U_shah
New Contributor

Fortigate initiating local traffic for blocked forward connection

FortiGate version: 7.2.8

The strange thing we are seeing is that every time there is a blocked connection to a destination (it could be blocked by any of the security profiles), the FortiGate initiates local traffic to the same destination. The traffic does get denied eventually, but what could be the reason for this behaviour?

I have put a screenshot of the example. Lines 2 and 3 are the user-initiated forward traffic and lines 1 and 4 are local traffic initiated from the FortiGate itself. It's a VDOM-based setup; that is the reason for the multiple lines of logs.

Log-Screenshot.png

AEK
SuperUser

Can you double-click on lines 1 & 4 to show more details?

U_shah
New Contributor

Line 1 - Local.png
Line 4 - Forward.png

This is taking an SD-WAN outbound rule towards the Hub site and then going out to the internet from there. But I don't think that is the concern here. This traffic should never have originated from the local FortiGate itself.

AEK
SuperUser

When the FG originates this traffic, is it sent to the IP of the remote IPsec peer or to a public address?

U_shah
New Contributor

It is sent to the public IP address.

pminarik
Staff

Modern FortiOS versions perform so-called "TLS probes". These are separate connections towards the client-requested (web)server, made in order to retrieve the server's certificate for purposes of web filtering, etc.

This is required primarily for TLS 1.3, where the server certificate is already transported encrypted, and completely passive inspection would not reveal it. (But note that TLS 1.3 is not a requirement for the function to trigger; this is done with 1.2 as well nowadays.)

You can stop these probes if you completely remove/disable UTM in your firewall policies, but that is probably not desirable. :)

[ corrections always welcome ]
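As an added illustration (not part of pminarik's reply, and not FortiOS code), the Python below shows why a purely passive inspector can read the server certificate from a TLS 1.2 handshake but not from a TLS 1.3 one, which is what forces the device to open its own probe connection. It parses a server-to-client record stream, reads the negotiated version from the ServerHello (in TLS 1.3 the supported_versions extension overrides the legacy_version field), and reports whether a Certificate handshake message was ever seen in the clear. The two sample flights are constructed byte strings, not captures from the poster's FortiGate, and the certificate payload in the 1.2 sample is a placeholder.

```python
import struct

# TLS constants (RFC 5246 / RFC 8446)
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
SERVER_HELLO, CERTIFICATE = 0x02, 0x0B
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304


def iter_records(data: bytes):
    """Yield (content_type, record_version, fragment) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, frag
        off += 5 + length


def iter_handshakes(fragment: bytes):
    """Yield (msg_type, body) for each handshake message inside a plaintext handshake record."""
    off = 0
    while off + 4 <= len(fragment):
        msg_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        off += 4 + length


def negotiated_version(server_hello: bytes) -> int:
    """Negotiated version: supported_versions extension if present, else legacy_version."""
    legacy_version = struct.unpack("!H", server_hello[:2])[0]
    off = 2 + 32                       # legacy_version + random
    sid_len = server_hello[off]
    off += 1 + sid_len + 2 + 1         # session_id, cipher_suite, compression_method
    if off + 2 > len(server_hello):
        return legacy_version          # no extensions block at all
    ext_total = struct.unpack("!H", server_hello[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", server_hello[off:off + 4])
        ext_data = server_hello[off + 4:off + 4 + ext_len]
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            return struct.unpack("!H", ext_data)[0]
        off += 4 + ext_len
    return legacy_version


def inspect_server_flight(data: bytes) -> dict:
    """Passively inspect the server's first flight and report whether the certificate is visible."""
    result = {"version": None, "certificate_visible": False, "encrypted_records": 0}
    for ctype, _, frag in iter_records(data):
        if ctype == HANDSHAKE:          # plaintext handshake record
            for msg_type, body in iter_handshakes(frag):
                if msg_type == SERVER_HELLO:
                    result["version"] = negotiated_version(body)
                elif msg_type == CERTIFICATE:
                    result["certificate_visible"] = True
        elif ctype == APPLICATION_DATA: # in TLS 1.3 the rest of the handshake hides in here
            result["encrypted_records"] += 1
    # If no cleartext Certificate was seen, an inspector has to fetch it with its own connection.
    result["probe_needed"] = not result["certificate_visible"]
    return result


# --- constructed sample flights (not real captures) ---------------------------------
def _record(ctype: int, frag: bytes) -> bytes:
    return struct.pack("!BHH", ctype, TLS12, len(frag)) + frag   # record version is 0x0303 in both


def _handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _server_hello(cipher_suite: bytes, extensions: bytes = b"") -> bytes:
    return (struct.pack("!H", TLS12) + b"\x11" * 32 + b"\x00"   # legacy_version, random, empty session_id
            + cipher_suite + b"\x00"                              # cipher_suite, null compression
            + struct.pack("!H", len(extensions)) + extensions)


# TLS 1.2: ServerHello, then Certificate in the clear (placeholder DER bytes, constructed)
SAMPLE_TLS12 = (_record(HANDSHAKE, _handshake(SERVER_HELLO, _server_hello(b"\xc0\x2f")))
                + _record(HANDSHAKE, _handshake(CERTIFICATE, b"\x00\x00\x05\x00\x00\x02\x30\x82")))

# TLS 1.3: ServerHello with supported_versions=0x0304; everything after it is encrypted
SAMPLE_TLS13 = (_record(HANDSHAKE, _handshake(SERVER_HELLO, _server_hello(
                    b"\x13\x01", struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, TLS13))))
                + _record(APPLICATION_DATA, b"\xaa" * 48)      # encrypted EncryptedExtensions
                + _record(APPLICATION_DATA, b"\xbb" * 600))    # encrypted Certificate, CertVerify, Finished

if __name__ == "__main__":
    for name, flight in (("TLS 1.2", SAMPLE_TLS12), ("TLS 1.3", SAMPLE_TLS13)):
        print(name, inspect_server_flight(flight))
```

In the 1.2 flight the Certificate message follows the ServerHello as a plaintext handshake record, so no extra connection is needed to learn who the server claims to be. In the 1.3 flight every record after the ServerHello is application_data carrying the encrypted handshake, so the parser flags that a probe would be required; a device in that position has to complete its own handshake with the server to obtain the certificate, which is the FortiGate-originated "local" traffic the poster is seeing.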
U_shah
New Contributor

Does this then require a rule to allow such traffic for the web filter to function correctly? The original traffic (client to internet) was denied by UTM even though the TLS probes (FortiGate to server) did not go through. Makes me wonder if it needs the TLS probe to return something for UTM to function correctly.

In my case this traffic is hitting my SD-WAN rule and reaching the Hub, where the TLS probe traffic is denied.

pminarik

Yes, the probes need to work. If the current routing/SD-WAN setup may cause the TLS probes to egress via an interface where they would be dropped, you can manually select an egress interface for them.
The configuration commands are listed here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-interface-for-IPS-TLS-protocol-a...

[ corrections always welcome ]