Firewall schedules

Firewall schedules control when policies are in effect. When you add a security policy on a FortiGate unit you need to set a schedule to determine the time frame in which the policy will be functioning. While it is not set by default, the normal schedule would be always. This would mean that the policy that has been created is always functioning and always policing the traffic going through the FortiGate. The time component of the schedule is based on a 24 hour clock notation, or military time as some people would say.

There are two types of schedules: one-time schedules and recurring schedules.

One-Time schedules are in effect only once for the period of time specified in the schedule. This can be useful for testing to limit how long a policy will be in effect in case it is not removed, or it can be used for isolated events such as a conference where you will only need a temporary infrastructure change for a few days.

The time frame for a one-time schedule is configured by using a Start time, which includes Year | Month | Day | Hour | Minute, and a Stop time, which includes the same fields. So while the schedule only occurs once, it can last anywhere from 1 minute to multiple years.

Recurring schedules are in effect repeatedly at specified times on specified days of the week. The recurring schedule is based on a repeating cycle of the days of the week, as opposed to every x days or particular days of the month. This means that you can configure the schedule to be in effect on Tuesday, Thursday, and Saturday, but not every 2 days or on odd-numbered days of the month.

If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next.

Creating a recurring schedule object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule.

3. From the Type options, choose Recurring.

4. Input a Name for the schedule object.

5. From the Days options, choose the days of the week that you would like this schedule to apply to. The schedule will be in effect on the days of the week that have a check mark in the checkbox to the left of the name of the weekday.

6. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. Hour 0 and Minute 0 would be midnight at the start of the day, and Hour 23 and Minute 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

7. Choose a Stop Time.

Configuration is the same as Start Time.

8. Press OK.

Creating a One-time schedule object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule.

3. From the Type options, choose One-time.

4. Input a Name for the schedule object.

5. Choose a Start Date.

Selecting the field with the mouse will bring up an interactive calendar graphic that allows the user to select the date. The date can also be typed in using the format YYYY/MM/DD.

6. Choose an End Date.

Configuration is the same as Start Date.

7. Choose a Start Time.

The Start Time is composed of two fields, Hour and Minute. Think of setting the time for a digital clock in 24 hour mode. The Hour value can be an integer from 0 to 23. The Minute value can be from 0 to 59. Hour 0 and Minute 0 would be midnight at the start of the day, and Hour 23 and Minute 59 would be one minute to midnight at the end of the day. The value can be entered by keyboard or by using the up and down arrows in the field to select the value.

8. Choose a Stop Time.

Configuration is the same as Start Time.

9. Enable/Disable Preexpiration event log.

This configures the system to create an event log 1 to 100 days before the End Date, as a warning in case the schedule needs to be extended.

10. If the Preexpiration event log is enabled, set the value for Number of days before.

11. Press OK.

Example

You want to allow the use of Skype only between noon (12:00) and 1 p.m. (13:00). You could create a schedule that allows Skype traffic:

  • Starting at Hour: 12 and Minute: 00
  • Stopping at Hour: 13 and Minute: 00
  • Set for days of the week: Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday

Or you could have a schedule that blocks Skype traffic:

  • Starting at Hour: 13 and Minute: 00 (and running into the next day)
  • Stopping at Hour: 12 and Minute: 00
  • Set for days of the week: Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday

Either way is effective for the task, but other factors may make one method work better than the other in certain situations, or it could simply be a preference in approach.

Schedule Groups

You can organize multiple firewall schedules into a schedule group to simplify your security policy list. The schedule parameter in the policy configuration does not allow multiple schedules to be entered into a single policy, so if you have a combination of time frames that you want to schedule the policy for, the best approach, rather than making multiple policies, is to use a schedule group.

Creating a schedule group object

1. Go to Policy & Objects > Schedules.

2. Select Create New. A drop down menu is displayed. Select Schedule Group.

3. Input a Name for the schedule group object.

4. In the Members field, select the “+” to bring up the panel for selecting entries.

5. Press OK.

Example

Your Internet policy allows employees to visit Social Media sites from company computers, but not during what is considered working hours. The offices are open a few hours before working hours and the doors are not locked until a few hours after official closing, so work hours are from 9 to 5 with a lunch break from noon to 1:00 p.m.

Your approach is to block the traffic between 9 and noon and between 1:00 p.m. and 5:00 p.m. This means you will need two schedules for a single policy, and the schedule group handles this for you. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
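The following is an added example, not part of the original article or of FortiOS itself: a small Python model of the schedule semantics described above (recurring windows with the overnight wrap-around rule, one-time windows, and a schedule group as the union of its members), so the Skype allow/block pair and the working-hours group can be checked against sample timestamps. Stop times are assumed to be exclusive, and a start equal to the stop time is assumed (not stated on the page) to behave like a full-day wrap-around window.

```python
"""Model FortiGate-style firewall schedules and test when they are in effect (added example)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
ALL_DAYS = set(DAYS)
WEEKDAYS = set(DAYS[:5])


@dataclass
class Recurring:
    days: set           # weekday names that are check-marked in the schedule
    start: time
    stop: time          # stop earlier than start => window ends on the NEXT day

    def active(self, when: datetime) -> bool:
        t = when.time()
        today = DAYS[when.weekday()]
        if self.start < self.stop:
            # Ordinary same-day window [start, stop) on a checked day.
            return today in self.days and self.start <= t < self.stop
        # Wrap-around: in effect from start on a checked day until stop on the following
        # day, so the early part of today belongs to a window that began yesterday.
        # (start == stop falls here too; assumed to mean a full 24-hour window.)
        yesterday = DAYS[(when - timedelta(days=1)).weekday()]
        started_today = today in self.days and t >= self.start
        spill_from_yesterday = yesterday in self.days and t < self.stop
        return started_today or spill_from_yesterday


@dataclass
class OneTime:
    start: datetime     # Year/Month/Day/Hour/Minute start
    stop: datetime

    def active(self, when: datetime) -> bool:
        return self.start <= when < self.stop


@dataclass
class Group:
    members: list       # Recurring or OneTime objects; groups cannot nest

    def active(self, when: datetime) -> bool:
        return any(m.active(when) for m in self.members)


# Constructed schedules mirroring the article's examples.
SKYPE_ALLOW = Recurring(ALL_DAYS, time(12, 0), time(13, 0))
SKYPE_BLOCK = Recurring(ALL_DAYS, time(13, 0), time(12, 0))   # 13:00 -> 12:00 next day
WORK_BLOCK = Group([Recurring(WEEKDAYS, time(9, 0), time(12, 0)),
                    Recurring(WEEKDAYS, time(13, 0), time(17, 0))])
```

For the Skype pair, exactly one of the two schedules is in effect at any instant, which is why the article can present them as interchangeable approaches.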

Schedule Expiration

The schedule in a security policy enables certain network traffic to flow for a specific length of time. What it does not do, however, is police that time. That is, the policy is active for a given time frame, and as long as a session is already open, its traffic can continue to flow past the end of that time frame.

For example, in an office environment, Skype use is allowed between noon and 1 p.m. During that hour, any Skype traffic is permitted. After the 1 p.m. end time, new sessions will be blocked, yet Skype conversations whose sessions are still open can continue. Ideally, the Skype session should close at 1 p.m.

Using a CLI command you can set the policy to terminate all of its sessions when the end time of the schedule is reached. Within the config firewall policy command context, edit the policy and enter:

set schedule-timeout enable

By default, this is set to disable.


3 thoughts on “Firewall schedules”

  1. Kemoy Brown

    Question: after creating the schedule, how do you apply it to a policy? For example, you create a schedule to block access to Netflix during school hours, between 8 a.m. and 2 p.m. How do you create an IPv4 policy to make it work?
    1. Mike Post author

      The policy has a schedule selector (when you are in the edit menu) that by default is set to always. Just change it to the new schedule you have.

  2. Kemoy Brown

    Did that and nothing happens. Do I need to block the category in application control, or the signatures for Netflix in the application control?
