Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
itmdadmin
New Contributor II

Created on ‎07-03-2024 09:26 PM Edited on ‎07-08-2024 12:53 AM

Traffic match with wrong Schedule

Foritgate FW version : 7.4.4

I have created two proxy policy with different schedule, office hour and non office hour.

and i notice that the traffic is matched with non office hour schedule and policy when I access internet in office hour. 

anyone have experience this issue ? 

 

Observed Update on 8/July/2024:

Traffic between 4PM to 3 AM will go to office hour policy with schedule 8AM-7PM

Traffic between 3AM to 4 PM will go to non office hour policy  with schedule 7PM-8AM  

 

 

Office_Hour.pngNon_office_hour.pngTraffic_log.png

 

 

Labels:
1459
0 Kudos
19 REPLIES 19
itmdadmin
New Contributor II
In response to smaruvala

Created on ‎07-08-2024 06:47 PM

It happen all the time.

The "fast-policy-match" is not configurated, is it default enable ? shall i disable it ?

494
0 Kudos
smaruvala
Staff
Staff
In response to itmdadmin

Created on ‎07-08-2024 11:52 PM

Hi,

 

- When was the Policy created? I can see the issue started from 8th of June. Was the Policy created on 7th of June?

- In the screenshot we can see the schedule status is showing as inactive. But if you edit the policy and go into the policy then check the status of schedule, does it show inactive or active?

- I think I am able to reproduce the issue in the lab. I did not face the issue yesterday. But today I am seeing the issue. So I am assuming it was matching office-hours proxy policy first. Then during non-office hours it was matching the non-office policy and it has not changed back to office hours policy.

- I would suggest you to open a support case. Replication should be possible in version 7.4.4 but I think we need to give one day time. If you have already opened the case let me know the case number.

 

Regards,

Shiva

480
smaruvala
Staff
Staff
In response to smaruvala

Created on ‎07-09-2024 01:06 AM

Hi,

 

I can see couple of open bugs reported internally in 7.4.4 which looks same. I am assuming the wad process is not getting the correct time so it is matching the incorrect policy.

 

Regards,

Shiva

466
itmdadmin
New Contributor II
In response to smaruvala

Created on ‎07-09-2024 02:23 AM

- The original policy was created year ago, the test policy was created on 3 July.

- The schedule time is show as active for both office and non office hour in the edit mode

- Yes i have created a support case already and one of your engineer have remoted to check it - Ticket No. 9677466

  

446
0 Kudos
ede_pfau
SuperUser
SuperUser

Created on ‎07-09-2024 01:22 AM Edited on ‎07-09-2024 02:10 AM

I think it is related to session lifetime. When the correct schedule is matched, a session is allowed to be established. Then the schedule expires, but the session is not re-evaluated ('dirty').

Isn't there an option to force that lookup?

 

There is an option which governs the behavior of active sessions vs. schedule expiration:

config firewall policy

edit <nn>

set schedule-timeout enable

 

If enabled, sessions will be terminated on schedule expiry. If disabled, active sessions are allowed to continue while new sessions will be prevented. Disabled is the default.

I'd give it a try.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
461
itmdadmin
New Contributor II

Created on ‎07-09-2024 02:47 AM

After some test, its seems that the scheduler is using the GMT+0 as the measure time instead of my local time GMT+8

438
SRaudi
New Contributor III
In response to itmdadmin

Created on ‎09-07-2024 08:20 AM

Yes! Same here, today i updated from 7.4.2 to 7.4.4 and the schedules stopped working.

 

During research i found this post and moving the schedule 2 hours in the past is working here also.

 

Thanks for the hint!

212
Debbie_FTNT
Staff
Staff

Created on ‎09-10-2024 02:48 AM

Hey guys,

 

thanks for the info and detective work you've already done!

I had a look through the internal bug database, but didn't find anything for 7.4 and scheduler issues; I did find something for 7.2 that necessitated a fix for the scheduler, so perhaps something went slightly wrong? I've posted an update to the engineering team regarding this.

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
176
SRaudi
New Contributor III
In response to Debbie_FTNT

Created on ‎09-10-2024 03:53 AM

Hi @Debbie_FTNT,

 

i noticed also that this problem is only when using schedules in the web proxy config. When using schedules for switching on/off WLAN SSID's the schedules are working normal.

167
0 Kudos
Debbie_FTNT
Staff
Staff
In response to SRaudi

Created on ‎09-10-2024 05:56 AM

Thanks for the clarification, SRaudi :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
162
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.