Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Al_Grant
New Contributor

Created on ‎04-16-2019 10:35 PM

50E Policy Setup Issues

Hello,

I have a new Fortigate FG50E which is on a work group (no servers or AD etc).

The initial policy setup allows LAN-WAN source all, destination any, and this seems to work.

 

The minute I add another policy, still LAN->WAN but source is set to 1 specific IP, other IP's on the LAN are also getting blocked.

 

I don't know where to go beyond this to find out why.

 

Could someone please help.

 

Cheers

 

Al

 

9318
0 Kudos
16 REPLIES 16
Bubu
Contributor

Created on ‎04-16-2019 11:17 PM

Hi,

First, can you show us the two policies, please?

You can also debug to find out why access is blocked:

diagnose debug en
diagnose debug flow filter saddr (source IP)
diagnose debug flow filter daddr (destination IP)
diagnose debug flow trace start 30

Run your query

diagnose debug disable
diagnose debug reset

 

Attach it here the output

Regards,

Bubu

Bubu
3875
0 Kudos
Al_Grant
New Contributor
In response to Bubu

Created on ‎04-16-2019 11:55 PM

POLICIES:

config firewall policy
    edit 1
        set name "No Schedule LAN to WAN"
        set uuid 0a65c1b2-5fea-51e9-f032-1a950c0607d7
        set srcintf "lan"
        set dstintf "Vodafone WAN"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set nat enable
    next
    edit 2
        set name "Scheduled No Social Media"
        set uuid a8668fac-60cd-51e9-b8fc-b0ef676b8932
        set srcintf "lan"
        set dstintf "Vodafone WAN"
        set srcaddr "Beyonce"
        set dstaddr "all"
        set action accept
        set schedule "Kids"
        set service "ALL"
--More--                  set utm-status enable
        set fsso disable
        set application-list "Kids Application Control"
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
end

 

 

 

 

3875
0 Kudos
Bubu
Contributor
In response to Al_Grant

Created on ‎04-17-2019 12:51 AM

Screenshot or in CLI "show firewall policy"

Regards

Bubu

Bubu
3875
0 Kudos
Al_Grant
New Contributor
In response to Bubu

Created on ‎04-17-2019 12:54 AM

The device in question isnt available at this second, but I will post packet logs as soon as I can.

3875
0 Kudos
Bubu
Contributor
In response to Al_Grant

Created on ‎04-17-2019 01:02 AM

Al Grant wrote:

POLICIES:

config firewall policy
 edit 1
 set name "No Schedule LAN to WAN"
 set uuid 0a65c1b2-5fea-51e9-f032-1a950c0607d7
 set srcintf "lan"
 set dstintf "Vodafone WAN"
 set srcaddr "all"
 set dstaddr "all"
 set action accept
 set schedule "always"
 set service "ALL"
 set fsso disable
 set nat enable
 next
 edit 2
 set name "Scheduled No Social Media"
 set uuid a8668fac-60cd-51e9-b8fc-b0ef676b8932
 set srcintf "lan"
 set dstintf "Vodafone WAN"
 set srcaddr "Beyonce"
 set dstaddr "all"
 set action accept
 set schedule "Kids"
 set service "ALL"
--More-- set utm-status enable
 set fsso disable
 set application-list "Kids Application Control"
 set ssl-ssh-profile "certificate-inspection"
 set nat enable
 next
end

 

These policies are those of the FGT50E? If this is the case, everything seems normal, you should perform a debug flow as requested above

Bubu

Bubu
3875
0 Kudos
Al_Grant
New Contributor
In response to Bubu

Created on ‎04-17-2019 01:16 AM

debug output when trying to browse to a website:

 

2019-04-17 20:14:40 id=20085 trace_id=2100 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:14:40 id=20085 trace_id=2100 func=init_ip_session_common line=5657 msg="allocate a new session-00047d78" 2019-04-17 20:14:40 id=20085 trace_id=2100 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:14:41 id=20085 trace_id=2101 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:14:41 id=20085 trace_id=2101 func=init_ip_session_common line=5657 msg="allocate a new session-00047d79" 2019-04-17 20:14:41 id=20085 trace_id=2101 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:14:44 id=20085 trace_id=2102 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:14:44 id=20085 trace_id=2102 func=init_ip_session_common line=5657 msg="allocate a new session-00047d7d" 2019-04-17 20:14:44 id=20085 trace_id=2102 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:14:53 id=20085 trace_id=2103 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:14:53 id=20085 trace_id=2103 func=init_ip_session_common line=5657 msg="allocate a new session-00047d8b" 2019-04-17 20:14:53 id=20085 trace_id=2103 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:15:20 id=20085 trace_id=2104 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:15:20 id=20085 trace_id=2104 func=init_ip_session_common line=5657 msg="allocate a new session-00047dab" 2019-04-17 20:15:20 id=20085 trace_id=2104 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:16:36 id=20085 trace_id=2105 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:16:36 id=20085 trace_id=2105 func=init_ip_session_common line=5657 msg="allocate a new session-00047dfe" 2019-04-17 20:16:36 id=20085 trace_id=2105 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:16:37 id=20085 trace_id=2106 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=2, 192.168.85.190:0->224.0.0.22:0) from lan. " 2019-04-17 20:16:37 id=20085 trace_id=2106 func=init_ip_session_common line=5657 msg="allocate a new session-00047e05" 2019-04-17 20:16:37 id=20085 trace_id=2106 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:16:37 id=20085 trace_id=2107 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:16:37 id=20085 trace_id=2107 func=init_ip_session_common line=5657 msg="allocate a new session-00047e06" 2019-04-17 20:16:37 id=20085 trace_id=2107 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:16:39 id=20085 trace_id=2108 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=2, 192.168.85.190:0->224.0.0.22:0) from lan. " 2019-04-17 20:16:39 id=20085 trace_id=2108 func=init_ip_session_common line=5657 msg="allocate a new session-00047e0c" 2019-04-17 20:16:39 id=20085 trace_id=2108 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:16:40 id=20085 trace_id=2109 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:16:40 id=20085 trace_id=2109 func=init_ip_session_common line=5657 msg="allocate a new session-00047e0f" 2019-04-17 20:16:40 id=20085 trace_id=2109 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:17:30 id=20085 trace_id=2110 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:17:30 id=20085 trace_id=2110 func=init_ip_session_common line=5657 msg="allocate a new session-00047e70" 2019-04-17 20:17:30 id=20085 trace_id=2110 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:17:31 id=20085 trace_id=2111 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:17:31 id=20085 trace_id=2111 func=init_ip_session_common line=5657 msg="allocate a new session-00047e73" 2019-04-17 20:17:31 id=20085 trace_id=2111 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:17:34 id=20085 trace_id=2112 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:17:34 id=20085 trace_id=2112 func=init_ip_session_common line=5657 msg="allocate a new session-00047e79" 2019-04-17 20:17:34 id=20085 trace_id=2112 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:17:43 id=20085 trace_id=2113 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:17:43 id=20085 trace_id=2113 func=init_ip_session_common line=5657 msg="allocate a new session-00047e80" 2019-04-17 20:17:43 id=20085 trace_id=2113 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:18:11 id=20085 trace_id=2114 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. " 2019-04-17 20:18:11 id=20085 trace_id=2114 func=init_ip_session_common line=5657 msg="allocate a new session-00047eb1" 2019-04-17 20:18:11 id=20085 trace_id=2114 func=ip_session_handle_no_dst line=5733 msg="trace" 2019-04-17 20:18:50 id=20085 trace_id=2115 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:50364->192.168.85.1:53) from lan. " 2019-04-17 20:18:50 id=20085 trace_id=2115 func=init_ip_session_common line=5657 msg="allocate a new session-00047f00" 2019-04-17 20:18:50 id=20085 trace_id=2115 func=vf_ip_route_input_common line=2591 msg="find a route: flag=84000000 gw-192.168.85.1 via root" 2019-04-17 20:18:50 id=20085 trace_id=2116 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag , seq 1768917289, ack 0, win 65535" 2019-04-17 20:18:50 id=20085 trace_id=2116 func=init_ip_session_common line=5657 msg="allocate a new session-00047f01" 2019-04-17 20:18:50 id=20085 trace_id=2116 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-121.74.95.254 via Vodafone WAN" 2019-04-17 20:18:50 id=20085 trace_id=2116 func=fw_forward_handler line=751 msg="Allowed by Policy-1: SNAT" 2019-04-17 20:18:50 id=20085 trace_id=2116 func=__ip_session_run_tuple line=3328 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2117 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917290, ack 2726466295, win 2058" 2019-04-17 20:18:50 id=20085 trace_id=2117 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2117 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2117 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2118 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917290, ack 2726466295, win 2058" 2019-04-17 20:18:50 id=20085 trace_id=2118 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2118 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2118 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2119 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469191, win 2013" 2019-04-17 20:18:50 id=20085 trace_id=2119 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2119 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2119 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2120 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469709, win 2005" 2019-04-17 20:18:50 id=20085 trace_id=2120 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2120 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2120 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2121 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469709, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2121 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2121 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2121 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2122 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917588, ack 2726469709, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2122 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2122 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2122 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2123 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917594, ack 2726469709, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2123 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2123 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2123 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2124 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917663, ack 2726469784, win 2046" 2019-04-17 20:18:50 id=20085 trace_id=2124 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2124 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2124 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2125 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917663, ack 2726469784, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2125 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2125 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2125 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2126 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768918740, ack 2726469869, win 2046" 2019-04-17 20:18:50 id=20085 trace_id=2126 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2126 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2126 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2127 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768918740, ack 2726469869, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2127 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2127 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2127 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2128 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768920188, ack 2726469869, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2128 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2128 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2128 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964" 2019-04-17 20:18:50 id=20085 trace_id=2129 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768921636, ack 2726469869, win 2048" 2019-04-17 20:18:50 id=20085 trace_id=2129 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction" 2019-04-17 20:18:50 id=20085 trace_id=2129 func=ipv4_fast_cb line=53 msg="enter fast path" 2019-04-17 20:18:50 id=20085 trace_id=2129 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"

3875
0 Kudos
Al_Grant
New Contributor
In response to Al_Grant

Created on ‎04-17-2019 01:26 AM

I am begining to suspect a DNS issue. When I went into the affected device which is a phone and changed the DNS type from automatic to manual, and used 8.8.8.8 it worked. So I changed back to Automatic, which set the phone back to my Fortigate on 192.168.85.1 and it still worked.

I think at times there is a DNS server resolution issue, but still not quite clear what.

3875
0 Kudos
andrewbailey
Contributor II
In response to Al_Grant

Created on ‎04-17-2019 01:36 AM

How  are you system DNS servers set?

 

Are you still using the default Fortinet servers or have you reconfigured to use your ISP DNS server IPs?

 

It looks like you are in the UK- certainly on my experience the Fortinet servers dont always work so well here. For example Sky HD boxes don't cope well with DNS delays.

 

Also, it doesn't look like you have a DNS filter policy applied- but worth checking if you have and if so is the site you are trying to browse in a DNS filtered category perhaps?

 

Hope that helps.

 

Andy

3875
0 Kudos
Al_Grant
New Contributor
In response to andrewbailey

Created on ‎04-17-2019 01:45 AM

I am using the ISP DNS servers. So my clients get the Fortigate IP and it forwards any DNS requests. 

 

Here is the relevant screens:

 

 

 

3875
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.