davidinark
New Contributor

Policies not kicking in?

I wasn't sure how to phrase the title, so here goes my scenario: We are using Google Apps for Education. We should not have any SMTP traffic going out of our network except from two servers. My current config looks like this (in relation to SMTP traffic):

(Inside -> Outside)
Policy ID 20: Source (server2 ip) (with mask/range of 255.255.255.255/255.255.255.255), Destination 173.194.77.[108-109], schedule always, service SMTP, SMTPS, action Accept, Log YES
Policy ID 17: Source (server1 ip) (with mask/range of 255.255.255.255/255.255.255.255), Destination 173.194.77.[108-109], schedule always, service SMTP, SMTPS, action Accept, Log YES
Policy ID 15: Source all, Destination all, schedule always, service SMTP, action DENY, Log YES

I also ran the CLI command on Policy 15 for "set match-vip enable" at one point. Frankly, I don't remember why now - something about VIPs different than firewall. Who knows at this point.

Traffic from server1 IP *does* pass email to Gmail. The log shows Allowed through rule 17. And email is delivered.

Traffic from server2 IP *does NOT* pass email. The log shows Denied because of rule 15. Email is not delivered.

Why is my Rule 20 not taking precedence here? Shouldn't Rule 20 override 15? I tried adding server2 ip to Rule 17, but server2 SMTP still gets blocked by rule 15. It is almost as if the settings are taking effect or something. Any ideas/thoughts/etc?
davidinark
New Contributor

I don't have a "Details" option anywhere on my Top Sessions widget. But, I forced my server to get on the active session list and none of the sessions were 15. They were all Rule 3, which is my default "let everything go out from inside" rule. It's a mystery.
rwpatterson
Valued Contributor III

For grins and giggles, check the IP setup of the non-functional server. Look for default gateway and/or IP subnet mismatches. This doesn't appear to be a firewall issue if changing to a working policy did not allow traffic to pass.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

davidinark
New Contributor

Well, I appreciate your trying to help! I finally "made" it work by sending the traffic through another port. Of course, it is allowed because of my "let everything else go through" rule, as it sees it as 587/tcp traffic and it still ignores the actual RULE that I set up. Whatever. I am going to reboot the thing at the end of the work day, and wait for Fortigate tech support to call/reply/something. Thanks for trying everyone! I really appreciate your experience, since I have zero!
rwpatterson
Valued Contributor III

Did you create your own service? If yes, make sure the source ports are TCP 1024-65535, not TCP 587-587.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

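The two things this thread turns on are first-match policy evaluation (a FortiGate walks the policy table top to bottom in table order, not by policy ID, and the first policy that matches decides) and the point Bob raises about custom services (a service whose source port range is 587-587 never matches a client connecting from an ephemeral port, so the packet falls through to whatever catch-all sits below). The toy evaluator below is an added example and is not FortiGate code or anything posted in the thread; the server addresses 10.0.0.11/10.0.0.12 are constructed, the policy table orders are hypothetical (the thread never shows the real table order), and only the Gmail destination range and policy IDs 3, 15, 17 and 20 come from the posts.

```python
"""Toy first-match firewall policy evaluator (added example, not FortiGate code).

Models two egress-filtering pitfalls from the thread:
  1. Table order, not policy ID, decides which rule wins.
  2. A custom service with a narrow *source* port range never matches
     real client traffic, which then hits the catch-all rule instead.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str                     # "tcp", "udp" or "any"
    dst_ports: tuple                  # inclusive (low, high)
    src_ports: tuple = (1, 65535)     # predefined services accept any source port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


def _in_range(value, low_high):
    low, high = low_high
    return low <= value <= high


def host(ip):
    """Single-host address range, i.e. a 255.255.255.255 mask."""
    addr = ip_address(ip)
    return (addr, addr)


ANY_ADDR = (ip_address("0.0.0.0"), ip_address("255.255.255.255"))


@dataclass(frozen=True)
class Policy:
    policy_id: int
    src: tuple          # inclusive address range
    dst: tuple
    services: tuple     # tuple of Service
    action: str         # "accept" or "deny"

    def matches(self, pkt):
        if not _in_range(ip_address(pkt.src_ip), self.src):
            return False
        if not _in_range(ip_address(pkt.dst_ip), self.dst):
            return False
        for svc in self.services:
            if (svc.protocol in ("any", pkt.protocol)
                    and _in_range(pkt.dst_port, svc.dst_ports)
                    and _in_range(pkt.src_port, svc.src_ports)):
                return True
        return False


def evaluate(policies, pkt):
    """Walk the table top to bottom; first match wins. No match: implicit deny (id 0)."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.policy_id, policy.action
    return 0, "deny"


# Services (predefined-style: any source port).
SMTP = Service("SMTP", "tcp", (25, 25))
SMTPS = Service("SMTPS", "tcp", (465, 465))
ALL = Service("ALL", "any", (1, 65535))

# Destination range from the thread; server addresses are constructed.
GMAIL = (ip_address("173.194.77.108"), ip_address("173.194.77.109"))
SERVER1 = "10.0.0.11"   # constructed stand-in for "(server1 ip)"
SERVER2 = "10.0.0.12"   # constructed stand-in for "(server2 ip)"

POLICY_20 = Policy(20, host(SERVER2), GMAIL, (SMTP, SMTPS), "accept")
POLICY_17 = Policy(17, host(SERVER1), GMAIL, (SMTP, SMTPS), "accept")
POLICY_15 = Policy(15, ANY_ADDR, ANY_ADDR, (SMTP,), "deny")      # SMTP deny-all
POLICY_3 = Policy(3, ANY_ADDR, ANY_ADDR, (ALL,), "accept")       # "let everything out"

SERVER1_SMTP = Packet(SERVER1, "173.194.77.109", "tcp", 51235, 25)
SERVER2_SMTP = Packet(SERVER2, "173.194.77.108", "tcp", 51234, 25)


def thread_order():
    """Hypothetical order reproducing the symptoms: 17 above the deny, 20 below it."""
    return [POLICY_17, POLICY_15, POLICY_20, POLICY_3]


def fixed_order():
    """Both specific accepts above the SMTP deny-all, catch-all last."""
    return [POLICY_17, POLICY_20, POLICY_15, POLICY_3]


def submission_result(src_low, src_high):
    """Custom 587/tcp service with the given source port range, client on an ephemeral port."""
    custom = Service("SUBMISSION-custom", "tcp", (587, 587), (src_low, src_high))
    specific = Policy(20, host(SERVER2), GMAIL, (custom,), "accept")
    pkt = Packet(SERVER2, "173.194.77.108", "tcp", 49152, 587)
    return evaluate([specific, POLICY_15, POLICY_3], pkt)


if __name__ == "__main__":
    print("thread order, server2 ->", evaluate(thread_order(), SERVER2_SMTP))
    print("fixed order,  server2 ->", evaluate(fixed_order(), SERVER2_SMTP))
    print("custom svc src 587-587   ->", submission_result(587, 587))
    print("custom svc src 1024-65535 ->", submission_result(1024, 65535))
```

In the hypothetical thread order, server2's mail is logged as denied by 15 while server1's is accepted by 17, matching the symptoms in the first post; moving 20 above 15 makes 20 win. With the custom service defined as source 587-587, the client's ephemeral source port 49152 fails the match and the packet is accepted by catch-all rule 3 instead of the intended rule, which is exactly the "allowed by the let-everything-else rule" behaviour described above; widening the source range to 1024-65535 restores the intended match. For an egress SMTP control, the deny-all rule should sit directly below the specific accepts and above any catch-all, and the denied/accepted policy ID in the traffic log is the quickest check that the order is what you think it is.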