Support Forum
eprise
New Contributor

Action shows Deny for HTTPS traffic to mail server

Our Fortigate configuration is fairly simple, with policies set to Accept all traffic with the CAS (e-mail server) as the destination and service as HTTPS. We also don't have any Deny actions on any of our policies (there is currently a separate firewall for filtering). The Fortigate is only configured for Web filtering, and not for IPS or any other firewall actions. However, when I look at the logs I see Action=Deny from different internal Source addresses almost every second. Service is typically HTTPS. Is there anything further I should do to not block these packets, or to get more information about why these are being blocked? We are having an issue with some of our users not being able to set Out of Office, which uses this server, and are trying to determine whether the Fortigate is causing the issue.
JavBsd
New Contributor II

Hi Eprise, there is an Implicit policy (Deny action) that is applied when a packet doesn't match any rule. Did you see the traffic with tcpdump too? diag sniffer packet <interface_where_traffic_arrives> Maybe you could paste the log to analyze it. Regards. Jav.
emnoc
Esteemed Contributor III

I would start by setting up a diag sys sess filter <install filters for dport and dst> and run the diag sys session and monitor, especially during high periods of activity and when you suspect drops. At the same time, I would monitor diag debug flow (yes, it's your best friend) with filters to look for the reason for the drop(s). Maybe there's a reason for the drop (rpf, packet sanity, etc.....). Next, I would remove all inspection and security profiles and monitor. fwiw; the logs are okay, but the above gives you precise information as to the why. Once you know why, you can then remediate the issues if required.

PCNSE NSE StrongSwan
rwpatterson
Valued Contributor III

ORIGINAL: eprise However when I look at the logs I see Action=Deny from different internal Source addresses almost every second. Service is typically HTTPS.
Is there additional information in those log entries with regard to policy ID?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Dipen
New Contributor III

First thing... You don't have Application Control set where the SSL application might have been set to block? Secondly... Did I read "Internal Source Addresses"? Are you trying to access one of your internal servers [Exchange] via its public IP instead of its private IP? If it is an internal server, please access it via its internal IP only, not the public IP [Static NAT]; otherwise go for hairpin NAT. KB Article 33976

Ahead of the Threat. FCNSA v5 / FCNSP v5

Fortigate 1000C / 1000D / 1500D
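Two of the replies above point at the same piece of evidence: rwpatterson asks whether the Deny entries carry a policy ID (policyid=0 in a FortiGate traffic log means no configured policy matched, i.e. the implicit deny JavBsd mentions), and Dipen asks whether internal clients are reaching the Exchange server through its public IP rather than its private one. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate key=value traffic-log lines, separates implicit denies (policyid=0) from explicit ones, and flags denied flows from an RFC 1918 source to a non-RFC 1918 destination as candidates for the VIP / hairpin-NAT check. The log lines, hosts, policy IDs and times are constructed for the example; the field names (srcip, dstip, dstport, action, policyid, service) are the standard FortiGate traffic-log keys.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value traffic-log syntax; hosts,
# policy ids and timestamps are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
date=2015-03-10 time=09:12:01 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.0.5.21 srcport=52110 srcintf="internal" dstip=10.0.1.10 dstport=443 dstintf="dmz" proto=6 action="deny" policyid=0 service="HTTPS"
date=2015-03-10 time=09:12:02 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.0.5.22 srcport=52111 srcintf="internal" dstip=203.0.113.25 dstport=443 dstintf="wan1" proto=6 action="deny" policyid=0 service="HTTPS"
date=2015-03-10 time=09:12:02 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.0.5.23 srcport=52112 srcintf="internal" dstip=10.0.1.10 dstport=443 dstintf="dmz" proto=6 action="accept" policyid=3 service="HTTPS"
date=2015-03-10 time=09:12:03 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=10.0.5.24 srcport=52113 srcintf="internal" dstip=10.0.1.10 dstport=25 dstintf="dmz" proto=6 action="deny" policyid=7 service="SMTP"
"""

# key=value pairs; values are either "quoted" or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# "Internal" here means RFC 1918 space, which is what the thread calls internal addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def classify(rec):
    """Label a record by what its action/policyid combination implies."""
    action = rec.get("action", "").lower()
    policy = rec.get("policyid", "")
    if action != "deny":
        return "accept"
    if policy == "0":
        # policyid=0: no configured policy matched, so the implicit deny fired.
        return "implicit-deny"
    return f"explicit-deny:policyid={policy}"


def is_rfc1918(ip):
    """True if ip is an RFC 1918 address; malformed strings count as not internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def nat_hint(rec):
    """Denied flow from an internal host to a non-RFC 1918 address: worth checking
    whether that destination is the public IP (VIP) of an internal server, the
    hairpin-NAT case described in the thread."""
    return (classify(rec) != "accept"
            and is_rfc1918(rec.get("srcip", ""))
            and not is_rfc1918(rec.get("dstip", "")))


def summarize(log_text):
    """Count denies per (classification, dstip, dstport) and collect NAT hints."""
    denies = Counter()
    hints = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label == "accept":
            continue
        denies[(label, rec.get("dstip"), rec.get("dstport"))] += 1
        if nat_hint(rec):
            hints.append((rec.get("srcip"), rec.get("dstip"), rec.get("dstport")))
    return denies, hints


if __name__ == "__main__":
    denies, hints = summarize(SAMPLE_LOG)
    for key, n in denies.most_common():
        print(n, key)
    for src, dst, port in hints:
        print(f"check VIP/hairpin NAT: {src} -> {dst}:{port} was denied")
```

Feed it an exported traffic log (one record per line) in place of SAMPLE_LOG. A large count under implicit-deny for the mail server's address and port 443 says the packets are not matching the Accept policy at all, which is the case emnoc's diag debug flow filters then explain; a count under an explicit-deny label names the policy ID to look at in the policy table.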