Hello,
I am trying to block all traffic from Russia except Yandex mail. I have an address group for all Yandex IP addresses. Can someone explain why my Allow Yandex rule doesn't get priority and SMTP traffic is still trying to go through the Country Block rule and getting denied? I am attaching the screenshot.
Thank you very much!
As a first step, please enable logging in the policy and check the traffic logs to see what IP is being matched in the deny policy and whether this IP is in your Yandex_IP_Group. Also check that the port on the allow policy matches the denied traffic logs.
Best Regards,
Saneesh
@saneeshpv_FTNT , hello, thanks for the response. Sure, here are the logs:
And this source address is already specified in the group:
What am I missing here?
Thank you!
Hi @okan,
Are you trying to allow incoming traffic to your SMTP server? When you specify 'all' in the destination, it will not be matched. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-VIP-traffic-not-matching-the-firewal...
Regards,
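As an added example (not part of the thread or a Fortinet document), the following FortiOS CLI shows the configuration the answer above implies: inbound SMTP to a NATed server only matches a policy whose destination is the VIP object itself (or a group containing it), so the allow policy must name the VIP rather than "all", sit above the country block, and the deny policy may additionally use match-vip. Only the address group name Yandex_IP_Group comes from the thread; the interface names, the VIP name SMTP_Server_VIP, the geography address Russia_Geo, the policy IDs and the IP addresses are assumed or constructed for illustration.

```text
# Constructed example: VIP for the internal SMTP server (addresses are RFC 5737 documentation ranges)
config firewall vip
    edit "SMTP_Server_VIP"
        set extip 203.0.113.25
        set extintf "wan1"
        set mappedip "192.168.10.25"
    next
end

# Assumed geography address used by the country block rule
config firewall address
    edit "Russia_Geo"
        set type geography
        set country "RU"
    next
end

config firewall policy
    # Allow policy: destination is the VIP object, not "all", so inbound
    # SMTP from the Yandex ranges is matched here before the deny rule.
    edit 10
        set name "Allow_Yandex_SMTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Yandex_IP_Group"
        set dstaddr "SMTP_Server_VIP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set logtraffic all
    next
    # Deny policy below it: match-vip is only available on deny policies
    # and makes it catch VIP traffic that no allow policy above accepted.
    edit 11
        set name "Country_Block"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Russia_Geo"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
end
```

With logging enabled on both policies, a denied connection from a Yandex source in the traffic log points at a mismatch in the allow policy (destination object, interface pair or service), which is exactly what the replies above suggest checking.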
Created on 07-02-2024 10:37 PM Edited on 07-02-2024 10:51 PM
Thank you very much for the response, but I can't apply the match-vip option on an allow policy. I did it on my deny policy but there is no change in behaviour, it was already blocking everything.
We are on 7.4.3 by the way.
By all indications it should work, so I'd recommend to look a bit deeper - like look at debug flow for incoming connections to see the decision flow of the FGT:
dia de reset
dia deb flow filter clear
diagnose debug flow filter addr 178.154.239.0 178.154.239.254
dia deb flow show function
diagnose debug flow trace start 100
dia deb enable
Also, we don't see incoming/outgoing interfaces pairs, so make sure the incoming SMTP traffic enters via the same interface as the rule below.
To verify:
dia sni pa any 'net 178.154.239.0/24' 4
Great to hear, I was somehow thinking your SMTP server has a legal IP w/o NAT.
Please set the question status to "Solved" so other users on forum will look at it first when searching for this type of issue.