Fortigate 6.2.3 fails to log traffic to IP addresses 173.243.138.98 - 173.243.138.110

Summary

FortiGate may fail to record traffic destined to Fortinet-owned IP addresses, i.e. traffic destined to the following subnets: 173.243.128.0/20 and 96.45.32.0/20. As an example, traffic generated by FortiClient/FortiClient EMS through the FortiGate in order to request updates from the FortiGuard distribution servers may not be logged under Logs > Forward Traffic.

Affected Products

FortiGate versions 6.0.11 and below.
FortiGate versions 6.2.5 and below.
This issue is triggered ONLY when fabric/fortiheartbeat/endpoint-compliance is enabled at the interface level.

Solutions

Please upgrade to FortiGate Version 6.4.0 or above.

Workaround:

For FortiGate versions 6.2.5 and below, please disable Fabric/Fortiheartbeat on all interfaces and reboot the FortiGate:

    config system interface
        edit
            set fortiheartbeat disable
        next
    end

or

    config system interface
        edit
            set allowaccess ping https http ssh fabric
        next
    end

(remove fabric from the allowaccess list)

For FortiGate versions 6.0.11 and below, disable endpoint-compliance on all interfaces and reboot the FortiGate:

    config system interface
        edit
            set endpoint-compliance disable
        next
    end
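A check an administrator can run against saved "show system interface" output to list the interfaces that still meet the trigger condition above (fortiheartbeat enabled, fabric in allowaccess, or endpoint-compliance enabled). This is an added example, not Fortinet's code; the sample configuration below is constructed and its interface names are assumed.

```python
# Constructed sample of FortiOS "show system interface" output (assumed names/addresses).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set fortiheartbeat enable
    next
    edit "port2"
        set vdom "root"
        set allowaccess ping https
        set fortiheartbeat disable
    next
    edit "port3"
        set vdom "root"
        set allowaccess ping
        set endpoint-compliance enable
    next
end
"""

def parse_interfaces(config_text):
    """Return {interface_name: {setting: [values]}} from the 'config system interface' block."""
    interfaces, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_block = True
        elif not in_block:
            continue                      # ignore anything outside the block
        elif line == "end":
            break
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            interfaces[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split()          # "set allowaccess ping https" -> key + value list
            interfaces[current][parts[1]] = parts[2:]
    return interfaces

def find_trigger_interfaces(config_text):
    """Return [(interface, [reasons])] for interfaces matching the advisory's trigger condition."""
    hits = []
    for name, settings in parse_interfaces(config_text).items():
        reasons = []
        if settings.get("fortiheartbeat") == ["enable"]:
            reasons.append("fortiheartbeat enable")
        if "fabric" in settings.get("allowaccess", []):
            reasons.append("allowaccess includes fabric")
        if settings.get("endpoint-compliance") == ["enable"]:
            reasons.append("endpoint-compliance enable")
        if reasons:
            hits.append((name, reasons))
    return hits

if __name__ == "__main__":
    for iface, why in find_trigger_interfaces(SAMPLE_CONFIG):
        print(f"{iface}: {', '.join(why)}")
```

Interfaces that print here need the workaround applied (and a reboot) on the affected versions; an empty result means the trigger condition is not present in that configuration.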

Acknowledgement

Fortinet is pleased to thank Michael Weinstein from NetTects LLC for reporting this vulnerability under responsible disclosure.