Fortigate 60E with 5.4.4: Changes to Policies not being enforced until reboot

Author: netengwi
2017/11/08 14:59:49

I have had a couple of our Fortigate 60E firewalls (5.4.4) exhibit an issue where changes to the IPv4 policies are not actually applying until a reboot. If I make a new rule or add services to an existing rule, the changes appear in the GUI and CLI but the new rules are not applied to any traffic.
 
Example:
 
1. Created a service for TCP Port 10020.
2. Modified an existing firewall rule to add this as an allowed service.
 
Result
Traffic still blocked to 10020.  After rebooting the firewall the rule applies correctly.
 
Additionally, in some of my testing I created a new rule to allow all traffic and put it as the first entry in a policy.  The byte counter never increments and in FortiView it shows all of the connections are still using the policies below the new one.  Even if I disable the policies and delete existing sessions, new sessions show up using the disabled policies.  I have even tried disabling a VLAN interface that was part of a policy and re-enabling it to see if that would force the changes to actually be enforced.  This didn't work either.  Only a reboot results in the add/remove/changes actually applying properly.
 
Is there any other thing I can try apart from rebooting the firewall to force the policies to re-apply?
 
Sincerely,
 
Shane
emnoc
2017/11/08 19:15:00
The CLI diag debug flow is your friend. I'm afraid I have not seen that issue in v5.4.4 or any v5.4.x versions.
 
Ken
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
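Emnoc points at `diag debug flow`; the following is an added example, not part of the original thread or of anyone's post, showing one way to check whether the FortiOS data plane is actually enforcing the policy that the GUI and CLI display. The client address 10.0.1.50, server 192.168.10.20, interface name `internal`, service object name and policy ID 12 are assumed placeholders for the poster's setup. The command syntax is FortiOS 5.4 CLI; the IPv4 policy table ID 100004 used with `diagnose firewall iprope list` is the one used by 5.x firmware.

```fortios
# Added example (not from the thread). Assumed test traffic: client 10.0.1.50 on
# interface "internal" connecting to 192.168.10.20 TCP/10020, which is expected
# to match IPv4 policy ID 12 after the service was added to it.

# 1. Confirm the change is really present in the running config
#    (the poster already sees this part, it is the baseline for the comparison).
show firewall service custom "TCP-10020"
show firewall policy 12

# 2. Ask the kernel which policy it would select for this exact flow,
#    without sending any traffic.
#    Syntax: lookup <src-ip> <src-port> <dst-ip> <dst-port> <protocol> <src-interface>
diagnose firewall iprope lookup 10.0.1.50 40000 192.168.10.20 10020 6 internal

# 3. Dump the kernel's copy of the IPv4 policy table and compare it with step 1.
#    If policy 12 (or its new service) is missing or differs here while
#    "show firewall policy" has it, the kernel policy set is stale, which is
#    the symptom the poster describes.
diagnose firewall iprope list 100004

# 4. Clear existing sessions to the port so the test is not answered from an
#    old session entry that was matched under the previous policy set.
diagnose sys session filter clear
diagnose sys session filter dport 10020
diagnose sys session clear

# 5. Trace a fresh connection through the data plane. The trace output names
#    the matched policy ("Allowed by Policy-12:") or shows a deny by policy 0.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter port 10020
diagnose debug flow filter addr 10.0.1.50
diagnose debug flow show console enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... generate the TCP/10020 connection from the client now ...
diagnose debug disable
diagnose debug reset
```

The useful comparison is between steps 1 and 3: if the config shows the policy but the kernel table does not, a reboot "fixing" it is consistent with the kernel never having reloaded the policy set, and that is the evidence to attach to a support case rather than just "the rule does not work".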
StevieC
2018/01/17 18:11:44
We have a FortiWiFi 30E running v5.4.3,build1111 (GA) that runs fine after a reboot and then at some point, any changes to policies or new policies won't apply or take effect until the unit is rebooted.
 
Starting to get a bit annoying having to reboot the unit to get a simple policy to work.
 
Thanks
 
Steve
romanr
2018/01/17 23:59:35
Hi,
 
I remember that we ran into the same issue once also, on 50E models I believe.
 
New policies were displayed in the config in the GUI and CLI, but did not match. After a reboot those policies did work.
 
Upgrading to current 5.4 builds did solve this issue!
 
Br,
Roman