Foritgate FW version : 7.4.4
I have created two proxy policy with different schedule, office hour and non office hour.
and i notice that the traffic is matched with non office hour schedule and policy when I access internet in office hour.
anyone have experience this issue ?
Observed Update on 8/July/2024:
Traffic between 4PM to 3 AM will go to office hour policy with schedule 8AM-7PM
Traffic between 3AM to 4 PM will go to non office hour policy with schedule 7PM-8AM
It happen all the time.
The "fast-policy-match" is not configurated, is it default enable ? shall i disable it ?
Hi,
- When was the Policy created? I can see the issue started from 8th of June. Was the Policy created on 7th of June?
- In the screenshot we can see the schedule status is showing as inactive. But if you edit the policy and go into the policy then check the status of schedule, does it show inactive or active?
- I think I am able to reproduce the issue in the lab. I did not face the issue yesterday. But today I am seeing the issue. So I am assuming it was matching office-hours proxy policy first. Then during non-office hours it was matching the non-office policy and it has not changed back to office hours policy.
- I would suggest you to open a support case. Replication should be possible in version 7.4.4 but I think we need to give one day time. If you have already opened the case let me know the case number.
Regards,
Shiva
Hi,
I can see couple of open bugs reported internally in 7.4.4 which looks same. I am assuming the wad process is not getting the correct time so it is matching the incorrect policy.
Regards,
Shiva
- The original policy was created year ago, the test policy was created on 3 July.
- The schedule time is show as active for both office and non office hour in the edit mode
- Yes i have created a support case already and one of your engineer have remoted to check it - Ticket No. 9677466
I think it is related to session lifetime. When the correct schedule is matched, a session is allowed to be established. Then the schedule expires, but the session is not re-evaluated ('dirty').
Isn't there an option to force that lookup?
There is an option which governs the behavior of active sessions vs. schedule expiration:
config firewall policy
edit <nn>
set schedule-timeout enable
If enabled, sessions will be terminated on schedule expiry. If disabled, active sessions are allowed to continue while new sessions will be prevented. Disabled is the default.
I'd give it a try.
After some test, its seems that the scheduler is using the GMT+0 as the measure time instead of my local time GMT+8
Yes! Same here, today i updated from 7.4.2 to 7.4.4 and the schedules stopped working.
During research i found this post and moving the schedule 2 hours in the past is working here also.
Thanks for the hint!
Hey guys,
thanks for the info and detective work you've already done!
I had a look through the internal bug database, but didn't find anything for 7.4 and scheduler issues; I did find something for 7.2 that necessitated a fix for the scheduler, so perhaps something went slightly wrong? I've posted an update to the engineering team regarding this.
Cheers,
Debbie
Hi @Debbie_FTNT,
i noticed also that this problem is only when using schedules in the web proxy config. When using schedules for switching on/off WLAN SSID's the schedules are working normal.
Thanks for the clarification, SRaudi :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.