vnkhwazi
New Contributor

Schedules not working after upgrading to FortiOS 7.4.5

We have a FortiGate 201F in an HA cluster. There is a proxy policy that uses a schedule to filter traffic based on the time of day. The policy was working alright, but when we upgraded to v7.4.5 build2702 it stopped working. Is there a change that affects schedules in the new version? And how do I check if a configured schedule is currently active or inactive?

Vitu
dingjerry_FTNT

Hi @vnkhwazi,

There is no change in the Schedules function.

You need to check whether the traffic is hitting the correct proxy policy or not.

Please run the following commands to collect some outputs:

di wad filter clear
di wad filter src <x.x.x.x>
di wad session list

Please also share the CLI settings of the proxy policy in this issue.

Regards,

Jerry
vnkhwazi

Below are the policy configuration and the associated schedule group and schedules. I have also noted that I am seeing forward traffic matches for this policy even at times when it is inactive. See attached screenshot.

PDC_DC_FW_P (6) # show
config firewall proxy-policy
edit 6
set uuid f0b5aa6c-45a8-51ee-0c07-eba859d91c4d
set name "NBS non working hours"
set proxy explicit-web
set dstintf "Zone_Outside"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "Non working Hours"
set logtraffic all
set utm-status enable
set ssl-ssh-profile "nbs-certificate-inspection"
set av-profile "nbs-default-av"
set webfilter-profile "nbs-unrestricted-proxy-web"
set ips-sensor "nbs-default-ips"
set application-list "nbs-unrestricted-proxy-app"
next
end


PDC_DC_FW_P (Non working Hours) # show
config firewall schedule group
edit "Non working Hours"
set member "Non Working Hours_1" "Non Working Hours_2" "Non Working Hours_3" "Non working Hours_4"
set color 3
next
end


PDC_DC_FW_P (Non Working Hours_1) # show
config firewall schedule recurring
edit "Non Working Hours_1"
set start 12:00
set end 13:30
set day monday tuesday wednesday thursday friday
set color 3
next
end


PDC_DC_FW_P (Non Working Hours_2) # show
config firewall schedule recurring
edit "Non Working Hours_2"
set start 17:00
set end 23:59
set day monday tuesday wednesday thursday friday
set color 3
next
end

PDC_DC_FW_P (Non Working Hours_3) # show
config firewall schedule recurring
edit "Non Working Hours_3"
set day sunday saturday
set color 3
next
end


PDC_DC_FW_P (Non working Hours_4) # show
config firewall schedule recurring
edit "Non working Hours_4"
set end 07:30
set day monday tuesday wednesday thursday friday
set color 15
next
end

[Attachment: Policy matches.jpg]

Vitu
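The thread never answers the original question of how to tell whether a schedule is active at a given moment, so here is an added example (not from the thread or from Fortinet): a small Python evaluator that parses the schedule dump posted above and reports whether the "Non working Hours" group, or any single schedule, is active at a given time. It assumes FortiOS's documented recurring-schedule semantics (start and end default to 00:00, both 00:00 meaning the whole listed day, an end earlier than start running into the next day) and treats the end time as exclusive; schedule _1 is left out of the embedded sample because it follows the same pattern as _2.

```python
from datetime import datetime, time, timedelta
# Constructed from the 'show' output posted above (schedule _1 omitted; same pattern as _2).
CONFIG = """\
config firewall schedule group
edit "Non working Hours"
set member "Non Working Hours_2" "Non Working Hours_3" "Non working Hours_4"
next
end
config firewall schedule recurring
edit "Non Working Hours_2"
set start 17:00
set end 23:59
set day monday tuesday wednesday thursday friday
next
edit "Non Working Hours_3"
set day sunday saturday
next
edit "Non working Hours_4"
set end 07:30
set day monday tuesday wednesday thursday friday
next
end
"""
def parse(text):
    """Parse 'show firewall schedule group/recurring' output into ({group: members}, {schedule: settings})."""
    groups, scheds, section, cur = {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config firewall schedule "):
            section = line.split()[-1]  # 'group' or 'recurring'
        elif line.startswith("edit "):
            cur = line[5:].strip('"')
            (groups if section == "group" else scheds).setdefault(cur, [] if section == "group" else {})
        elif line.startswith("set member "):
            groups[cur] = line.split('"')[1::2]  # the quoted member names
        elif line.startswith("set ") and section == "recurring":
            scheds[cur].update([line[4:].split(" ", 1)])  # e.g. 'set end 07:30' -> {'end': '07:30'}
    return groups, scheds
def recurring_active(s, when):
    """Assumed FortiOS semantics: start/end default 00:00 (both 00:00 = all day); end < start wraps to next day; end exclusive."""
    start, end = (time.fromisoformat(s.get(k, "00:00")) for k in ("start", "end"))
    day = lambda d: d.strftime("%A").lower()  # weekday name as written in 'set day'
    days, t = s.get("day", "").split(), when.time()
    if start == end == time(0):  # no start/end configured: active for the whole listed day
        return day(when) in days
    if start < end:
        return day(when) in days and start <= t < end
    return (day(when) in days and t >= start) or (day(when - timedelta(days=1)) in days and t < end)
def active(name, when_iso, text=CONFIG):  # name may be a schedule group or a single schedule
    groups, scheds = parse(text)
    when = datetime.fromisoformat(when_iso)
    return any(recurring_active(scheds[m], when) for m in groups.get(name, [name]))
```

Paste your own `show firewall schedule group` and `show firewall schedule recurring` output into `text` to check a time that showed unexpected policy matches; if the evaluator says the schedule is inactive but the policy still matched, the problem is in policy matching rather than in the schedule definition.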
dingjerry_FTNT

Hi @vnkhwazi,

My FGT is running 7.4.5 and I just did a quick test. No issue for me.

However, I did not test with proxy policy.

My suggestion:

1) Do not use Schedule Group.

2) Create 4 new firewall policies and apply the Schedules to them individually.

Then check whether you still have this issue.

Regards,

Jerry
vnkhwazi

@dingjerry_FTNT I tried removing the schedule group and put one schedule which was active at that time, but still it is not working.

Vitu
dingjerry_FTNT

Hi @vnkhwazi,

Then please try to delete and recreate the schedules for a try.

Regards,

Jerry
vnkhwazi

Deleted and re-created the schedule, still not working. Policies are matching even when the schedule is inactive.

Vitu
rosatechnocrat
Contributor II

As @dingjerry_FTNT mentioned, there is no change in schedules.

You can verify if the correct policy matches; this may be due to some other issue or wrong policy matching.

Rosa Technocrat --

Also on YouTube---

Please do Subscribe
kolenbo2
New Contributor

Dig into ZTNA to replace VPN completely. Idk if Forticlient is the best solution for it but HPE has a really nice looking one called Axis Security. Also see a lot about Zscaler. I plan to try it with FortiClient and look at Axis if it’s a disaster. From what I’ve seen the biggest hurdle is Kerberos and DFS over the ZTNA connections.
