You can organize multiple firewall schedules into a schedule group to simplify your security policy list. The schedule parameter in the policy configuration does not allow for the entering of multiple schedules into a single policy so if you have a combination of time frames that you want to schedule the policy for then the best approach, rather than making multiple policies is to use a schedule group.
Creating a Schedule Group object
- Go to Policy & Objects > Schedules.
- Select Create New. A drop down menu is displayed. Select Schedule Group
- Input a Name for the schedule object.
- In the Members field, select the “+” to bring forth the panel for selecting entries.
- Press OK.
Your Internet policy allows employees to visit Social Media sites from company computers but not during what is considered working hours. The offices are open a few hours before working hours and the doors are not locked until a few hours after official closing so work hours are from 9 to 5 with a lunch break from Noon to 1:00 p.m.
Your approach is to block the traffic between 9 and noon and between 1:00 p.m. and 5:00 p.m. This means you will need two schedules for a single policy and the schedule group handles this for you. Schedule groups can contain both recurring and one-time schedules. Schedule groups cannot contain other schedule groups.
The schedule in a security policy enables certain aspects of network traffic to occur for a specific length of time. What it does not do however, is police that time. That is, the policy is active for a given time frame, and as long as the session is open, traffic can continue to flow.
For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic continues. As long as that session is open, after the 1pm end time, the Skype conversations can continue, yet new sessions will be blocked. Ideally, the Skype session should close at 1pm.
Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the config firewall command enter the command: set schedule-timeout enable
By default, this option is set to disable.
A few further settings are needed to make this work.
config firewall policy edit ID set firewall-session-dirty check-new end config system settings
set firewall-session-dirty check-policy-option
The firewall-session-dirty setting has three options
|check-all||CPU flushes all current sessions and re-evaluates them. [default]|
|check-new||CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.|
|check-policy-option||Use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).|
Before you begin Secure Web Gateway, WAN Optimization, Web Caching and WCCP
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU