johnm
New Member
August 12, 2019
Question

DNS being passed when not permitted

  • August 12, 2019
  • 1 reply
  • 2831 views

Why is DNS traffic being passed even though it is not explicitly permitted?  Such things cause me concern.  Is it the DNS helper?


Version: FortiGate-500E v6.0.5,build0268,190507 (GA)


flow trace:

id=20085 trace_id=2449 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 202.xx.17.50:53743->104.44.193.243:53) from agg1.930. "
id=20085 trace_id=2449 func=init_ip_session_common line=5654 msg="allocate a new session-07c990cc"
id=20085 trace_id=2449 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-122.yy.111.60 via agg1.200"
id=20085 trace_id=2449 func=fw_forward_handler line=751 msg="Allowed by Policy-4294967295: SNAT"
id=20085 trace_id=2449 func=__ip_session_run_tuple line=3322 msg="SNAT 202.xx.17.50->122.yy.111.61:53743"
id=20085 trace_id=2449 func=__ip_session_run_tuple line=3373 msg="run helper-dns-udp(dir=original)"

    1 reply

    johnm (Author)
    New Member
    August 16, 2019

    A bit more info... so it appears to be the "implicit-allow-dns". I believe that may be set when choosing NGFW Policy-mode. The problem is that the "implicit" rule does not use the central SNAT policy, and does an interface SNAT regardless. Bug?


    https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Concepts%20-%20Firewall/DNS%20traffic%20in%20NGFW%20policy-mode.htm?Highlight=policy%20mode
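As an added example (not part of the post and not Fortinet's code), a small Python parser for flow traces like the one above: it folds the `key=value` records of each trace_id into one session summary, pulls out the matched policy id, the SNAT address and any session helper, and flags DNS sessions that were allowed by the implicit policy id 4294967295 rather than by a configured rule. The sample input is the trace from the question, re-split one record per line; the field layout it assumes is only what that trace shows.

```python
import re
from collections import defaultdict

# Constructed sample input: the trace from the post, one record per line
# (the forum page shows the same records concatenated onto a single line).
SAMPLE_TRACE = """\
id=20085 trace_id=2449 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 202.xx.17.50:53743->104.44.193.243:53) from agg1.930. "
id=20085 trace_id=2449 func=init_ip_session_common line=5654 msg="allocate a new session-07c990cc"
id=20085 trace_id=2449 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-122.yy.111.60 via agg1.200"
id=20085 trace_id=2449 func=fw_forward_handler line=751 msg="Allowed by Policy-4294967295: SNAT"
id=20085 trace_id=2449 func=__ip_session_run_tuple line=3322 msg="SNAT 202.xx.17.50->122.yy.111.61:53743"
id=20085 trace_id=2449 func=__ip_session_run_tuple line=3373 msg="run helper-dns-udp(dir=original)"
"""

IMPLICIT_POLICY_ID = 4294967295  # policy id the trace reports for the implicit rule (0xFFFFFFFF)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; value may be a quoted string
PKT_RE = re.compile(r'proto=(\d+), (\S+):(\d+)->(\S+):(\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
SNAT_RE = re.compile(r'^SNAT \S+->(\S+)$')
HELPER_RE = re.compile(r'run helper-([\w-]+)\(')

def parse_records(trace):
    """Split each 'id=... msg="..."' record into a dict of its fields."""
    return [{k: v.strip('"') for k, v in FIELD_RE.findall(ln)}
            for ln in trace.splitlines() if ln.strip()]

def summarize_trace(trace):
    """Fold the records of each trace_id into one session summary."""
    sessions = defaultdict(lambda: {"policy_id": None, "snat": None, "helpers": []})
    for rec in parse_records(trace):
        s, msg = sessions[rec["trace_id"]], rec.get("msg", "")
        if m := PKT_RE.search(msg):   # 5-tuple from the print_pkt_detail record
            s["proto"], s["src"], s["dst"] = int(m[1]), (m[2], int(m[3])), (m[4], int(m[5]))
        if m := POLICY_RE.search(msg):  # which policy the forward handler matched
            s["policy_id"] = int(m[1])
        if m := SNAT_RE.search(msg):    # translated source address:port
            s["snat"] = m[1]
        if m := HELPER_RE.search(msg):  # session helper (here dns-udp) applied to the flow
            s["helpers"].append(m[1])
    for s in sessions.values():
        s["implicit"] = s["policy_id"] == IMPLICIT_POLICY_ID
    return dict(sessions)

def audit_implicit_dns(trace):
    """Report DNS sessions that matched the implicit policy instead of a configured one."""
    findings = []
    for tid, s in summarize_trace(trace).items():
        if s.get("dst", (None, None))[1] == 53 and s["implicit"]:
            findings.append(f"trace {tid}: DNS {s['src'][0]} -> {s['dst'][0]} allowed by implicit "
                            f"Policy-{s['policy_id']} (SNAT {s['snat']}, helpers {s['helpers']})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_implicit_dns(SAMPLE_TRACE)) or "no implicit DNS allows found")
```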