I am trying to add some address fqdn so I can permit traffic from server A to external ip.
During my tests I have found out that after adding particular fqdn address and then delete it from address group that is a part of firewall policy that is allowing traffic I am still able to connect to particular fqdn.
I am sure that fqdn address is no more a member of any Firewall Policy (existing as address object) - I've double check with below commands:
diagnose firewall fqdn list-ip | grep -A3 <fqdn>
show | grep -f <fqdn>
Do you have any advice how to perform such tests.
In short: I want to permit access from Server A to fqdn XYZ based on the forward traffic module. I do want to permit only necessary fqdns.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @roleit,
To allow traffic based on FQDN, please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118
Even though the FQDN object is not in use. The traffic might hit some other firewall policies. You need to check the logs to see which policy was matched.
Regards,
Hello roleit,
If you want to check which FW rule allows the traffic from your server to particular fqdn over specific port, you can apply the filter bellow on the session table and then list it :
diag sys session filter src XXXXX.XXXXX.XXXX.XXXX <---- source IP
diag sys session filter dst XXXXX.XXXXX.XXXX.XXXX <---- destination IP
diag sys session filter dport XXX <---- specify the destination port, if it's unknown, then skip this
diag sys session filter proto zzzz <--- 6 for TCP, 17 for UDP
diag sys session list
Regards,
Fortinet
well, if you see that traffic is allowed, then you have a valid session. I would either look at the session data in FortiView, or use the policy finder tool in the Policy Table to determine the policy which the traffic follows.
You didn't mention if your FQDN is a wildcard FQDN or not.
Hi @roleit
Another suggestion to better manage it would be to create an address group and add the FQDNs you want to permit to that group.
It will make managing these easier as you can just add or remove FQDNS from it when the requirement changes.
Hi roleit,
Thanks for posting your query, you can always use FGT CLI to sniff the traffic and understand how fortigate is handling it.
Please refer the below link in order to get more details.
KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
In order to allow traffic for fqdn, you can refer the below KB.
REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118
Best Regards,
Piyush
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.