On the firewall policy for 100D
I am currently seeing allow rules for
1) Allow DMZ to Internet
2) Allow DMZ to Local LAN
Implicit deny all is in place.
Endpoint users are currently able to connect to the Internet through the firewall (verified through tracert; the router outside the firewall was found).
If there is no Local LAN to Internet rule, how is it possible for users to connect to Internet?
The diag debug flow is your friend.
e.g.
diag debug reset
diag debug enable
diag debug flow filter addr x.x.x.x
diag debug flow show console enable
diag debug flow trace start 100
Generate traffic to host x.x.x.x and monitor the diag output. Alternatively, you can use diag system session filter src x.x.x.x and diag system session list to see the session table and policy-id.
e.g.
diag sys session filter src 1.1.1.1
diag sys session list | grep policy
Follow up on completion with a diag debug reset and diag debug disable.
PCNSE
NSE
StrongSwan
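To make sense of the session table the reply points at, here is an added Python example (not from this thread or from Fortinet) that parses diag sys session list output and groups each originating flow by the policy_id that passed it. The sample output is constructed, and the field layout (policy_id=, hook=/dir=org lines) is assumed from typical FortiOS session entries.

```python
import re

# Constructed sample of `diag sys session list` output after
# `diag sys session filter src 10.1.1.10`. The field names (policy_id=,
# hook=/dir=org) follow FortiOS output; the values are made up, not captured.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=snat 10.1.1.10:50000->93.184.216.34:443(203.0.113.2:50000)
hook=pre dir=reply act=dnat 93.184.216.34:443->203.0.113.2:50000(10.1.1.10:50000)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
hook=post dir=org act=noop 10.1.1.10:51111->10.2.2.20:53(0.0.0.0:0)
hook=pre dir=reply act=noop 10.2.2.20:53->10.1.1.10:51111(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
total session 2
"""
# The originating direction of each session: NAT action, then src:port->dst:port.
ORG_RE = re.compile(
    r"hook=\S+ dir=org act=(\w+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
)

def parse_session_list(text):
    """Return one dict per session: proto, src, dst, NAT action, policy_id."""
    sessions = []
    for block in text.split("session info:")[1:]:
        proto = re.search(r"proto=(\d+)", block)
        org = ORG_RE.search(block)
        pol = re.search(r"policy_id=(\d+)", block)
        if not (proto and org and pol):
            continue  # skip truncated or partially printed entries
        sessions.append({
            "proto": int(proto.group(1)),
            "src": f"{org.group(2)}:{org.group(3)}",
            "dst": f"{org.group(4)}:{org.group(5)}",
            "act": org.group(1),
            "policy_id": int(pol.group(1)),
        })
    return sessions

def policies_hit(text, src_ip):
    """Map policy_id -> destinations reached from src_ip (which rule passed each flow)."""
    hits = {}
    for s in parse_session_list(text):
        if s["src"].split(":")[0] == src_ip:
            hits.setdefault(s["policy_id"], []).append(s["dst"])
    return hits
```

Paste real session list output into SAMPLE_SESSION_LIST (or read it from a file) and call policies_hit with the endpoint's address; every policy_id it returns is a rule that actually passed a flow, which is the quickest way to see which policy the LAN-to-Internet traffic is matching.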
I am reviewing the firewall config remotely and am not able to have the client run the debug commands. In my experience, rules come in pairs, an incoming one (e.g. port1-port2) and an outgoing one (e.g. port2-port1).
In the current rule sets, I am seeing only one side being configured.
1) Allow DMZ to Internet
2) Allow DMZ to Local LAN
There haven't been any problems, so I'm assuming the firewall is working as intended, but I'm wondering how this can be. Is there something I should be looking at instead of the firewall policies?