- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Multiple ID based policies failing in 5.0.x -...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple ID based policies failing in 5.0.x - 5.0.1
So I took the jump this weekend and upgraded from 4mr3 train to 5.0.1. Bad idea.
At my site we use user authentication to protect some sensitive networks (about 40). Policies are configured to match against specific groups in AD based on the destination of the traffic. Unfortunately Fortigate decided that they would simply remove the ability to do authentication based on destination from policies in 5.x.
There is a one line sentence in the release notes for 5.0 that states this. Unfortunately, it does not mention user authentication or anything like that. They refer to it as ID-Based policies. While accurate it does not do a very good job of calling out the change.
I realize this is a feature many may not be using, but it is a critical function for us. Way to go Fortinet on removing working features. This isn' t the first time this has happened either.
There is simply no way to know if an upgrade is going to work with the features you are using anymore and you have to play detective to hopefully find all the crumbs they put in their release notes. Other vendors have upgrade utilities and ways to check configurations. Fortigate.. nothing to my knowledge.
I certainly appreciate new features, but I would more appreciate not losing my entire weekend because the new features they put in, were put there at the expense of features I was already using.
-GM
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you elaborate on your topology?
Can you give an example of a policy that worked for you in 4.3 that will not work in 5.0?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a high level, we have a set of untrusted networks that may need to go into a set of protected networks. The protected networks have amonst other things, user authentication placed on them so that when a user tries to access them, they must first enter user/pass creds. We have about 40 of these protected networks.
In my firewall policies, I have each policy set to authenticate a user based on their destination. So for instance, untrusted network going to protected network1. Protected network 1 will have a specific ldap group assigned to it. protected network2 would have a different group, and so on for about 40 fw policies.
In 5.0 they removed the ability to have a firewall policy that was using identity based user authentication be configured using a destination network. There was also no log information upon boot, and no warning anywhere. The upgrade just changed all these rules and removed the destination parameter. So the only policy that applied to anything was the first one that was configured in the policy order. Below is an example of before and after policies:
Before
edit 271
set srcintf " any"
set dstintf " zn-RED-PROJECTS"
set srcaddr " grp-RFC1918"
set dstaddr " net-10.166.40.0/24"
set action accept
set comments " project maui"
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set utm-status enable
set groups " ldap-prj-maui"
set service " ANY"
set av-profile " av-standard"
set ips-sensor " ips-standard-srv"
set profile-protocol-options " po-standard"
next
end
next
After:
edit 271
set srcintf " any"
set dstintf " zn-RED-PROJECTS"
set srcaddr " grp-RFC1918"
set action accept
set comments " project maui"
set identity-based enable
config identity-based-policy
edit 1
set schedule " always"
set utm-status enable
set groups " ldap-prj-maui"
set dstaddr " net-10.166.40.0/24"
set service " ALL"
set av-profile " av-standard"
set ips-sensor " ips-standard-srv"
set profile-protocol-options " po-standard"
set deep-inspection-options " po-standard"
next
end
next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It' s not removed, destination address is part of the split policy criteria now.
You can see " set dstaddr net-10.166.40.0/24" within your identity-based policy rule.
edit 271 set srcintf " any" set dstintf " zn-RED-PROJECTS" set srcaddr " grp-RFC1918" set action accept set comments " project maui" set identity-based enable config identity-based-policy edit 1 set schedule " always" set utm-status enable set groups " ldap-prj-maui" set dstaddr " net-10.166.40.0/24" set service " ALL" set av-profile " av-standard" set ips-sensor " ips-standard-srv" set profile-protocol-options " po-standard" set deep-inspection-options " po-standard" next end next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is removed from the firewall policy so traffic does not match based on the destination anylonger. I agree it is in the id based portion, but it does not have any effect.
This is from the release notes for 5.0 on page 17:
ID-based firewall policy will not use destination addresses as the behavior in FortiOS v4.0 MR3.
Work around Need to re-arrange the sequence of the firewall policies that are below the identity based policy. If any of the firewall policies that are below the identity based policy has the same source as the identity based policy, those polices will not be hit. You would need to move those firewall policies above the identity based policyThis sort of presumes you have only one id based policy. That is not the case in my environment, and so the work around does not actually function.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see. In 5.0.2, there is a new option that might help with this type of topology.
For each identity-based policy, you can enable an option to fall-through to the next identity-based policy in order. In short, the option skips the implicit deny at the end of each identity-based rule set.
Perhaps you can try it out and provide some early feedback on the new option after 5.0.2 is available?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had opened a ticket regarding this. What you said previously was correct. It hadn' t occured to me that instead of having 30-40 individual policies with the destination network in them, I should have one with individual id-policies within the firewall policy.
I haven' t tested it to be sure it works, but I am fairly certain this will resolve my problem.
Unfortunately I can' t really configure it until I am on 5.x, which means I have to munge a bunch of rules together right after upgrade. Not exactly a seemless upgrade process.
Below is what I plan to do:
edit 271 set srcintf " any" set dstintf " zn-RED-PROJECTS" set srcaddr " grp-RFC1918" set action accept set identity-based enable config identity-based-policy edit 1 set schedule " always" set utm-status enable set groups " ldap-prj-maui" set dstaddr " net-10.166.40.0/24" set service " ALL" set av-profile " av-standard" set ips-sensor " ips-standard-srv" set profile-protocol-options " po-standard" set deep-inspection-options " po-standard" next edit 2 set schedule " always" set utm-status enable set groups " ldap-prj-x" set dstaddr " net-10.166.41.0/24" set service " ALL" set av-profile " av-standard" set ips-sensor " ips-standard-srv" set profile-protocol-options " po-standard" set deep-inspection-options " po-standard" next end next
Related Posts
- Moving away from Software Switches -... 218 Views
- Multiple Site to Site vs Hub... 199 Views
- Fortigate with Mikrotik Site to site... 491 Views
- Fortigate 80E Policy not being recognized 454 Views
- Need Assistance Creating Policy to Encompass... 271 Views
Labels
-
FortiGate
6,607 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
103 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
26 -
SD-WAN
26 -
FortiConnect
24 -
High Availability
22 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.