Hi all,
I am trying to test the firewalling feature of FortiGate.
My question/problem is as follows:
I have 3 zones named INSIDE, OUTSIDE_A and OUTSIDE_B, and they have different interfaces assigned to them.
I was trying to simulate asymmetric routing, which I would expect to be denied by most firewalls by default. However, when I tried to "send the traffic" from INSIDE to OUTSIDE_A, and the return packet from OUTSIDE_B to INSIDE, the traffic was allowed.
I have only one permit policy, which allows all traffic from the INSIDE zone to go out to the OUTSIDE_A zone, and there is NO other policy defined in the policies.
The testing protocol is ICMP ping.
Any help would be appreciated, as it is a fundamental problem which I have.
Regards
Behzad
1st: Policy does not control traffic. What do you have in your route table, mainly for the source of the datagrams that are returned?
Also you might want to run a "diag debug flow" to get a trace on the traffic and see what is shown. You can search here to see examples of how to set the filter and execution for that command.
Ken Felix
PCNSE
NSE
StrongSwan
Hi emnoc
first off, thanks for your reply.
What do you mean "the policy does not control the traffic"? Do you mean that the IPv4 policy under the security section does not control the traffic?
Let me correct that: "it does not control routing the traffic". The route is looked at first to determine what policy to match, if any. In your case a "diag debug flow" and its output would be helpful. The first few lines after the start of the trace will have "gw" or "next-hop" in it (can't recall which) and then the matched policy.
Can you share that? Sanitize if you have sensitive IP addresses.
Ken Felix
PCNSE
NSE
StrongSwan
I can assure you, asymmetric routing always causes denied traffic (except if you explicitly allow it).
Please post your routing table (CLI: get route info rou all). At the moment we can only speculate how you set up your FGT.
Check this configuration from CLI:
FW1 # config system settings
FW1 (settings) # get | grep asym
asymroute : disable
asymroute-icmp : disable
asymroute6 : disable
asymroute6-icmp : disable
They should be disabled.
Thanks
If you use the "diag debug flow", the iprope will show you the route looked up.
e.g. (focus on the lines that contain)
msg="find a route:
That flow should arrive back on the same interface. If you do not have asymmetrical routing enabled, you could do a diag sniffer packet any "host x.x.x.x and port abcd" 4 and that will show you the ingress/egress interfaces.
Just remember the function_iprope comes before the policy lookup and match|deny.
This might help to analyze your issues
Ken Felix
PCNSE
NSE
StrongSwan
Hi, as you can see, all of them are disabled.
Sounds familiar to me.
If you have a policy that allows subnet a to access subnet b and you ping a host in subnet b from a host in subnet a, then you will get a ping reply even though you don't have a reverse policy.
I think this is wanted behaviour. You should be denied if you try to ping a host in subnet a from a host in subnet b, for there is no policy that allows that.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
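The thread turns on two separate mechanisms: a reply to an existing session is accepted by the session table and never needs a reverse policy, while a packet arriving on an interface that does not match the route back to its source is dropped by the reverse-path check unless asymroute is enabled. The following is an added, constructed model of that forwarding pipeline (route lookup, reverse-path check, session match, then policy lookup), not FortiOS code and not posted by anyone in this thread; the interface names, subnets (10.1.0.0/16, 192.168.10.0/24, 192.168.20.0/24), host addresses and the single INSIDE-to-OUTSIDE_A policy are assumptions chosen to mirror the original poster's three-zone setup. It replays the poster's test with asymroute disabled and enabled so the expected verdicts can be compared against a real diag debug flow trace.

```python
from ipaddress import ip_address, ip_network

# Assumed routing table: prefix -> egress interface (mirrors the poster's three zones).
ROUTES = {
    "10.1.0.0/16": "INSIDE",
    "192.168.10.0/24": "OUTSIDE_A",
    "192.168.20.0/24": "OUTSIDE_B",
}

# The single permit policy described in the thread: INSIDE -> OUTSIDE_A, all services.
POLICIES = [("INSIDE", "OUTSIDE_A")]


def find_route(ip):
    """Longest-prefix match: the equivalent of the 'find a route' step in the flow trace."""
    best = None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if ip_address(ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


class Firewall:
    """Stateful forwarding decision: route -> reverse-path check -> session -> policy."""

    def __init__(self, asymroute=False):
        # asymroute=False corresponds to 'asymroute : disable' under config system settings.
        self.asymroute = asymroute
        # session key (src, dst, icmp id) -> (ingress iface, egress iface) of the first packet
        self.sessions = {}

    def forward(self, src, dst, in_iface, reply=False, ident=1):
        """Return (verdict, reason) for one ICMP echo packet."""
        out_iface = find_route(dst)
        if out_iface is None:
            return "drop", "no route to destination"

        # Reverse-path check: the source must be routed back out the ingress interface.
        # Enabling asymmetric routing skips this check (and the interface match below).
        if not self.asymroute and find_route(src) != in_iface:
            return "drop", f"reverse path check failed on {in_iface}"

        if reply:
            orig = self.sessions.get((dst, src, ident))
            if orig is None:
                return "drop", "reply without a matching session"
            if self.asymroute or orig == (out_iface, in_iface):
                return "accept", "matched existing session, no reverse policy needed"
            return "drop", "reply arrived on a different interface than the session"

        # First packet of a new session: the only point where the policy table is consulted.
        if (in_iface, out_iface) in POLICIES:
            self.sessions[(src, dst, ident)] = (in_iface, out_iface)
            return "accept", f"policy {in_iface} -> {out_iface}, session created"
        return "deny", f"implicit deny: no policy {in_iface} -> {out_iface}"


def run_scenario(asymroute=False):
    """Replay the poster's test: ping from INSIDE, reply via OUTSIDE_A, then via OUTSIDE_B,
    and finally a fresh ping from the OUTSIDE_A host back towards INSIDE."""
    fw = Firewall(asymroute=asymroute)
    inside, host_a = "10.1.0.5", "192.168.10.5"  # constructed sample hosts
    steps = {
        "request_inside_to_a": fw.forward(inside, host_a, "INSIDE"),
        "reply_on_outside_a": fw.forward(host_a, inside, "OUTSIDE_A", reply=True),
        "reply_on_outside_b": fw.forward(host_a, inside, "OUTSIDE_B", reply=True),
        "request_a_to_inside": fw.forward(host_a, inside, "OUTSIDE_A"),
    }
    return {name: verdict for name, (verdict, _) in steps.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"asymroute {'enable' if flag else 'disable'}:")
        fw = Firewall(asymroute=flag)
        for label, args in [
            ("INSIDE -> OUTSIDE_A echo request", ("10.1.0.5", "192.168.10.5", "INSIDE")),
            ("echo reply in on OUTSIDE_A", ("192.168.10.5", "10.1.0.5", "OUTSIDE_A", True)),
            ("echo reply in on OUTSIDE_B", ("192.168.10.5", "10.1.0.5", "OUTSIDE_B", True)),
            ("OUTSIDE_A -> INSIDE echo request", ("192.168.10.5", "10.1.0.5", "OUTSIDE_A")),
        ]:
            print(f"  {label}: {fw.forward(*args)}")
```

With asymroute disabled the reply that enters on OUTSIDE_B is dropped by the reverse-path check before any session or policy lookup, which is the behaviour the replies above describe; a reply on OUTSIDE_A is accepted by the session alone, and a new ping from OUTSIDE_A towards INSIDE hits the implicit deny. Only after enabling asymroute does the OUTSIDE_B reply get through, so if a real FortiGate passes it with the setting disabled, the first things to compare against this model are the routing-table entry for the replying host and the ingress interface shown by the sniffer.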