Hi Team,
I hope you could help with the issue I am having with FortiGate 300E running OS version 60.0.12
I have created a scheduled policy from LAN to WAN to allow traffic on Thursdays from 3pm-6pm.
I have applied certain security profiles to allow Games, however when it comes to Thursday at 3pm when the users are trying to access games website, the access is blocked by another policy which is set to be below the scheduled policy that has no restrictions.
I have checked the system time and it looks to be ok and synced.
the policy is as below:
config firewall policy edit 1041 set name "OUT_A_LAN_INTERNET_ESPORTS" set srcintf "port5" "lan.140" set dstintf "VLAN500" set srcaddr "all" set dstaddr "all" set action accept set schedule "3pm-6pm_THU" set service "ALL" set utm-status enable set logtraffic all set fsso disable set av-profile "default" set webfilter-profile "web_basic_default" set ips-sensor "ips_client-high" set application-list "app_basic_default" set profile-protocol-options "custom-default" set ssl-ssh-profile "certificate-inspection" set nat enable next end
I have noticed a strange behaviour that the same policy was triggered on last Friday at 7am but not on Thursday, and also I tried to open the policy to all time and the traffic starting hitting this policy just fine.
Any thoughts or ideas please?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Someone else can correct me if I'm thinking wrong, but based on what you've described I think the same clients that are allowed to game during that time are matching a different allow rule farther down that doesn't allow them to, right? When the scheduled policy becomes active it will only get matched by new connections, but if there are existing sessions on the restricted rule it will not reevaluate them until they timeout. If that's correct then the clients should just need to reboot or have you clear their sessions on the firewall and then this should work the way you designed it.
What I'm not sure is what happens at 6pm. I think existing connections are allowed to stay connected on that policy but new connections would fall down to the next one, so you might be continuing to allow gaming after 6pm unless you clear those sessions at that time also.
Perhaps you could approach this in reverse. Add a deny rule above the allow rule with the denial hours in it. If a session is established below, it will be dropped when the deny hits. Likewise when the deny rule stops, connections should again be allowed afterward. Just a thought. A deny rule won't hold sessions open like the allow rule will.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.