50E Policy Setup Issues

Author: Al Grant
2019/04/16 22:35:28

50E Policy Setup Issues

Hello,
I have a new Fortigate FG50E which is on a workgroup (no servers or AD etc).
The initial policy setup allows LAN-WAN source all, destination any, and this seems to work.
 
The minute I add another policy, still LAN->WAN but with source set to 1 specific IP, other IPs on the LAN are also getting blocked.
 
I don't know where to go beyond this to find out why.
 
Could someone please help?
 
Cheers
 
Al
 
#1

15 Replies

    Bubu
    Re: 50E Policy Setup Issues 2019/04/16 23:17:05
    Hi,
    First, can you show us the two policies, please?
    You can also debug to find out why access is blocked:
    diagnose debug en
    diagnose debug flow filter saddr (source IP)
    diagnose debug flow filter daddr (destination IP)
    diagnose debug flow trace start 30

    Run your query
    diagnose debug disable
    diagnose debug reset

     
    Attach the output here.
    Regards,

    Bubu
    #2
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/16 23:55:39
    POLICIES:
    config firewall policy
        edit 1
            set name "No Schedule LAN to WAN"
            set uuid 0a65c1b2-5fea-51e9-f032-1a950c0607d7
            set srcintf "lan"
            set dstintf "Vodafone WAN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
        edit 2
            set name "Scheduled No Social Media"
            set uuid a8668fac-60cd-51e9-b8fc-b0ef676b8932
            set srcintf "lan"
            set dstintf "Vodafone WAN"
            set srcaddr "Beyonce"
            set dstaddr "all"
            set action accept
            set schedule "Kids"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set application-list "Kids Application Control"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end
    post edited by Al Grant - 2019/04/17 00:51:29
    #3
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/17 00:54:13
    The device in question isn't available at this second, but I will post packet logs as soon as I can.
    #4
    Bubu
    Re: 50E Policy Setup Issues 2019/04/17 01:02:18
    Al Grant wrote:
    POLICIES:
    config firewall policy
        edit 1
            set name "No Schedule LAN to WAN"
            set uuid 0a65c1b2-5fea-51e9-f032-1a950c0607d7
            set srcintf "lan"
            set dstintf "Vodafone WAN"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set fsso disable
            set nat enable
        next
        edit 2
            set name "Scheduled No Social Media"
            set uuid a8668fac-60cd-51e9-b8fc-b0ef676b8932
            set srcintf "lan"
            set dstintf "Vodafone WAN"
            set srcaddr "Beyonce"
            set dstaddr "all"
            set action accept
            set schedule "Kids"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set application-list "Kids Application Control"
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end

    Are these policies those of the FGT50E? If so, everything seems normal; you should perform a debug flow as requested above.

    Bubu
    #5
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/17 01:16:00
    Debug output when trying to browse to a website:
     
    2019-04-17 20:14:40 id=20085 trace_id=2100 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:14:40 id=20085 trace_id=2100 func=init_ip_session_common line=5657 msg="allocate a new session-00047d78"
    2019-04-17 20:14:40 id=20085 trace_id=2100 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:14:41 id=20085 trace_id=2101 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:14:41 id=20085 trace_id=2101 func=init_ip_session_common line=5657 msg="allocate a new session-00047d79"
    2019-04-17 20:14:41 id=20085 trace_id=2101 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:14:44 id=20085 trace_id=2102 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:14:44 id=20085 trace_id=2102 func=init_ip_session_common line=5657 msg="allocate a new session-00047d7d"
    2019-04-17 20:14:44 id=20085 trace_id=2102 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:14:53 id=20085 trace_id=2103 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:14:53 id=20085 trace_id=2103 func=init_ip_session_common line=5657 msg="allocate a new session-00047d8b"
    2019-04-17 20:14:53 id=20085 trace_id=2103 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:15:20 id=20085 trace_id=2104 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:15:20 id=20085 trace_id=2104 func=init_ip_session_common line=5657 msg="allocate a new session-00047dab"
    2019-04-17 20:15:20 id=20085 trace_id=2104 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:16:36 id=20085 trace_id=2105 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:16:36 id=20085 trace_id=2105 func=init_ip_session_common line=5657 msg="allocate a new session-00047dfe"
    2019-04-17 20:16:36 id=20085 trace_id=2105 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:16:37 id=20085 trace_id=2106 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=2, 192.168.85.190:0->224.0.0.22:0) from lan. "
    2019-04-17 20:16:37 id=20085 trace_id=2106 func=init_ip_session_common line=5657 msg="allocate a new session-00047e05"
    2019-04-17 20:16:37 id=20085 trace_id=2106 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:16:37 id=20085 trace_id=2107 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:16:37 id=20085 trace_id=2107 func=init_ip_session_common line=5657 msg="allocate a new session-00047e06"
    2019-04-17 20:16:37 id=20085 trace_id=2107 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:16:39 id=20085 trace_id=2108 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=2, 192.168.85.190:0->224.0.0.22:0) from lan. "
    2019-04-17 20:16:39 id=20085 trace_id=2108 func=init_ip_session_common line=5657 msg="allocate a new session-00047e0c"
    2019-04-17 20:16:39 id=20085 trace_id=2108 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:16:40 id=20085 trace_id=2109 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:16:40 id=20085 trace_id=2109 func=init_ip_session_common line=5657 msg="allocate a new session-00047e0f"
    2019-04-17 20:16:40 id=20085 trace_id=2109 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:17:30 id=20085 trace_id=2110 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:17:30 id=20085 trace_id=2110 func=init_ip_session_common line=5657 msg="allocate a new session-00047e70"
    2019-04-17 20:17:30 id=20085 trace_id=2110 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:17:31 id=20085 trace_id=2111 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:17:31 id=20085 trace_id=2111 func=init_ip_session_common line=5657 msg="allocate a new session-00047e73"
    2019-04-17 20:17:31 id=20085 trace_id=2111 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:17:34 id=20085 trace_id=2112 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:17:34 id=20085 trace_id=2112 func=init_ip_session_common line=5657 msg="allocate a new session-00047e79"
    2019-04-17 20:17:34 id=20085 trace_id=2112 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:17:43 id=20085 trace_id=2113 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:17:43 id=20085 trace_id=2113 func=init_ip_session_common line=5657 msg="allocate a new session-00047e80"
    2019-04-17 20:17:43 id=20085 trace_id=2113 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:18:11 id=20085 trace_id=2114 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
    2019-04-17 20:18:11 id=20085 trace_id=2114 func=init_ip_session_common line=5657 msg="allocate a new session-00047eb1"
    2019-04-17 20:18:11 id=20085 trace_id=2114 func=ip_session_handle_no_dst line=5733 msg="trace"
    2019-04-17 20:18:50 id=20085 trace_id=2115 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:50364->192.168.85.1:53) from lan. "
    2019-04-17 20:18:50 id=20085 trace_id=2115 func=init_ip_session_common line=5657 msg="allocate a new session-00047f00"
    2019-04-17 20:18:50 id=20085 trace_id=2115 func=vf_ip_route_input_common line=2591 msg="find a route: flag=84000000 gw-192.168.85.1 via root"
    2019-04-17 20:18:50 id=20085 trace_id=2116 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag , seq 1768917289, ack 0, win 65535"
    2019-04-17 20:18:50 id=20085 trace_id=2116 func=init_ip_session_common line=5657 msg="allocate a new session-00047f01"
    2019-04-17 20:18:50 id=20085 trace_id=2116 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-121.74.95.254 via Vodafone WAN"
    2019-04-17 20:18:50 id=20085 trace_id=2116 func=fw_forward_handler line=751 msg="Allowed by Policy-1: SNAT"
    2019-04-17 20:18:50 id=20085 trace_id=2116 func=__ip_session_run_tuple line=3328 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2117 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917290, ack 2726466295, win 2058"
    2019-04-17 20:18:50 id=20085 trace_id=2117 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2117 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2117 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2118 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917290, ack 2726466295, win 2058"
    2019-04-17 20:18:50 id=20085 trace_id=2118 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2118 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2118 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2119 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469191, win 2013"
    2019-04-17 20:18:50 id=20085 trace_id=2119 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2119 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2119 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2120 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469709, win 2005"
    2019-04-17 20:18:50 id=20085 trace_id=2120 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2120 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2120 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2121 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917513, ack 2726469709, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2121 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2121 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2121 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2122 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917588, ack 2726469709, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2122 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2122 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2122 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2123 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917594, ack 2726469709, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2123 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2123 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2123 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2124 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917663, ack 2726469784, win 2046"
    2019-04-17 20:18:50 id=20085 trace_id=2124 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2124 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2124 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2125 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768917663, ack 2726469784, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2125 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2125 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2125 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2126 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768918740, ack 2726469869, win 2046"
    2019-04-17 20:18:50 id=20085 trace_id=2126 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2126 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2126 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2127 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768918740, ack 2726469869, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2127 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2127 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2127 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2128 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768920188, ack 2726469869, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2128 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2128 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2128 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    2019-04-17 20:18:50 id=20085 trace_id=2129 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag [.], seq 1768921636, ack 2726469869, win 2048"
    2019-04-17 20:18:50 id=20085 trace_id=2129 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-00047f01, original direction"
    2019-04-17 20:18:50 id=20085 trace_id=2129 func=ipv4_fast_cb line=53 msg="enter fast path"
    2019-04-17 20:18:50 id=20085 trace_id=2129 func=ip_session_run_all_tuple line=6738 msg="SNAT 192.168.85.190->121.74.93.211:49964"
    post edited by Al Grant - 2019/04/17 01:21:37
    #6
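    As an added illustration (not code from the thread or from Fortinet), here is a small parser for the output of the debug flow procedure Bubu describes, run over lines in the format Al posted above. It groups the lines by trace_id and reduces each flow to its packet tuple, egress interface and policy verdict, so the flows that never reached a policy stand out from the ones a policy allowed or denied. The first two flows in the sample are copied from the trace above; the third flow and its deny message are constructed.

```python
import re
from collections import OrderedDict

# Sample input: the first two flows are copied from the trace posted in this
# thread; the third (trace_id 2130, 192.168.85.50 -> 203.0.113.10) is
# constructed to show what a policy deny looks like in the same format.
SAMPLE_TRACE = """\
2019-04-17 20:14:40 id=20085 trace_id=2100 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=17, 192.168.85.190:5353->224.0.0.251:5353) from lan. "
2019-04-17 20:14:40 id=20085 trace_id=2100 func=init_ip_session_common line=5657 msg="allocate a new session-00047d78"
2019-04-17 20:14:40 id=20085 trace_id=2100 func=ip_session_handle_no_dst line=5733 msg="trace"
2019-04-17 20:18:50 id=20085 trace_id=2116 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.190:49964->17.252.252.79:443) from lan. flag , seq 1768917289, ack 0, win 65535"
2019-04-17 20:18:50 id=20085 trace_id=2116 func=init_ip_session_common line=5657 msg="allocate a new session-00047f01"
2019-04-17 20:18:50 id=20085 trace_id=2116 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-121.74.95.254 via Vodafone WAN"
2019-04-17 20:18:50 id=20085 trace_id=2116 func=fw_forward_handler line=751 msg="Allowed by Policy-1: SNAT"
2019-04-17 20:18:50 id=20085 trace_id=2116 func=__ip_session_run_tuple line=3328 msg="SNAT 192.168.85.190->121.74.93.211:49964"
2019-04-17 20:18:51 id=20085 trace_id=2130 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=6, 192.168.85.50:51000->203.0.113.10:443) from lan. flag , seq 1, ack 0, win 65535"
2019-04-17 20:18:51 id=20085 trace_id=2130 func=init_ip_session_common line=5657 msg="allocate a new session-00047f10"
2019-04-17 20:18:51 id=20085 trace_id=2130 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-121.74.95.254 via Vodafone WAN"
2019-04-17 20:18:51 id=20085 trace_id=2130 func=fw_forward_handler line=751 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)"
                    r"->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+)\.")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pid>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")
ROUTE_RE = re.compile(r"find a route: .* via (?P<out>.+)$")


def parse_trace(text):
    """Group 'diagnose debug flow' lines by trace_id and reduce each flow to
    its packet tuple, egress interface and policy verdict."""
    flows = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a flow-trace line (prompt, blank, pager residue)
        func, msg = m.group("func"), m.group("msg")
        flow = flows.setdefault(m.group("tid"), {"verdict": "no verdict", "policy": None})
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                flow.update(proto=int(p.group("proto")), src=p.group("src"),
                            sport=int(p.group("sport")), dst=p.group("dst"),
                            dport=int(p.group("dport")), intf=p.group("intf"))
        elif func == "vf_ip_route_input_common":
            r = ROUTE_RE.search(msg)
            if r:
                flow["out_intf"] = r.group("out")
        elif func == "ip_session_handle_no_dst":
            # No forwarding destination: in the thread these are the mDNS
            # packets to 224.0.0.251, which never reach a policy at all.
            flow["verdict"] = "no destination route"
        elif func == "fw_forward_handler":
            a, d = ALLOW_RE.search(msg), DENY_RE.search(msg)
            if a:
                flow["verdict"], flow["policy"] = "allowed", int(a.group("pid"))
            elif d:
                flow["verdict"], flow["policy"] = "denied", int(d.group("pid"))
    return flows


def summarize(text):
    """Map each verdict to the trace_ids that received it, so a reader can
    see at a glance which flows a policy handled and which got no verdict."""
    by_verdict = {}
    for tid, flow in parse_trace(text).items():
        by_verdict.setdefault(flow["verdict"], []).append(tid)
    return by_verdict


if __name__ == "__main__":
    for tid, f in parse_trace(SAMPLE_TRACE).items():
        print(tid, f.get("src"), "->", f.get("dst"), f.get("dport"),
              f["verdict"], "policy", f["policy"], f.get("out_intf", "-"))
    print(summarize(SAMPLE_TRACE))
```

    Paste the trace captured after "diagnose debug flow trace start" into SAMPLE_TRACE (or read it from a file) and look first at the "no verdict" and "denied" groups.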
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/17 01:26:46
    I am beginning to suspect a DNS issue. When I went into the affected device, which is a phone, and changed the DNS type from automatic to manual and used 8.8.8.8, it worked. So I changed back to Automatic, which set the phone back to my Fortigate on 192.168.85.1, and it still worked.
    I think at times there is a DNS server resolution issue, but still not quite clear what.
    #7
    Andy Bailey
    Re: 50E Policy Setup Issues 2019/04/17 01:36:39
    How are your system DNS servers set?
     
    Are you still using the default Fortinet servers or have you reconfigured to use your ISP DNS server IPs?
     
    It looks like you are in the UK - certainly in my experience the Fortinet servers don't always work so well here. For example Sky HD boxes don't cope well with DNS delays.
     
    Also, it doesn't look like you have a DNS filter policy applied - but it's worth checking whether you have, and if so, is the site you are trying to browse in a DNS-filtered category perhaps?
     
    Hope that helps.
     
    Andy
    #8
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/17 01:45:20
    I am using the ISP DNS servers. So my clients get the Fortigate IP and it forwards any DNS requests. 
     
    Here are the relevant screens:

    #9
    Andy Bailey
    Re: 50E Policy Setup Issues 2019/04/17 02:26:45
    I see you have the same Vodafone DNS server specified twice - probably no value in that, and I see some suggestions that Vodafone's DNS servers can be a little flaky. Vodafone's ISP network is quite new and I think they have been building up capacity and servers as they go.
     
    Why don't you try adding Google's DNS server in as your secondary DNS (either 8.8.8.8 or 8.8.4.4)? If there are any issues with Vodafone's DNS at that point then the Fortigate would fall back to Google (which you know worked for this device - I think you said that DNS server worked well previously).
     
    Also (an unrelated observation) it looks like you have all the LAN interfaces still in the "Local LAN" switch. Up to you, but once you start building policies to that LAN Switch it becomes hard to split the LAN switch into separate interfaces.
     
    If for example (and highly recommended) you wanted to segregate your IoT devices (Hue lighting, Amazon devices, Ring doorbells, those sorts of things) you may want to use separate LANs or VLANs to isolate those devices. If you plan for that now it's much easier later.
     
    Just my thoughts - hope it helps you.
     
    Kind Regards,
     
    Andy.
    #10
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/17 02:42:22
    Thanks Andrew. When you said Vodafone's DNS are flaky, are you talking about Vodafone UK or Vodafone NZ?
    It's not the same server twice (note one is 203.109 and the other 203.118), but nevertheless I will put 8.8.8.8 as a secondary.
     
    Yes, I would like to do as you suggest re all the home devices we have, but I would like just to get past this pesky issue, which is stopping some phones and also the smart TV from getting internet.
     
    I also note that I have changed the DNS servers in the Fortigate, but even after a release/renew, the clients are not picking up the new servers?
    post edited by Al Grant - 2019/04/17 03:18:00
    #11
    Andy Bailey
    Re: 50E Policy Setup Issues 2019/04/17 02:59:28
    Yes, I was referring to Vodafone UK - not sure how Vodafone NZ's servers are working, but it may be worth a bit of Googling perhaps. Sorry for the mistake there - on a quick look they seemed to be identical addresses!
     
    Android devices (and in fact anything Google related) tend to prefer Google DNS - so as a general plan you can't go too far wrong with using one of their addresses. It also provides a little resiliency if Vodafone's DNS servers do fail for any reason.
     
    If you are in NZ - hello! I'm a fellow Kiwi - been living in the UK for over 20 years. I was back over Xmas and will likely return again one day.
     
    But good luck with the Fortigate - they are great devices. The Cookbooks online and the documentation generally are pretty good too. I started off buying one myself as a complete novice and learning along the way. I would never go back to a "consumer" router now. If you are from an IT or Telco background you will get the hang of them pretty quickly.
     
    Good luck,
     
     
    Andy.
     
    #12
    ede_pfau
    Re: 50E Policy Setup Issues 2019/04/17 05:26:21
    If I may chirp in...
    Your list of the policies in CLI does not reflect their sequence. "edit 1" only denotes ID 1, not that this is the first policy in sequence.
    Policies are matched top-down. The most detailed, or the one which specifies the most criteria, is followed. Matching fields are source interface, destination interface, source address, destination address, service, schedule. Particularly, fields for UTM (AV, IPS, ...), status and NAT are NOT matched.
    As soon as traffic matches a policy, its processing stops. Only if traffic does not match the first policy is it handed down to the second, and so on.
    So make sure that your policies' sequence is what you intend to achieve. Please check as well that your single address object has got a /32 netmask.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #13
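    An added example, not from the thread, that simulates the top-down matching Ede describes on the two policies posted above: the first policy whose match fields fit the packet wins, the table order (not the edit ID) decides which one that is, and an address object with a wrong netmask pulls every LAN host into the scheduled policy. The address objects, the set of active schedules and the sample packets are assumptions; the 192.168.85.x and 17.252.252.79 addresses come from the trace posted earlier.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address objects modelled on the thread's config. "Beyonce" is
# assumed to be a single host (/32); the third entry is the same object with
# the kind of wrong netmask Ede warns about.
ADDRESSES = {
    "all": ipaddress.ip_network("0.0.0.0/0"),
    "Beyonce": ipaddress.ip_network("192.168.85.190/32"),
    "Beyonce-wrong-mask": ipaddress.ip_network("192.168.85.0/24"),
}

@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: str   # "ALL" or one "proto/port" string such as "tcp/443"
    schedule: str  # "always" or a named recurring schedule

@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    service: str

# The two policies from the thread ("No Schedule LAN to WAN" and "Scheduled
# No Social Media"). The edit ID is not the lookup order.
POLICY_1 = Policy(1, "lan", "Vodafone WAN", "all", "all", "ALL", "always")
POLICY_2 = Policy(2, "lan", "Vodafone WAN", "Beyonce", "all", "ALL", "Kids")
WIDE_2 = Policy(2, "lan", "Vodafone WAN", "Beyonce-wrong-mask", "all", "ALL", "Kids")

def matches(p, pkt, active_schedules):
    """Compare only the fields the lookup uses: interfaces, addresses,
    service and schedule. UTM profiles, logging and NAT are not criteria."""
    if (p.srcintf, p.dstintf) != (pkt.srcintf, pkt.dstintf):
        return False
    if ipaddress.ip_address(pkt.src) not in ADDRESSES[p.srcaddr]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ADDRESSES[p.dstaddr]:
        return False
    if p.service != "ALL" and p.service != pkt.service:
        return False
    return p.schedule == "always" or p.schedule in active_schedules

def first_match(policies, pkt, active_schedules=frozenset()):
    """Top-down lookup: the first matching policy wins and evaluation stops.
    Returns its id, or None for the implicit deny at the bottom."""
    for p in policies:
        if matches(p, pkt, active_schedules):
            return p.id
    return None

def shadowed_policies(policies):
    """Return (shadowed_id, shadowing_id) pairs: a policy is dead when an
    always-on policy above it, on the same interfaces and service, covers
    both of its address objects entirely."""
    result = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            same_path = ((earlier.srcintf, earlier.dstintf, earlier.service)
                         == (later.srcintf, later.dstintf, later.service))
            covers = (ADDRESSES[later.srcaddr].subnet_of(ADDRESSES[earlier.srcaddr])
                      and ADDRESSES[later.dstaddr].subnet_of(ADDRESSES[earlier.dstaddr]))
            if same_path and covers and earlier.schedule == "always":
                result.append((later.id, earlier.id))
                break
    return result

PHONE = Packet("lan", "Vodafone WAN", "192.168.85.190", "17.252.252.79", "tcp/443")
OTHER = Packet("lan", "Vodafone WAN", "192.168.85.50", "17.252.252.79", "tcp/443")

if __name__ == "__main__":
    # Catch-all first: policy 2 is never reached, every host stays on policy 1.
    print(first_match([POLICY_1, POLICY_2], PHONE, {"Kids"}), shadowed_policies([POLICY_1, POLICY_2]))
    # Specific policy first: only the phone hits policy 2 during "Kids".
    print(first_match([POLICY_2, POLICY_1], PHONE, {"Kids"}), first_match([POLICY_2, POLICY_1], OTHER, {"Kids"}))
    # Same order, /24 mask: the whole LAN lands on the restricted policy
    # during "Kids", which is the symptom the thread opens with.
    print(first_match([WIDE_2, POLICY_1], OTHER, {"Kids"}))
```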
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/18 02:25:47
    Yes, I have changed the order and tried disabling everything but the policy which allows internet access - to no avail.
     
    I note a Chromecast works fine - just this pesky TV won't detect internet.
    #14
    Andy Bailey
    Re: 50E Policy Setup Issues 2019/04/18 03:19:45
    I guess you have logging enabled on all the policies? If you have can you see if anything is being blocked in the log files (check for result= Deny (All) or Action = Blocked)?
     
    At this point do you have any security policies applied to the policies? If you have logging enabled, the logs will also indicate which Fortigate security policy has been triggered (e.g. Web Filter, App Filter, AV etc).
     
    Also, have you checked your MTU sizes on both the LAN and WAN interfaces? You may see "ip-conn" (IP connection) errors in the logs if you have issues there. I'm not sure what Vodafone NZ use - but it looks as though it's pretty standard at 1500 bytes for the WAN side for Fibre connections.
     
    Lastly, I know that the TV software often causes issues - have you checked the TV software is up to date as well? Is there a setting for MTU size on the TV too perhaps? Checked that maybe?
     
    Good luck.
     
     
    Andy.
    #15
    Al Grant
    Re: 50E Policy Setup Issues 2019/04/18 22:16:11
    As if things weren't bad enough, an Apple iPhone behind the router also has intermittent issues where for a few minutes all the trace shows is this:
     
    2683.685404 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139
    2692.702805 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139
    2719.760759 192.168.85.190.5353 -> 224.0.0.251.5353: udp 139
     
    No reply from the router. Eventually, after a few minutes, it springs into life, or if I do a renew on the iPhone it goes. I am ready to return this if this is the sort of buggy stuff they put out.
    post edited by Al Grant - 2019/04/18 23:48:03
    #16