MIsmail
New Contributor

Blocked HTTPS Traffic

Hi,
Could someone help me please to identify the problem?
I don't know why this traffic is blocked, and it affects our ADSync server's online synchronization.

Screenshott.png

2 Solutions
Markus_M

First remove the web filter from the policy to see if it starts working in the first place. Based on the policy view there is no web filter applied at this time. Just to make sure.

If it still fails, there is no point troubleshooting anything on the web filter since it has no direct effect. The traffic is blocked BEFORE the web filter is applied.

When the traffic is working fine, then apply the web filter etc. to the traffic. You will also need certificate inspection at minimum, better deep inspection, as FortiGate can only block what it can read. Encrypted traffic cannot be read.

Next, your initial screenshot shows a different source interface (port1 vs port2). See if that is the pattern on the failure.

Check if the interface group/zone called "outside" contains both port1 and port2 - I would suspect that is not the case, based on the logs.

Best regards,

Markus

sw2090
SuperUser

He is getting "implicit deny", as one of the first replies already wrote.

This means that the traffic did not hit ANY policy but policy #0 ("implicit deny") and thus got denied.

So it is of no use to try to disable filters on policies, because they are not hit.

I would suggest checking why this traffic doesn't hit any policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

13 REPLIES
funkylicious
SuperUser

Hi,

Implicit deny means it's hitting the default implicit firewall rule, which denies all traffic.

Is your ADSync firewall rule based on ISDB, IP ranges or FQDN wildcard? Because it appears that some domains/IPs have not been whitelisted.

You could add those IPs/FQDNs to the explicit rule that has been created to permit the traffic.

"jack of all trades, master of none"
MIsmail

Hi geek,
Thanks for the reply. I tried to whitelist some domains on the web filter, but the traffic is still being blocked. Actually, I'm not an expert on FortiGate, so could you please explain how to start over to troubleshoot this issue?
Thanks

Screenshottt.png

kvimaladevi

Hi,

Please check the policy that this traffic is hitting. If it is hitting the policy which has the web filter profile that you have shown in the previous reply, you can try to allow *.microsoftonline.com as a wildcard type, clear the sessions or try to access from an incognito window to check if the traffic is allowed.

You can also try to create a policy for a single source without any UTM and keep it on top of the current policy to check if the traffic is allowed; this is to isolate whether the issue is because of the UTM or any ISP blocking.

Regards,

Vimala

MIsmail

Hi Vimala,
Thanks for the reply. I did all these steps and it still shows the traffic blocked,
but I noticed from the logs that the FW allows and denies the same traffic simultaneously, with the same source and destination, as shown.
Do you have any idea what causes this?

Screensho1.png Screensho3.png
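The replies above point at two things to look for in the traffic log: sessions landing on policy 0 (the implicit deny sw2090 describes) and the same source/destination appearing as both accept and deny, which Markus ties to a differing source interface (port1 vs port2). The script below, an added example that is not from this thread or from Fortinet, parses constructed key=value traffic-log lines in the FortiGate style and reports both patterns per flow; the addresses, interfaces and policy ids in SAMPLE_LOGS are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style; the
# addresses, interfaces and policy ids are made up for this example.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.10.10.25 srcport=50112 srcintf="port1" dstip=203.0.113.10 dstport=443 dstintf="wan1" action="accept" policyid=12
date=2024-05-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.10.10.25 srcport=50113 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="wan1" action="deny" policyid=0
date=2024-05-01 time=09:00:02 type="traffic" subtype="forward" srcip=10.10.10.25 srcport=50114 srcintf="port2" dstip=203.0.113.20 dstport=443 dstintf="wan1" action="deny" policyid=0
date=2024-05-01 time=09:00:03 type="traffic" subtype="forward" srcip=10.10.10.30 srcport=40001 srcintf="port1" dstip=203.0.113.20 dstport=443 dstintf="wan1" action="accept" policyid=12
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyse(text):
    """Group records by (srcip, dstip, dstport); per flow, collect the source
    interfaces seen for each action and those that landed on policy 0."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["srcip"], rec["dstip"], rec["dstport"])
        seen[key][rec["action"]].add(rec["srcintf"])
        if rec.get("policyid") == "0":  # implicit deny: no policy matched
            seen[key]["implicit_deny"].add(rec["srcintf"])
    return {
        key: {
            "accept_intf": sorted(acts.get("accept", ())),
            "deny_intf": sorted(acts.get("deny", ())),
            "implicit_deny": sorted(acts.get("implicit_deny", ())),
            # same src/dst both accepted and denied; compare the interfaces
            "mixed": bool(acts.get("accept")) and bool(acts.get("deny")),
        }
        for key, acts in seen.items()
    }


if __name__ == "__main__":
    for (src, dst, port), f in analyse(SAMPLE_LOGS).items():
        if f["implicit_deny"] or f["mixed"]:
            print(f"{src} -> {dst}:{port}  accept via {f['accept_intf']}  "
                  f"deny via {f['deny_intf']}  implicit deny via {f['implicit_deny']}")
```

A flow whose accept and deny entries come from different srcintf values is the case to check against the policy's source interface or zone membership.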

msanjaypadma

Hi @MIsmail,

Could you please share the specific firewall policy configuration?

Run the commands below in two different PuTTY sessions and collect the output at the same time.

PuTTY 1:

diag debug reset
diag debug disable
diag debug console timestamp enable
diag debug flow trace stop
diag debug flow filter clear
diag debug flow filter addr x.x.x.x <--- IP address of the destination
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 9999999
diag debug enable


PuTTY 2:
diag sniffer packet any "host y.y.y.y" 6 0 l <<<<<<< where y.y.y.y is the destination IP address

Then generate traffic, and when you see it is blocked, stop the debug and sniffer using the commands below.

PuTTY 1:
di de di

PuTTY 2:
Press Ctrl + C

 

Mayur Padma
MIsmail

Hi Mayur Padma,

Thanks for the reply,
I did the steps as you asked.

 

Screenshot_36.png

 

Screenshot_37.png

msanjaypadma

Hi @MIsmail,

Can you attach the log files?

Mayur Padma
MIsmail

Hi Mayur Padma,
I'm sorry, I just don't know how to attach files, so I uploaded them on WeTransfer.
