okan
New Contributor II

Block country but allow specific IP addresses

Hello,

I am trying to block all traffic from Russia except Yandex mail. I have an address group for all Yandex IP addresses. Can someone explain why my Allow Yandex rule doesn't get priority and SMTP traffic is still hitting the Country Block rule and getting denied? I am attaching the screenshot.

yandex.png

Thank you very much!

1 Solution
Yurisk
SuperUser

By all indications it should work, so I'd recommend looking a bit deeper, e.g. at the debug flow for incoming connections to see the decision flow of the FGT:

# clear any previous debug state and flow filters
diagnose debug reset
diagnose debug flow filter clear
# only trace packets from the Yandex range in question
diagnose debug flow filter addr 178.154.239.0 178.154.239.254
# print the kernel function name for each step of the decision
diagnose debug flow show function-name enable
# trace the next 100 matching packets and turn debug output on
diagnose debug flow trace start 100
diagnose debug enable

Also, we don't see incoming/outgoing interface pairs, so make sure the incoming SMTP traffic enters via the same interface as the rule below.

To verify:

# verbosity 4 shows interface names alongside the packet headers
diagnose sniffer packet any 'net 178.154.239.0/24' 4

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
saneeshpv_FTNT

@okan

As a first step, please enable logging in the policy and check the traffic logs to see what IP is being matched in the deny policy and whether this IP is in your Yandex_IP_Group. Also check that the port on the allow policy matches the denied traffic logs.

Best Regards,

Saneesh

okan
New Contributor II

@saneeshpv_FTNT, hello, thanks for the response. Sure, here are the logs:

Logs

And this source address is already specified in the group:

addresses.jpg

What am I missing here?
Thank you!

hbac
Staff

Hi @okan,

Are you trying to allow incoming traffic to your SMTP server? When you specify 'all' in the destination, it will not be matched. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewal...

Regards,

okan
New Contributor II

Thank you very much for the response, but I can't apply the match-vip option on an allow policy. I did it on my deny policy but there is no change in behaviour; it was already blocking everything.

We are on 7.4.3 by the way.

okan
New Contributor II

Hello @Yurisk,

I have tried your suggestions and apparently incoming traffic wasn't even hitting my allow policy.

log1.jpg

log2.jpg

And then @hbac's response made me think, and I modified my allow policy's destination to the VIP of the mail gateway instead of "all", and then it worked.

Thank you very much for your help, @Yurisk and @hbac!
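As an added example (constructed here, not the poster's configuration or a copy of their screenshots), this is how the rule order that hbac hinted at and okan ended up with looks in the FortiOS CLI: the allow policy names the VIP object as its destination, and the deny policy uses match-vip so it still catches DNAT'd traffic. Interface names, the VIP addresses and the object names other than Yandex_IP_Group are assumptions.

```fortios
# Constructed example; wan1/internal, the VIP addresses and object names are assumed.
config firewall vip
    edit "VIP_MAIL_GW"
        set extintf "wan1"
        set extip 203.0.113.25
        set mappedip "192.168.10.25"
    next
end
config firewall address
    edit "Yandex_Net_1"
        set subnet 178.154.239.0 255.255.255.0
    next
    edit "Russia"
        set type geography
        set country "RU"
    next
end
config firewall addrgrp
    edit "Yandex_IP_Group"
        set member "Yandex_Net_1"
    next
end
config firewall policy
    # Allow rule: dstaddr is the VIP, not "all", so DNAT'd SMTP matches here first.
    edit 10
        set name "Allow_Yandex_SMTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Yandex_IP_Group"
        set dstaddr "VIP_MAIL_GW"
        set service "SMTP"
        set action accept
        set schedule "always"
        set logtraffic all
    next
    # Deny rule: match-vip lets a "dstaddr all" deny policy also evaluate VIP traffic.
    edit 20
        set name "Country_Block"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "Russia"
        set dstaddr "all"
        set service "ALL"
        set action deny
        set schedule "always"
        set logtraffic all
        set match-vip enable
    next
    move 10 before 20
end
```

With logging enabled on both policies, a denied Yandex connection showing policy 20 in the traffic log points at an interface or destination mismatch in policy 10 rather than at the address group.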

Yurisk

Great to hear. I was somehow thinking your SMTP server has a legal IP w/o NAT.

Please set the question status to "Solved" so other users on the forum will look at it first when searching for this type of issue.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.