I'm hoping for some guidance on a strange situation. We run an FG60E (7.0.7), trunking a few VLANs via unifi switches. (192.168.1.x/24, 10.15.x.x.)
A third party has a Sonicwall inside this network, the WAN on the sonicwall is 192.168.1.x and attaches to our VLAN1 network. The LAN side on the sonicwall is 10.120.x. There's no subnet conflicts.
A computer on our 10.15.x address can, reportedly, connect to LogMeIn Connect and establish a connection fine. I don't have visibility into their LMI platform to validate this, but I do have control of and access to the computer.
A computer on the vendor's 10.120.x network can connect to LMI, but cannot actually establish remote control. I've got control and access to the computer and temporarily have created a LMI trial just so I can observe from my end.
What the third party is seeing on the vendor computer (and I can confirm) is that Bomgar, TacticalRMM and LMI are all establishing back-channels, but whenever someone tries to connect for screen sharing, it just times out or generates an error. I also have ScreenConnect and Splashtop on this computer and they connect fine.
The vendor is annoyed because "all our networks are the same across 30+ clients, and our upstream partner has the same deployment across hundreds, so what are you doing wrong?" (For the record, we work with another similar client who has the same vendor, and it's NOT the same at all.)
I've turned off all my IDS, Application control and everything else. The firewall rule for outbound traffic is now:
config firewall policy
    set name "Default Outbound"
    set uuid 80740d4e-0192-51ed-5497-xxxxx
    set srcintf "internal" "aaa" "yyyy"
    set dstintf "WAN"
    set action accept
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    set tcp-session-without-syn all
    set logtraffic all
    set nat enable
The "tcp-session-without-syn" setting I just added today, but it makes no difference.
I need to double-check I'm not doing anything incorrectly on the FG at all. I've got another device to take and test a few alternate configurations tomorrow, but I can't see what I'm doing wrong, if anything, here.
I got a pcap file from the FortiGate and, while I haven't done substantial pcap reading in a long time, I did notice lots of dupes and SYN-ECN-CWR flags (which is why I tried the session-without-syn setting above).
I haven't reached out to TAC yet, but that's on my roadmap to do otherwise.
I have also, incidentally, tried disabling ECN on the endpoint in question (Server 2019).
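As an added example (not from the original post), here is a small pure-Python triage script for the kind of capture described above: it walks a classic pcap (assumed Ethernet link type, IPv4 only, the format the FortiGate sniffer export produces after conversion), pulls the TCP flags, and reports which SYNs carry the ECE+CWR (ECN negotiation) bits, how many packets are exact duplicates (retransmissions), and which SYNs never received a SYN-ACK. The sample trace embedded at the bottom is constructed; the hosts, ports and sequence numbers are placeholders, not values from the post.

```python
import struct
from collections import Counter

SYN, ACK, ECE, CWR = 0x02, 0x10, 0x40, 0x80   # TCP flag bits (RFC 793 / RFC 3168)

def parse_pcap(data):
    """Return (src, dst, sport, dport, seq, flags) for each TCP/IPv4 packet in a
    classic pcap byte string (Ethernet link type); other frames are skipped."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, packets = 24, []                      # skip the 24-byte global header
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]   # captured length
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                           # not IPv4-over-Ethernet carrying TCP
        ihl = (pkt[14] & 0x0F) * 4             # IPv4 header length in bytes
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[14 + ihl:14 + ihl + 14])
        packets.append((src, dst, sport, dport, seq, off_flags & 0x1FF))
    return packets

def summarize(packets):
    """Count ECN-negotiating SYNs, duplicated packets, and SYNs with no matching SYN-ACK."""
    counts = Counter(packets)
    syns = [p for p in counts if p[5] & (SYN | ACK) == SYN]
    # key each SYN-ACK by the 4-tuple of the SYN it answers (directions swapped)
    answered = {(p[1], p[0], p[3], p[2]) for p in packets if p[5] & (SYN | ACK) == SYN | ACK}
    return {
        "ecn_syn": sum(1 for p in syns if p[5] & (ECE | CWR) == ECE | CWR),
        "duplicates": sum(c - 1 for c in counts.values()),
        "unanswered_syn": sorted(f"{p[0]}:{p[2]}->{p[1]}:{p[3]}" for p in syns if p[:4] not in answered),
    }

# --- constructed sample capture (placeholder addresses, not a real trace) ---------
def _frame(src, dst, sport, dport, seq, flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    return eth + ip + tcp

def sample_pcap():
    frames = [_frame("10.120.5.20", "203.0.113.10", 51000, 443, 1000, SYN | ECE | CWR)] * 3  # ECN SYN, retransmitted twice
    frames += [_frame("10.15.0.7", "203.0.113.10", 52000, 443, 2000, SYN),               # plain SYN ...
               _frame("203.0.113.10", "10.15.0.7", 443, 52000, 5000, SYN | ACK)]         # ... and its SYN-ACK
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian pcap, linktype 1
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

if __name__ == "__main__":
    print(summarize(parse_pcap(sample_pcap())))
```

Point it at a real file with `summarize(parse_pcap(open("trace.pcap", "rb").read()))`; if the unanswered SYNs are exactly the ones carrying ECE+CWR, that is the pattern to show TAC.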