subnet doesn't match any policy

Author
issame
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/12 03:26:10
  • Status: offline
2020/06/12 03:56:38
0

subnet doesn't match any policy

Hello,
I have only one subnet that doesn't match any IPv4 policy. When I check the router lookup I find the route to this subnet, but when I use the policy lookup for this subnet it matches policy id=0,
knowing that I have a policy from my VLAN to WAN with source set to any and destination set to any, and all services are accepted.

Attached Image(s)

#1
ede_pfau
Expert Member
  • Total Posts : 6383
  • Scores: 547
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: subnet doesn't match any policy 2020/06/12 12:42:13
0
Re-check and double check the network address and netmask on the interfaces involved. Even with a matching route (again: check address and mask) and a plain open policy a connection might fail.
You can debug that by using "diag debug flow" but my experience is that if you already know it's hitting policy 0 it will not give you any additional info.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
emnoc
Expert Member
  • Total Posts : 5860
  • Scores: 387
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: subnet doesn't match any policy 2020/06/12 13:02:28
0
Ede nailed it, but your answer is in your screenshot. It sounds like the wrong interface pairs are not being matched.
 
Here's a trick I've been doing now for 14+ years. If you believe the src-dst-address and service is correct, change the policy src/dst-interfaces to "all" and test. If the traffic matches that changed policy, you know the interfaces are wrong.
 
e.g.
 
 
config firewall policy
edit 2
set name "school out"
set uuid ba78edf0-79ec-51ea-75d7-3e1d831dc294
set srcintf "lan"
set dstintf "wan1"
set srcaddr "LAN"
set dstaddr "all"
set action accept
set schedule "always"
set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
set nat enable
next
end
 
Now I made it simpler by eliminating the interface from the policy:
 
 
config firewall policy
edit 2
set srcintf "any"
set dstintf "any"
set srcaddr "LAN"
set dstaddr "all"
set action accept
set schedule "always"
set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
set nat enable
next
end

 
Ken Felix
 
 

PCNSE 
NSE 
StrongSwan  
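The isolation trick in the post above, as an added example that is not part of the thread: a minimal model of first-match policy lookup with an implicit-deny policy 0, showing that a flow arriving on the wrong ingress interface falls to policy 0 under the lan/wan1 policy but matches once the interfaces are set to any. Policy fields follow the posted policy 2; the interface name "vlan20", the address ranges and the flow are constructed for illustration.

```python
# Added example: toy first-match policy lookup in the style of a FortiGate
# policy table. Policy 0 is the implicit deny. All values are constructed.
from ipaddress import ip_address, ip_network

# Constructed address objects: name -> networks it contains.
ADDRESSES = {
    "LAN": [ip_network("192.168.10.0/24")],
    "all": [ip_network("0.0.0.0/0")],
}

def addr_matches(obj_name, ip):
    return any(ip_address(ip) in net for net in ADDRESSES[obj_name])

def intf_matches(policy_intf, actual_intf):
    # "any" matches every interface; otherwise names must be identical.
    return policy_intf == "any" or policy_intf == actual_intf

def lookup(policies, flow):
    """Return the id of the first matching policy, or 0 (implicit deny)."""
    for p in policies:
        if (intf_matches(p["srcintf"], flow["srcintf"])
                and intf_matches(p["dstintf"], flow["dstintf"])
                and addr_matches(p["srcaddr"], flow["src"])
                and addr_matches(p["dstaddr"], flow["dst"])
                and flow["service"] in p["service"]):
            return p["id"]
    return 0

# Policy 2 as posted, bound to the interface pair lan -> wan1.
POLICY_LAN_WAN1 = {"id": 2, "srcintf": "lan", "dstintf": "wan1",
                   "srcaddr": "LAN", "dstaddr": "all",
                   "service": {"DNS", "HTTP", "HTTPS", "PING", "SSH"}}
# The same policy with both interfaces opened to "any" (the troubleshooting step).
POLICY_ANY_ANY = dict(POLICY_LAN_WAN1, srcintf="any", dstintf="any")

# Constructed flow: the host sits behind "vlan20", not "lan"; address and
# service are otherwise correct, so only the interface pair is wrong.
FLOW = {"srcintf": "vlan20", "dstintf": "wan1",
        "src": "192.168.10.25", "dst": "203.0.113.10", "service": "HTTPS"}

def diagnose(flow):
    """(strict_id, relaxed_id); 0 -> 2 means the interface pair is the culprit."""
    return lookup([POLICY_LAN_WAN1], flow), lookup([POLICY_ANY_ANY], flow)

if __name__ == "__main__":
    strict, relaxed = diagnose(FLOW)
    print(f"lan/wan1 policy -> id {strict}; any/any policy -> id {relaxed}")
```

If the relaxed lookup still returns 0, the interfaces are not the problem and the address objects or service set need the same check.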
#3
issame
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/12 03:26:10
  • Status: offline
Re: subnet doesn't match any policy 2020/06/12 13:30:35
0
Thank you all, but I tried to use any interface in destination, all services, but they don't work, and I already executed the diag debug flow but without any solution. I think that I need to restart the policy but I don't know how!!
I think this is a bug inside FortiGate.
#4
emnoc
Expert Member
  • Total Posts : 5860
  • Scores: 387
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: subnet doesn't match any policy 2020/06/12 14:16:14 (marked helpful by lobstercreed 2020/06/13 11:28:31)
5 (1)
Come on, it's not a bug in the FortiGate; it's not a FortiOS or hardware issue.
 
If you're hitting policy 0 and you think you have a policy that should have matched and it did NOT, then your policy creation is flawed or incorrect: typo, wrong interface(s), wrong address, wrong service... pick one, but your policy is NOT being matched and a reason exists as to why.
 
The diag debug flow output kind of tells you where your next step(s) are. Your screenshot attachment clearly tells you that you have no match also.
 
You need to do some more work and correct the reason as to why "the policy that you 'wrote'" is not working. It's really that simple.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#5
fcb
Bronze Member
  • Total Posts : 49
  • Scores: 2
  • Reward points: 0
  • Joined: 2007/06/20 21:01:59
  • Status: offline
Re: subnet doesn't match any policy 2020/08/31 10:07:23
0
I've got some policies that are hitting 0 or are hitting a policy lower in the ACL. I don't get this, so I'm searching for possible reasons why ANY ANY is not matching. Seen this before; simply moving the policy down the ACL will fix it, but why? This I believe could be a bug of sorts, OR I'm not understanding how interface "any" interacts with security policies.
 
I should add that some traffic matches policy id 132 but not everything... not by a long shot.

EDIT: PS: Just accidentally hijacked this post. Apologies. Will re-post elsewhere as new thread
post edited by fcb - 2020/08/31 10:35:16

Attached Image(s)

#6