Policies not kicking in?
I wasn't sure how to phrase the title, so here goes my scenario:
We are using Google Apps for Education. We should not have any SMTP traffic going out of our network except from two servers. My current config looks like this (in relation to smtp traffic):
(Inside -> Outside)
Policy ID 20,
Source (server2 ip), (with mask/range of 255.255.255.255/255.255.255.255)
Destination 173.194.77.[108-109],
schedule always,
service SMTP, SMTPS
action Accept
Log YES
Policy ID 17,
Source (server1 ip) (with mask/range of 255.255.255.255/255.255.255.255)
Destination 173.194.77.[108-109],
schedule always,
service SMTP, SMTPS
action Accept
Log YES
Policy ID 15
source all
destination all
schedule always,
service SMTP
action DENY
Log YES
I also ran the CLI command on Policy 15 for "set match-vip enable" at one point. Frankly, I don't remember why now - something about VIPs different than firewall. Who knows at this point.
Traffic from server1 IP *does* pass email to Gmail. The log shows Allowed through rule 17. And email is delivered.
Traffic from server2 IP *does NOT* pass email. The log shows Denied because of rule 15. Email is not delivered.
Why is my Rule 20 not taking precedence here? Shouldn't Rule 20 override 15?
I tried adding server2 ip to Rule 17, but server2 smtp still gets blocked by rule 15.
It is almost as if the settings are taking effect or something.
Any ideas/thoughts/etc?
13 REPLIES
I don't have a "Details" option anywhere on my Top Sessions widget. But, I forced my server to get on the active session list and none of the sessions were 15. They were all Rule 3, which is my default "let everything go out from inside" rule.
It's a mystery.
For grins and giggles, check the IP setup of the non-functional server. Look for default gateway and/or IP subnet mismatches. This doesn't appear to be a firewall issue if changing to a working policy did not allow traffic to pass.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Well, I appreciate your trying to help!
I finally "made" it work by sending the traffic through another port. Of course, it is allowed because of my "let everything else go through" rule, as it sees it as 587/tcp traffic and it still ignores the actual RULE that I set up. Whatever.
I am going to reboot the thing at the end of the work day, and wait for Fortigate tech support to call/reply/something.
Thanks for trying everyone! I really appreciate your experience, since I have zero!
Did you create your own service? If yes, make sure the source ports are TCP 1024-65535, not TCP 587-587.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
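An added example, not code from the thread or from Fortinet, that models the two things this thread turns on: a FortiGate walks the policy table top to bottom in sequence order (not by policy ID) and applies the first policy that matches, and a custom service whose source port range is pinned to 587-587 can never match a client's ephemeral source port. The server addresses, the sequence order of the policies and the custom-service definition are assumptions; policy IDs, destination addresses and services come from the original post.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Service:
    name: str
    dst_ports: tuple                   # (low, high) destination port range
    src_ports: tuple = (1024, 65535)   # default source range for predefined TCP services

@dataclass(frozen=True)
class Policy:
    policy_id: int
    src: tuple        # source networks; empty tuple means "all"
    dst: tuple        # destination networks; empty tuple means "all"
    services: tuple
    action: str

SMTP = Service("SMTP", (25, 25))
SMTPS = Service("SMTPS", (465, 465))
BAD_587 = Service("custom-587", (587, 587), src_ports=(587, 587))  # the mistake Bob describes
GOOD_587 = Service("submission", (587, 587))                        # source 1024-65535 (default)

GMAIL = ("173.194.77.108/32", "173.194.77.109/32")   # destinations from the post
GMAIL_IP = "173.194.77.108"
SERVER1, SERVER2 = "10.0.0.11", "10.0.0.12"           # assumed private addresses
P20 = Policy(20, (SERVER2 + "/32",), GMAIL, (SMTP, SMTPS), "accept")
P17 = Policy(17, (SERVER1 + "/32",), GMAIL, (SMTP, SMTPS), "accept")
P15 = Policy(15, (), (), (SMTP,), "deny")

def in_any(ip, nets):
    return not nets or any(ip_address(ip) in ip_network(n) for n in nets)

def matches(p, src_ip, dst_ip, src_port, dst_port):
    return (in_any(src_ip, p.src) and in_any(dst_ip, p.dst)
            and any(s.src_ports[0] <= src_port <= s.src_ports[1]
                    and s.dst_ports[0] <= dst_port <= s.dst_ports[1]
                    for s in p.services))

def first_match(table, src_ip, dst_ip, src_port, dst_port):
    """Walk the table top to bottom; the first match decides, else implicit deny."""
    for p in table:
        if matches(p, src_ip, dst_ip, src_port, dst_port):
            return p.policy_id, p.action
    return 0, "implicit-deny"

def server2_as_logged():      # assumed sequence: policy 15 sits above policy 20
    return first_match([P17, P15, P20], SERVER2, GMAIL_IP, 40000, 25)

def server2_reordered():      # same policies, 20 moved above 15
    return first_match([P17, P20, P15], SERVER2, GMAIL_IP, 40000, 25)

def submission(service):      # hypothetical policy 21 for port 587 with the given service
    p = Policy(21, (SERVER2 + "/32",), GMAIL, (service,), "accept")
    return first_match([p], SERVER2, GMAIL_IP, 40000, 587)
```

With the deny policy above the accept in sequence, server2 is logged against policy 15 exactly as in the post; moving policy 20 up, or fixing the custom service's source ports, is what changes the verdict.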