Hi, after the upgrade of an FGT60D to 5.2.2, policy is behaving very strangely, at least one...
For example, I have a policy ACCEPT from internal (LAN) to WAN for service ALL, in short to the internet. Now after the upgrade http/https is not working, but Skype, for example, is working normally. So I figured out that there is something wrong with DNS. So I made a new policy just for DNS and now http/https is working.
So my question is: why is this necessary after the upgrade!? Is it not enough to use SERVICE "ALL"!?
Regards
Is that a user authenticated policy? DNS used to be allowed implicitly on IBP but is not in v5.2.
No, it is not a user authenticated policy, just from one interface to another ... if I use "ALL_TCP" and "ALL_UDP" under "GENERAL" for the service, everything is working, just not "ALL" ....
It has a bug.
Please check it with the CLI: show full firewall service custom ALL
I confirm a similar issue with the same build of FortiOS on a FortiWifi 60C.
In our case, on this specific FortiWifi, we also have a policy that allows all outbound traffic from an internal network to the Internet on all ports/protocols (using the ALL service). Until the update to the 5.2 branch, there were no issues with this rule. After the update to the latest release, users began reporting issues with their Internet access. In the logs, we have seen many entries about denied DNS requests, labeled with a threat level of "high", which is rather strange.
After 2 hours of trial and error and some "googling", we added a new policy that explicitly accepts outbound DNS requests, and then the Internet connectivity was back. We later refined the rule to add only those services really needed.
Cindy B.
Hi
I have the same issue with the "Deny: DNS error Fortigate" error.
But even when I added the policy for outbound DNS requests, I have the same error on forward traffic.
So if there is any news about a solution to this issue, please let me know.
I have: FORTIGATE 60D with 5.4 build
Regards.
Hi Houssem.Alios!
Did you try to enable "Allow and log DNS traffic" under the Application Control Security Profile?
Br,
Jan-Ivar
As I recall, there was something with the 'all' user object during the upgrade. Something had to be changed from IP=0 to IP=6 (or something similar). Looking for the post now.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
It's mentioned in KB FD36247. I vaguely recall the discussion Bob is referring to, though I can't seem to find that post either.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
@Bob: the 'ALL' service was changed from 'protocol 0' to 'protocol 6' during an upgrade to 5.0.x by an internal script. So UDP, ICMP and other protocols were blocked afterwards, but not TCP.
And a DNS request is... UDP/53. So if you block UDP, DNS resolution will fail.
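A small check for the root cause described in the last two replies (the 'ALL' service rewritten from protocol 0 to protocol 6), written as an added example for this thread, not code from Fortinet or from any poster here. The config text is constructed to resemble the output of `show full firewall service custom ALL`, and the `protocol` / `protocol-number` field names are assumed from FortiOS 5.x syntax.

```python
"""Parse a FortiGate custom-service block and report whether 'ALL'
still matches every IP protocol.  Config samples are CONSTRUCTED;
the `protocol`/`protocol-number` keys are assumed FortiOS 5.x syntax."""
import re

# Constructed: the state the thread describes after the upgrade script
# rewrote ALL from protocol 0 (any IP protocol) to protocol 6 (TCP only).
BROKEN_ALL = """\
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
        set protocol-number 6
    next
end
"""

# Constructed: the intended definition, protocol-number 0 meaning "any".
GOOD_ALL = BROKEN_ALL.replace("set protocol-number 6", "set protocol-number 0")

# Simplified mapping for the non-IP protocol keywords (assumption).
KEYWORD_PROTOS = {"TCP": {6}, "UDP": {17}, "ICMP": {1}}


def parse_service(cfg: str) -> dict:
    """Return name plus every `set key value` inside the edit block."""
    name = re.search(r'edit "([^"]+)"', cfg).group(1)
    pairs = re.findall(r'^\s+set (\S+) (.+)$', cfg, re.M)
    return {"name": name, **{k: v.strip('"') for k, v in pairs}}


def matched_protocols(svc: dict) -> set:
    """IP protocol numbers the service matches; {'any'} means all."""
    if svc.get("protocol") == "IP":
        num = int(svc.get("protocol-number", 0))
        return {"any"} if num == 0 else {num}
    return KEYWORD_PROTOS.get(svc.get("protocol"), set())


def flow_allowed(svc: dict, ip_proto: int) -> bool:
    """Would a flow of this IP protocol (e.g. 17 = UDP) match the service?"""
    allowed = matched_protocols(svc)
    return "any" in allowed or ip_proto in allowed


def check_all_service(cfg: str) -> list:
    """Return problems found; an empty list means ALL is defined sanely."""
    svc = parse_service(cfg)
    problems = []
    if svc["name"] == "ALL" and "any" not in matched_protocols(svc):
        problems.append(f"'ALL' matches only protocol(s) {matched_protocols(svc)}; "
                        "UDP/53 DNS and ICMP would be dropped")
    return problems
```

Running `check_all_service` against the output of the CLI command quoted earlier in the thread gives a quick way to confirm the symptom before adding separate DNS policies.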