authentication group on it.