FortiGate
sagha
Staff
Article Id 220165
Description

This article describes a case in which two firewall policies both require user authentication, the user authenticates successfully, and FortiGate still drops the traffic that matches one of the policies.

Scope

FortiGate, FortiOS.
Explanation

Two firewall policies are configured. Both require user authentication through the same user group, User_Access, and differ only in the destination interface.

 

# config firewall policy
    edit 100
        set srcintf "INT-1"
        set dstintf "INT-2"
        set srcaddr "all"
        set dstaddr "192.168.1.100"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set groups "User_Access"
    next
end

# config firewall policy
    edit 101
        set srcintf "INT-1"
        set dstintf "INT-3"
        set srcaddr "all"
        set dstaddr "192.168.1.100"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
        set groups "User_Access"
    next
end

 

After the user authenticates, the entry appears in the list of authenticated users. Note that the entry records not only the source IP but also the source MAC (src_mac) from which the authentication was seen:

 

FGT-A # diagnose firewall auth list

10.1.1.150, test_user
src_mac: b0:c5:3c:68:9b:5c
type: fw, id: 0, duration: 3262, idled: 3260
expire: 25540
flag(804): hard no_idle
packets: in 0 out 6, bytes: in 0 out 304
user_id: 16777250
group_id: 1
group_name: User_Access

 

Traffic matching the first policy (INT-1 to INT-2) passes, but traffic from the same authenticated user matching the second policy (INT-1 to INT-3) is dropped.

Solution

Capture the affected traffic on the ingress interface and review it in Wireshark, making sure the capture includes the Ethernet header (on the FortiGate, diagnose sniffer packet at verbose level 6 prints it, and the GUI packet capture writes a pcap directly). The field of interest is not the IP header, which is identical in both cases, but the source MAC of each frame compared with the src_mac in the auth entry.

 

Capture of INT-1 --> INT-2 traffic (the flow that is allowed):

 

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_68:9b:5c (b0:c5:3c:68:9b:5c), Dst: Fortinet_09:00:02 (00:09:0f:09:00:02)
    Destination: Fortinet_09:00:02 (00:09:0f:09:00:02)
    Source: Cisco_68:9b:5c (b0:c5:3c:68:9b:5c)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.1.1.150, Dst: 192.168.1.100
Transmission Control Protocol, Src Port: 64704, Dst Port: 3389, Seq: 0, Len: 0

 

The source MAC address (b0:c5:3c:68:9b:5c) matches the src_mac recorded for 10.1.1.150 in the auth list, so the frame is attributed to test_user and policy 100 accepts it.


Capture of INT-1 --> INT-3 traffic (the flow that is dropped):

 

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_79:26:58 (ac:4a:67:79:26:58), Dst: Fortinet_09:00:02 (00:09:0f:09:00:02)
    Destination: Fortinet_09:00:02 (00:09:0f:09:00:02)
    Source: Cisco_79:26:58 (ac:4a:67:79:26:58)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.1.1.150, Dst: 192.168.1.100
Transmission Control Protocol, Src Port: 64498, Dst Port: 3389, Seq: 0, Len: 0

 

The source MAC address (ac:4a:67:79:26:58) does not match the src_mac recorded for 10.1.1.150 in the auth list. FortiGate binds a firewall authentication entry to the source IP together with the source MAC it was learned from, so a frame that carries the same IP but a different MAC is not attributed to test_user. It therefore fails the user-group check on policy 101 and is dropped, even though the IP address is the one that authenticated.

A different source MAC behind the same IP usually means that this path reaches INT-1 through a different last-hop device (whose MAC replaces the host's), or that a second host is using the same address. The existing session cannot be reused until the traffic arrives with the recorded MAC or the second source authenticates in its own right. Some FortiOS releases expose set auth-src-mac under config user setting; disabling it removes the MAC part of the binding and ties the session to the IP alone, which is a weaker identity check, so verify the option exists on the running firmware and weigh that trade-off before changing it.
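As an added illustration (not part of the original article and not a Fortinet tool), the following Python script automates the comparison made above: it parses the text of diagnose firewall auth list and the summary lines of a Wireshark text dissection, then reports, per frame, whether the source IP has an authenticated entry, whether the frame's source MAC equals that entry's src_mac, and whether the entry's group is one the policy allows. The auth-list text and the two frames are constructed from the values in this article; merging the two captures into one numbered dissection and the POLICY_GROUPS set are assumptions made for the example.

```python
"""Added example (not from the article or Fortinet): parse `diagnose firewall auth list` and
Wireshark summary lines, then flag frames whose source MAC differs from the MAC recorded for
that source IP. The sample inputs below are constructed from the values in the article."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
# Constructed sample: `diagnose firewall auth list` output as shown in the article.
AUTH_LIST = """\
10.1.1.150, test_user
src_mac: b0:c5:3c:68:9b:5c
type: fw, id: 0, duration: 3262, idled: 3260
expire: 25540
flag(804): hard no_idle
packets: in 0 out 6, bytes: in 0 out 304
user_id: 16777250
group_id: 1
group_name: User_Access
"""

# Constructed sample: the article's two captures merged into one dissection
# (frame numbers are an assumption) so both flows are checked in one pass.
CAPTURE = """\
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_68:9b:5c (b0:c5:3c:68:9b:5c), Dst: Fortinet_09:00:02 (00:09:0f:09:00:02)
Internet Protocol Version 4, Src: 10.1.1.150, Dst: 192.168.1.100
Transmission Control Protocol, Src Port: 64704, Dst Port: 3389, Seq: 0, Len: 0
Frame 2: 66 bytes on wire (528 bits), 66 bytes captured (528 bits)
Ethernet II, Src: Cisco_79:26:58 (ac:4a:67:79:26:58), Dst: Fortinet_09:00:02 (00:09:0f:09:00:02)
Internet Protocol Version 4, Src: 10.1.1.150, Dst: 192.168.1.100
Transmission Control Protocol, Src Port: 64498, Dst Port: 3389, Seq: 0, Len: 0
"""

POLICY_GROUPS: Set[str] = {"User_Access"}  # `set groups` on policies 100 and 101 (assumed set)
AUTH_ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
FRAME_RE = re.compile(r"^Frame (\d+):")
ETH_RE = re.compile(r"^Ethernet II, Src: \S+ \(([0-9a-fA-F:]{17})\)")
IP_RE = re.compile(r"^Internet Protocol Version 4, Src: ([^,\s]+)")

@dataclass
class AuthEntry:
    user: str
    src_mac: str = ""
    group_name: str = ""

@dataclass
class Frame:
    number: int
    src_mac: str = ""
    src_ip: str = ""

def parse_auth_list(text: str) -> Dict[str, AuthEntry]:
    """Map source IP -> entry; '<ip>, <user>' opens an entry, 'key: value' lines fill it."""
    entries: Dict[str, AuthEntry] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := AUTH_ENTRY_RE.match(line):
            entries[m.group(1)] = current = AuthEntry(user=m.group(2))
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            if key.strip() == "src_mac":
                current.src_mac = value.strip().lower()
            elif key.strip() == "group_name":
                current.group_name = value.strip()
    return entries

def parse_capture(text: str) -> List[Frame]:
    """Collect the Ethernet and IPv4 summary lines of each 'Frame N:' block."""
    frames: List[Frame] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := FRAME_RE.match(line):
            frames.append(Frame(number=int(m.group(1))))
        elif not frames:
            continue  # ignore anything before the first frame header
        elif m := ETH_RE.match(line):
            frames[-1].src_mac = m.group(1).lower()
        elif m := IP_RE.match(line):
            frames[-1].src_ip = m.group(1)
    return frames

def check_frames(auth_text: str, capture_text: str, policy_groups: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (frame number, user, verdict): the source IP needs an auth entry, the frame's
    source MAC must equal that entry's src_mac, and the entry's group must be allowed."""
    auth = parse_auth_list(auth_text)
    results: List[Tuple[int, str, str]] = []
    for f in parse_capture(capture_text):
        entry = auth.get(f.src_ip)
        if entry is None:
            results.append((f.number, "", "no-auth-entry"))
        elif entry.src_mac != f.src_mac:
            results.append((f.number, entry.user, "mac-mismatch"))
        elif entry.group_name not in policy_groups:
            results.append((f.number, entry.user, "group-not-in-policy"))
        else:
            results.append((f.number, entry.user, "ok"))
    return results

if __name__ == "__main__":
    for number, user, verdict in check_frames(AUTH_LIST, CAPTURE, POLICY_GROUPS):
        print(f"frame {number}: user={user or '-'} -> {verdict}")
```

Run as a script it prints one verdict per frame (frame 1 ok, frame 2 mac-mismatch). Against a live unit, replace the constructed samples with the current diagnose firewall auth list output and a Wireshark text export of the capture (File > Export Packet Dissections > As Plain Text); the parser only looks at the Frame, Ethernet II and Internet Protocol summary lines, so the indented detail lines can stay.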

 
