dudarra
New Contributor

Problem with SMTPS Policy

Hey guys,

 

i have a problem with one policy. this policy works on the wireless interfaces. the policy should accept smtp and smtps. Webfilter options are only email filter and deep inspection.

but i can't send mail! when i check the traffic log, smtps traffic is denied. why? i have the same policies on the wired lan and there the policy works!

 

First the log and second pic is the policy   

 

 

can someone help me out? what is wrong?

 

cheers raffa

thanks in advanced Rafael

Dave_Hall
Honored Contributor

What does the full event log message say?  You can drill down into the event/packet to see why it was blocked. (see attached example.)  Could you provide a screenshot of the Firewall policy in question?

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

dudarra

Dave Hall wrote:

What does the full event log message say?  You can drill down into the event/packet to see why it was blocked. (see attached example.)  Could you provide a screenshot of the Firewall policy in question?

 

[attachImg]https://forum.fortinet.com/download.axd?file=0;121672&where=message&f=Drill-down-event log.jpg[/attachImg]

hey dave thanks for the answer...

 

sorry for the wrong info --> i've done the smtp/smtps policy only with the email-filter! the web-filter is deactivated on this policy!

 

thanks in advanced Rafael

Dave_Hall
Honored Contributor

Event doesn't give an actual message as to why NBD0282 is blocked.  I see Threat#131072, Threat Score 30, Tran Display noop, Threat Level high.  Googling Threat 131072 brings up TR-Agent.131072.BH.trojan though. So I am guessing NBD0282 is infected.

 

 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

dudarra
New Contributor

Cheers dave,

 

i've made a scan for this trojan, found nothing...but i find one thing very strange. when i connect this Notebook to the wired LAN with the same policy --> smtp / smtps allow with email filter --> it works! only the same wireless policy doesn't.

 

puuhh made a sniff from wireless lan


id=20085 trace_id=2658 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49606->173.194.65.108:465) from Stadtschulen. flag , seq 1378097344, ack 0, win 8192"
id=20085 trace_id=2658 func=init_ip_session_common line=4522 msg="allocate a new session-000947e8"
id=20085 trace_id=2658 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2658 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2659 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49607->173.194.65.109:465) from Stadtschulen. flag , seq 2114939017, ack 0, win 8192"
id=20085 trace_id=2659 func=init_ip_session_common line=4522 msg="allocate a new session-000947e9"
id=20085 trace_id=2659 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2659 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2660 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49606->173.194.65.108:465) from Stadtschulen. flag , seq 1378097344, ack 0, win 8192"
id=20085 trace_id=2660 func=init_ip_session_common line=4522 msg="allocate a new session-00094800"
id=20085 trace_id=2660 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2660 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2661 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49607->173.194.65.109:465) from Stadtschulen. flag , seq 2114939017, ack 0, win 8192"
id=20085 trace_id=2661 func=init_ip_session_common line=4522 msg="allocate a new session-00094801"
id=20085 trace_id=2661 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2661 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2662 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49608->173.194.65.109:465) from Stadtschulen. flag , seq 2380883788, ack 0, win 8192"
id=20085 trace_id=2662 func=init_ip_session_common line=4522 msg="allocate a new session-0009482f"
id=20085 trace_id=2662 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2662 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2663 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49608->173.194.65.109:465) from Stadtschulen. flag , seq 2380883788, ack 0, win 8192"
id=20085 trace_id=2663 func=init_ip_session_common line=4522 msg="allocate a new session-00094831"
id=20085 trace_id=2663 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2663 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2664 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49608->173.194.65.109:465) from Stadtschulen. flag , seq 2380883788, ack 0, win 8192"
id=20085 trace_id=2664 func=init_ip_session_common line=4522 msg="allocate a new session-00094844"
id=20085 trace_id=2664 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-203.160.224.97 via port8"
id=20085 trace_id=2664 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"

 

and a sniff, with the same policy in the wired lan



id=20085 trace_id=2670 func=__ip_session_run_tuple line=2520 msg="SNAT 172.16.2.101->203.160.224.97:50138"
id=20085 trace_id=2671 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 74.125.136.108:465->203.160.224.97:50138) from port8. flag [F.], seq 3993269220, ack 1556819526, win 383"
id=20085 trace_id=2671 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-0009536f, reply direction"
id=20085 trace_id=2671 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=2671 func=ip_session_run_all_tuple line=5523 msg="DNAT 203.160.224.97:50138->172.16.2.101:50138"
id=20085 trace_id=2672 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50138->74.125.136.108:465) from Server. flag [F.], seq 1556819526, ack 3993269221, win 16521"
id=20085 trace_id=2672 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-0009536f, original direction"
id=20085 trace_id=2672 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=2672 func=ip_session_run_all_tuple line=5511 msg="SNAT 172.16.2.101->203.160.224.97:50138"
id=20085 trace_id=2673 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag , seq 707429164, ack 0, win 8192"
id=20085 trace_id=2673 func=init_ip_session_common line=4522 msg="allocate a new session-00095438"
id=20085 trace_id=2673 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-213.221.215.53 via port8"
id=20085 trace_id=2673 func=fw_forward_handler line=670 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2673 func=ids_receive line=237 msg="send to ips"
id=20085 trace_id=2673 func=__ip_session_run_tuple line=2520 msg="SNAT 172.16.2.101->203.160.224.97:50151"
id=20085 trace_id=2674 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 74.125.136.108:465->203.160.224.97:50151) from port8. flag [S.], seq 449918178, ack 707429165, win 42540"
id=20085 trace_id=2674 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, reply direction"
id=20085 trace_id=2674 func=__ip_session_run_tuple line=2534 msg="DNAT 203.160.224.97:50151->172.16.2.101:50151"
id=20085 trace_id=2674 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.2.101 via Server"
id=20085 trace_id=2675 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag [.], seq 707429165, ack 449918179, win 16661"
id=20085 trace_id=2675 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, original direction"
id=20085 trace_id=2675 func=__ip_session_run_tuple line=2520 msg="SNAT 172.16.2.101->203.160.224.97:50151"
id=20085 trace_id=2676 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag [.], seq 707429165, ack 449918179, win 16661"
id=20085 trace_id=2676 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, original direction"
id=20085 trace_id=2676 func=__ip_session_run_tuple line=2520 msg="SNAT 172.16.2.101->203.160.224.97:50151"
id=20085 trace_id=2677 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 74.125.136.108:465->203.160.224.97:50151) from port8. flag [.], seq 449918179, ack 707429342, win 341"
id=20085 trace_id=2677 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, reply direction"
id=20085 trace_id=2677 func=__ip_session_run_tuple line=2534 msg="DNAT 203.160.224.97:50151->172.16.2.101:50151"
id=20085 trace_id=2678 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag [.], seq 707429342, ack 449921015, win 16661"
id=20085 trace_id=2678 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, original direction"
id=20085 trace_id=2678 func=__ip_session_run_tuple line=2520 msg="SNAT 172.16.2.101->203.160.224.97:50151"
id=20085 trace_id=2679 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 74.125.136.108:465->203.160.224.97:50151) from port8. flag [F.], seq 449922228, ack 707430428, win 358"
id=20085 trace_id=2679 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, reply direction"
id=20085 trace_id=2679 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=2679 func=ip_session_run_all_tuple line=5523 msg="DNAT 203.160.224.97:50151->172.16.2.101:50151"
id=20085 trace_id=2680 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag [F.], seq 707430428, ack 449922229, win 16358"
id=20085 trace_id=2680 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00095438, original direction"
id=20085 trace_id=2680 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=2680 func=ip_session_run_all_tuple line=5511 msg="SNAT 172.16.2.101->203.160.224.97:50151"

 

maybe we can go further with this output....damn need to resolve this...

 

raffa

thanks in advanced Rafael
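Added example, not part of the original posts: a small Python parser that groups flow-trace lines like the ones posted above by trace_id and reports which policy ID denied or allowed each flow. The sample lines are copied from the two traces in this thread; the function and variable names are illustrative.

```python
import re

# Lines copied from the two traces posted above (wireless first, then wired).
SAMPLE = r'''
id=20085 trace_id=2658 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.12.62:49606->173.194.65.108:465) from Stadtschulen. flag , seq 1378097344, ack 0, win 8192"
id=20085 trace_id=2658 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 17)"
id=20085 trace_id=2672 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50138->74.125.136.108:465) from Server. flag [F.], seq 1556819526, ack 3993269221, win 16521"
id=20085 trace_id=2672 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-0009536f, original direction"
id=20085 trace_id=2673 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 172.16.2.101:50151->74.125.136.108:465) from Server. flag , seq 707429164, ack 0, win 8192"
id=20085 trace_id=2673 func=fw_forward_handler line=670 msg="Allowed by Policy-5: SNAT"
'''

LINE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"')
PKT = re.compile(r'packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\. flag')
VERDICTS = [
    (re.compile(r'Denied by forward policy check \(policy (\d+)\)'), "deny"),
    (re.compile(r'Allowed by Policy-(\d+)'), "allow"),
]

def summarize(text):
    """Return {trace_id: flow summary} for flow-trace output."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip blank or unrelated lines
        tid, msg = int(m.group(1)), m.group(2)
        flow = flows.setdefault(tid, {"verdict": "none logged", "policy": None})
        pkt = PKT.search(msg)
        if pkt:  # first line of a trace: 5-tuple and ingress interface
            flow.update(src=pkt.group(2), dst=pkt.group(4),
                        dport=int(pkt.group(5)), iface=pkt.group(6))
        elif "Find an existing session" in msg:
            flow["verdict"] = "existing session"  # no new policy lookup shown
        for rx, verdict in VERDICTS:
            hit = rx.search(msg)
            if hit:
                flow.update(verdict=verdict, policy=int(hit.group(1)))
    return flows

def denied(flows):
    """Sorted (ingress interface, dport, policy id) tuples for denied flows."""
    return sorted({(f.get("iface"), f.get("dport"), f["policy"])
                   for f in flows.values() if f["verdict"] == "deny"})

if __name__ == "__main__":
    for tid, f in sorted(summarize(SAMPLE).items()):
        print(tid, f)
    print("denied:", denied(summarize(SAMPLE)))
```

Run over both full traces, this puts the wireless flows (ingress Stadtschulen, denied by policy 17) next to the wired flow (ingress Server, allowed by Policy-5), which is the comparison the later replies ask for.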

dudarra
New Contributor

hey guys,

i opened a ticket! ...will report.

 

cheers raffa

 

 

thanks in advanced Rafael

myrdin
New Contributor

did you manage to resolve the issue, how? I am having a similar issue, no response from support so far.

 

thanks

 

neonbit
Valued Contributor

The policy has the device type as 'samsung tablet' while the OS of NBD0282 is Windows. Just wanted to confirm if these tablets are windows, and if the FortiGate is detecting them correctly?

 

Have you tried the policy without the device specified (only source address) to see if it works?

emnoc
Esteemed Contributor III

Can you show us the diff between policyid 17 vs. the other policy that works?

 

Ken

PCNSE 

NSE 

StrongSwan  

dudarra
New Contributor

hey guys,

 

sorry for the delay...i resolved the problem with the support!

 

what we did;

 

1. we upgraded the firmware to the beta...

2. made some sniffs with the forti technician

3. i sent the config to the forti technician to test it in the lab

 

and the solution was....i deleted the policy, booted the firewall and created the same policy with the same credentials again...

 

after that the policy worked! :)

 

strange but true

 

cheers rafael

thanks in advanced Rafael
