kashifnazeer
New Contributor

Config MS Teams access via Fortigate 6.2

Dear All,


I am trying to configure FortiGate for a group of users who don't have internet access to be able to use "MS Teams".

I have configured a policy with "Microsoft teams & skype" as destination from "internet services", but Teams is not connecting, error (failed to connect to end point settings). Below is the traffic capture log. Any suggestions?

2020-11-17 17:02:00 id=20085 trace_id=1972 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50344->40.90.189.152:443) from User_SO Vlan30. flag , seq 3789154442, ack 0, win 64240"
2020-11-17 17:02:00 id=20085 trace_id=1972 func=init_ip_session_common line=5625 msg="allocate a new session-0d6ad801"
2020-11-17 17:02:00 id=20085 trace_id=1972 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-192.168.22.2 via DC-EDGE0"
2020-11-17 17:02:00 id=20085 trace_id=1972 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50267->52.113.194.132:443) from User_SO Vlan30. flag , seq 1154946683, ack 0, win 64240"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=init_ip_session_common line=5625 msg="allocate a new session-0d6ad80b"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-192.168.22.2 via DC-EDGE0"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:01 id=20085 trace_id=1974 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50314->52.113.194.132:443) from User_SO Vlan30. flag , seq 3296699697, ack 0, win 64240"
2020-11-17 17:02:01 id=20085 trace_id=1974 func=init_ip_session_common line=5625 msg="allocate a new session-0d6ad84b"
2020-11-17 17:02:01 id=20085 trace_id=1974 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-192.168.22.2 via DC-EDGE0"
2020-11-17 17:02:01 id=20085 trace_id=1974 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:02 id=20085 trace_id=1975 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50344->40.90.189.152:443) from User_SO Vlan30. flag , seq 3789154442, ack 0, win 64240"
2020-11-17 17:02:02 id=20085 trace_id=1975 func=init_ip_session_common line=5625 msg="allocate a new session-0d6ad8e8"
2020-11-17 17:02:02 id=20085 trace_id=1975 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-192.168.22.2 via DC-EDGE0"
2020-11-17 17:02:02 id=20085 trace_id=1975 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50363->172.17.30.251:8013) from User_SO Vlan30. flag , seq 3463839351, ack 0, win 64240"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=init_ip_session_common line=5625 msg="allocate a new session-0d6ad94a"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=vf_ip_route_input_common line=2596 msg="find a route: flag=84000000 gw-172.17.30.251 via Core_FW"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=fw_local_in_handler line=432 msg="iprope_in_check() check failed on policy 0, drop"

 

Regards,
boneyard
Valued Contributor

I see two IP addresses which seem to get denied; you can look these up and see which category they fall into.

 

# diagnose internet-service match root 40.90.189.152 255.255.255.255
Internet Service: 327839(Microsoft-WNS), matched num: 2
Internet Service: 327786(Microsoft-Azure), matched num: 2
Internet Service: 327681(Microsoft-Web), matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched num: 1
Internet Service: 327683(Microsoft-DNS), matched num: 2
Internet Service: 327684(Microsoft-Outbound_Email), matched num: 4
Internet Service: 327686(Microsoft-SSH), matched num: 1
Internet Service: 327687(Microsoft-FTP), matched num: 2
Internet Service: 327688(Microsoft-NTP), matched num: 2
Internet Service: 327689(Microsoft-Inbound_Email), matched num: 4
Internet Service: 327694(Microsoft-LDAP), matched num: 4
Internet Service: 327695(Microsoft-NetBIOS.Session.Service), matched num: 2
Internet Service: 327696(Microsoft-RTMP), matched num: 2
Internet Service: 327704(Microsoft-NetBIOS.Name.Service), matched num: 1
Internet Service: 327680(Microsoft-Other), matched num: 2

# diagnose internet-service match root 52.113.194.132 255.255.255.255
Internet Service: 327880(Microsoft-Office365.Published), matched num: 12
Internet Service: 327781(Microsoft-Skype_Teams), matched num: 5
Internet Service: 327681(Microsoft-Web), matched num: 4
Internet Service: 327682(Microsoft-ICMP), matched num: 1
Internet Service: 327683(Microsoft-DNS), matched num: 2
Internet Service: 327684(Microsoft-Outbound_Email), matched num: 4
Internet Service: 327686(Microsoft-SSH), matched num: 1
Internet Service: 327687(Microsoft-FTP), matched num: 2
Internet Service: 327688(Microsoft-NTP), matched num: 2
Internet Service: 327689(Microsoft-Inbound_Email), matched num: 4
Internet Service: 327694(Microsoft-LDAP), matched num: 4
Internet Service: 327695(Microsoft-NetBIOS.Session.Service), matched num: 2
Internet Service: 327696(Microsoft-RTMP), matched num: 2
Internet Service: 327704(Microsoft-NetBIOS.Name.Service), matched num: 1
Internet Service: 327680(Microsoft-Other), matched num: 2

The first makes sense because it is not in the Microsoft Skype & Teams group; you will need to add, for example, Microsoft-Web.

The second is kinda odd, because for me it hits on the Skype & Teams. You can double check with the above command; perhaps your ISDB is not getting updated?

Is the firewall rule in the correct section from User_SO Vlan30 to DC-EDGE0?
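
The triage both posts walk through, as an added example that is not part of the original thread: it pulls the destinations dropped on policy 0 out of the debug flow trace and checks them against `diagnose internet-service match` output. The function names are assumptions made for this example, and the embedded sample is an abbreviated excerpt of the output quoted above.

```python
import re

# Constructed sample: lines excerpted (abbreviated) from the trace and ISDB output quoted in this thread.
FLOW = '''\
2020-11-17 17:02:00 id=20085 trace_id=1972 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50344->40.90.189.152:443) from User_SO Vlan30. flag , seq 3789154442, ack 0, win 64240"
2020-11-17 17:02:00 id=20085 trace_id=1972 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50267->52.113.194.132:443) from User_SO Vlan30. flag , seq 1154946683, ack 0, win 64240"
2020-11-17 17:02:00 id=20085 trace_id=1973 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=print_pkt_detail line=5460 msg="vd-Core_FW:0 received a packet(proto=6, 172.17.30.68:50363->172.17.30.251:8013) from User_SO Vlan30. flag , seq 3463839351, ack 0, win 64240"
2020-11-17 17:02:03 id=20085 trace_id=1976 func=fw_local_in_handler line=432 msg="iprope_in_check() check failed on policy 0, drop"
'''
ISDB = '''\
# diagnose internet-service match root 40.90.189.152 255.255.255.255
Internet Service: 327839(Microsoft-WNS), matched num: 2
Internet Service: 327681(Microsoft-Web), matched num: 4
# diagnose internet-service match root 52.113.194.132 255.255.255.255
Internet Service: 327781(Microsoft-Skype_Teams), matched num: 5
Internet Service: 327681(Microsoft-Web), matched num: 4
'''

PKT = re.compile(r'trace_id=(\d+) .*?received a packet\(proto=\d+, [\d.]+:\d+->([\d.]+):(\d+)\)')
DROP = re.compile(r'trace_id=(\d+) func=(\w+) .*?(?:Denied by forward policy check|iprope_in_check\(\) check failed)')

def denied_flows(text):
    """Return {(dst_ip, dst_port): handler} for every trace that ended in a policy-0 drop."""
    dst, out = {}, {}
    for line in text.splitlines():
        if m := PKT.search(line):                 # first line of a trace: remember its destination
            dst[m[1]] = (m[2], int(m[3]))
        elif (m := DROP.search(line)) and m[1] in dst:
            out[dst[m[1]]] = m[2]                 # handler tells forward traffic from local-in traffic
    return out

def isdb_matches(text):
    """Map each queried IP to the set of Internet Service names it matched."""
    res, ip = {}, None
    for line in text.splitlines():
        if m := re.search(r'diagnose internet-service match \S+ ([\d.]+)', line):
            ip = m[1]
            res[ip] = set()
        elif ip and (m := re.search(r'Internet Service: \d+\(([^)]+)\)', line)):
            res[ip].add(m[1])
    return res

def uncovered(flows, matches, allowed):
    """Forward-denied destination IPs whose ISDB entries share nothing with `allowed`."""
    return sorted(ip for (ip, _), fn in flows.items()
                  if fn == "fw_forward_handler" and not (matches.get(ip, set()) & allowed))
```

An address returned by `uncovered` needs a further Internet Service in the policy; an address that is covered but still denied points back at the ISDB update state or the policy's interface pair, as the reply suggests.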
