Dear people can somebody explain me the marked bold places:
2021-12-22 11:44:37.472461 VPN-TU -- 10.99.19.12 -> 10.15.12.1: icmp: echo request
2021-12-22 11:44:37.504576 VPN-TU -- 10.15.12.1 -> 10.99.19.12: icmp: echo reply
2021-12-22 11:44:37.508988 VPN-TU -- 10.15.12.83.40820 -> 192.168.40.53: udp 29
2021-12-22 08:53:50.466435 VPN-TU -- 10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597
I will analyze the traffic over the Tunnel to reduce the traffic to the necessary ports on policys.
So I am not sure, what does it mean exactly, and wich policy are necessary to get a hit on the right policy.
Thanx a lot!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hey Kaplan,
regarding your questions on diag sniffer:
10.99.19.12 -> 10.15.12.1: icmp: echo request
This means that IP 10.99.19.12 sent an ICMP packet to 10.15.12.1; echo request clarifies that this is a ping query (the echo response in the next line is the ping reply)
10.15.12.83.40820 -> 192.168.40.53: udp 29
this means that IP 10.15.12.83 with source port 40820 contacted IP 192.168.40 on port 53 using protocol UDP, and the packet contained 29 bytes. UDP port 53 is DNS traffic usually.
10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597
This means that IP 10.15.12.83 with source port 52751 contacted IP 10.15.12.109 on destination port 9100; this is a TCP SYN packet, the first packet in establishing a TCP connection; 638097597 is the sequence number (to keep track of what packets belong to what TCP session). TCP 9100 is not a standard port so we can't say what kind of communication beyond basic TCP is happening, but to my knowledge several printer companies (like HP) use that port for various purposes
I hope this helps!
Hey Kaplan,
regarding your questions on diag sniffer:
10.99.19.12 -> 10.15.12.1: icmp: echo request
This means that IP 10.99.19.12 sent an ICMP packet to 10.15.12.1; echo request clarifies that this is a ping query (the echo response in the next line is the ping reply)
10.15.12.83.40820 -> 192.168.40.53: udp 29
this means that IP 10.15.12.83 with source port 40820 contacted IP 192.168.40 on port 53 using protocol UDP, and the packet contained 29 bytes. UDP port 53 is DNS traffic usually.
10.15.12.83.52751 -> 10.15.12.109.9100: syn 638097597
This means that IP 10.15.12.83 with source port 52751 contacted IP 10.15.12.109 on destination port 9100; this is a TCP SYN packet, the first packet in establishing a TCP connection; 638097597 is the sequence number (to keep track of what packets belong to what TCP session). TCP 9100 is not a standard port so we can't say what kind of communication beyond basic TCP is happening, but to my knowledge several printer companies (like HP) use that port for various purposes
I hope this helps!
Created on 12-22-2021 05:22 AM Edited on 12-22-2021 05:27 AM
Dear Debbie_FTNT
you explained very good. I had a problem with the extension
192.168.40.53: "udp 29".
I thought its belong UDP Port 29. Thats enough to build policys.
Thanx again
I have more quest about sniffer:
How I must handle packets like ack, syn, fin.
Does this packets need a policy?
Whats the meaning of "rst"
192.168.5.40.48796: rst 2967809621 ack 1780979467
Hey Kaplan,
ack, syn and fin are specific TCP packets, acknowledging connections, initiating connections and finishing connections, essentially. A rough overview to TCP: https://www.fortinet.com/resources/cyberglossary/tcp-ip
Theose packets do not need a separate policy. A policy looks at source and destination IP and port, essentially, and doesn't care about the specific packet type (SYN, ACK or FIN).
A RST packet is a Reset packet, meaning either side of the connection sent a reset to drop the connection. This is not something the FortiGate caused, this is something going through the FortiGate from either side to the other, and reasons for the RST packet are usually found on either side of the connection, not FortiGate in the middle.
A policy allows a creation of a "session" when the first packet arrived in the direction, in case TCP "syn". Then the session covers all subsequent packets on both directions related the session.
Toshi
Thanx for all answers.
I understand:
if there a "syn" packet for example with port 5555, there must be a policy. Elsewhere this session can not be created in FG or?
Look, you have many users browsing the internet with TCP 443 or 80 through the same FW. Because the sessions include other information like source/destination IP, etc. not only the destination port.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.