Jirka1

Destination Interface unknown-0

Hello experts,

Today we deployed a FGT200E to part of the network. We terminated two parts of the network on it - vlan666 and vlan777 - both are WiFi networks and both have DHCP on the FGT. DNS is Google DNS. Everything works OK, but the log very often shows the message: Deny - policy violation - dst iface unknown-0, although it is legitimate traffic being routed to the internet. No BGP or OSPF is used; NAT is performed via an IP pool on a public IP address.

 

# Policy 26: guest WiFi (VLAN777) -> wan1 with source NAT from an IP pool.
# The debug trace later in this thread shows new sessions from 10.9.8.118
# being "Allowed by Policy-26" and SNATed to 62.209.xxx.xxx.
config firewall policy
    edit 26
        set name "UINIFI Guest->WAN"
        set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
        set srcintf "VLAN777"
        set dstintf "wan1"
        set srcaddr "UNIFI Guest"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        # NOTE(review): every destination port is permitted from the guest VLAN;
        # the denied packets discussed in this thread are only to ports 80/443.
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        # every session is logged, not only those with UTM events
        set logtraffic all
        set logtraffic-start disable
        # NPU offload; the trace shows "Trying to offloading session from VLAN777 to wan1"
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        # SNAT to the pool address (trace: "SNAT 10.9.8.118->62.209.xxx.xxx")
        set ippool enable
        set poolname "NAT_UniFi_GUEST"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        set av-profile ''
        set webfilter-profile "UniFiGuest"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        # no IPS sensor in this paste; the later paste of policy 26 in this
        # thread has ips-sensor "protect_client"
        set ips-sensor ''
        set application-list "UniFiGuest"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        # certificate inspection only: the TLS payload is not decrypted, so the
        # web filter and application list cannot see encrypted content
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 

# diag debug reset
# diag debug enable
# diag debug flow filter dport 80
# diag debug flow filter saddr 10.9.8.118
# diag debug flow trace start 100


FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=4 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=4 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=5 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=5 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=6 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=6 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=7 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=7 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=8 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=8 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=9 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=9 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=10 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=10 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=11 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=11 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=12 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=12 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag , seq 3290449723, ack 0, win 65535"
id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=13 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=13 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=14 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=14 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=14 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag , seq 261364636, ack 0, win 14600"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=16 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=16 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=16 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=16 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=17 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=17 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=18 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=18 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=19 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364838, ack 1997785115, win 3918"
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=19 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=20 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449925, ack 3398102765, win 1369"
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=20 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=20 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=22 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=23 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=24 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=24 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=24 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=25 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=26 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=27 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=27 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=28 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=28 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=28 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=29 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=29 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=29 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=30 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=30 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=30 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=31 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=31 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=31 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=32 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=32 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=32 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=33 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=33 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=34 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=34 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=34 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=35 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=35 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=35 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=36 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=36 func=fw_forward_dirty_handler line=335 msg="no session matched"

 

I have read a few similar posts, but there is no definitive solution. Does anyone have any idea what else to check? In my opinion, this is a standard setup that always works. FortiOS version is 6.0.3.

Thank you, Jirka

 

1 Solution
emnoc

The message is informational; many things can cause a destination-unknown result:

 

   asymmetrical

   interface  link-state change

   routing path and protocol changes

   vpn state  changes

 

Typically it is something external to the firewall; it means you have a network, link or path issue. In the trace above, every denied packet is a FIN/ACK segment for which the firewall reports "no session matched", so there is no existing session from which a destination interface could be logged, which appears to be why it is reported as unknown-0.

 

Ken Felix

 

Jirka1

emnoc wrote:

Yes, I agree, and I see various applications send out additional TCP packets when the session is long dead. Is it always the same address and service ports?

 

Ken Felix

Hi Ken, yes, the destination port is always 80 or 443. The destination address changes.

 

Jirka1

Dave Hall wrote:

What is the type or size of the IP Pool?

 

If I recall correctly, a long while back there was a similar problem where the IP pool alternated the source address at some point, which caused the source to no longer match any firewall policies.

 

Hi Dave, I have configured the pool so that each internal /23 or /24 range is NATed to one public IP address - see screenshot.

 

Jirka1

Now I have found one interesting thing.

Once the Device (device detection) or User (we have an FSSO connection to AD) is defined in the Source, the connection is successful. If only the IP address is in the log, I get the message: Destination Interface unknown-0 - no session matched.

How is it possible that the FGT requires a user or device when we do not have anything like that in the policy?

 

 

    # Policy 3: VLAN10 ("LAN Sigma") -> wan1 with SNAT from pool NAT_SOFT,
    # posted for comparison with policy 26. Note the source object matches
    # only 172.22.64.0/24 although VLAN10 is configured as a /19 later in
    # this thread.
    edit 3
        set name "SOFT->WAN"
        set uuid c24835b2-e50b-51e8-602f-d1b030e8b18b
        set srcintf "VLAN10"
        set dstintf "wan1"
        set srcaddr "172.22.64.0/24"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        # every session is logged, not only those with UTM events
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool enable
        set poolname "NAT_SOFT"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        # unlike the first paste of policy 26, AV and IPS are applied here
        set av-profile "default"
        set webfilter-profile "xxxxxxx"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        set ips-sensor "protect_client"
        set application-list "xxxxxx"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        # certificate inspection only: TLS payload is not decrypted
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 

# Second paste of policy 26 from a later reply. It differs from the first
# paste in the name spelling ("UNIFI" vs "UINIFI") and in ips-sensor,
# which is now "protect_client" instead of empty.
edit 26
        set name "UNIFI Guest->WAN"
        set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
        set srcintf "VLAN777"
        set dstintf "wan1"
        set srcaddr "UNIFI Guest"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        # NOTE(review): every destination port is permitted from the guest VLAN
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool enable
        set poolname "NAT_UniFi_GUEST"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        set av-profile ''
        set webfilter-profile "UniFiGuest"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        # IPS sensor added compared with the first paste of this policy
        set ips-sensor "protect_client"
        set application-list "UniFiGuest"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        # certificate inspection only: TLS payload is not decrypted
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 

Jirka

 

emnoc

User/Device ID detection is typically enabled at the interface level. What does your full interface configuration look like?

 

Ken Felix

Jirka1

emnoc wrote:

User/Device ID detection is typically enabled at the interface level. What does your full interface configuration look like?

 

Ken Felix

Here it is:

# VLAN777 (alias "UniFi Guest"): VLAN 777 on port1, 10.9.8.1/23.
# This is the guest WiFi interface from the original post and the source
# interface of policy 26.
config system interface
    edit "VLAN777"
        set vdom "root"
        set vrf 0
        set mode static
        set dhcp-relay-service disable
        set ip 10.9.8.1 255.255.254.0
        # only ICMP to the firewall itself from the guest VLAN; no management
        # protocol (HTTPS/SSH) is exposed on this interface
        set allowaccess ping
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type vlan
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        # source-address (reverse-path) check on packets entering this interface
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias "UniFi Guest"
        set security-mode none
        # interface-level device/user identification; these three lines are
        # the ones discussed later in the thread. The author reports that
        # disabling them and rebooting did not change the behaviour.
        set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable
        set device-access-list ''
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role lan
        set snmp-index 27
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set color 0
        # IPv6 is not configured on this interface (static mode, ::/0)
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
        set interface "port1"
        set vlanid 777
    next
end

 


# VLAN10 (alias "LAN Sigma"): VLAN 10 on port1, 172.22.64.254/19.
# NOTE(review): policy 3 uses srcaddr "172.22.64.0/24", which covers only
# part of this /19; hosts outside 172.22.64.0/24 would not match policy 3.
config system interface
    edit "VLAN10"
        set vdom "root"
        set vrf 0
        set mode static
        set dhcp-relay-service disable
        set ip 172.22.64.254 255.255.224.0
        # NOTE(review): HTTPS management access is reachable from this LAN
        # interface; if that is not intended, restrict it here or via admin
        # trusted hosts
        set allowaccess ping https
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-send-redirect enable
        set icmp-accept-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type vlan
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        # source-address (reverse-path) check on packets entering this interface
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set egress-shaping-profile ''
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias "LAN Sigma"
        set security-mode none
        # same interface-level device/user identification settings as VLAN777
        set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable
        set device-access-list ''
        # differs from VLAN777: FortiHeartBeat is enabled on this LAN interface
        set fortiheartbeat enable
        set broadcast-forticlient-discovery disable
        set endpoint-compliance disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role lan
        set snmp-index 25
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        set color 0
        # IPv6 is not configured on this interface (static mode, ::/0)
        config ipv6
            set ip6-mode static
            set nd-mode basic
            set ip6-address ::/0
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set vrrp-virtual-mac6 disable
            set vrip6_link_local ::
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
        set interface "port1"
        set vlanid 10
    next
end

 

# DHCP scope 3 for VLAN777: leases 10.9.8.2-10.9.9.254 inside 10.9.8.0/23,
# default gateway 10.9.8.1 (the VLAN777 interface address), DNS 8.8.8.8 and
# 8.8.4.4 (the "Google DNS" mentioned in the original post).
config system dhcp server
    edit 3
        set status enable
        # 2-hour leases
        set lease-time 7200
        # clients whose MAC is not in the MAC ACL are still assigned a lease
        set mac-acl-default-action assign
        set forticlient-on-net-status enable
        set dns-service specify
        set wifi-ac1 0.0.0.0
        set wifi-ac2 0.0.0.0
        set wifi-ac3 0.0.0.0
        set ntp-service specify
        set domain ''
        set wins-server1 0.0.0.0
        set wins-server2 0.0.0.0
        set default-gateway 10.9.8.1
        set next-server 0.0.0.0
        set netmask 255.255.254.0
        set interface "VLAN777"
        config ip-range
            edit 1
                set start-ip 10.9.8.2
                set end-ip 10.9.9.254
            next
        end
        set timezone-option default
        set filename ''
        set server-type regular
        set conflicted-ip-timeout 1800
        set auto-configuration enable
        set ddns-update disable
        set vci-match disable
        set dns-server1 8.8.8.8
        set dns-server2 8.8.4.4
        set dns-server3 0.0.0.0
        # ntp-service is "specify" but no NTP server address is set
        set ntp-server1 0.0.0.0
        set ntp-server2 0.0.0.0
        set ntp-server3 0.0.0.0
    next
end

emnoc

So look at these lines in the interface-level configuration:

 

       set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable

Jirka1

emnoc wrote:

So look at these lines in the interface-level configuration:

 

  set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable

Yes, I know. We have it enabled. But that does not mean that the device must be entered in the policy. If I create a policy where the Source is only an IP subnet and I do not specify a user or device, then it must work regardless of whether I have device identification enabled on the interface. Or am I wrong? This is how we have all devices configured, with no problem...

Jirka1

I tried turning off Device Detection and Active Scanning on the interfaces and rebooting the box. The situation is still the same. I tried deleting all the policies and creating them again - no change.

Tomorrow I will try a factory reset and set it up from the beginning.

tanr

You said you only have a single WAN IP, correct?  Then what is the IP Pool being used for?  Am I missing something?

Jirka1

tanr wrote:

You said you only have a single WAN IP, correct?  Then what is the IP Pool being used for?  Am I missing something?

 

Hey tanr, yes, there is only one IP address on the WAN interface - 62.209.xxx.128/26. The rest of this /26 range is used for that pool - each class C of the local range is NATed to one public IP address.

 

Jirka
