jason1
New Contributor

Firewall just WON'T LET THIS TRAFFIC OUT!

Hello y'all.

I'm having an issue, and I have no doubt I'm missing something simple, but try as I might I can't figure it out.


I'm setting up some Policies for "bypass" to allow servers to get out to the Internet for updates for certain products, and for our RMM tool.


Thing is, I've added bypasses for HTTP (80) and HTTPS (443) for several domains (*.packages.chocolatey.org and *.activeupdate.trendmicro.com) and they STILL show up in the "DENY" log. I can't figure out why it keeps getting "blocked".


I'm sure I'm missing something simple. Any guidance is massively appreciated.

-jb

james_FTNT
Staff

Run a debug flow and see what it says. https://docs.fortinet.com...ugging-the-packet-flow

James (Jim) Hilving
Consulting Systems Engineer - CSE Team
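The command sequence behind that advice, as an added example that is not part of James's reply or the original thread. It assumes a VDOM named "root", a destination address of 203.0.113.10 (a documentation address standing in for the update server) and port 443; substitute the IP the deny log actually shows. On a multi-VDOM unit the flow trace is run from inside the VDOM that owns the policy, not from the global context, which is the first thing to check when the trace prints nothing while the log keeps recording denies.

```text
# Added example (FortiOS CLI), not from the original post.
# Placeholders: VDOM "root", destination 203.0.113.10, port 443.
config vdom
    edit root
        diagnose debug reset
        diagnose debug flow filter clear
        diagnose debug flow filter addr 203.0.113.10
        diagnose debug flow filter port 443
        diagnose debug flow show function-name enable
        diagnose debug console timestamp enable
        diagnose debug enable
        diagnose debug flow trace start 100
        # ... trigger the update/RMM check-in from the server now ...
        diagnose debug flow trace stop
        diagnose debug disable
        diagnose debug reset
    next
end
```

In the trace, a session that matches a bypass policy prints "Allowed by Policy-<id>", while one that falls through to the default rule prints "Denied by forward policy check (policy 0)". Comparing the policy ID in the trace with the one in the deny log tells you whether the session is reaching the allow rule at all or being caught by an earlier rule (or the implicit deny) first. Reading the "find a route" line just above it also confirms the traffic is entering and leaving on the interfaces the allow policy expects.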
jason1

Thanks for the reply.

I followed the instructions, using the IP of the site that the Fortinet Logs are showing hitting the "deny" policy, and the debug screen shows...nothing.

Undoubtedly I'm doing something wrong, because the FW is showing the traffic as being dropped in the Logs, but the debug screen shows Jack and Shiza....

Thanks again for the help. This profile is multi-VDOM and is Profile Mode, if that makes a difference.

Yurisk
Valued Contributor

I'd start by looking attentively at the drop log - it says the reason for a drop, what is it?


Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
jason1
New Contributor

Action: Deny: policy violation
Threat: 131072
Policy: Block (1)
Policy UUID: faf9f460-16b8-51ea-7f86-f61019f89d9d
Policy Type: IPv4

jason1
New Contributor

Nothing helpful. "Policy violation"

Again, the frustrating thing is that both the SRC and DST IPs/FQDNs have a policy to ALLOW the very traffic that's being blocked. I don't understand how they're slipping through the respective "allow" policies.

 -jb

trixsta
New Contributor

Is your firewall in NGFW Mode with Central NAT?

jason1
New Contributor

No to Central SNAT. It is Multi-VDOM Profile Based (not policy based).

PTM
New Contributor II

Quick question.

How are you matching a site such as *.packages.chocolatey.org ?

jason1
New Contributor

Thanks for the reply! I'm using FQDN and wildcard specification for this.

Specific to "chocolatey.org", the FG is saying "unresolved FQDN". However, we have this same problem on many, many other domains, that do resolve the wildcard addresses.

Example attached:

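The "unresolved FQDN" symptom is worth checking directly, so here is an added example (FortiOS CLI, not from the original post) of how to define a wildcard FQDN object and inspect what the FortiGate has actually resolved for it. It assumes a VDOM named "root" and an object named "trend-activeupdate"; the domains are the ones from the thread. On FortiOS 6.2 and later, wildcard FQDNs are their own object type rather than a plain FQDN address. A caveat that matters for a server behind the firewall: the FortiGate populates a wildcard FQDN object from DNS responses that pass through it, so if the server resolves names via an internal DNS server on the same segment and that lookup never traverses the FortiGate, the object stays empty and the session falls through to the deny policy even though an allow rule exists.

```text
# Added example (FortiOS CLI), not from the original post.
# Placeholders: VDOM "root", object name "trend-activeupdate".
config vdom
    edit root
        # Wildcard FQDN object (FortiOS 6.2+ object type).
        config firewall wildcard-fqdn custom
            edit "trend-activeupdate"
                set wildcard-fqdn "*.activeupdate.trendmicro.com"
            next
        end
        # Show every FQDN object and the IPs currently learned for it;
        # an entry with no addresses is the "unresolved FQDN" the GUI reports.
        diagnose firewall fqdn list
    next
end
```

If the list shows no addresses for the wildcard objects, make the server's DNS queries traverse the FortiGate (for example by pointing the server at the FortiGate's DNS service or at an external resolver reachable through it), then run the lookup from the server and re-check the list before re-testing the update.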