FortiGate
pathik_mehta
Staff
Article Id 344474
Description This article explains why RDP sessions with a firewall interface address as the source appear in the local traffic logs, and which setup produces them.
Scope FortiGate.
Solution

Setup:

  • SSL VPN web mode is enabled on the portal.
  • A bookmark is not required; the connection can be started from Quick Connection.

 

LAB (root) # config vpn ssl web portal
LAB (portal) # edit "web-access"
LAB (web-access) # show
config vpn ssl web portal
edit "web-access"
set web-mode enable
next
end
LAB (web-access) #

 

Here 'user1' is used to login to SSL VPN web mode.

 

[Image: SSL VPN authentication/portal mapping for user1]

[Image: portal setting, web mode enabled]

 

When the user connects to the SSL VPN through the browser, the 'Quick Connection' option is shown after successful authentication to SSL VPN web mode. The logon event is captured in the VPN event logs.

 

[Image: VPN event log showing user1 authenticated]

 

Selecting Quick Connection offers several connection types for reaching an internal server; RDP is used here.

 

[Image: Quick Connection dialog]

 

Here, the connection was initiated to the server 10.212.3.1 on port 3389 (RDP). The destination is on a directly connected network, which is confirmed with the routing-table lookup and the interface configuration below.

 

LAB (root) # get router info routing-table details 10.212.3.1

Routing table for VRF=0
Routing entry for 10.212.3.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, dmz

LAB (root) #

 

config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.212.3.101 255.255.255.0
        set allowaccess ping
        set type physical
        set explicit-web-proxy enable
        set description "INTERFACE CONNECTED TO DMZ SWITCH"
        set alias "DMZ-NW"
        set role lan
        set snmp-index 1
    next
end

 

date=2024-09-24 time=18:07:07 eventtime=1727186827774232733 tz="+0400" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.212.3.101 srcport=16259 srcintf="Leasedline" srcintfrole="undefined" dstip=10.212.3.1 dstport=3389 dstintf="dmz" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=160893 proto=6 action="server-rst" policyid=0 service="RDP" trandisp="noop" app="RDP" duration=121 sentbyte=89711 rcvdbyte=1218169 sentpkt=987 rcvdpkt=1574 appcat="unscanned" dstosname="Windows" dstswversion="10 / 2016" masterdstmac="00:6d:65:72:2c:01" dstmac="00:6d:65:72:2c:01" dstserver=0

 

In web mode the FortiGate terminates the user's HTTPS session and opens the TCP connection to the server itself, so the log shows the firewall's own interface address (10.212.3.101) as srcip and the traffic is classified as local (subtype="local") rather than forward traffic. Because the session is generated by the firewall, it is not matched against any firewall policy, and policyid=0 is expected. The session is written to the local traffic logs only after it ends and is cleared from the session table, and local-out traffic is logged only if local-out logging is enabled under 'config log setting' (set local-out enable). Note that the RDP server and any intermediate access controls see the firewall interface address, not the VPN user's address; to attribute the session to a user, correlate the local traffic log with the SSL VPN event log (user1 logon) by time.
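The following is an added example, not part of the original article or of FortiOS, showing how to parse FortiGate key=value log records and pick out sessions that the firewall itself initiated (local traffic with policyid=0 and a firewall interface address as srcip), such as the proxied RDP session above. The first sample record is the article's log line; the other two records, the interface IP set, and the helper names are constructed for this example.

```python
import re
from typing import Dict, Iterable, List

# One key=value pair; a quoted value may contain spaces, e.g. dstswversion="10 / 2016".
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumption: the firewall's own interface addresses. Only the article's dmz
# address is listed here; in practice collect every interface IP of the unit.
FIREWALL_INTERFACE_IPS = {"10.212.3.101"}

# Constructed sample input. Record 1 is the article's local-traffic RDP log.
# Records 2 (forwarded user traffic) and 3 (local-in HTTPS to the firewall)
# are constructed for contrast and are not from the article.
SAMPLE_LOGS = [
    'date=2024-09-24 time=18:07:07 eventtime=1727186827774232733 tz="+0400" logid="0001000014" '
    'type="traffic" subtype="local" level="notice" vd="root" srcip=10.212.3.101 srcport=16259 '
    'srcintf="Leasedline" srcintfrole="undefined" dstip=10.212.3.1 dstport=3389 dstintf="dmz" '
    'dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=160893 proto=6 '
    'action="server-rst" policyid=0 service="RDP" trandisp="noop" app="RDP" duration=121 '
    'sentbyte=89711 rcvdbyte=1218169 sentpkt=987 rcvdpkt=1574 appcat="unscanned" '
    'dstosname="Windows" dstswversion="10 / 2016" masterdstmac="00:6d:65:72:2c:01" '
    'dstmac="00:6d:65:72:2c:01" dstserver=0',
    'date=2024-09-24 time=18:05:01 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.10.10.5 srcport=51000 srcintf="port1" srcintfrole="lan" '
    'dstip=10.212.3.1 dstport=3389 dstintf="dmz" dstintfrole="lan" sessionid=160500 proto=6 '
    'action="close" policyid=12 service="RDP" duration=60 sentbyte=1000 rcvdbyte=2000',
    'date=2024-09-24 time=18:06:30 logid="0001000014" type="traffic" subtype="local" '
    'level="notice" vd="root" srcip=10.10.10.5 srcport=52000 srcintf="port1" srcintfrole="lan" '
    'dstip=10.212.3.101 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=160700 '
    'proto=6 action="accept" policyid=0 service="HTTPS" duration=5 sentbyte=300 rcvdbyte=900',
]


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate log record into a dict of strings; surrounding quotes are stripped."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_firewall_initiated(rec: Dict[str, str], interface_ips: Iterable[str]) -> bool:
    """True for local traffic with no policy match whose source is a firewall interface address.

    Local-in sessions (clients connecting to the firewall) also carry policyid=0,
    so the srcip check is what separates firewall-originated from local-in traffic.
    """
    return (
        rec.get("type") == "traffic"
        and rec.get("subtype") == "local"
        and rec.get("policyid") == "0"
        and rec.get("srcip") in set(interface_ips)
    )


def find_firewall_initiated_rdp(lines: Iterable[str], interface_ips: Iterable[str]) -> List[Dict[str, str]]:
    """Return a summary of every firewall-initiated session to TCP/3389 in the given records."""
    ips = set(interface_ips)
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if is_firewall_initiated(rec, ips) and rec.get("proto") == "6" and rec.get("dstport") == "3389":
            hits.append({
                "sessionid": rec.get("sessionid", ""),
                "time": f'{rec.get("date", "")} {rec.get("time", "")}'.strip(),
                "srcip": rec["srcip"],
                "dstip": rec.get("dstip", ""),
                "dstintf": rec.get("dstintf", ""),
                "action": rec.get("action", ""),
                "duration": rec.get("duration", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_firewall_initiated_rdp(SAMPLE_LOGS, FIREWALL_INTERFACE_IPS):
        print("firewall-initiated RDP session:", hit)
```

Run against the three samples, only the article's record (sessionid 160893) is reported: the forwarded RDP session has a real policy ID, and the HTTPS record is local-in traffic whose source is a client, not the firewall. The sessions this reports are the ones to correlate with SSL VPN event logs by time, since the RDP server only sees the firewall's address.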