Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
seyuboglu
Staff
Staff

Created on ‎08-28-2024 05:06 AM Edited on ‎08-28-2024 05:57 AM By Moderator

Article Id 336991

Troubleshooting Tip: How to troubleshoot HTTPS admin interface is accessible over heartbeat port on FortiGate Azure deployments

Description This article describes how to troubleshoot if the HTTPS admin interface on the secondary device heartbeat port is an accessible device despite 'unset allowaccess' being enabled on the port. 
Scope FortiGate Azure version 7.2.x, 7.4.x, 7.6.x.
Solution

HTTPS admin interface access to FortiGate should not be possible on the heartbeat port when 'unset allowaccess' is configured on the port. 

 

Scenario: 

Active - passive FortiGate design in Azure.

Heartbeat port: port3.

FortiGate A: Primary device       - IP address on port 3: 10.10.10.10/24.

FortiGate B: Secondary device  - IP address on port 3: 10.10.10.11/24.

Test User: 192.168.1.1/24.

 

Example HA configuration:

 

config system ha (output truncated)

    set group-name "Azure"

    set mode a-p

    set hbdev "port3" 100

        config ha-mgmt-interfaces

            edit 1

                set interface "port5"

                set gateway 10.10.10.1

            next

        end

    set priority 120

    set unicast-hb enable

    set unicast-hb-peerip 10.10.10.10

 

Secondary device:

 

edit "port3"  (output truncated). 
    set ip 10.10.10.11 255.255.255.0

    unset allowaccess    <- Access is disabled.

 

Primary device:

 

edit "port3"  (output truncated).
    set ip 10.10.10.10 255.255.255.0

    unset allowaccess    <- Access is disabled.

 

  • Try to access the HTTPS interface 10.10.10.10 from the test PC. The request will be dropped by FortiGate as expected (unset allowaccess is configured).

  • Try to access HTTPS interface 10.10.10.11 from the test PC. FortiGate and the GUI will accept the HTTPS admin page will be opened. 

 

Troubleshooting steps:

  • Connect the secondary device (FortiGate-B in the example) via an SSH connection and enable the debug flow commands below. 

 

diagnose debug console timestamp enable 

diagnose debug flow filter addr 192.168.1.1 10.10.10.11 and

diagnose debug flow show function-name enable 

diagnose debug flow show iprope enable

diagnose debug flow trace start 1000

diagnose debug enable

 

  • Open a web browser and try to access the IP on the heartbeat port of the secondary device (10.10.10.11 in the example).
  • Example debug output is below: 

 

2024-08-01 10:41:20 id=65308 trace_id=1 func=print_pkt_detail line=5857 msg="vd-vsys_ha:0 received a packet(proto=6, 192.168.1.1:58621->10.10.10.11:443) tun_id=0.0.0.0 from port3. flag [S], seq 477801201, ack 0, win 64240"
2024-08-01 10:41:20 id=65308 trace_id=1 func=init_ip_session_common line=6043 msg="allocate a new session-1129d4a1, tun_id=0.0.0.0"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_dnat_check line=5302 msg="in-[port3], out-[]"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_dnat_check line=5314 msg="result: skb_flags-02000001, vid-0, ret-no-match, act-accept, flag-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via vsys_ha"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_access_proxy_check line=439 msg="in-[port3], out-[], skb_flags-02000001, vid-0"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-100017, check-00000000600ea94b"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_policy_group_check line=4729 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_in_check line=472 msg="in-[port3], out-[], skb_flags-02000001, vid-0"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-100011, check-00000000b4e54a8b"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_policy_group_check line=4729 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-100001, check-00000000600ea94b"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_policy_group_check line=4729 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-10000e, check-00000000600ea94b"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-4294967295 is matched, act-drop"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2324 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=iprope_policy_group_check line=4729 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check line=2307 msg="gnum-10000f, check-00000000600ea94b"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2059 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2024-08-01 10:41:20 id=65308 trace_id=1 func=__iprope_check_one_policy line=2277 msg="policy-4294967295 is matched, act-accept"  --- > hit to policy ID 4294967295 and accepted

 

  • Stop the debugging with the commands below:

diagnose debug disable

diagnose debug flow filter clear 

diagnose debug reset 

 

  • Check the session list for the accepted traffic with the commands below:

 

diagnose sys session filter src 192.168.1.1
diagnose sys session list

 

  • Example output is below: 

 

session info: proto=6 proto_state=01 duration=50 expire=3300 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty nosyn_ses                                                                               ------- > the flag is nosyn_ses
statistic(bytes/packets/allow_err): org=10672/152/1 reply=487537/384/1 tuples=2
tx speed(Bps/kbps): 200/20 rx speed(Bps/kbps): 8566/50
orgin->sink: org pre->in, reply out->post dev=5->20/20->5 gwy=0.0.0.0/0.0.0.0  <- Incoming interface 5, outgoing interface 20.
hook=pre dir=org act=noop 192.168.1.1:58621->10.10.10.11:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.10.11:443->192.168.1.1:58621(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=2  <- Accepted by policy 4294967295.
serial=1129d4a1 tos=00/00 app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local
total session 1

 

  • Clear the session filter with the commands below:

 

diagnose sys session filter clear

 

  • Check the incoming and outgoing interfaces for this session with the command below. 

Example output is attached:

 

diagnose netlink interface list | grep index=5 

if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0              <- Incoming interface isport 3.
diagnose netlink interface list | grep index=20 

if=vsys_ha family=00 type=772 index=20 mtu=16436 link=0 master=0 <- Outgoing interface isvsys_ha.

  • Based on the output, the incoming interface is port3 and the outgoing interface is vsys_ha. The accepted Policy ID is 4294967295 (FortiGate internal policy).
  • Check the HTTPS (port 443 by default) access in internal policies with the command below:

 

diagnose firewall iprope list | grep 443 

 

Example output is below:

 

[6:0x0:443/(0,65535)->(443,443)] flags:0 helper:auto
[6:0x0:0/(0,65535)->(443,443)] flags:0 helper:auto
nat(1): flag=0 base=x.x.x.x:443 y.y.y.y.y-y.y.y.y.y(443:443)
[6:0x0:0/(443,443)->(0,65535)] flags:0 helper:auto
nat(1): flag=0 base=y.y.y.y:443 x.x.x.x-x.x.x.x(443:443)
[6:0x4:10100/(0,65535)->(443,443)] flags:4 helper:auto
[6:0x4:10100/(0,65535)->(443,443)] flags:4 helper:auto
[6:0x0:0/(1,65535)->(443,443)] flags:0 helper:auto
[6:0x4:10100/(0,65535)->(443,443)] flags:4 helper:auto
[6:0x0:0/(0,65535)->(443,443)] flags:0 helper:auto

 

  • Search for the output's destination IP (port3 heartbeat IP) address. The IP will not be listed in the output.
  • This traffic should be blocked by internal policies but it is allowed due to a software problem.
  • This unexpected behavior is fixed in versions 7.2.9, 7.4.5, and 7.6.0.
  • If the issue persists, save the debug output and open a TAC ticket at support.fortinet.com.
Labels:
397
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.