Support Forum
gerristg
New Contributor

Outbound traffic blocked?

Hi All,

1. I'm very new to FortiGate.

2. It's a FortiGate 60D.

3. I did not configure the router myself and there is no document on how it was done :(

4. Some program wants to reach an external website on port 8008. Somehow I have the feeling that the FortiGate is not allowing that.

5. Can anyone point me in the right direction to check this 'blocking' behaviour and make sure this traffic is allowed?

All help appreciated,

Regards,

Gerard

1 Solution
emnoc
Esteemed Contributor III

Hi

1st welcome to the FortiGate. The #1 diagnostic command is the diag debug flow. It's a CLI cmd so I'm not aware of any means of running the diagnostic from the WebGUI.

If you believe the FortiGate is blocking this, execute the command and review the output:

1st login into the CLI (ssh, or connected console via the WebGUI)

2nd reset the diagnostic and enable it

diag debug reset
diag debug enable

3rd in your case it's probably best to use the flow diagnostic with a filter

diag debug flow filter port 8080

Lastly you enable the diagnostic flow

diag debug flow show console enable
diag debug flow trace start 100

This will enable and capture the 1st 100 traces. If you need more traces, run it with a higher number. Now direct your client to try to access port 8080 and monitor the diagnostic flow output on your screen.

When you're done, you disable & reset the diagnostics:

diag debug reset
diag debug disable

 

PCNSE 

NSE 

StrongSwan  

gerristg
New Contributor

Thank you so much for this answer.

I think the output proves the port we are using is not blocked but somehow gets scr*wed at the application server. Do I read that correctly?

FGT-MultiMetaal # diag debug flow trace start 100
FGT-MultiMetaal # id=13 trace_id=26 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=26 msg="allocate a new session-03392447"
id=13 trace_id=26 msg="find a route: gw-139.156.151.64 via ppp1"
id=13 trace_id=26 msg="use addr/intf hash, len=8"
id=13 trace_id=26 msg="find SNAT: IP-92.68.113.25, port-61106"
id=13 trace_id=26 msg="Allowed by Policy-11: AV SNAT"
id=13 trace_id=26 msg="send to application layer"
id=13 trace_id=27 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
id=13 trace_id=27 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=28 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=28 msg="Find an existing session, id-03392447, original direction"
id=13 trace_id=28 msg="send to application layer"
id=13 trace_id=29 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=29 msg="Find an existing session, id-03392447, original direction"
id=13 trace_id=29 msg="send to application layer"
id=13 trace_id=30 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
id=13 trace_id=30 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=31 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
id=13 trace_id=31 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=32 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
id=13 trace_id=32 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=33 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=33 msg="Find an existing session, id-03392447, original direction"
id=13 trace_id=33 msg="send to application layer"
id=13 trace_id=34 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=34 msg="Find an existing session, id-03392447, original direction"
id=13 trace_id=34 msg="send to application layer"
id=13 trace_id=35 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->93.92.98.119:8008) from internal."
id=13 trace_id=35 msg="Find an existing session, id-03392447, original direction"
id=13 trace_id=35 msg="send to application layer"
id=13 trace_id=36 msg="vd-root received a packet(proto=6, 93.92.98.119:8008->192.168.1.6:61106) from local."
id=13 trace_id=36 msg="Find an existing session, id-03392447, reply direction"
id=13 trace_id=37 msg="vd-root received a packet(proto=6, 149.210.170.14:8008->192.168.1.6:61103) from local."
id=13 trace_id=37 msg="Find an existing session, id-0339242c, reply direction"
id=13 trace_id=38 msg="vd-root received a packet(proto=6, 192.168.1.6:61103->149.210.170.14:8008) from internal."
id=13 trace_id=38 msg="Find an existing session, id-0339242c, original direction"
id=13 trace_id=38 msg="send to application layer"
id=13 trace_id=39 msg="vd-root received a packet(proto=6, 192.168.1.6:61103->149.210.170.14:8008) from internal."
id=13 trace_id=39 msg="Find an existing session, id-0339242c, original direction"
id=13 trace_id=39 msg="send to application layer"
id=13 trace_id=40 msg="vd-root received a packet(proto=6, 149.210.170.14:8008->192.168.1.6:61103) from local."
id=13 trace_id=40 msg="Find an existing session, id-0339242c, reply direction"

 

Gerard
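Reading a trace like the one above by hand gets tedious once the flow filter matches more than a handful of packets. The following Python script, added here and not part of the thread, applies the procedure from the accepted answer to its output: it groups the `diag debug flow` messages by trace_id and reports, for each new session to a given destination port, whether the FortiGate allowed it and which policy matched. The sample trace is constructed in the same format as the output posted above but uses RFC 5737 documentation addresses instead of the thread's real ones; the denied trace is an assumption about wording, modelled on the FortiOS "Denied by forward policy check" message.

```python
import re

# Constructed sample in the "diag debug flow" format from this thread. Addresses are
# RFC 5737 documentation ranges; the last trace mirrors FortiOS's "Denied by forward policy check".
SAMPLE_TRACE = (
    'id=13 trace_id=26 msg="vd-root received a packet(proto=6, 192.168.1.6:61106->203.0.113.10:8008) from internal." '
    'id=13 trace_id=26 msg="allocate a new session-03392447" '
    'id=13 trace_id=26 msg="find a route: gw-198.51.100.1 via ppp1" '
    'id=13 trace_id=26 msg="find SNAT: IP-198.51.100.25, port-61106" '
    'id=13 trace_id=26 msg="Allowed by Policy-11: AV SNAT" '
    'id=13 trace_id=26 msg="send to application layer" '
    'id=13 trace_id=27 msg="vd-root received a packet(proto=6, 203.0.113.10:8008->192.168.1.6:61106) from local." '
    'id=13 trace_id=27 msg="Find an existing session, id-03392447, reply direction" '
    'id=13 trace_id=28 msg="vd-root received a packet(proto=6, 192.168.1.6:61107->203.0.113.10:8080) from internal." '
    'id=13 trace_id=28 msg="allocate a new session-03392460" '
    'id=13 trace_id=28 msg="Denied by forward policy check (policy 0)" '
)

MSG_RE = re.compile(r'id=\d+ trace_id=(\d+) msg="([^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')

def parse_traces(text: str) -> dict:
    """Group flow messages by trace_id (one trace_id = one packet), keeping order."""
    traces: dict = {}
    for tid, msg in MSG_RE.findall(text):
        traces.setdefault(int(tid), []).append(msg)
    return traces

def classify(msgs: list) -> dict:
    """Reduce one packet's messages to its addresses and the firewall's verdict."""
    info = {"src": None, "dst": None, "dport": None, "intf": None,
            "verdict": "unknown", "policy": None}
    for m in msgs:
        pkt = PKT_RE.search(m)
        if pkt:
            info.update(src=f"{pkt[2]}:{pkt[3]}", dst=f"{pkt[4]}:{pkt[5]}",
                        dport=int(pkt[5]), intf=pkt[6])
        elif m.startswith("Allowed by Policy-"):
            info.update(verdict="allowed", policy=int(re.search(r"Policy-(\d+)", m)[1]))
        elif m.startswith("Denied by"):
            pol = re.search(r"policy (\d+)", m)        # absent for some deny reasons
            info.update(verdict="denied", policy=int(pol[1]) if pol else None)
        elif m.startswith("Find an existing session"):
            info["verdict"] = "existing-session"       # decided on an earlier packet
    return info

def port_verdicts(text: str, dport: int) -> list:
    """Policy decisions for new sessions to dport: the answer to 'is port X blocked?'."""
    return [c for c in map(classify, parse_traces(text).values())
            if c["dport"] == dport and c["verdict"] in ("allowed", "denied")]
```

Calling `port_verdicts(SAMPLE_TRACE, 8008)` returns the single first-packet decision for that port (allowed by policy 11); reply-direction and "existing session" packets carry no new policy decision, so they are deliberately left out of the answer.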

rwpatterson
Valued Contributor III

Not an answer to your question, but I would strongly urge you to change IP addresses and possibly names when posting in a public forum. That small bit of information together may give an undesirable party enough information to do malicious deeds...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
