Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
roleit
New Contributor

Troubleshooting allowed traffic - firewall policy should blocked it - how to analyze

I am trying to add some address fqdn so I can permit traffic from server A to external ip.

 

During my tests I have found out that after adding particular fqdn address and then delete it from address group that is a part of firewall policy that is allowing traffic I am still able to connect to particular fqdn.

 

I am sure that fqdn address is no more a member of any Firewall Policy (existing as address object) - I've double check with below commands:

diagnose firewall fqdn list-ip | grep -A3 <fqdn>

show | grep -f <fqdn>

 

Do you have any advice how to perform such tests.

In short: I want to permit access from Server A to fqdn XYZ based on the forward traffic module. I do want to permit only necessary fqdns.

 

5 REPLIES 5
hbac
Staff
Staff

Hi @roleit,

 

To allow traffic based on FQDN, please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118

 

Even though the FQDN object is not in use. The traffic might hit some other firewall policies. You need to check the logs to see which policy was matched. 

 

Regards, 

syordanov
Staff
Staff

Hello roleit,

If you want to check which FW rule allows the traffic from your server to particular fqdn over specific port, you can apply the filter bellow on the session table and then list it :

 

 

 

diag sys session filter src XXXXX.XXXXX.XXXX.XXXX <---- source IP

diag sys session filter dst XXXXX.XXXXX.XXXX.XXXX <---- destination IP

diag sys session filter dport XXX <---- specify the destination port, if it's unknown, then skip this

diag sys session filter proto zzzz <--- 6 for TCP, 17 for UDP

diag sys session list

 

 

Regards,

 

Fortinet

.
ede_pfau
SuperUser
SuperUser

well, if you see that traffic is allowed, then you have a valid session. I would either look at the session data in FortiView, or use the policy finder tool in the Policy Table to determine the policy which the traffic follows.

You didn't mention if your FQDN is a wildcard FQDN or not.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
vbandha
Staff
Staff

Hi @roleit 

Another suggestion to better manage it would be to create an address group and add the FQDNs you want to permit to that group. 

It will make managing these easier as you can just add or remove FQDNS from it when the requirement changes. 

pmudgal
Staff
Staff

Hi roleit,

 

Thanks for posting your query, you can always use FGT CLI to sniff the traffic and understand how fortigate is handling it.

 

Please refer the below link in order to get more details.

REF:https://docs.fortinet.com/document/fortigate/6.4.2/administration-guide/680228/performing-a-sniffer-...

KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

 

In order to allow traffic for fqdn, you can refer the below KB.

REF: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-a-wildcard-FQDN/ta-p/196118

REF: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/217973/using-wildcard-fqdn-a...

 

Best Regards,

Piyush

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors