Hello all! Long time reader, first time poster. I apologize if this is already discussed or should possibly be in the Routing area. My googling has let me down. Thanks in advance!
An unusual setup: Essentially what I need to do is give a FGFW 30E to an employee for home use to limit and control access on a single host computer. We want to keep the home network untouched, so we plan to have the person plug the FGFW's WAN into an available port on their existing WiFi router (which is then plugged into a standard cable modem). Computer is plugged into LAN1. I've created a LAN zone that includes LAN1 interface. (I deleted the default Hardware Switch that comes preconfigured.)
I'm testing this at my home and here's what I've run into.
If I create a policy allowing all traffic from LAN to WAN, the host computer operates just fine, can browse all the interwebs.
However, if I modify that same policy to only allow traffic from that single Host IP to specified FQDNs (and the DNS IPs the host is using (8.8.8.8,8.8.4.4)), I get an unwanted experience on the host. The FQDNs take 5+ minutes to load, Chrome browser takes 5+ minutes to load...
No other policies are in place. No static routes.
Obviously I must be missing some simple setting or additional policy on my FGFW if it works fine when I do not limit the Destination addresses of the policy.
Do I need another policy of some sort? Some kind of static route?
Let me know what configs or settings you might need to see.
WAN Interface is set to DHCP (which picks up a private IP from the WiFi router); and the FGFW sees the real public IP as the "WAN IP" in the Dashboard>Status>System Info
Could you please provide some more details?
What does your policy look like? How do you filter that?
Does the PC do DHCP from the FGT?
Maybe do a flow debug on cli to see what happens?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Welcome to the forums.
I would:
1) Switch the DNS to use the Fortigate's DNS
2) Have the Fortigate get its DNS from the user's ISP, not Google
3) Make sure to change the internal network from the default which is more than likely 192.168.1.x/24. Double NATting may be an issue if both networks are the same.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Here are some more details while I work on running the flow debug.
Lone policy in the IPv4:
From: LAN (Zone created with single interface included)
To: WAN
Source: all
Destination: (Address group including specific IPs and FQDNs I want to limit traffic to.)
Schedule: always
Service: ALL
Action: Accept
Inspection Mode: Flow-based
Firewall/Network Options
NAT: On
IP Pool Configuration: Use Outgoing Interface Address
Preserve Source Port: Off
Protocol Options: Default
Security Profiles: All Off Except SSL Inspection is set to SSL no-inspection
Here's the flow debug output. Guessing it has something to do with the "Denied by forward policy check."
For reference: 10.10.10.2 is the host CPU on the LAN Zone
192.168.168.1 is the WiFi router's Gateway IP
trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag, seq 226791540, ack 0, win 65535"
id=20085 trace_id=1060 func=init_ip_session_common line=5788 msg="allocate a new session-001b0685"
id=20085 trace_id=1060 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
id=20085 trace_id=1060 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=1061 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59182->17.167.194.230:443) from lan1. flag, seq 550501757, ack 0, win 65535"
id=20085 trace_id=1061 func=init_ip_session_common line=5788 msg="allocate a new session-001b0686"
id=20085 trace_id=1061 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
id=20085 trace_id=1061 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=1062 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59168->17.167.194.224:443) from lan1. flag, seq 2484871658, ack 0, win 65535"
id=20085 trace_id=1062 func=init_ip_session_common line=5788 msg="allocate a new session-001b0687"
id=20085 trace_id=1062 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
id=20085 trace_id=1062 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
It's saying whatever 17.167.194.230 and 17.167.194.224 is isn't matching the policy. I guess the obvious question is are those IPs part of the destination for the policy?
Try on the ipv4 page to do a policy lookup
Those 17.167.x.x are not IPs that I'd want the computer going to. (These specifically look to be Apple IPs so most likely software updates/Apple Diagnostic reporting or general Apple OS chatter).
I'll try to run a flow debug where the output will have one of the destination IPs that I want to be allowed.
trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag, seq 226791540, ack 0, win 65535"
This says the FGT received a packet from 10.10.10.2 on the lan1 interface that would go to 17.167.194.230.
id=20085 trace_id=1061 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
This says it did find a route for that packet. It is to go to 192.168.168.1 via interface or zone "wan"
And then it says "denied by forward policy check (policy 0)". That means it did get the packet and it did find a route to the destination BUT it did not match any of your policies except policy 0 which is implicit deny.
Policy 0 will always match anything that doesn't match any other policy. Policies are top down and Policy 0 is the tar pit where all that lands that didn't go anywhere :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
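The line-by-line reading in the reply above can be automated. This is an added example, not part of the original thread and not a Fortinet tool: it groups flow debug lines by trace_id and tallies which destinations fell through to a deny. The function names are hypothetical, and the sample lines are excerpted from the output posted in this thread.

```python
import re
from collections import Counter

# Sample input: lines excerpted from the flow debug output posted in this thread.
# Some carry a timestamp or "id=" prefix and some do not; the parser accepts both.
SAMPLE = '''\
trace_id=1060 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59183->17.167.194.230:443) from lan1. flag, seq 226791540, ack 0, win 65535"
id=20085 trace_id=1060 func=init_ip_session_common line=5788 msg="allocate a new session-001b0685"
id=20085 trace_id=1060 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
id=20085 trace_id=1060 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=1061 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59182->17.167.194.230:443) from lan1. flag, seq 550501757, ack 0, win 65535"
id=20085 trace_id=1061 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=1062 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:59168->17.167.194.224:443) from lan1. flag, seq 2484871658, ack 0, win 65535"
id=20085 trace_id=1062 func=fw_forward_handler line=624 msg="Denied by forward policy check (policy 0)"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag, seq 4187103751, ack 0, win 65535"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [S.], seq 3640816309, ack 4187103752, win 28960"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
'''

# Anything before trace_id= (timestamp, id=) is ignored by using search().
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: .*gw-([\d.]+) via (\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_flow_debug(text):
    """Group debug lines by trace_id and return one summary dict per traced packet."""
    traces = {}
    for raw in text.splitlines():
        line = LINE_RE.search(raw)
        if line is None:
            continue  # not a flow-trace line
        tid = int(line["trace"])
        t = traces.setdefault(
            tid, {"trace_id": tid, "verdict": "unknown", "policy": None, "egress": None}
        )
        msg = line["msg"]
        if (m := PKT_RE.search(msg)):
            t.update(proto=int(m[1]), src=m[2], sport=int(m[3]),
                     dst=m[4], dport=int(m[5]), ingress=m[6])
        elif (m := ROUTE_RE.search(msg)):
            t.update(gateway=m[1], egress=m[2])
        elif (m := DENY_RE.search(msg)):
            t.update(verdict="deny", policy=int(m[1]))  # policy 0 = implicit deny
        elif (m := ALLOW_RE.search(msg)):
            t.update(verdict="allow", policy=int(m[1]))
        elif "Find an existing session" in msg:
            # Packets on an established session skip the policy check.
            t["verdict"] = "existing-session"
    return list(traces.values())


def denied_destinations(traces):
    """Count denied new sessions, keyed by (dst, dport, proto, policy)."""
    hits = Counter()
    for t in traces:
        if t["verdict"] == "deny" and "dst" in t:
            hits[(t["dst"], t["dport"], t["proto"], t["policy"])] += 1
    return hits


if __name__ == "__main__":
    summary = denied_destinations(parse_flow_debug(SAMPLE))
    for (dst, dport, proto, policy), count in summary.most_common():
        print(f"{count:3d}x  proto={proto} {dst}:{dport}  denied by policy {policy}")
```
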
Thanks for the explanations! I noticed the Destination IPs in my flow debug are ones that I do not want the host going to, so this is desired behavior in that regard. I'm going to try to capture a flow when the host is connecting to a desired IP and see what the report says.
Here is a flow debug output of the host CPU hitting a specific URL. However, this is when I set the policy's Destination to "all." In the next reply, I will send the flow debug output when the policy's Destination is set to the specific Address Group (which includes this URL).
2020-07-17 16:46:26 id=20085 trace_id=8345 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag, seq 4187103751, ack 0, win 65535"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=init_ip_session_common line=5788 msg="allocate a new session-00271567"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
2020-07-17 16:46:26 id=20085 trace_id=8345 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8346 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag, seq 1521335061, ack 0, win 65535"
2020-07-17 16:46:26 id=20085 trace_id=8346 func=init_ip_session_common line=5788 msg="allocate a new session-00271568"
2020-07-17 16:46:26 id=20085 trace_id=8346 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-192.168.168.1 via wan"
2020-07-17 16:46:26 id=20085 trace_id=8346 func=fw_forward_handler line=771 msg="Allowed by Policy-5: SNAT"
2020-07-17 16:46:26 id=20085 trace_id=8346 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [S.], seq 3640816309, ack 4187103752, win 28960"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8347 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
2020-07-17 16:46:26 id=20085 trace_id=8348 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187103752, ack 3640816310, win 2058"
2020-07-17 16:46:26 id=20085 trace_id=8348 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8348 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8349 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187103752, ack 3640816310, win 2058"
2020-07-17 16:46:26 id=20085 trace_id=8349 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8349 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8350 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [S.], seq 717328328, ack 1521335062, win 28960"
2020-07-17 16:46:26 id=20085 trace_id=8350 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8350 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
2020-07-17 16:46:26 id=20085 trace_id=8350 func=vf_ip_route_input_common line=2595 msg="find a route: flag=00000000 gw-10.10.10.2 via lan1"
2020-07-17 16:46:26 id=20085 trace_id=8351 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335062, ack 717328329, win 2058"
2020-07-17 16:46:26 id=20085 trace_id=8351 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8351 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8352 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335062, ack 717328329, win 2058"
2020-07-17 16:46:26 id=20085 trace_id=8352 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8352 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8353 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640816310, ack 4187104269, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8353 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8353 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8354 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640817758, ack 4187104269, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8354 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8354 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8355 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819206, ack 4187104269, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8355 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8355 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8356 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819206, win 2025"
2020-07-17 16:46:26 id=20085 trace_id=8356 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8356 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8357 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819352, win 2023"
2020-07-17 16:46:26 id=20085 trace_id=8357 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8357 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8358 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104269, ack 3640819352, win 2048"
2020-07-17 16:46:26 id=20085 trace_id=8358 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8358 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8359 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717328329, ack 1521335579, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8359 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8359 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
2020-07-17 16:46:26 id=20085 trace_id=8360 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717329777, ack 1521335579, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8360 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8360 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
2020-07-17 16:46:26 id=20085 trace_id=8361 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717331225, ack 1521335579, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8361 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8361 func=__ip_session_run_tuple line=3410 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
2020-07-17 16:46:26 id=20085 trace_id=8362 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331225, win 2025"
2020-07-17 16:46:26 id=20085 trace_id=8362 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8362 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8363 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331371, win 2023"
2020-07-17 16:46:26 id=20085 trace_id=8363 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8363 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8364 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335579, ack 717331371, win 2048"
2020-07-17 16:46:26 id=20085 trace_id=8364 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8364 func=__ip_session_run_tuple line=3396 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8365 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819352, ack 4187104395, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8365 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8365 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8365 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8366 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104395, ack 3640819594, win 2044"
2020-07-17 16:46:26 id=20085 trace_id=8366 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8366 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8366 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8367 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187104395, ack 3640819594, win 2048"
2020-07-17 16:46:26 id=20085 trace_id=8367 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8367 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8367 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8368 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63926) from wan. flag [.], seq 717331371, ack 1521335705, win 235"
2020-07-17 16:46:26 id=20085 trace_id=8368 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8368 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8368 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63926->10.10.10.2:63926"
2020-07-17 16:46:26 id=20085 trace_id=8369 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63926->193.203.82.154:443) from lan1. flag [.], seq 1521335705, ack 717331613, win 2044"
2020-07-17 16:46:26 id=20085 trace_id=8369 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271568, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8369 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8369 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63926"
2020-07-17 16:46:26 id=20085 trace_id=8370 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819594, ack 4187105216, win 248"
2020-07-17 16:46:26 id=20085 trace_id=8370 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:26 id=20085 trace_id=8370 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8370 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:26 id=20085 trace_id=8371 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187105216, ack 3640819980, win 2041"
2020-07-17 16:46:26 id=20085 trace_id=8371 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8371 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8371 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:26 id=20085 trace_id=8372 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187105216, ack 3640819980, win 2048"
2020-07-17 16:46:26 id=20085 trace_id=8372 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:26 id=20085 trace_id=8372 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:26 id=20085 trace_id=8372 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:27 id=20085 trace_id=8373 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819980, ack 4187106058, win 261"
2020-07-17 16:46:27 id=20085 trace_id=8373 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:27 id=20085 trace_id=8373 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8373 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:27 id=20085 trace_id=8374 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640819980, ack 4187106058, win 261"
2020-07-17 16:46:27 id=20085 trace_id=8374 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:27 id=20085 trace_id=8374 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8374 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:27 id=20085 trace_id=8375 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640820553, ack 4187106058, win 261"
2020-07-17 16:46:27 id=20085 trace_id=8375 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:27 id=20085 trace_id=8375 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8375 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:27 id=20085 trace_id=8376 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640820553, win 2039"
2020-07-17 16:46:27 id=20085 trace_id=8376 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:27 id=20085 trace_id=8376 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8376 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:27 id=20085 trace_id=8377 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640822001, ack 4187106058, win 261"
2020-07-17 16:46:27 id=20085 trace_id=8377 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:27 id=20085 trace_id=8377 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8377 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:27 id=20085 trace_id=8378 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 193.203.82.154:443->192.168.168.104:63925) from wan. flag [.], seq 3640823449, ack 4187106058, win 261"
2020-07-17 16:46:27 id=20085 trace_id=8378 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, reply direction"
2020-07-17 16:46:27 id=20085 trace_id=8378 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8378 func=ip_session_run_all_tuple line=6905 msg="DNAT 192.168.168.104:63925->10.10.10.2:63925"
2020-07-17 16:46:27 id=20085 trace_id=8379 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640823449, win 2002"
2020-07-17 16:46:27 id=20085 trace_id=8379 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:27 id=20085 trace_id=8379 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8379 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:27 id=20085 trace_id=8380 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640824196, win 1991"
2020-07-17 16:46:27 id=20085 trace_id=8380 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:27 id=20085 trace_id=8380 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8380 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"
2020-07-17 16:46:27 id=20085 trace_id=8381 func=print_pkt_detail line=5618 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:63925->193.203.82.154:443) from lan1. flag [.], seq 4187106058, ack 3640824196, win 2048"
2020-07-17 16:46:27 id=20085 trace_id=8381 func=resolve_ip_tuple_fast line=5698 msg="Find an existing session, id-00271567, original direction"
2020-07-17 16:46:27 id=20085 trace_id=8381 func=ipv4_fast_cb line=53 msg="enter fast path"
2020-07-17 16:46:27 id=20085 trace_id=8381 func=ip_session_run_all_tuple line=6893 msg="SNAT 10.10.10.2->192.168.168.104:63925"