This article describes an issue when the firewall policy does not work with a proxy policy after an upgrade from 7.4.3 to 7.4.4.
Scope
FortiGate v7.4.4.
Solution
This issue is caused by a bug introduced in 7.4.4: FortiGate blocks traffic when a one-time or recurring schedule is used in an explicit proxy policy. The traffic matches the implicit deny policy even though the schedule shows as active (not expired), because the WAD process gets the wrong time zone after chroot and therefore evaluates the schedule against the wrong local time.
To confirm the behavior, check the system time and enable WAD policy debugging with the following commands:

execute time
diag test app wad 1000
diag test app wad 2300
diag test app wad 156
diagnose debug enable
diagnose debug console timestamp enable
diagnose wad debug enable level info
diagnose wad debug enable category policy
Sample output:
Ertiga-kvm10 # [I]2024-08-02 16:36:35.846993 [p:2075][s:305508864][r:227] wad_http_conn_req_classify :6140 no security profile HTTPS/HTTP, tport=443
[I]2024-08-02 16:36:35.850427 [p:2075][s:305508864][r:227] wad_fast_match_is_enable :3678 fast matching is enabled
[I]2024-08-02 16:36:35.850472 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3499 fw_pol_id=1(pol_ctx:xhcf|Ad|7?|=p ) pol_id=0(pflag:H|W|U|A) asyn_info=1
[W]2024-08-02 16:36:35.850494 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3537 No policy matched
[I]2024-08-02 16:36:35.850499 [p:2075][s:305508864][r:227] wad_fw_policy_async_match :5319 pol_ctx:xhcf|Ad|7?|=d
[I]2024-08-02 16:36:35.850512 [p:2075][s:305508864][r:227] wad_http_req_policy_set :11172 match policy-id=0(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Ph|Me|Hh|C|A7|O) (10.160.2.30:57574@4 -> 172.217.25.196:443@3)
[E]2024-08-02 16:36:35.850556 [p:2075][s:305508864][r:227] wad_http_req_proc_policy :10729 POLICY DENIED
[W]2024-08-02 16:36:35.974849 [p:2075][s:305508851][r:228] wad_http_req_check_policy :12877 configuration changed pol_res->conf_gen=10 g_wad.config_gen/vd.policy=11/11

The signature of the bug in this output is the sequence "No policy matched", followed by "match policy-id=0" (the implicit deny), followed by "POLICY DENIED" for the same session, while the explicit proxy policy that should have matched (fw_pol_id=1 above) shows an active schedule in the configuration.
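The following is an added example, not part of the original article or Fortinet's own tooling: a small Python parser that reads WAD policy debug output of the format shown above and flags sessions that fell through to the implicit deny (policy-id=0) and were then denied. The function names (parse_wad_line, find_implicit_denies), the regular expressions, and the extra "healthy" session line (policy-id=1) are assumptions constructed for this example; the other sample lines are the ones from the article. Running a capture through it gives a quick list of denied proxy flows to compare against the schedule and the output of execute time.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One WAD debug line: [level]timestamp [p:pid][s:session][r:request] function :srcline message
WAD_LINE = re.compile(
    r"\[(?P<level>[IWE])\](?P<ts>\S+ \S+) "
    r"\[p:(?P<pid>\d+)\]\[s:(?P<sid>\d+)\]\[r:(?P<rid>\d+)\] "
    r"(?P<func>\w+)\s*:(?P<srcline>\d+) (?P<msg>.*)$"
)
# Policy chosen by wad_http_req_policy_set; id 0 is the implicit deny
POLICY_ID = re.compile(r"match policy-id=(?P<pid>\d+)")
# Flow tuple printed by wad_http_req_policy_set: (src:port@if -> dst:port@if)
FLOW = re.compile(r"\((?P<src>[\d.]+:\d+)@\d+ -> (?P<dst>[\d.]+:\d+)@\d+\)")


@dataclass
class WadEvent:
    level: str
    ts: str
    sid: str
    func: str
    msg: str


@dataclass
class ImplicitDeny:
    sid: str
    ts: str
    src: str
    dst: str


def parse_wad_line(line: str) -> Optional[WadEvent]:
    """Parse one debug line; returns None for prompts, blank lines or unrelated text."""
    m = WAD_LINE.search(line)  # search, so a leading CLI prompt is tolerated
    if not m:
        return None
    return WadEvent(m["level"], m["ts"], m["sid"], m["func"], m["msg"])


def find_implicit_denies(lines: Iterable[str]) -> List[ImplicitDeny]:
    """Return sessions where WAD selected policy-id 0 and then logged POLICY DENIED."""
    pending: Dict[str, WadEvent] = {}  # sid -> policy_set event that picked policy-id 0
    hits: List[ImplicitDeny] = []
    for line in lines:
        ev = parse_wad_line(line)
        if ev is None:
            continue
        if ev.func == "wad_http_req_policy_set":
            pm = POLICY_ID.search(ev.msg)
            if pm and pm["pid"] == "0":
                pending[ev.sid] = ev
            else:
                pending.pop(ev.sid, None)  # a real policy matched; nothing to flag
        elif ev.func == "wad_http_req_proc_policy" and "POLICY DENIED" in ev.msg:
            chosen = pending.pop(ev.sid, None)
            if chosen is not None:
                fm = FLOW.search(chosen.msg)
                src = fm["src"] if fm else "?"
                dst = fm["dst"] if fm else "?"
                hits.append(ImplicitDeny(ev.sid, ev.ts, src, dst))
    return hits


# Sample input: the article's output plus one constructed session (policy-id=1) that was allowed.
SAMPLE_LOG = """\
Ertiga-kvm10 # [I]2024-08-02 16:36:35.846993 [p:2075][s:305508864][r:227] wad_http_conn_req_classify :6140 no security profile HTTPS/HTTP, tport=443
[I]2024-08-02 16:36:35.850427 [p:2075][s:305508864][r:227] wad_fast_match_is_enable :3678 fast matching is enabled
[I]2024-08-02 16:36:35.850472 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3499 fw_pol_id=1(pol_ctx:xhcf|Ad|7?|=p ) pol_id=0(pflag:H|W|U|A) asyn_info=1
[W]2024-08-02 16:36:35.850494 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3537 No policy matched
[I]2024-08-02 16:36:35.850499 [p:2075][s:305508864][r:227] wad_fw_policy_async_match :5319 pol_ctx:xhcf|Ad|7?|=d
[I]2024-08-02 16:36:35.850512 [p:2075][s:305508864][r:227] wad_http_req_policy_set :11172 match policy-id=0(pol_ctx:xhcf|Ad|7?|=d) vd=0(ses_ctx:x|Ph|Me|Hh|C|A7|O) (10.160.2.30:57574@4 -> 172.217.25.196:443@3)
[E]2024-08-02 16:36:35.850556 [p:2075][s:305508864][r:227] wad_http_req_proc_policy :10729 POLICY DENIED
[W]2024-08-02 16:36:35.974849 [p:2075][s:305508851][r:228] wad_http_req_check_policy :12877 configuration changed pol_res->conf_gen=10 g_wad.config_gen/vd.policy=11/11
[I]2024-08-02 16:40:01.000000 [p:2075][s:305508900][r:229] wad_http_req_policy_set :11172 match policy-id=1(pol_ctx:xhcf|Ad|7?|=p) vd=0(ses_ctx:x|Ph|Me|Hh|C|A7|O) (10.160.2.31:50000@4 -> 172.217.25.196:443@3)
"""

if __name__ == "__main__":
    for hit in find_implicit_denies(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} session {hit.sid}: {hit.src} -> {hit.dst} hit implicit deny")
```

The parser keys on the session id so that the policy-id=0 selection and the later POLICY DENIED are matched per session rather than by adjacency, which keeps the result correct when several sessions interleave in a busy capture. Anything it flags on a device running 7.4.4 with schedules on explicit proxy policies is a candidate for this bug; check that execute time shows the expected time zone before looking elsewhere.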
This issue is fixed in FortiOS 7.6.0. Until the device is upgraded, removing the one-time or recurring schedule from the affected explicit proxy policy avoids the incorrect implicit-deny match.