Hello ya'lll.
I'm having an issue, and I have no doubt I'm missing something simple, but try as I might I can't figure it out.
I'm setting up some Policies for "bypass" to allow servers to get out to the Internet for updates for certain products, and for our RMM tool.
Thing is, I've added bypasses for HTTP (80) and HTTPS (443) for several domains (*.packages.chocolatey.org and *.activeupdate.trendmicro.com) and they STILL show up in the "DENY" log. I can't figure out why it keeps getting "blocked".
I'm sure I'm missing something simple. Any guidance it massively appreciated.
-jb
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
just some hint:
if you use urlfilter rules check the order and mode of your rules. Deny rules have to be the last and allowing rules have to come before it as rules are processed top down. Also if there is a deny rule in urlfilter you have to set allowing rules to "exempt" instead of "allow" to have the urrlfilter stop processing rules once it hit the first one that matched.
Otherwise traffic would be denied even if there is an allowing rule before the deny one.
Policies are processed the same way. So make sure you bypass policies come in front of the deny policy(s). Otherwise the deny policy(s) would match first and policies - so to say - are allways "exempt".
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks for the assist!
Indeed, I only have a single "deny" rule for each "zone to zone" policy, and that is at the very bottom.
I don't use URL filtering currently. Essentially, all of the "NGFW" features of this box are effectively "off". It's just acting like an "allow/deny" box.
This method relies on the FG being able to perform passive inspection of unencrypted DNS responses.
I don't use wildcard FQDN myself, however I briefly worked in an environment where it had been configured but wasn't working. As a test, I configured the FG to act as a DNS server and pointed all of the internal clients at it. After this, the wildcard FQDN started working.
Didn't have any more time to spend on it - so unfortunately I can't shed any more light on it than this.
Hope this helps.
PTM
Unfortunately, I can't point all DNS to the firewall. Too much AD/LDAP/misc integration. While it's possible this may work, even if it does, it wouldn't be a tenable solution. Thanks regardless.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1645 | |
1070 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.