AndrArt
New Contributor

Sniffer theory: incoming packets are seen on Sniffer, but not logged on session view

Good morning,

My question is probably more of a theoretical nature:

Our customer is using a proxy IP telephony provider. For that we had to configure a custom service to communicate with the provider. Recently our customer started receiving multiple spam calls directly to their softphones. Together with FortiGate support we found a misconfiguration in the custom service/firewall policy pair, and the spam calls have stopped.

Before that, I could see a lot of connected sessions to the ports used by telephony service providers from the attacking IPs' random ports. Now I don't see those any more. BUT when I start a sniffer, I still see packets from the same IPs with SIP INVITEs hitting my external interface; the output looks like this:

(screenshot of the sniffer output: AndrArt_0-1662704664019.png)

I am not good at interpreting sniffer data yet, so I am not sure what I am looking at.

Since the FortiView session view does not show any sessions established from these IPs, and there is nothing on the external ports in the sniffer data, is it correct to say that those connection attempts are dropped by the firewall policy?

 

 

 

1 Solution
sagha
Staff

Hi AndrArt,

Yes, it could mean that packets are getting dropped by the firewall policy in place.

You can have a better understanding of how FGT is dealing with packets by using the following commands:

diag de flow filter addr x.x.x.x

diag de flow trace start 1000

diag de en

Replace x.x.x.x with one of the source addresses that you are blocking.

More details on filters here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing...

You will see how FGT is dealing with that traffic.

Hope this helps.

Regards,

Shahan Agha
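As an added example (not code from the original thread, from Fortinet, or from either poster) of what to do with the trace those commands produce, the script below groups "diagnose debug flow" output lines by trace_id, pulls the 5-tuple and ingress interface out of the "received a packet" line, and records whether each packet was allowed by a policy, dropped by policy 0 (the implicit deny), or matched an existing session. This is the same distinction the question is about: the sniffer sees every packet arriving on the interface, but only packets that pass policy lookup get a session entry. The sample lines are constructed for this example and modelled on the FortiOS debug-flow message format; the addresses, policy ID, session IDs, function names and line numbers are placeholders, and the CLI sequence in the docstring is the answer's commands plus the cleanup steps that stop the trace.

```python
"""
Classify FortiGate 'diagnose debug flow' output by verdict per trace_id.

Assumed capture procedure on the FortiGate CLI (the commands from the
answer above, written out in full, plus the steps that stop and clear
the trace afterwards):

    diagnose debug flow filter addr 203.0.113.10
    diagnose debug flow show function-name enable
    diagnose debug enable
    diagnose debug flow trace start 1000
    ... wait for the packets of interest ...
    diagnose debug flow trace stop
    diagnose debug disable
    diagnose debug reset
"""
import re
from collections import defaultdict

# Constructed sample trace (not a real capture). 203.0.113.10 plays the
# spam-call source that no policy matches; 192.0.2.25 plays the legitimate
# SIP provider that matches policy 7.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5717 msg="vd-root:0 received a packet(proto=17, 203.0.113.10:52417->198.51.100.1:5060) from wan1. "
id=20085 trace_id=1 func=init_ip_session_common line=5887 msg="allocate a new session-000a3f21"
id=20085 trace_id=1 func=fw_local_in_handler line=423 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5717 msg="vd-root:0 received a packet(proto=17, 192.0.2.25:5060->198.51.100.1:5060) from wan1. "
id=20085 trace_id=2 func=init_ip_session_common line=5887 msg="allocate a new session-000a3f22"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.10.10.20 via internal"
id=20085 trace_id=2 func=fw_forward_handler line=785 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5717 msg="vd-root:0 received a packet(proto=17, 203.0.113.10:52418->198.51.100.1:5060) from wan1. "
id=20085 trace_id=3 func=init_ip_session_common line=5887 msg="allocate a new session-000a3f23"
id=20085 trace_id=3 func=fw_local_in_handler line=423 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=5717 msg="vd-root:0 received a packet(proto=17, 192.0.2.25:5060->198.51.100.1:5060) from wan1. "
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5796 msg="Find an existing session, id-000a3f22, original direction"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)\s+from\s+(\S+)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')
EXISTING_RE = re.compile(r'Find an existing session, id-([0-9a-f]+)')


def parse_trace(text):
    """Return one record per trace_id, in order of first appearance.

    Each record carries the packet's proto/src/sport/dst/dport/iface and a
    verdict: 'allowed' (with the policy ID), 'implicit-deny' (policy 0),
    'denied' (an explicit deny policy), 'existing-session', or 'unknown'
    when the trace ended without a recognised decision line.
    """
    traces, order = {}, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, _func, msg = m.groups()
        if tid not in traces:
            traces[tid] = {"verdict": "unknown", "policy": None}
            order.append(tid)
        rec = traces[tid]
        pm = PKT_RE.search(msg)
        if pm:
            proto, src, sport, dst, dport, iface = pm.groups()
            rec.update(proto=int(proto), src=src, sport=int(sport),
                       dst=dst, dport=int(dport), iface=iface)
            continue
        am = ALLOW_RE.search(msg)
        if am:
            rec["verdict"], rec["policy"] = "allowed", int(am.group(1))
            continue
        dm = DROP_RE.search(msg)
        if dm:
            pol = int(dm.group(1))
            # Policy 0 is the implicit deny at the bottom of the policy list.
            rec["verdict"] = "implicit-deny" if pol == 0 else "denied"
            rec["policy"] = pol
            continue
        em = EXISTING_RE.search(msg)
        if em:
            rec["verdict"], rec["session"] = "existing-session", em.group(1)
    return [traces[t] for t in order]


def summarize(records):
    """Count verdicts per source address: {src: {verdict: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r.get("src", "?")][r["verdict"]] += 1
    return {src: dict(v) for src, v in counts.items()}


if __name__ == "__main__":
    for src, verdicts in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(f"{src:16} {verdicts}")
```

A packet whose trace ends in "check failed on policy 0, drop" never gets a session entry, which is why the sniffer (capturing at the interface, before policy lookup) shows the INVITEs while the FortiView session list does not. If you also want those drops in the traffic log, enable logging of violation traffic on the implicit deny policy; by default it logs nothing.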

AndrArt
New Contributor

Hi sagha,

 

Thank you for the explanation and guidance this was really helpful. The debug flow shows that the incoming packets do not hit the SIP communication rule, and are dropped by the implicit deny rule.

 

 
