Handbook

6.0.0

Schedule expiration

The schedule in a security policy allows the traffic that the policy matches to flow for a specific time frame. What it does not do, however, is police that time. That is, the policy is active for the given time frame, and as long as a session is open, its traffic can continue to flow.

For example, in an office environment, Skype use is allowed between noon and 1pm. During that hour, any Skype traffic is accepted. After the 1pm end time, new sessions are blocked, but any session that is still open continues, so Skype conversations started before 1pm can carry on. Ideally, the Skype session should close at 1pm.

Using a CLI command you can set the schedule to terminate all sessions when the end time of the schedule is reached. Within the firewall policy configuration (config firewall policy), enter the command:

    set schedule-timeout enable

By default, this option is set to disable.

A few further settings are needed to make this work. In the policy, set firewall-session-dirty to check-new, and in the system settings set firewall-session-dirty to check-policy-option so that the per-policy value is honored:

    config firewall policy
        edit <policy ID>
            set firewall-session-dirty check-new
        next
    end

    config system settings
        set firewall-session-dirty check-policy-option
    end

Note: The Policy window will indicate when a policy has become invalid due to its schedule parameters referring only to times in the past.

Firewall-session-dirty setting

The firewall-session-dirty setting has three options:

- check-all: the CPU flushes all current sessions and re-evaluates them. [default]
- check-new: the CPU keeps existing sessions and applies policy changes to new sessions only. This reduces CPU load and the possibility of packet loss.
- check-policy-option: use the option selected in the firewall-session-dirty field of the firewall policy (check-all or check-new, as above, but per policy).
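As an added example (not taken from the Fortinet handbook), here is the complete CLI sequence that ties together the schedule-expiration procedure and the firewall-session-dirty options above for the lunch-hour scenario: a recurring schedule, a policy that references it with schedule-timeout enabled and the per-policy check-new value, and the global check-policy-option. The schedule name, policy ID, interface names, address objects and service are placeholders chosen for this example; identifying Skype traffic specifically (for instance with application control) is outside what this page covers and is not shown.

```text
# Added example, not from the Fortinet handbook. The schedule name, policy ID,
# interface names, address objects and service are placeholders.

# 1. The time window: weekdays, noon to 1pm.
config firewall schedule recurring
    edit "lunch-hour"
        set start 12:00
        set end 13:00
        set day monday tuesday wednesday thursday friday
    next
end

# 2. The policy that uses the schedule. schedule-timeout terminates the
#    sessions this policy accepted when 13:00 is reached instead of letting
#    them run on; firewall-session-dirty check-new leaves existing sessions
#    alone when the policy itself is edited.
config firewall policy
    edit 10
        set name "lunch-hour-access"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "lunch-hour"
        set service "ALL"
        set schedule-timeout enable
        set firewall-session-dirty check-new
    next
end

# 3. Make the system honor the per-policy firewall-session-dirty value.
config system settings
    set firewall-session-dirty check-policy-option
end
```

Because schedule-timeout and firewall-session-dirty are set inside the policy, repeat them on every policy that should expire its sessions with its schedule; the check-policy-option value in system settings is what makes the per-policy choice take effect instead of the global default of check-all.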
