We have a FortiGate 201F in an HA cluster. There is a proxy policy that uses a schedule to filter traffic based on the time of day. The policy was working fine, but since we upgraded to v7.4.5 build2702 it has stopped working. Is there a change that affects schedules in the new version? And how do I check whether a configured schedule is currently active or inactive?
Hi @vnkhwazi ,
There is no change in the Schedules function.
You need to check whether the traffic is hitting the correct proxy policy or not.
Please run the following commands to collect some outputs:
di wad filter clear
di wad filter src <x.x.x.x>
di wad session list
Please also share the CLI settings of the proxy policy involved in this issue.
Below are the policy configuration and the associated schedule group and schedules. I have also noted that I am seeing forward-traffic matches for this policy even at times when it is inactive; see the attached screenshot.
PDC_DC_FW_P (6) # show
config firewall proxy-policy
edit 6
set uuid f0b5aa6c-45a8-51ee-0c07-eba859d91c4d
set name "NBS non working hours"
set proxy explicit-web
set dstintf "Zone_Outside"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "Non working Hours"
set logtraffic all
set utm-status enable
set ssl-ssh-profile "nbs-certificate-inspection"
set av-profile "nbs-default-av"
set webfilter-profile "nbs-unrestricted-proxy-web"
set ips-sensor "nbs-default-ips"
set application-list "nbs-unrestricted-proxy-app"
next
end
PDC_DC_FW_P (Non working Hours) # show
config firewall schedule group
edit "Non working Hours"
set member "Non Working Hours_1" "Non Working Hours_2" "Non Working Hours_3" "Non working Hours_4"
set color 3
next
end
PDC_DC_FW_P (Non Working Hours_1) # show
config firewall schedule recurring
edit "Non Working Hours_1"
set start 12:00
set end 13:30
set day monday tuesday wednesday thursday friday
set color 3
next
end
PDC_DC_FW_P (Non Working Hours_2) # show
config firewall schedule recurring
edit "Non Working Hours_2"
set start 17:00
set end 23:59
set day monday tuesday wednesday thursday friday
set color 3
next
end
PDC_DC_FW_P (Non Working Hours_3) # show
config firewall schedule recurring
edit "Non Working Hours_3"
set day sunday saturday
set color 3
next
end
PDC_DC_FW_P (Non working Hours_4) # show
config firewall schedule recurring
edit "Non working Hours_4"
set end 07:30
set day monday tuesday wednesday thursday friday
set color 15
next
end
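The question of how to tell whether a configured schedule is active at a given moment can be answered offline from the config above. The following Python script is an added example, not code from the thread or from Fortinet: it parses the schedule group and recurring schedules posted above (embedded as a constructed copy, prompt lines dropped), reports which members of the group are active at a given timestamp, and lists the windows in a week where no member is active. It models a FortiOS recurring schedule as a [start, end) window on the listed days, with start and end both 00:00 meaning all day and an end of 00:00 meaning midnight; that model, the reference week and the sample timestamps are the script's assumptions. The FortiGate itself evaluates schedules against its own clock and timezone, so compare the script's answer with the time shown by `execute date` and `execute time` on the unit that is currently primary in the cluster.

```python
"""Offline check of FortiOS recurring schedules and schedule groups.

Assumption: a recurring schedule is active on each listed day from `start`
(inclusive) to `end` (exclusive); start == end == 00:00 means the whole day
and end == 00:00 means midnight. `set end 23:59` therefore leaves the last
minute of the day uncovered under this model.
"""
import shlex
from datetime import datetime, timedelta

# Constructed input: the schedule group and recurring schedules from the post above.
CONFIG = """
config firewall schedule group
    edit "Non working Hours"
        set member "Non Working Hours_1" "Non Working Hours_2" "Non Working Hours_3" "Non working Hours_4"
    next
end
config firewall schedule recurring
    edit "Non Working Hours_1"
        set start 12:00
        set end 13:30
        set day monday tuesday wednesday thursday friday
    next
    edit "Non Working Hours_2"
        set start 17:00
        set end 23:59
        set day monday tuesday wednesday thursday friday
    next
    edit "Non Working Hours_3"
        set day sunday saturday
    next
    edit "Non working Hours_4"
        set end 07:30
        set day monday tuesday wednesday thursday friday
    next
end
"""

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_config(text):
    """Return (recurring, groups). recurring[name] = {start, end, days}; groups[name] = [members].
    Unset start/end take the FortiOS default of 00:00."""
    recurring, groups = {}, {}
    section = current = None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        if parts[0] == "config":
            section = " ".join(parts[1:])
        elif parts[0] == "edit":
            current = parts[1]
            if section == "firewall schedule recurring":
                recurring[current] = {"start": "00:00", "end": "00:00", "days": set()}
            elif section == "firewall schedule group":
                groups[current] = []
        elif parts[0] == "set" and current is not None:
            key, values = parts[1], parts[2:]
            if section == "firewall schedule recurring" and key in ("start", "end"):
                recurring[current][key] = values[0]
            elif section == "firewall schedule recurring" and key == "day":
                recurring[current]["days"] = set(values)
            elif section == "firewall schedule group" and key == "member":
                groups[current] = values
        elif parts[0] == "next":
            current = None
        elif parts[0] == "end":
            section = current = None
    return recurring, groups


def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def _hhmm(m):
    return f"{m // 60:02d}:{m % 60:02d}"


def schedule_active(sched, when):
    """True if one recurring schedule covers the datetime `when` (local time of the unit)."""
    start, end = _minutes(sched["start"]), _minutes(sched["end"])
    now = when.hour * 60 + when.minute
    today = DAYS[when.weekday()]
    yesterday = DAYS[(when.weekday() - 1) % 7]
    if start == end == 0:                      # all day
        return today in sched["days"]
    if end == 0:                               # 00:00 as end means midnight
        end = 24 * 60
    if start < end:                            # window inside one day
        return today in sched["days"] and start <= now < end
    # end before start: the window crosses midnight; the part after midnight
    # belongs to the day on which the window started
    return (today in sched["days"] and now >= start) or (yesterday in sched["days"] and now < end)


def group_active(groups, recurring, name, when):
    """A group is active when any member is; returns the names of the active members."""
    return [m for m in groups[name] if schedule_active(recurring[m], when)]


def weekly_gaps(groups, recurring, name):
    """List (day, from, to) windows in a reference week where no member of the group is active.
    Runs are split at midnight, so a gap ending at midnight is reported as ending at 24:00."""
    gaps = []
    base = datetime(2024, 6, 3)               # a Monday; constructed reference week
    for d in range(7):
        run_start = None
        for m in range(24 * 60 + 1):          # extra iteration closes a run that ends at midnight
            active = m == 24 * 60 or bool(group_active(groups, recurring, name, base + timedelta(days=d, minutes=m)))
            if not active and run_start is None:
                run_start = m
            elif active and run_start is not None:
                gaps.append((DAYS[d], _hhmm(run_start), _hhmm(m)))
                run_start = None
    return gaps


if __name__ == "__main__":
    recurring, groups = parse_config(CONFIG)
    for when in (datetime(2024, 6, 3, 10, 0), datetime(2024, 6, 3, 12, 30), datetime(2024, 6, 8, 10, 0)):
        print(when.strftime("%a %H:%M"), group_active(groups, recurring, "Non working Hours", when) or "inactive")
    for gap in weekly_gaps(groups, recurring, "Non working Hours"):
        print("gap:", *gap)
```

Run it against a copy of `show firewall schedule recurring` and `show firewall schedule group` from the unit; a policy that matches at a time this script reports as a gap is matching for a reason other than the schedule, which is the situation the diag wad commands above are meant to narrow down.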
Hi @vnkhwazi ,
My FGT is running 7.4.5 and I just did a quick test. No issue for me.
However, I did not test with proxy policy.
My suggestion:
1) Do not use Schedule Group.
2) Create 4 new firewall policies and apply the Schedules to them individually.
Then check whether you still have this issue.
@dingjerry_FTNT I tried removing the schedule group and putting in one schedule which was active at that time, but it is still not working.
I deleted and re-created the schedule; still not working. Policies are matching even when the schedule is inactive.
As @dingjerry_FTNT mentioned, there is no change in schedules.
You can verify whether the correct policy matches; this may be due to some other issue or wrong policy matching.
Copyright 2024 Fortinet, Inc. All Rights Reserved.