s_banton
New Contributor

Telnet, NetBIOS, RDP are blocked by a transparent-mode FortiGate

Hello, I am trying to use the FG110C unit as an AntiVirus gateway and IPS gateway, and I have set the mode to transparent mode. Before I put the FG110C into my network, there was no problem using telnet, netbios or RDP for maintaining the PCs from the internal servers. But somehow, when I put the FG110C into my network, all the telnet, netbios and RDP connections between the PCs and the internal servers are blocked. There is no problem pinging between them, though. I attached the network image to this post as an example. All the routing between the PCs and internal servers is done by the SSG5. If anyone has an idea what is causing this problem, I would appreciate your kind help. Regards,
ede_pfau
SuperUser

Fortigates sniff the MAC addresses of passing traffic and block on SSG devices. Actually, on all other UTM companies' MAC addresses. [Sorry, couldn't resist. This was meant to be a joke.] If you'd tell us a little bit more about your config, maybe you'd get some more helpful hints. OS version? Policies?

Ede


"Kernel panic: Aiee, killing interrupt handler!"
Jan_Scholten
Contributor

How is the FortiGate placed between the external/internal servers and the rest of the world? Are you using VLANs for ingress/egress? The colours distract; at L2 it seems the inside of the "right 50B" is in the same net as the internal server. A picture with some more information (IPs/VLANs) would be helpful.
rwpatterson
Valued Contributor III

Does your Internet traffic go all the way through the switch and the FGT 110C to get to the firewall, and then back through the 110C and the switch again to get to the PCs? That's how the diagram appears to me. Also, what firmware version are we working with?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

s_banton
New Contributor

Hi, I wrote down the information that was lacking. The OS version is as below.
config-version=FG110C-4.00-FW-build279-100519
The segment the PC belongs to is VLAN10, the segment the internal server belongs to is VLAN100, and the segment the external server belongs to is the DMZ.
Internet traffic from the PC goes like below.
PC>fg50b>ipsec>fg50b>L2>SSG5>L2>internet
Internal traffic from the PC goes like below.
PC>fg50b>ipsec>fg50b>L2>SSG5>L2>internal server
Vice versa for the replying traffic. Would this be of some help? Anyway, before putting the FG110C into the network, no problems with telnet, RDP, netbios or SSH had occurred.
ede_pfau
SuperUser

And again, which policies do you have configured on the FG? Second thought: if you use VLANs, did you create VLAN ports on the FG? Otherwise, I'd guess it drops VLAN traffic.

Ede


"Kernel panic: Aiee, killing interrupt handler!"
s_banton
New Contributor

Hi, the VLANs are properly assigned to each device. I have picked out some configuration related to IPS. Let me know if any other part of the configuration is needed.

config ips global
    set algorithm engine-pick
    set anomaly-mode continuous
    set engine-count 0
    set fail-open enable
    set ignore-session-bytes 204800
    set ips-opt enable
    set session-limit-mode heuristic
    set socket-size 8
    set traffic-submit enable

config ips sensor
    edit "all_default"
        set comment "all predefined signatures with default setting"
        config filter
            edit "1"
            next

config ips DoS
    edit "all_default"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set threshold 1000
            next
        end
    next
    edit "block_flood"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_port_scan"
                set log enable
                set threshold 1000
            next
            edit "tcp_src_session"
                set log enable
                set threshold 5000
            next
            edit "tcp_dst_session"
                set log enable
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "udp_scan"
                set log enable
                set threshold 2000
            next
            edit "udp_src_session"
                set log enable
                set threshold 5000
            next
            edit "udp_dst_session"
                set log enable
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
            edit "icmp_sweep"
                set log enable
                set threshold 100
            next
            edit "icmp_src_session"
                set log enable
                set threshold 300
            next
            edit "icmp_dst_session"
                set log enable
                set threshold 1000
            next
        end
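The IPS configuration in the post above was pasted flattened onto one line, which makes it hard to see what the DoS sensors actually do. As an added example (not code from this thread or from Fortinet), here is a small parser for the FortiOS `config`/`edit`/`set`/`next`/`end` CLI form that rebuilds the tree and reports which anomalies in a DoS sensor are both enabled and set to `action block`. The function names are mine, and the sample input is a constructed excerpt of the `block_flood` sensor in the same flattened form; the parser works on any `show` output pasted that way.

```python
import re
from typing import Dict, List
KEYWORDS = {"config", "edit", "set", "next", "end"}
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string is one token, so keywords inside quotes are never special

# Constructed excerpt in the same flattened form as the paste above:
# the "block_flood" DoS sensor with three of its twelve anomalies.
SAMPLE = (
    'config ips DoS edit "block_flood" config anomaly '
    'edit "tcp_syn_flood" set status enable set log enable set action block set threshold 2000 next '
    'edit "tcp_port_scan" set log enable set threshold 1000 next '
    'edit "icmp_flood" set status enable set log enable set action block set threshold 250 next '
    'end next end'
)

def _run_end(tokens: List[str], j: int) -> int:  # index of the next unquoted keyword at or after j
    return next((k for k in range(j, len(tokens)) if tokens[k] in KEYWORDS), len(tokens))

def parse_fortios(text: str) -> Dict:
    """'config X'/'edit X' open a node, 'set k v' stores a leaf, 'next'/'end' close the node."""
    tokens = TOKEN.findall(text)
    root: Dict = {}
    stack: List[Dict] = [root]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "config":          # table names can be multi-word ("ips DoS")
            j = _run_end(tokens, i + 1)
            stack.append(stack[-1].setdefault(" ".join(tokens[i + 1:j]), {}))
            i = j
        elif tok == "edit":
            stack.append(stack[-1].setdefault(tokens[i + 1].strip('"'), {}))
            i += 2
        elif tok == "set":           # a value may span several tokens
            j = _run_end(tokens, i + 2)
            stack[-1][tokens[i + 1]] = " ".join(t.strip('"') for t in tokens[i + 2:j])
            i = j
        elif tok in ("next", "end"):
            stack.pop()
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return root

def blocking_anomalies(cfg: Dict, sensor: str) -> List[str]:
    """Enabled anomalies in a DoS sensor whose action is 'block'."""
    anomalies = cfg.get("ips DoS", {}).get(sensor, {}).get("anomaly", {})
    return sorted(n for n, a in anomalies.items()
                  if a.get("status") == "enable" and a.get("action") == "block")
```

Run against the full paste, only the anomalies with an explicit `set status enable` and `set action block` are reported; an anomaly with `set log enable` alone only logs.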
ede_pfau
SuperUser

IPS?? Please, before posting more information like this, post the output of these commands:
show firewall policy
show sys interface

Either the traffic is blocked or directed toward the FG, or dropped because of VLAN mismatch.

Ede


"Kernel panic: Aiee, killing interrupt handler!"