Problem with FW policy
Hello,
I have a strange issue with FW policy; maybe someone can guide me on what is wrong.
Firmware is 7.0.5
I started with FW and I set a rule allow any any to observe traffic.
Now I'm creating more specific rules, and I have a problem with traffic. I mean even if they are more specific, the traffic is caught by the any any rule.
example:
any any policy
    edit 1
        set name "Allow_any_any"
        set uuid 22033e12-9df4-51ec-5956-5a5a3b69598d
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
more specific rule
    edit 30
        set name "AppSrv_to_AD"
        set uuid ba2ecc88-970e-51ed-545e-ac24179a2a1f
        set srcintf "v212"
        set dstintf "v216"
        set action accept
        set srcaddr "v212"
        set dstaddr "AD1" "AD2" "AD3"
        set schedule "always"
        set service "Windows AD" "Port_AD_RCP"
        set logtraffic all
        set comments ""
    next
vlan def
    edit "v212"
        set vdom "root"
        set ip 10.4.74.1 255.255.255.192
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 47
        set interface "LAN"
        set vlanid 212
    next
    edit "v216"
        set vdom "root"
        set ip 10.4.75.1 255.255.255.224
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 51
        set interface "LAN"
        set vlanid 216
    next
Traffic is from the app server (10.4.74.5) to the AD2 server (10.4.75.3) on dst port 49674.
Result:
Time: 41 seconds ago
Source: 10.44.174.5
Destination: 10.4.75.3
Application Name: Port_AD_RCP
PolicyID: Allow_any_any (1)
Details:
Source
IP 10.4.74.5
Source Port 55870
Country/Region Reserved
Primary MAC 00:50:56:bd:03:03
Source Interface v212
Source Host Name XXXXXXXXX
Device ID FG200xxxxxxx
OS Name Windows
Unauthenticated User xxxxx
Unauthenticated User Source kerberos
User xxxxxx
Destination
IP 10.4.75.3
Port 49674
Destination MAC 00:50:56:bd:dd:39
Country/Region Reserved
Destination Interface v216
Application Control
Application Name Port_AD_RCP
Category unscanned
Risk undefined
Protocol 6
Service Port_AD_RCP
Action
Action Accept: session close
Policy ID Allow_any_any (1)
Do you know why this is happening?
Thank you.
Labels: FortiGate
Hello,
Traffic will hit firewall policy 1 "Allow_any_any" in case it is placed above specific firewall policies.
https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/497952/policy-views-and-policy-lookup
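To make the ordering point concrete, here is an added example (not code from the thread or from Fortinet) that simulates a top-down, first-match policy lookup over the two policies quoted in the question. Only the policy fields, the v212 interface subnet and the AD2 address (10.4.75.3) come from the thread; the address objects AD1/AD3 and the port contents of the "Windows AD" and "Port_AD_RCP" service objects are constructed assumptions. The same flow is evaluated with the any-any policy above and below the specific policy, and, going one step further than the thread, with a destination port that neither service object covers, to show why such traffic falls through to the any-any policy regardless of order.

```python
import ipaddress
from dataclasses import dataclass

# Address objects. Only AD2 (10.4.75.3) and the v212 subnet come from the
# thread; AD1 and AD3 are constructed placeholders.
ADDRESSES = {
    "all":  [ipaddress.ip_network("0.0.0.0/0")],
    "v212": [ipaddress.ip_network("10.4.74.0/26")],  # assumed from interface v212 = 10.4.74.1/26
    "AD1":  [ipaddress.ip_network("10.4.75.2/32")],  # constructed placeholder
    "AD2":  [ipaddress.ip_network("10.4.75.3/32")],  # from the thread
    "AD3":  [ipaddress.ip_network("10.4.75.4/32")],  # constructed placeholder
}

# Service objects as (protocol, low port, high port); None matches any protocol.
# The port ranges for "Windows AD" and "Port_AD_RCP" are assumptions.
SERVICES = {
    "ALL":         [(None, 0, 65535)],
    "Windows AD":  [(6, 88, 88), (17, 88, 88), (6, 389, 389), (6, 445, 445)],
    "Port_AD_RCP": [(6, 49152, 65535)],  # assumed RPC dynamic port range
}


@dataclass(frozen=True)
class Policy:
    id: int
    name: str
    srcintf: frozenset
    dstintf: frozenset
    srcaddr: frozenset
    dstaddr: frozenset
    service: frozenset
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: int
    dport: int


def intf_match(names, intf):
    # "any" in a policy matches every interface.
    return "any" in names or intf in names


def addr_match(names, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for name in names for net in ADDRESSES[name])


def svc_match(names, proto, dport):
    return any((p is None or p == proto) and lo <= dport <= hi
               for name in names for (p, lo, hi) in SERVICES[name])


def policy_matches(pol, pkt):
    # Every tuple field must match for the policy to apply.
    return (intf_match(pol.srcintf, pkt.srcintf)
            and intf_match(pol.dstintf, pkt.dstintf)
            and addr_match(pol.srcaddr, pkt.src)
            and addr_match(pol.dstaddr, pkt.dst)
            and svc_match(pol.service, pkt.proto, pkt.dport))


def lookup(policies, pkt):
    # Top-down evaluation: the first matching policy wins; None = implicit deny.
    for pol in policies:
        if policy_matches(pol, pkt):
            return pol
    return None


ALLOW_ANY_ANY = Policy(1, "Allow_any_any", frozenset({"any"}), frozenset({"any"}),
                       frozenset({"all"}), frozenset({"all"}), frozenset({"ALL"}))
APPSRV_TO_AD = Policy(30, "AppSrv_to_AD", frozenset({"v212"}), frozenset({"v216"}),
                      frozenset({"v212"}), frozenset({"AD1", "AD2", "AD3"}),
                      frozenset({"Windows AD", "Port_AD_RCP"}))

# The flow from the thread: app server -> AD2, TCP 49674, entering on v212, leaving on v216.
FLOW = Packet("v212", "v216", "10.4.74.5", "10.4.75.3", 6, 49674)
# Constructed: a DNS query that neither assumed service object covers.
DNS_FLOW = Packet("v212", "v216", "10.4.74.5", "10.4.75.3", 17, 53)


def main():
    for label, order in (("any-any first", [ALLOW_ANY_ANY, APPSRV_TO_AD]),
                         ("specific first", [APPSRV_TO_AD, ALLOW_ANY_ANY])):
        hit = lookup(order, FLOW)
        print(f"{label:15} TCP/49674 -> policy {hit.id} ({hit.name})")
        hit = lookup(order, DNS_FLOW)
        print(f"{label:15} UDP/53    -> policy {hit.id} ({hit.name})")


if __name__ == "__main__":
    main()
```

With the any-any policy on top, the TCP/49674 flow is accepted by policy 1 even though policy 30 would also match it; with policy 30 on top, policy 30 takes it. The DNS flow lands on policy 1 in both orders because no service in policy 30 covers it, which is the first thing to check when a "more specific" policy is unexpectedly skipped: the flow must match every field of that policy, not just source and destination.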
Created on ‎01-18-2023 02:32 AM Edited on ‎01-18-2023 02:33 AM
Hello,
Yes, policy Allow_any_any is at the bottom.
And the strange thing is that traffic for port 53 is caught by this rule for this server (10.4.74.5), but for port 49668 (Port_AD_RCP) it is not.
And another strange thing: another server in the same VLAN (10.4.74.7) was caught on this port by this more specific rule...
Magic...? :)
Thank you,
Hello,
You may consider collecting the debug flow (diag debug flow show iprope enable) in order to check the firewall policy lookup:
