Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AndrArt
New Contributor

Sniffer theory: incomming packets are seen on Sniffer, but not logged on session view

Good morning,

 

My question is probably more of theory nature:

 

Our customer is using Proxy IP telephony provider. For that we had to configure Custom Service to communicate with the provider. Recently our customer started receiving multiple spam calls directly to their softphones. Together with Fortigate support we found a misconfiguration in the Custom service /firewall policy pair and spam calls have stopped.

  Before that, I could see a lot of connected sessions to the ports used by telephony service providers from the attacking IP's random ports. Now, I don't see those any more. BUT when I start a sniffer, I still see packets from same IP with SIP INVITES hitting my external interface: the output looks like this:

 

AndrArt_0-1662704664019.png

 

I am not good in interpreting the sniffer data yet so I am not sure of what I am I looking at.

 

Since the Forti View session does not show any sessions established from these IP's, and there is nothing on the external ports from the sniffer data, is it correct to say, that those connection attempts are dropped by the firewall policy?

 

 

 

1 Solution
sagha
Staff
Staff

Hi AndrArt, 

 

Yes, it could mean that packets are getting dropped by the firewall policy in place.

 

You can have a better understanding of how FGT is dealing with packets by using the following commands: 

 

diag de flow filter addr x.x.x.x

diag de flow trace start 1000

diag de en

 

Replace x.x.x.x with one of the source addresses that you are blocking. 

 

More details on filters here: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing...

 

You will see how FGT is dealing with that traffic. 

 

Hope this helps. 


Regards, 

Shahan Agha

View solution in original post

2 REPLIES 2
sagha
Staff
Staff

Hi AndrArt, 

 

Yes, it could mean that packets are getting dropped by the firewall policy in place.

 

You can have a better understanding of how FGT is dealing with packets by using the following commands: 

 

diag de flow filter addr x.x.x.x

diag de flow trace start 1000

diag de en

 

Replace x.x.x.x with one of the source addresses that you are blocking. 

 

More details on filters here: 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing...

 

You will see how FGT is dealing with that traffic. 

 

Hope this helps. 


Regards, 

Shahan Agha

AndrArt
New Contributor

Hi sagha,

 

Thank you for the explanation and guidance this was really helpful. The debug flow shows that the incoming packets do not hit the SIP communication rule, and are dropped by the implicit deny rule.

 

 

Labels
Top Kudoed Authors