Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jason1
New Contributor

Created on ‎05-21-2021 02:42 PM

Firewall just WON'T LET THIS TRAFFIC OUT!

Hello ya'lll.

I'm having an issue, and I have no doubt I'm missing something simple, but try as I might I can't figure it out.

 

I'm setting up some Policies for "bypass" to allow servers to get out to the Internet for updates for certain products, and for our RMM tool.

 

Thing is, I've added bypasses for HTTP (80) and HTTPS (443) for several domains (*.packages.chocolatey.org and *.activeupdate.trendmicro.com) and they STILL show up in the "DENY" log. I can't figure out why it keeps getting "blocked".

 

I'm sure I'm missing something simple. Any guidance it massively appreciated.

-jb

9737
0 Kudos
13 REPLIES 13
40james_FTNT
Staff
Staff

Created on ‎05-23-2021 08:16 AM

Run a debug flow and see what it says. https://docs.fortinet.com...ugging-the-packet-flow

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
5536
0 Kudos
jason1
New Contributor
In response to 40james_FTNT

Created on ‎05-23-2021 07:32 PM

Thanks for the reply.

I followed the instructions, using the IP of the site that the Fortinet Logs are showing hitting the "deny" policy, and the debug screen shows...nothing.

Undoubtedly I'm doing something wrong, because the FW is showing the traffic as being dropped in the Logs, but the debug screen shows Jack and Shiza....

Thanks again for the help. This profiel is multi-vdom and is Profile Mode, if that makes a dfference.

5527
0 Kudos
Yurisk
SuperUser
SuperUser
In response to jason1

Created on ‎05-24-2021 02:36 AM

I'd start by looking attentively at the drop log - it says the reason for a drop, what is it?

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
5537
0 Kudos
jason1
New Contributor
In response to Yurisk

Created on ‎05-24-2021 11:22 AM

ActionDeny: policy violationThreat131072PolicyBlock (1)Policy UUIDfaf9f460-16b8-51ea-7f86-f61019f89d9dPolicy TypeIPv4

5537
0 Kudos
jason1
New Contributor
In response to Yurisk

Created on ‎05-24-2021 11:24 AM

nothing helpful. "Policy violation"

Again, the frustrating thing is that both the SRC and DST ips/FQND's have a policy to ALLOW the very traffic that's being blocked

. I don't understand how they're slipping through the respective "allow" policies.

 -jb

5537
0 Kudos
trixsta
New Contributor

Created on ‎05-23-2021 01:45 PM

Is your firewall in  NGFW Mode with Central NAT?

5537
0 Kudos
jason1
New Contributor
In response to trixsta

Created on ‎05-23-2021 06:29 PM

No to Central SNAT. It is Multi-VDOM Profile Based (not policy based).

5537
0 Kudos
PTM
New Contributor II

Created on ‎05-26-2021 02:43 PM

Quick question.

How are you matching a site such as *.packages.chocolatey.org ?

5527
0 Kudos
jason1
New Contributor
In response to PTM

Created on ‎05-26-2021 02:57 PM

Thanks for the reply! I'm using FQDN and wildcard specification for this.

Specific to "chocolately.org", the FG is saying "unresolved FQDN". However, we have this same problem on many, many other domains, that do resolve the wildcard addresses.

Example attached:

 

Preview file
29 KB
5527
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.