Support Forum
rafiki
New Contributor

New policy install drops established connections traffic

Fortigate 1500D

Firmware v6.0.4 build0231 (GA)

Mode NAT (Flow-based)

 

Hello,

When I install a new policy, the firewall drops the packets of established connections affected by the new rule.

E.g. if I have an NFS connection, after applying the policy I have to restart it. The same happens with database connections.

Is there any workaround to avoid restarting systems?

 

Thank you

Rafa

1 Solution
ede_pfau
Esteemed Contributor III

I'd say that is application dependent. Of course, changing the policy will make the FGT end all sessions running across it. With HTTP, a new session buildup will only take milliseconds. With other protocols and/or applications it might be different.

 

So the workaround is to not change the policy too often. Ending sessions allowed in its previous incarnation and re-evaluating them is a principle, not a flaw.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
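Editor's note: the behaviour Ede describes, every session running through a changed policy being flushed and re-evaluated, is the default session-dirty handling in FortiOS. FortiOS exposes a setting for it, `firewall-session-dirty`, which is not mentioned anywhere in this thread; the fragment below is added here as an illustration (not the poster's or Ede's configuration), and the option names should be checked against the CLI reference for the release actually in use (6.0.4 on this unit) before relying on them.

```text
# FortiOS CLI, added example (not from the thread).
# Default behaviour: flush all sessions matching a changed policy and re-evaluate them.
config system settings
    set firewall-session-dirty check-all
end

# Alternative: keep established sessions and apply the changed policy only to new ones.
config system settings
    set firewall-session-dirty check-new
end

# Per-policy control: let each policy decide, then set it on the policies that
# carry long-lived flows (NFS, database connections). <id> is a placeholder.
config system settings
    set firewall-session-dirty check-policy-option
end
config firewall policy
    edit <id>
        set firewall-session-dirty check-new
    next
end
```

The trade-off matters from a defender's side: with `check-new`, an established flow keeps running under the rule that originally admitted it until it ends on its own, so a policy change intended to cut existing traffic does not take effect on those sessions. Where the point of a change is to stop traffic, `check-all` (the default) is the safer choice, and the per-policy option lets the relaxed behaviour be limited to the policies whose applications cannot tolerate a session reset.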
