gerristg
New Member
September 15, 2015
Solved

Outbound traffic blocked?


Hi All,


1. I'm very new to Fortigate

2. It's a Fortigate 60D

3. I did not configure the router myself and there is no document on how it was done :(

4. Some program wants to reach an external website on port 8008. Somehow I have the feeling that the Fortigate is not allowing that. 

5. Can anyone point me in the right direction to check this 'blocking' behaviour and make sure this traffic is allowed?


All help appreciated,

Regards,

Gerard

    Best answer by emnoc

    emnoc (Answer)
    New Member
    September 15, 2015

    Hi

    1st welcome to the fortigate. The #1 diagnostic command is the diag debug flow. It's a cli cmd so I'm not aware of any means of running diagnostics from the WebGUI.

    if you believe the fortigate is blocking this execute the command and review the output;

    1st login into the cli ( ssh, or connected console via the WebGUI )

    2nd reset the diagnostic and enable it

    diag debug reset
    diag debug enable

    3rd in your case it's probably best to use the flow diagnostic with a filter

    diag debug flow filter port 8080

    Lastly you enable the diagnostic flow

    diag debug flow show console enable
    diag debug flow trace start 100

    this will enable and capture the 1st 100 traces. if you need more traces run it with a higher number. Now direct your client to try to access port 8080 and monitor the diagnostic flow output on your screen.

    When you're done, you disable & reset the diagnostics;

    diag debug reset
    diag debug disable

    gerristg (Author)
    New Member
    September 15, 2015

    Thank you so much for this answer.


    I think the output proves the port we are using is not blocked but somehow gets scr*wed at the application server. Do I read that correctly?

    FGT-MultiMetaal # diag debug flow trace start 100
    FGT-MultiMetaal # id=13 trace_id=26 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=26 msg="allocate a new session-03392447"
    id=13 trace_id=26 msg="find a route: gw-139.156.151.64 via ppp1"
    id=13 trace_id=26 msg="use addr/intf hash, len=8"
    id=13 trace_id=26 msg="find SNAT: IP-92.68.113.25, port-61106"
    id=13 trace_id=26 msg="Allowed by Policy-11: AV SNAT"
    id=13 trace_id=26 msg="send to application layer"
    id=13 trace_id=27 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
    id=13 trace_id=27 msg="Find an existing session, id-03392447, reply direction"
    id=13 trace_id=28 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=28 msg="Find an existing session, id-03392447, original direction"
    id=13 trace_id=28 msg="send to application layer"
    id=13 trace_id=29 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=29 msg="Find an existing session, id-03392447, original direction"
    id=13 trace_id=29 msg="send to application layer"
    id=13 trace_id=30 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
    id=13 trace_id=30 msg="Find an existing session, id-03392447, reply direction"
    id=13 trace_id=31 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
    id=13 trace_id=31 msg="Find an existing session, id-03392447, reply direction"
    id=13 trace_id=32 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
    id=13 trace_id=32 msg="Find an existing session, id-03392447, reply direction"
    id=13 trace_id=33 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=33 msg="Find an existing session, id-03392447, original direction"
    id=13 trace_id=33 msg="send to application layer"
    id=13 trace_id=34 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=34 msg="Find an existing session, id-03392447, original direction"
    id=13 trace_id=34 msg="send to application layer"
    id=13 trace_id=35 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
    id=13 trace_id=35 msg="Find an existing session, id-03392447, original direction"
    id=13 trace_id=35 msg="send to application layer"
    id=13 trace_id=36 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
    id=13 trace_id=36 msg="Find an existing session, id-03392447, reply direction"
    id=13 trace_id=37 msg="vd-root received a packet(proto=6, 149.210.170.14:8008->192.168.1.6:61103) from local."
    id=13 trace_id=37 msg="Find an existing session, id-0339242c, reply direction"
    id=13 trace_id=38 msg="vd-root received a packet(proto=6, 192.168.1.6:61103->149.210.170.14:8008) from internal."
    id=13 trace_id=38 msg="Find an existing session, id-0339242c, original direction"
    id=13 trace_id=38 msg="send to application layer"
    id=13 trace_id=39 msg="vd-root received a packet(proto=6, 192.168.1.6:61103->149.210.170.14:8008) from internal."
    id=13 trace_id=39 msg="Find an existing session, id-0339242c, original direction"
    id=13 trace_id=39 msg="send to application layer"
    id=13 trace_id=40 msg="vd-root received a packet(proto=6, 149.210.170.14:8008->192.168.1.6:61103) from local."
    id=13 trace_id=40 msg="Find an existing session, id-0339242c, reply direction"


    Gerard
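As an added example, not part of the original thread or Fortinet's own tooling, a small Python parser that groups a `diag debug flow` trace by trace_id and reports per packet whether it was allowed by a policy, denied, or matched to an existing session, narrowing on a port the way the `filter port` command in the answer does. The sample lines are constructed in the format of the output posted above, using RFC 5737 documentation addresses rather than the real ones; the deny line is constructed to resemble FortiOS's forward-policy deny message.

```python
import re
from collections import defaultdict
# Constructed sample in the format of `diag debug flow` output (RFC 5737 addresses).
# The last two lines are a constructed deny, worded like FortiOS's forward-policy deny.
SAMPLE = """
id=13 trace_id=26 msg="vd-root received a packet(proto=6, 192.0.2.6:61106->198.51.100.119:8008) from internal."
id=13 trace_id=26 msg="allocate a new session-03392447"
id=13 trace_id=26 msg="Allowed by Policy-11: AV SNAT"
id=13 trace_id=26 msg="send to application layer"
id=13 trace_id=27 msg="vd-root received a packet(proto=6, 198.51.100.119:8008->192.0.2.6:61106) from local."
id=13 trace_id=27 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=40 msg="vd-root received a packet(proto=6, 192.0.2.6:50000->198.51.100.9:8008) from internal."
id=13 trace_id=40 msg="Denied by forward policy check (policy 0)"
"""

MSG_RE = re.compile(r'trace_id=(\d+) msg="([^"]*)"')
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)")

def parse_traces(text):
    """Group msg= fields by trace_id; one trace is one packet's walk through the firewall."""
    traces = defaultdict(list)
    for m in MSG_RE.finditer(text):
        traces[int(m.group(1))].append(m.group(2))
    return dict(traces)

def verdict(msgs):
    """'allowed'/'denied' with the policy message, 'session' when the packet was matched to
    an existing session, else 'undecided' (trace cut off, or no policy decision logged)."""
    for msg in msgs:
        if msg.startswith("Allowed by Policy-"):
            return "allowed", msg
        if msg.startswith("Denied by"):
            return "denied", msg
        if "existing session" in msg:
            return "session", msg
    return "undecided", ""

def summarize(text, port=None):
    """trace_id -> (src, dst, verdict, detail); `port` narrows to flows that use it,
    the same way `diag debug flow filter port N` narrows the trace on the box."""
    out = {}
    for tid, msgs in parse_traces(text).items():
        pkt = PKT_RE.search(msgs[0])
        if not pkt:          # first line of a trace is normally the packet header
            continue
        _, sip, sport, dip, dport, _ = pkt.groups()
        if port is not None and port not in (int(sport), int(dport)):
            continue
        out[tid] = (f"{sip}:{sport}", f"{dip}:{dport}", *verdict(msgs))
    return out
```

Run against the trace posted above, every trace_id comes back as "allowed" (Policy-11) or "session", which is what a flow that is not being blocked looks like; a blocked flow shows up as a trace with a "Denied by" line and no session.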

    rwpatterson
    New Member
    September 15, 2015

    Not an answer to your question, but I would strongly urge you to change IP addresses and possibly names when posted in a public forum. That small bit of information together may give an undesirable enough information to do malicious deeds...