AndrArt
New Member
September 9, 2022
Solved

Sniffer theory: incoming packets are seen in the sniffer, but not logged in the session view

  • September 9, 2022
  • 1 reply
  • 3009 views

Good morning,

My question is probably more of a theory nature:

Our customer is using a proxy IP telephony provider. For that we had to configure a custom service to communicate with the provider. Recently our customer started receiving multiple spam calls directly to their softphones. Together with FortiGate support we found a misconfiguration in the custom service/firewall policy pair, and the spam calls have stopped.

Before that, I could see a lot of connected sessions to the ports used by the telephony service providers from the attacking IP's random ports. Now I don't see those any more. BUT when I start a sniffer, I still see packets from the same IP with SIP INVITEs hitting my external interface; the output looks like this:

[Image attached to the original post: sniffer output, AndrArt_0-1662704664019.png]

I am not good at interpreting the sniffer data yet, so I am not sure what I am looking at.

Since the FortiView session view does not show any sessions established from these IPs, and there is nothing on the external ports in the sniffer data, is it correct to say that those connection attempts are dropped by the firewall policy?


1 reply

sagha
Staff (marked as answer)
September 9, 2022

Hi AndrArt,

Yes, it could mean that packets are getting dropped by the firewall policy in place.

You can have a better understanding of how FGT is dealing with packets by using the following commands:

diag de flow filter addr x.x.x.x
diag de flow trace start 1000
diag de en

Replace x.x.x.x with one of the source addresses that you are blocking.

More details on filters here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing-the/ta-p/195025

You will see how FGT is dealing with that traffic.

Hope this helps.

Regards,
Shahan Agha

AndrArt (Author)
New Member
September 9, 2022

Hi sagha,

Thank you for the explanation and guidance, this was really helpful. The debug flow shows that the incoming packets do not hit the SIP communication rule and are dropped by the implicit deny rule.
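To make the debug flow output that the thread refers to easier to triage, here is an added example parser (not part of the thread and not a Fortinet tool) that groups the trace lines by trace_id and reports, per flow, the source, destination, ingress interface and whether the flow was allowed by a policy or hit the implicit deny (policy 0). The sample lines are constructed in the usual FortiOS debug flow shape, not captured from the poster's unit, and use documentation address ranges.

```python
import re

# Constructed sample of "diagnose debug flow" output (not captured from the
# poster's FortiGate); the line shapes follow the usual FortiOS format.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 203.0.113.5:53812->198.51.100.10:5060) from wan1. "
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-000a1b2c"
id=20085 trace_id=1 func=fw_forward_handler line=765 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=17, 192.0.2.7:5060->198.51.100.10:5060) from wan1. "
id=20085 trace_id=2 func=init_ip_session_common line=5760 msg="allocate a new session-000a1b2d"
id=20085 trace_id=2 func=fw_forward_handler line=801 msg="Allowed by Policy-12: SNAT"
"""

# First packet line of a trace: protocol, 5-tuple and ingress interface.
PKT_RE = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), '
                    r'([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
# Policy verdict line: either denied by a policy id or allowed by Policy-N.
VERDICT_RE = re.compile(r'trace_id=(\d+) .*msg="(Denied by forward policy check '
                        r'\(policy (\d+)\)|Allowed by Policy-(\d+)[^"]*)"')


def parse_debug_flow(text):
    """Group debug flow lines by trace_id; return one record per trace."""
    traces = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, proto, src, sport, dst, dport, iface = m.groups()
            traces[tid] = {"proto": int(proto), "src": src, "sport": int(sport),
                           "dst": dst, "dport": int(dport), "in_iface": iface,
                           "verdict": "unknown", "policy": None}
            continue
        m = VERDICT_RE.search(line)
        if m:
            tid, _, deny_pol, allow_pol = m.groups()
            rec = traces.setdefault(tid, {"verdict": "unknown", "policy": None})
            if deny_pol is not None:
                rec["policy"] = int(deny_pol)
                # Policy 0 is the implicit deny at the bottom of the policy table.
                rec["verdict"] = "implicit-deny" if rec["policy"] == 0 else "denied"
            else:
                rec["policy"] = int(allow_pol)
                rec["verdict"] = "allowed"
    return traces


def summarize(text):
    """One line per trace: who sent it, where it went, and what the policy did."""
    return [f"trace {tid}: {r.get('src')}:{r.get('sport')} -> {r.get('dst')}:{r.get('dport')} "
            f"via {r.get('in_iface')} => {r['verdict']} (policy {r['policy']})"
            for tid, r in parse_debug_flow(text).items()]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

A flow that the sniffer shows arriving on the external interface but that ends in "implicit-deny" here is exactly the case in this thread: the packet was received, but no session was created because no policy matched it.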