Support Forum
aseques
New Contributor

Cli method to show the firewall rule that blocks a site?


When I'm in trouble I use the diagnose mode all the time; the issue I'm having now is that the old commands don't work:

diag debug flow filter addr 1.1.1.1
diag debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable

There's no mention of the message that appears in the browser saying that the site has been blocked by the firewall, so it makes it very difficult to find the origin of the policy that restricted that user when there are multiple blocks and web profiles. Does anyone know a proper CLI syntax to get this information? I've been searching a lot in the forums but haven't been able to find anything.

Regards,

Joan

emnoc
Esteemed Contributor III

The syntax above is correct, but did you enable the debug?


diag debug enable


PCNSE NSE StrongSwan
aseques
New Contributor

Yes, it's the last of the lines I pasted. Just to double check, I changed the order of the commands and the result is the same: I see the rules that affect the traffic flow, but I don't see anything related to the web filtering.

Any idea of what it would look like?

emnoc
Esteemed Contributor III

So you have a match to the fw-policy? Does it have a URL filter attached? And are you expecting it to block or pass?

I believe there's a diag debug app <something for url/web filter> command, but I'm not in the office at this time. You might want to search the diag debug app options.

Ken

PCNSE NSE StrongSwan
gschmitt
Valued Contributor

aseques wrote:

diag debug flow filter addr 1.1.1.1

Did you do a

diag debug flow filter clear

diag debug reset

before? :D

aseques

Sure, it's clean (I'm testing with the test.com domain, ip=69.172.200.235)

# diagnose debug flow filter
       vf: any
       proto: any
       host addr: 69.172.200.235-69.172.200.235
       Host saddr: any
       Host daddr: any
       port: any
       sport: any
       dport: any

I get the attached output (anonymized), with one of the lines being probably the redirection to the error page:

vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:8008)

But it still doesn't mention anything about the captive portal.

Iescudero

Hello!

I think that is because the antivirus, proxy, web filter or captive portal are considered by FortiGate as applications, which means they work in a different layer than diagnose debug flow.

If you enable it, you can see web filter blocks in the Log section.

Hope this helps

aseques

I have enabled the UTM logging for these rules, but both on the FAZ and on the FortiGate the rule numbers aren't shown, so I can see which URLs were blocked, but I can't see by which rule they were blocked (that's my main concern).

See the attached capture from fortianalyzer

ede_pfau

From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 (msg="Allowed by Policy-4: AV SNAT").


Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
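
An added example (not code from any poster or from Fortinet) that shows the point made above in a checkable way: a small Python parser for `diagnose debug flow` output that groups lines by trace_id, pulls out the policy verdict and ID where a policy lookup was logged, and flags traces whose packet hit an already established session and therefore never show a policy ID. The sample lines are constructed; the "received a packet" and "Allowed by Policy-4: AV SNAT" forms mirror the thread, while the session-allocation and existing-session message texts are assumed and should be checked against your own firmware's output.

```python
import re

# Constructed sample of `diagnose debug flow` output. The packet line and the
# "Allowed by Policy-4: AV SNAT" message follow the forms quoted in the thread;
# the session messages are ASSUMED formats (adjust the regexes to your firmware).
SAMPLE_FLOW = """\
id=20085 trace_id=1 msg="vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:8008) from port1."
id=20085 trace_id=1 msg="allocate a new session-00000123"
id=20085 trace_id=1 msg="Allowed by Policy-4: AV SNAT"
id=20085 trace_id=2 msg="vd-root received a packet(proto=6, 10.1.1.10:52312->69.172.200.235:80) from port1."
id=20085 trace_id=2 msg="Find an existing session, id-00000123, original direction"
"""

RE_TRACE = re.compile(r'\btrace_id=(\d+)\b')
RE_PACKET = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
RE_POLICY = re.compile(r'(Allowed|Denied) by Policy-(\d+)(?::\s*([^"]*))?')
RE_EXISTING = re.compile(r'existing session', re.IGNORECASE)


def summarize_flow(text):
    """Group debug-flow lines by trace_id; record the packet 5-tuple, the policy
    verdict/ID if a policy lookup was logged, and whether an existing session matched."""
    traces = {}
    for line in text.splitlines():
        m = RE_TRACE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(1), {"packet": None, "verdict": None,
                                            "policy_id": None, "policy_name": None,
                                            "existing_session": False})
        if pk := RE_PACKET.search(line):
            proto, src, sport, dst, dport = pk.groups()
            t["packet"] = (int(proto), src, int(sport), dst, int(dport))
        if pol := RE_POLICY.search(line):
            t["verdict"] = pol.group(1)
            t["policy_id"] = int(pol.group(2))
            t["policy_name"] = (pol.group(3) or "").strip() or None
        if RE_EXISTING.search(line):
            t["existing_session"] = True
    return traces


def traces_without_policy(traces):
    """Trace ids whose packet matched an established (possibly offloaded) session,
    so no policy lookup was logged: clear those sessions and trace again."""
    return [tid for tid, t in traces.items()
            if t["policy_id"] is None and t["existing_session"]]
```

Trace 1 above yields policy 4 ("AV SNAT"); trace 2 is reported by `traces_without_policy` because it matched an existing session, which is exactly the case where the policy ID never appears in the output.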
aseques

ede_pfau wrote:

From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 (msg="Allowed by Policy-4: AV SNAT").


Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.

The message I see in the browser is telling me that my connection was blocked, but in the firewall the traffic is allowed by a policy (might it be sending it to the web filter engine?).

So I don't get much info from the logs.
