FortiGate
caunon
Staff
Article Id 219273
Description This article describes how to fix the issue where a user can place Line calls but cannot select to answer an incoming Line call.
Scope FortiGate v6.x.
Solution

When users call each other with the Line application, messages are sent properly.

When the other user calls in with the Line application, the called user can see the incoming Line call.

However, the called user cannot select to accept the Line call and talk.

If the FortiGate allows only specific services such as HTTP, HTTPS, PING and DNS, notice in the sniffer and debug flow below that the Line application also tries to send packets to other ports.




At Sniffer (CLI):

 

FGT # diagnose sniffer packet any "host 192.168.45.15 and portrange 10000-10020" 6 0 l

 

2022-08-01 17:00:28.037920 internal in 192.168.45.15.62984 -> 147.92.169.45.10011: syn 1097102938
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
0x0010 0040 0000 4000 3f06 1177 c0a8 2d0f 935c .@..@.?..w..-..\
0x0020 a92d f608 271b 4164 765a 0000 0000 b002 .-..'.AdvZ......
0x0030 ffff c5fa 0000 0204 05b4 0103 0305 0101 ................
0x0040 080a cd34 a4a9 0000 0000 0402 0000 ...4..........

2022-08-01 17:00:29.039650 internal in 192.168.45.15.62984 -> 147.92.169.45.10011: syn 1097102938
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
0x0010 0040 0000 4000 3f06 1177 c0a8 2d0f 935c .@..@.?..w..-..\
0x0020 a92d f608 271b 4164 765a 0000 0000 b002 .-..'.AdvZ......
0x0030 ffff c211 0000 0204 05b4 0103 0305 0101 ................
0x0040 080a cd34 a892 0000 0000 0402 0000 ...4..........

2022-08-01 17:01:29.882850 internal in 192.168.45.15.62989 -> 147.92.169.100.10012: syn 639653196
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
0x0010 0040 0000 4000 3f06 1140 c0a8 2d0f 935c .@..@.?..@..-..\
0x0020 a964 f60d 271c 2620 554c 0000 0000 b002 .d..'.&.UL......
0x0030 ffff 51d7 0000 0204 05b4 0103 0305 0101 ..Q.............
0x0040 080a 5357 cebf 0000 0000 0402 0000 ..SW..........

2022-08-01 17:01:30.876229 internal in 192.168.45.15.62989 -> 147.92.169.100.10012: syn 639653196
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
0x0010 0040 0000 4000 3f06 1140 c0a8 2d0f 935c .@..@.?..@..-..\
0x0020 a964 f60d 271c 2620 554c 0000 0000 b002 .d..'.&.UL......
0x0030 ffff 4dee 0000 0204 05b4 0103 0305 0101 ..M.............
0x0040 080a 5357 d2a8 0000 0000 0402 0000 ..SW..........

 

- From the sniffer, only one-way traffic is visible: the client's SYN packets go in on the internal interface and are retransmitted, and no reply ever comes back out.



At Debug Flow (CLI):

 

FGT # diagnose debug reset
FGT # diagnose debug disable
FGT # diagnose debug flow filter clear
FGT # diagnose debug flow trace stop

 

FGT # diagnose debug flow filter port 10000 10020
FGT # diagnose debug flow show function-name enable
show function name
FGT # diagnose debug flow trace start 959595
FGT # diagnose debug console timestamp enable
FGT # diagnose debug enable


2022-08-01 17:00:28 id=20085 trace_id=40880 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:62984->147.92.169.45:10011) from internal. flag [S], seq 1097102938, ack 0, win 65535"
2022-08-01 17:00:28 id=20085 trace_id=40880 func=init_ip_session_common line=5692 msg="allocate a new session-00d4d67b"
2022-08-01 17:00:28 id=20085 trace_id=40880 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-171.6.48.1 via ppp1"
2022-08-01 17:00:28 id=20085 trace_id=40880 func=fw_forward_handler line=601 msg="Denied by forward policy check (policy 18)"
2022-08-01 17:00:29 id=20085 trace_id=40881 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:62984->147.92.169.45:10011) from internal. flag [S], seq 1097102938, ack 0, win 65535"
2022-08-01 17:00:29 id=20085 trace_id=40881 func=init_ip_session_common line=5692 msg="allocate a new session-00d4d688"
2022-08-01 17:00:29 id=20085 trace_id=40881 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-171.6.48.1 via ppp1"
2022-08-01 17:00:29 id=20085 trace_id=40881 func=fw_forward_handler line=601 msg="Denied by forward policy check (policy 18)"


2022-08-01 17:01:29 id=20085 trace_id=40898 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:62989->147.92.169.100:10012) from internal. flag [S], seq 639653196, ack 0, win 65535"
2022-08-01 17:01:29 id=20085 trace_id=40898 func=init_ip_session_common line=5692 msg="allocate a new session-00d4d74b"
2022-08-01 17:01:29 id=20085 trace_id=40898 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-171.6.48.1 via ppp1"
2022-08-01 17:01:29 id=20085 trace_id=40898 func=fw_forward_handler line=601 msg="Denied by forward policy check (policy 18)"
2022-08-01 17:01:30 id=20085 trace_id=40899 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:62989->147.92.169.100:10012) from internal. flag [S], seq 639653196, ack 0, win 65535"
2022-08-01 17:01:30 id=20085 trace_id=40899 func=init_ip_session_common line=5692 msg="allocate a new session-00d4d74d"
2022-08-01 17:01:30 id=20085 trace_id=40899 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-171.6.48.1 via ppp1"
2022-08-01 17:01:30 id=20085 trace_id=40899 func=fw_forward_handler line=601 msg="Denied by forward policy check (policy 18)"

 

- From the debug flow, the message shows the packet being denied by the forward policy check of a firewall policy ID (policy 18 here); it can also be denied by firewall policy ID 0, the implicit deny policy.

 

Solution to fix the issue:

- In this case the firewall policy ID that handles the Line application lets the user send messages with the Line application on a mobile phone, but when the user tries to pick up a Line call, the call cannot be accepted as expected.

- Consider adding custom services for TCP ports 10000 to 10020 and UDP ports 10000 to 10020, then add those services to the firewall policy ID in question.

At the FortiGate CLI:

 

# config firewall service custom
    edit "TCP10000-10020"
        set tcp-portrange 10000-10020
    next
    edit "UDP10000-10020"
        set udp-portrange 10000-10020
    next
end

# config firewall policy
    edit xx
        set service "ALL_ICMP" "DNS" "HTTP" "HTTPS" "PING" "TCP10000-10020" "UDP10000-10020"
    next
end

 

'xx' is the ID of the firewall policy that allows the Line call application from the mobile phone.

 

- After TCP ports 10000 to 10020 and UDP ports 10000 to 10020 are allowed as suggested above, two-way traffic is visible in the sniffer and debug flow as below.

At Sniffer (CLI):

 

2022-08-01 16:56:39.001455 internal in 192.168.45.15.42375 -> 147.92.169.99.10005: psh 2781284184 ack 4177701491
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
0x0010 0076 8a5b 4000 3f06 86af c0a8 2d0f 935c .v.[@.?.....-..\
0x0020 a963 a587 2715 a5c7 0758 f902 aa73 8018 .c..'....X...s..
0x0030 0246 7cb0 0000 0101 080a 3da7 a855 7c61 .F|.......=..U|a
0x0040 9a3f d03e 8000 9060 099c 0014 2080 0000 .?.>...`........
0x0050 0066 0240 0000 6b61 1a6f cee5 4cc1 db0b .f.@..ka.o..L...
0x0060 a37e 8481 2808 d96e 4940 e5b8 e203 58d6 .~..(..nI@....X.
0x0070 e4b9 0b2d f9ce f55a 2435 c833 b300 bb08 ...-...Z$5.3....
0x0080 60eb fb81 `...

2022-08-01 16:56:39.019539 internal out 147.92.169.99.10015 -> 192.168.45.15.62970: psh 3603336123 ack 1612649230
0x0000 0000 0000 0000 085b 0ec5 5441 0800 4500 .......[..TA..E.
0x0010 0371 8970 4000 3206 919f 935c a963 c0a8 .q.p@.2....\.c..
0x0020 2d0f 271f f5fa d6c6 8bbb 601f 130e 8018 -.'.......`.....
0x0030 005a 7ffd 0000 0101 080a 7c61 9a58 abb2 .Z........|a.X..
0x0040 9633 d339 8000 9061 08e0 0027 1c24 0000 .3.9...a...'.$..
0x0050 0070 0200 0000 f99b b035 047a bf99 3ce6 .p.......5.z..<.
0x0060 b695 935c 0157 0675 7166 2b81 442e 4223 ...\.W.uqf+.D.B#
0x0070 db74 8d57 fe08 73ee e400 9b07 c174 deb0 .t.W..s......t..
0x0080 b040 6d14 17fe ef1a 22b7 643a eae4 1938 .@m.....".d:...8
0x0090 acaf 8848 1fe2 1c06 4549 3d65 a456 af62 ...H....EI=e.V.b
0x00a0 d85f c4c8 8487 5977 936e f87a 7240 d6bf ._....Yw.n.zr@..
0x00b0 d06e 9b65 46b2 3c23 07f3 0f70 d46b 9d49 .n.eF.<#...p.k.I
0x00c0 2f7d e558 446a 0d53 6f54 3f82 6657 d426 /}.XDj.SoT?.fW.&
0x00d0 6d16 5260 fc3c d709 0a94 efc4 fb63 d463 m.R`.<.......c.c
0x00e0 fdd5 9ead 1f98 f8a4 dc1a 5203 fc96 8502 ..........R.....
0x00f0 4f33 f4f0 cb17 699f 525d bd6a e84a 3fde O3....i.R].j.J?.
0x0100 43bd ec3b 541f 970b 086d 9d7a cccb 493c C..;T....m.z..I<
0x0110 1084 ca73 73e9 3498 f14f e6f1 e13b 2c4a ...ss.4..O...;,J
0x0120 05cc 3d58 43b8 7146 ad93 30ad 7cb9 ca84 ..=XC.qF..0.|...
0x0130 07b5 991d 5086 4c99 464f b7c1 9a33 9470 ....P.L.FO...3.p
0x0140 d14b ff21 302c d975 edc9 4da3 bb52 20e0 .K.!0,.u..M..R..
0x0150 d335 78c1 9957 3745 e454 1839 0511 66bc .5x..W7E.T.9..f.
0x0160 f49b 4b1b 40fb 05f9 fbff 6788 8525 bbe5 ..K.@.....g..%..
0x0170 2ec1 f050 7702 d0a6 7672 87a0 70f2 478b ...Pw...vr..p.G.
0x0180 ca1b 9b4c dc7e ba2d 210f 5399 a7b4 ed33 ...L.~.-!.S....3
0x0190 d7e1 32e0 f2df bc3d f3a6 0497 ca68 ed29 ..2....=.....h.)
0x01a0 be23 eaea 7216 34f2 98f4 ce81 4e80 2e72 .#..r.4.....N..r
0x01b0 7b14 a109 9c01 24f5 1a55 e651 07f4 2e17 {.....$..U.Q....
0x01c0 33f0 0e05 bf83 46b8 eb4c f4b3 8308 9ebf 3.....F..L......
0x01d0 b053 213c b9b9 6f04 73b3 c963 ff19 f75c .S!<..o.s..c...\
0x01e0 bd78 2ea8 9c81 3a38 66e7 43b1 e009 5c7a .x....:8f.C...\z
0x01f0 9395 3ae4 4d3e 7599 027a 1bde 1c4f cd2c ..:.M>u..z...O.,
0x0200 f269 b299 5216 c76c d331 9f57 8296 05f5 .i..R..l.1.W....
0x0210 f99a 17d8 7ef3 8e22 5b5c a961 79bd 424f ....~.."[\.ay.BO
0x0220 3c3b 3161 e37d e372 aa5a db91 71bf 8f51 <;1a.}.r.Z..q..Q
0x0230 f087 3b81 d2c4 174d ed8a 9d21 14ff 7504 ..;....M...!..u.
0x0240 84b7 4255 7069 cb71 f69e 3671 bc5f c517 ..BUpi.q..6q._..
0x0250 53fc 6201 e11b a7e5 ac46 585e ff07 0e7a S.b......FX^...z
0x0260 b507 524a 1c10 a933 5d14 9294 71e5 2167 ..RJ...3]...q.!g
0x0270 0abd 043f 671f 7602 6852 9587 02bc 2030 ...?g.v.hR.....0
0x0280 3559 909f a2a8 9f68 026f d9e6 8480 91fd 5Y.....h.o......
0x0290 a634 c8cc f163 0a0a 43c7 54bf 75db 3fe0 .4...c..C.T.u.?.
0x02a0 d785 b92b 0690 069d a74c 63cb 309d 5115 ...+.....Lc.0.Q.
0x02b0 4355 3ac4 dfab 1f58 b452 3ef2 6da4 172b CU:....X.R>.m..+
0x02c0 af42 36ce a014 b0d6 9298 1f97 a930 427f .B6..........0B.
0x02d0 e904 8ba5 03a9 f5de d8e6 8855 b7a0 793c ...........U..y<
0x02e0 6c79 d2a0 eb97 33f4 4e9a 1add 0249 9f74 ly....3.N....I.t
0x02f0 0a54 3e86 2aef d4cc b8e8 dd46 ac44 696c .T>.*......F.Dil
0x0300 4c7a 5fd7 a13d 61af 97fc 9c44 6e37 0c04 Lz_..=a....Dn7..
0x0310 1d20 790d 2878 c16e b31b 2fe4 878c 926e ..y.(x.n../....n
0x0320 2052 847d bb43 d5b1 4cb1 8291 0fbe 13a8 .R.}.C..L.......
0x0330 fdd6 24c2 15a6 c488 6162 751e 9f42 3ce1 ..$.....abu..B<.
0x0340 c52a 39ed 82db c9c8 4693 9466 fa81 5574 .*9.....F..f..Ut
0x0350 0f40 8ed6 0724 3da5 21b3 9157 84ac 3f95 .@...$=.!..W..?.
0x0360 8695 15aa c263 05b2 848e 7a3c e0b2 f590 .....c....z<....
0x0370 bbee b0c1 9146 c1ac 82e9 edb2 4700 c4 .....F......G..

 

At Debug Flow (CLI):

 

2022-08-01 16:56:39 id=20085 trace_id=14201 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:42375->147.92.169.99:10005) from internal. flag [.], seq 2781284184, ack 4177701491, win 582"
2022-08-01 16:56:39 id=20085 trace_id=14201 func=resolve_ip_tuple_fast line=5608 msg="Find an existing session, id-00d4d430, original direction"
2022-08-01 16:56:39 id=20085 trace_id=14201 func=npu_handle_session44 line=921 msg="Trying to offloading session from internal to ppp1, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00040001"
2022-08-01 16:56:39 id=20085 trace_id=14201 func=__ip_session_run_tuple line=3351 msg="SNAT 192.168.45.15->171.6.50.68:42375"

 


2022-08-01 16:56:39 id=20085 trace_id=14202 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 147.92.169.99:10015->171.6.50.68:62970) from ppp1. flag [.], seq 3603336123, ack 1612649230, win 90"
2022-08-01 16:56:39 id=20085 trace_id=14202 func=resolve_ip_tuple_fast line=5608 msg="Find an existing session, id-00d4d412, reply direction"
2022-08-01 16:56:39 id=20085 trace_id=14202 func=__ip_session_run_tuple line=3365 msg="DNAT 171.6.50.68:62970->192.168.45.15:62970"
2022-08-01 16:56:39 id=20085 trace_id=14202 func=npu_handle_session44 line=921 msg="Trying to offloading session from ppp1 to internal, skb.npu_flag=00000400 ses.state=00000204 ses.npu_state=0x00040001"
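The two diagnostics in this article can be read mechanically: before the fix the sniffer shows only "in" packets toward the Line servers and the debug flow reports "Denied by forward policy check (policy 18)"; after the fix the sniffer shows both "in" and "out" packets and the debug flow finds an existing session in the reply direction with DNAT applied. The following Python script is an added example written for this article; it is not part of the article or of any Fortinet tool. It assumes only the line formats visible above, and the sample lines it embeds are constructed from that output (hex-dump lines are skipped). It reports which remote peers only ever see one-way traffic and which firewall policy IDs denied a flow, so the same check can be run over a saved sniffer or debug-flow capture.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the sniffer and debug-flow output in this
# article. Hex-dump continuation lines (starting with 0x) are skipped by the parser.
SNIFFER_BEFORE = """\
2022-08-01 17:00:28.037920 internal in 192.168.45.15.62984 -> 147.92.169.45.10011: syn 1097102938
0x0000 0000 0000 0001 1027 f56d c11d 0800 4500 .......'.m....E.
2022-08-01 17:00:29.039650 internal in 192.168.45.15.62984 -> 147.92.169.45.10011: syn 1097102938
2022-08-01 17:01:29.882850 internal in 192.168.45.15.62989 -> 147.92.169.100.10012: syn 639653196
"""
SNIFFER_AFTER = """\
2022-08-01 16:56:39.001455 internal in 192.168.45.15.42375 -> 147.92.169.99.10005: psh 2781284184 ack 4177701491
2022-08-01 16:56:39.019539 internal out 147.92.169.99.10015 -> 192.168.45.15.62970: psh 3603336123 ack 1612649230
"""
DEBUG_BEFORE = """\
2022-08-01 17:00:28 id=20085 trace_id=40880 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 192.168.45.15:62984->147.92.169.45:10011) from internal. flag [S], seq 1097102938, ack 0, win 65535"
2022-08-01 17:00:28 id=20085 trace_id=40880 func=init_ip_session_common line=5692 msg="allocate a new session-00d4d67b"
2022-08-01 17:00:28 id=20085 trace_id=40880 func=fw_forward_handler line=601 msg="Denied by forward policy check (policy 18)"
"""
DEBUG_AFTER = """\
2022-08-01 16:56:39 id=20085 trace_id=14202 func=print_pkt_detail line=5528 msg="vd-root received a packet(proto=6, 147.92.169.99:10015->171.6.50.68:62970) from ppp1. flag [.], seq 3603336123, ack 1612649230, win 90"
2022-08-01 16:56:39 id=20085 trace_id=14202 func=resolve_ip_tuple_fast line=5608 msg="Find an existing session, id-00d4d412, reply direction"
2022-08-01 16:56:39 id=20085 trace_id=14202 func=__ip_session_run_tuple line=3365 msg="DNAT 171.6.50.68:62970->192.168.45.15:62970"
"""

# Sniffer header line: <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
SNIFFER_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)
# Debug-flow line: trace_id groups the lines belonging to one packet; msg carries the verdict.
TRACE_RE = re.compile(r'trace_id=(?P<trace>\d+) .*?msg="(?P<msg>[^"]*)"')
TUPLE_RE = re.compile(r"proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<policy>\d+)\)")


def sniffer_peers(text):
    """Map each remote peer IP to the set of directions seen on the interface.
    On the LAN-facing interface, 'in' is the host's outbound packet and 'out' is
    the reply being delivered back to the host."""
    peers = defaultdict(set)
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue  # hex-dump continuation lines and blanks
        if m["dir"] == "in":
            peers[m["dst"]].add("in")
        else:
            peers[m["src"]].add("out")
    return dict(peers)


def one_way_peers(text):
    """Remote peers the host sent to but never received a packet from."""
    return sorted(ip for ip, dirs in sniffer_peers(text).items() if dirs == {"in"})


def summarize_debug_flow(text):
    """Group debug-flow lines by trace_id and record the 5-tuple plus the verdict."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        rec = traces.setdefault(
            m["trace"], {"tuple": None, "denied_by_policy": None, "direction": None, "nat": []}
        )
        msg = m["msg"]
        t = TUPLE_RE.search(msg)
        if t:
            rec["tuple"] = (int(t["proto"]), t["src"], int(t["sport"]), t["dst"], int(t["dport"]))
        d = DENY_RE.search(msg)
        if d:
            rec["denied_by_policy"] = int(d["policy"])
        if "original direction" in msg:
            rec["direction"] = "original"
        elif "reply direction" in msg:
            rec["direction"] = "reply"
        if msg.startswith(("SNAT ", "DNAT ")):
            rec["nat"].append(msg)
    return traces


def denying_policies(text):
    """Policy IDs that denied a flow; 0 here would mean the implicit deny policy."""
    return sorted({r["denied_by_policy"] for r in summarize_debug_flow(text).values()
                   if r["denied_by_policy"] is not None})


if __name__ == "__main__":
    print("one-way peers before fix:", one_way_peers(SNIFFER_BEFORE))
    print("one-way peers after fix:", one_way_peers(SNIFFER_AFTER))
    print("denying policies before fix:", denying_policies(DEBUG_BEFORE))
    print("denying policies after fix:", denying_policies(DEBUG_AFTER))
```

To use it on a real capture, paste the full sniffer or debug-flow output into the corresponding string (or read it from a file); any peer listed by one_way_peers together with a non-empty denying_policies result is the signature described in this article, and an empty list after the custom services are added confirms the fix.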

 

 
