FortiGate fails to log traffic for Fortinet owned IP address range

Summary

FortiGate may fail to record traffic destined to Fortinet-owned IP addresses, i.e. traffic destined to the following subnets: 173.243.128.0/20 and 96.45.32.0/20.

As an example, traffic generated by FortiClient/FortiClient EMS that passes through the FortiGate to request updates from the FortiGuard distribution servers may not appear under Log > Forward Traffic.
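The practical impact is a blind spot: sessions to the two subnets above are missing from the forward traffic log, so any detection or audit that relies on those logs will not see them. One way to check whether the gap is present on an exported log set is to count forward-traffic entries whose destination falls inside each subnet and report any subnet with no entries at all. The script below is an added example, not part of the Fortinet advisory; the log lines it parses are constructed samples in the FortiOS key=value format, not real device output, and the field names it relies on (type, subtype, dstip) are the standard FortiOS traffic log fields.

```python
"""Added example (not from the advisory): look for a logging gap in FortiGate
forward-traffic logs for the Fortinet-owned subnets named in the advisory."""
import ipaddress
import re

# Subnets named in the advisory.
FORTINET_SUBNETS = [
    ipaddress.ip_network("173.243.128.0/20"),
    ipaddress.ip_network("96.45.32.0/20"),
]

# FortiOS logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Turn one FortiOS key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def matching_subnet(ip_str):
    """Return the Fortinet-owned subnet containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net in FORTINET_SUBNETS:
        if ip in net:
            return net
    return None


def count_fortinet_sessions(lines):
    """Count forward-traffic entries per Fortinet-owned subnet (by dstip).

    Only type=traffic / subtype=forward entries count, because that is the
    log the advisory says is affected; local-in and event logs are ignored.
    """
    counts = {str(net): 0 for net in FORTINET_SUBNETS}
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "traffic" or rec.get("subtype") != "forward":
            continue
        net = matching_subnet(rec.get("dstip", ""))
        if net is not None:
            counts[str(net)] += 1
    return counts


def missing_subnets(lines):
    """Subnets with zero forward-traffic entries: a sign of the logging gap
    (or simply of no traffic, so compare against what the site expects)."""
    return [net for net, n in count_fortinet_sessions(lines).items() if n == 0]


# Constructed sample lines (not real FortiGate output) exercising each case:
# a forward session into 173.243.128.0/20, an unrelated forward session, a
# local-in session into 96.45.32.0/20 (ignored) and an event log (ignored).
SAMPLE_LOGS = [
    'date=2020-06-01 time=10:00:01 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.1.20 srcport=51234 dstip=173.243.140.53 dstport=443 proto=6 action="accept"',
    'date=2020-06-01 time=10:00:02 logid="0000000013" type="traffic" subtype="forward" '
    'srcip=10.1.1.21 srcport=51235 dstip=8.8.8.8 dstport=53 proto=17 action="accept"',
    'date=2020-06-01 time=10:00:03 logid="0000000013" type="traffic" subtype="local" '
    'srcip=10.1.1.1 srcport=51236 dstip=96.45.33.10 dstport=443 proto=6 action="accept"',
    'date=2020-06-01 time=10:00:04 logid="0100032001" type="event" subtype="system" msg="Admin login"',
]

if __name__ == "__main__":
    print(count_fortinet_sessions(SAMPLE_LOGS))
    print("no forward-traffic entries for:", missing_subnets(SAMPLE_LOGS))
```

A zero count on its own only shows that nothing was logged, not why; the useful comparison is against session counters or FortiClient update activity that is known to have crossed the FortiGate during the same window.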

Affected Products

FortiGate versions 6.0.11 and below.
FortiGate versions 6.2.5 and below.

This issue is triggered ONLY when fabric/fortiheartbeat/endpoint-compliance is enabled at the interface level.

Solutions

Please upgrade to FortiGate Version 6.4.0 or above.


Workaround:

For FortiGate versions 6.2.5 and below, disable Fabric/FortiHeartbeat on all interfaces, then reboot the FortiGate.

config system interface
    edit <interface_name>
        set fortiheartbeat disable
    next
end

or

config system interface
    edit <interface_name>
        set allowaccess ping https http ssh    <--- list the services already allowed on the interface, omitting fabric
    next
end


For FortiGate versions 6.0.11 and below, disable endpoint-compliance on all interfaces, then reboot the FortiGate.

config system interface
    edit <interface_name>
        set endpoint-compliance disable
    next
end
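On a device with many interfaces it is easy to miss one, and any interface left with the setting on keeps the gap open. The script below is an added example, not part of the advisory or of FortiOS: it reads a FortiGate configuration backup (the constructed sample embedded here stands in for a real export), reports every interface where fabric is in allowaccess, fortiheartbeat is enabled or endpoint-compliance is enabled, and generates the CLI block from the workaround above with fabric removed from each interface's existing allowaccess list. The interface names and addresses in the sample are made up.

```python
"""Added example (not from the advisory): audit a FortiGate config backup for
the interface settings that trigger the logging gap, and emit the workaround."""

FLAGS = ("allowaccess includes fabric", "fortiheartbeat enable", "endpoint-compliance enable")


def _parse_interfaces(config_text):
    """Return {name: {setting: [values]}} for each entry in config system interface.

    Nested sub-blocks (e.g. config ipv6 inside an edit) are skipped by depth.
    """
    ifaces, in_block, depth, current = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_block:
            in_block = (line == "config system interface")
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                in_block = False
            else:
                depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            ifaces[current] = {}
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current is not None and line.startswith("set "):
            parts = line.split()
            ifaces[current][parts[1]] = parts[2:]
    return ifaces


def audit_interfaces(config_text):
    """Return {interface: [reasons]} for interfaces that trigger the issue."""
    findings = {}
    for name, settings in _parse_interfaces(config_text).items():
        reasons = []
        if "fabric" in settings.get("allowaccess", []):
            reasons.append(FLAGS[0])
        if settings.get("fortiheartbeat") == ["enable"]:
            reasons.append(FLAGS[1])
        if settings.get("endpoint-compliance") == ["enable"]:
            reasons.append(FLAGS[2])
        if reasons:
            findings[name] = reasons
    return findings


def workaround_commands(config_text):
    """Generate the CLI workaround for every flagged interface."""
    ifaces = _parse_interfaces(config_text)
    out = ["config system interface"]
    for name, reasons in audit_interfaces(config_text).items():
        out.append(f'    edit "{name}"')
        if FLAGS[0] in reasons:
            kept = [v for v in ifaces[name]["allowaccess"] if v != "fabric"]
            # fabric was the only service: clear the list instead of leaving an empty set line
            out.append("        set allowaccess " + " ".join(kept) if kept else "        unset allowaccess")
        if FLAGS[1] in reasons:
            out.append("        set fortiheartbeat disable")
        if FLAGS[2] in reasons:
            out.append("        set endpoint-compliance disable")
        out.append("    next")
    out.append("end")
    return "\n".join(out)


# Constructed sample backup (not a real export): port1 triggers all three ways,
# port2 and port3 are clean, port4 allows only fabric.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set fortiheartbeat enable
        set endpoint-compliance enable
        config ipv6
            set ip6-allowaccess ping
        end
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping
        set fortiheartbeat disable
    next
    edit "port3"
        set vdom "root"
        set allowaccess ping https ssh
    next
    edit "port4"
        set vdom "root"
        set allowaccess fabric
    next
end
config system global
    set hostname "FGT-constructed-sample"
end
"""

if __name__ == "__main__":
    for iface, reasons in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(reasons)}")
    print(workaround_commands(SAMPLE_CONFIG))
```

The generated block only changes the settings the advisory names; review it before pasting it into the CLI, and remember that the workaround takes effect only after the reboot the advisory calls for.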

Acknowledgement

Fortinet is pleased to thank Michael Weinstein from NetTects LLC for reporting this vulnerability under responsible disclosure.