player
New Contributor

5.2.4

Hi all,

After upgrading to 5.2.4, some SSL traffic is not passing through and management traffic using SSH/HTTPS to the firewall is not working. There is no proxy configuration, SSL inspection or any mgmt hardening.

Has anyone seen this kind of behavior?

player. rock the boat, don't sink the ship
emnoc
Esteemed Contributor III

I'm assuming it was working before the 5.2.4 upgrade? If yes, then diag debug flow the traffic and see what shows up; e.g.

diag debug reset
diag debug en
diag debug flow filter port 443
diag debug flow show console enable
diag debug flow trace start 100

Post the output here and ensure allow access https is still enabled on the interface(s) that you're expecting management on.

When you're done,

diag debug reset
diag debug disable

You might have to open a ticket or revert to 5.2.3

PCNSE
NSE
StrongSwan
vjoshi_FTNT
Staff

Hello,

There is a known issue recently reported on v5.2.4 where only the SSL traffic is affected.

Ping works fine.

This is normally seen in a dual WAN scenario where the HTTPS request is received on one interface and the response is sent out on another.

As suggested by the earlier post, run the debug flow and see if the above-mentioned symptoms are seen in your case.

player
New Contributor

Well, it seems like the firewall is blocking traffic to itself for some reason (no trusted hosts, and SSH is allowed on the interface):

id=20085 trace_id=2 func=init_ip_session_common line=4527 msg="allocate a new session-0000038f"
id=20085 trace_id=2 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-in received a packet(proto=6, 1.1.1.1:3555->1.1.1.9:22) from wan2.

Also tried to SSH from the firewall to itself:

ssh: connect to host 1.1.1.9 port 22: Connection refused

player. rock the boat, don't sink the ship
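As an added example (not from this thread or from Fortinet), a small Python parser that groups debug-flow records like the ones above by trace_id, pulls out the packet 5-tuple and ingress interface, and flags traces dropped in fw_local_in_handler, i.e. packets addressed to the FortiGate itself that were refused before any forwarding policy was consulted. The sample input is constructed from the records quoted in the post, with a drop record for trace 3 and an accepted trace 4 added for contrast; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three records quoted in the post (closing quote restored),
# plus a drop record for trace 3 and an accepted trace 4 added here for contrast.
# Console copy-paste runs records onto one line, so we scan rather than split lines.
SAMPLE = (
    'id=20085 trace_id=2 func=init_ip_session_common line=4527 msg="allocate a new session-0000038f" '
    'id=20085 trace_id=2 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop" '
    'id=20085 trace_id=3 func=print_pkt_detail line=4378 msg="vd-in received a packet(proto=6, 1.1.1.1:3555->1.1.1.9:22) from wan2." '
    'id=20085 trace_id=3 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop" '
    'id=20085 trace_id=4 func=print_pkt_detail line=4378 msg="vd-in received a packet(proto=6, 10.0.0.5:51000->10.0.0.1:443) from internal." '
    'id=20085 trace_id=4 func=fw_forward_handler line=668 msg="Allowed by Policy-1:" '
)

RECORD_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\w+) line=(\d+) msg="([^"]*)"')
PKT_RE = re.compile(r"proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)")

@dataclass
class Trace:
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None  # ingress interface from print_pkt_detail
    verdict: str = "unknown"     # "drop", "accept" or "unknown"
    reason: Optional[str] = None # "<handler>: <msg>" that decided the verdict

def parse_traces(text: str) -> dict:
    """Group debug-flow records by trace_id; pull out the 5-tuple and the verdict."""
    traces: dict = {}
    for _id, tid, func, _line, msg in RECORD_RE.findall(text):
        t = traces.setdefault(int(tid), Trace(int(tid)))
        m = PKT_RE.search(msg)
        if m:  # print_pkt_detail carries the packet header
            t.proto, t.src, t.dst = int(m[1]), m[2], m[4]
            t.dport, t.iface = int(m[5]), m[6]
        if msg.endswith("drop"):
            t.verdict, t.reason = "drop", f"{func}: {msg}"
        elif msg.startswith("Allowed by"):
            t.verdict, t.reason = "accept", f"{func}: {msg}"
    return traces

def local_in_drops(text: str) -> list:
    """Traces dropped by the local-in handler, i.e. traffic to the unit itself."""
    return [t for t in parse_traces(text).values()
            if t.verdict == "drop" and t.reason.startswith("fw_local_in_handler")]
```

Running local_in_drops over a full trace capture gives a quick list of which source, destination port and ingress interface the unit refused, which is the first thing to compare against the interface's allowaccess setting.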
emnoc
Esteemed Contributor III

On the wan interface, what does your set allow access show (ssh?)?

Ken

PCNSE
NSE
StrongSwan
vjoshi_FTNT
Staff

Hello,

I think the port on which the FortiGate is listening for SSH must be changed. It is worth checking and confirming under System > Admin > Settings.