Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
roleit
New Contributor

Troubleshooting allowed traffic - firewall policy should block it - how to analyze

I am trying to add some FQDN addresses so I can permit traffic from server A to an external IP.

 

During my tests I have found out that after adding a particular FQDN address and then deleting it from the address group that is part of the firewall policy allowing the traffic, I am still able to connect to that particular FQDN.

 

I am sure that the FQDN address is no longer a member of any firewall policy (it still exists as an address object) - I've double-checked with the commands below:

diagnose firewall fqdn list-ip | grep -A3 <fqdn>

show | grep -f <fqdn>

 

Do you have any advice on how to perform such tests?

In short: I want to permit access from Server A to FQDN XYZ based on the forward traffic module. I do want to permit only the necessary FQDNs.

 

5 REPLIES
hbac
Staff

Hi @roleit,

 

To allow traffic based on FQDN, please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118

 

Even though the FQDN object is not in use, the traffic might hit some other firewall policy. You need to check the logs to see which policy was matched.

 

Regards, 

syordanov
Staff

Hello roleit,

If you want to check which firewall rule allows the traffic from your server to a particular FQDN over a specific port, you can apply the filter below on the session table and then list it:

diag sys session filter src XXXXX.XXXXX.XXXX.XXXX <---- source IP

diag sys session filter dst XXXXX.XXXXX.XXXX.XXXX <---- destination IP

diag sys session filter dport XXX <---- specify the destination port, if it's unknown, then skip this

diag sys session filter proto zzzz <--- 6 for TCP, 17 for UDP

diag sys session list


Regards,

 

Fortinet

ede_pfau
SuperUser

Well, if you see that traffic is allowed, then you have a valid session. I would either look at the session data in FortiView, or use the policy finder tool in the policy table to determine the policy which the traffic follows.

You didn't mention if your FQDN is a wildcard FQDN or not.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
vbandha
Staff

Hi @roleit 

Another suggestion to better manage it would be to create an address group and add the FQDNs you want to permit to that group. 

It will make managing these easier as you can just add or remove FQDNS from it when the requirement changes. 

pmudgal
Staff

Hi roleit,

 

Thanks for posting your query. You can always use the FGT CLI to sniff the traffic and understand how the FortiGate is handling it.

 

Please refer to the links below for more details.

REF: https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/680228/performing-a-sniffer-...

KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

 

In order to allow traffic for an FQDN, you can refer to the KBs below.

REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118

REF: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/217973/using-wildcard-fqdn-a...

 

Best Regards,

Piyush
