FortiGate SMTP Traffic

OAlmutlq · ‎11-12-2023

Hello everyone,

I have an issue where SMTP over port 587 is not passing through when connected to Office network. When connected to any other network, the traffic passes through with no issues. I have done a lot of analysis, troubleshooting and changes to the FortiGate firewall to try to resolve the issue but no luck.

I would appreciate it if you could give me some insight to pinpoint at the cause of the issue, that would be greatly appreciated.

Command issued on PowerShell:

#> Send-MailMessage -From Richard@domainname.com -To John@domainname.com -Subject "Test Email" -Body "Test SMTP Service from Powershell on Port 587" -SmtpServer smtp.office365.com -Credential $creds -UseSsl -Port 587

Here are the results:

When connected to company network:

When connected to any different network:

It seems that the STARTTLS does not kick off at all for some reason.

Logs from FortiGate are shown as below:

AIGC # diagnose debug flow trace start 100

AIGC # id=20085 trace_id=301 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [S], seq 3979149213, ack 0, win 64240"
id=20085 trace_id=301 func=init_ip_session_common line=6023 msg="allocate a new session-0081aa58, tun_id=0.0.0.0"
id=20085 trace_id=301 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.50.253.21 via ppp2"
id=20085 trace_id=301 func=get_new_addr line=1221 msg="find SNAT: IP-<PublicIP>(from IPPOOL), port-63444"
id=20085 trace_id=301 func=fw_forward_handler line=881 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=301 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=301 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=302 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 52.97.186.146:587-><PublicIP>:63444) tun_id=0.0.0.0 from ppp2. flag [S.], seq 2010993780, ack 3979149214, win 65535"
id=20085 trace_id=302 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, reply direction"
id=20085 trace_id=302 func=__ip_session_run_tuple line=3483 msg="DNAT <PublicIP>:63444->192.168.10.72:3028"
id=20085 trace_id=302 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.10.72 via internal"
id=20085 trace_id=302 func=npu_handle_session44 line=1182 msg="Trying to offloading session from ppp2 to internal, skb.npu_flag=00000400 ses.state=00042204 ses.npu_state=0x00041108"
id=20085 trace_id=302 func=fw_forward_dirty_handler line=410 msg="state=00042204, state2=00000001, npu_state=00041108"
id=20085 trace_id=302 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=303 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993781, win 513"
id=20085 trace_id=303 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=303 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00042204 ses.npu_state=0x00041108"
id=20085 trace_id=303 func=fw_forward_dirty_handler line=410 msg="state=00042204, state2=00000001, npu_state=00041108"
id=20085 trace_id=303 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=303 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=304 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 52.97.186.146:587-><PublicIP>:63444) tun_id=0.0.0.0 from ppp2. flag [.], seq 2010993781, ack 3979149214, win 16386"
id=20085 trace_id=304 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, reply direction"
id=20085 trace_id=304 func=__ip_session_run_tuple line=3483 msg="DNAT <PublicIP>:63444->192.168.10.72:3028"
id=20085 trace_id=304 func=npu_handle_session44 line=1182 msg="Trying to offloading session from ppp2 to internal, skb.npu_flag=00000400 ses.state=00042204 ses.npu_state=0x00041108"
id=20085 trace_id=304 func=fw_forward_dirty_handler line=410 msg="state=00042204, state2=00000001, npu_state=00041108"
id=20085 trace_id=304 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=305 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=305 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=305 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00042204 ses.npu_state=0x00041108"
id=20085 trace_id=305 func=fw_forward_dirty_handler line=410 msg="state=00042204, state2=00000001, npu_state=00041108"
id=20085 trace_id=305 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=305 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=306 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=306 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=306 func=get_new_addr line=1221 msg="find SNAT: IP-<PublicIP>(from IPPOOL), port-59246"
id=20085 trace_id=306 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=306 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=307 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=307 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=307 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=307 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=307 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=307 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=308 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=308 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=308 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=308 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=308 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=308 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=309 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=309 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=309 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=309 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=309 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=309 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=310 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=310 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=310 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=310 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=310 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=310 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=311 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [.], seq 3979149214, ack 2010993892, win 512"
id=20085 trace_id=311 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=311 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=311 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=311 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=311 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"
id=20085 trace_id=312 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.10.72:3028->52.97.186.146:587) tun_id=0.0.0.0 from internal. flag [R.], seq 3979149232, ack 2010993892, win 0"
id=20085 trace_id=312 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-0081aa58, original direction"
id=20085 trace_id=312 func=npu_handle_session44 line=1182 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000000 ses.state=00002204 ses.npu_state=0x00041008"
id=20085 trace_id=312 func=fw_forward_dirty_handler line=410 msg="state=00002204, state2=00004001, npu_state=00041008"
id=20085 trace_id=312 func=ids_receive line=417 msg="send to ips"
id=20085 trace_id=312 func=__ip_session_run_tuple line=3470 msg="SNAT 192.168.10.72-><PublicIP>:63444"

AIGC #

Omar Almutlq

abarushka · ‎11-13-2023

Hello,

It is unlikely to be connectivity / MTU related issue.

Most likely either packet 5 or 6 is dropped.

You may consider to sniff traffic on FortiGate side (all interface "diag sniffer packet any <filters> 6 0 a") and check whether packets 5 and 6 are visible on all interfaces.

Moreover, I would recommend to check whether traffic is UTM inspected.

FortiGate