Hello!
After upgrade our 100D, in Forward traffic we can see messages:
IP: 77.88.8.1, Host Name: secondary.dns.yandex.ru, Port: 53, Interface: wan1, Application Name: Unknown, Category: unscanned, Protocol: udp, Action: Deny: DNS error
AND
IP: 77.88.8.1, Host Name: secondary.dns.yandex.ru, Port: 53, Interface: wan2, Application Name: Unknown, Category: unscanned, Protocol: udp, Action: Deny: IP connection error
Hi!
Is this problem only for me?
Nope, I also have the same 100D on 5.4.1 and the DNS error.
Loading a webpage takes minutes (do you also have this behaviour?)
Did you find a solution?
Do you have any layer 7 applied to the policy that is letting DNS out?
Mike Pruett
luk.scheepers wrote:
No security features are activated on the separate dns rule.
Did you ever find a solution to the problem? I have the same problem on a 100D model. Even when all IPS/APP are deactivated.
We're seeing the same messages, also show up as threats in the FortiView area as 'Failed Connection Attempts'. I have an active ticket opened with support, been going back and forth with some testing.
Edit: Also a Fortigate 100D with 5.4.1.
I am now officially in the same boat. Have a client running a 60D w/ 5.4.1 and it is seeing a lot of these. Weird stuff.
Nothing looks out of the ordinary on debugs so far.
Mike Pruett
Other things to note, not sure if any of you have similar setups that may be causing this:
-We're running dual WAN with load balancing. I see the issue with both WAN interfaces though in the logs so that doesn't seem to be it.
-We're also using OpenDNS as our DNS provider.
-I also see the source interface is sometimes LAN which would be correct and also sometimes 'unknown-0'. Not sure what that means at all.
I got this response from support, though we're hesitant to delete any session helpers:
By design FortiGate looks for invalid/failed DNS traffic and will mark it as action=dns or in the GUI as "Action Deny: DNS error". This happens if the DNS query is not successful, i.e. returns any other status than NOERROR. This is an expected behavior in version 5.4 where the firewall logs any invalid DNS traffic. The firewall action itself is allow/pass, but the bad reply from the server is not forwarded back to the requesting client, thus showing the "Deny: DNS Error" message. Invalid DNS traffic would be i.e. UDP packets on port 53 that are not DNS traffic, packets that are oversized, bad checksum etc.

** Can you try to delete the dns session helper from the session-helper configuration:

How session helper works: The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to. Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. It can happen that the information expected by the security policy is not contained in the header/payload of the packet and that is when the packet is denied or dropped; the session helper for DNS is not mandatory, for which reason you can delete it and it should work properly after.

DELETE:
#config system session-helper
#show   (find the one for DNS and then edit it by giving the number)
#edit 14   <---- I checked on the remote session it is "14"
#set name dns-udp
set protocol 17
set port 53
next
#delete 14   <------
end

Explanation on Deny: IP connection error: This is an already known issue in 5.4.X and developers are still working on this issue.
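A quick way to see what a resolver really answers, as an added example that is not from this thread or from Fortinet: it builds a minimal A query, reads the RCODE from the reply header, and classifies the reply the way the support response describes (only NOERROR is forwarded; any other status, or a packet that is not a DNS reply at all, is what ends up logged as "Deny: DNS error"). The resolver address and the name to query are whatever you choose; the sample replies at the bottom are constructed, not captured traffic.

```python
import socket
import struct

# RCODE values from the DNS header (RFC 1035 section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal A/IN query for `name`: one question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(packet, expected_txid=None):
    """Return (rcode_name, reason); rcode_name is None when the packet is not a usable DNS reply."""
    if len(packet) < 12:
        return None, "truncated header (%d bytes)" % len(packet)
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        return None, "QR bit clear: this is a query, not a response"
    if expected_txid is not None and txid != expected_txid:
        return None, "transaction id mismatch"
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ""


def classify(packet, expected_txid=None):
    """'ok' for NOERROR; 'error: <RCODE>' or 'invalid: <reason>' for what the firewall would log."""
    name, reason = parse_response(packet, expected_txid)
    if name is None:
        return "invalid: " + reason
    return "ok" if name == "NOERROR" else "error: " + name


def probe(resolver, name, timeout=2.0):
    """Send one query over UDP/53 to `resolver` and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return classify(data, 0x1234)


# Constructed sample replies (header only; that is enough to read the RCODE).
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, RCODE=0
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # RCODE=2
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)  # RCODE=3

if __name__ == "__main__":
    for label, pkt in [("noerror", SAMPLE_NOERROR), ("servfail", SAMPLE_SERVFAIL), ("nxdomain", SAMPLE_NXDOMAIN)]:
        print(label, "->", classify(pkt, 0x1234))
```

Run `probe("<your resolver>", "<a name you expect to resolve>")` from an inside host to compare the resolver's real answer with what the log shows.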
Copyright 2024 Fortinet, Inc. All Rights Reserved.