Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Behzadawesome
New Contributor

Fortigate zone based firewall

Hi all,

I am trying to test the firewalling feature of Fortigate.

My question/problem is as follows:

I have 3 zones named, INSIDE, OUTSIDE_A, OUTSIDE_B and they have different interface assigned to them.

I was trying to simulate the asymmetic routing which I would expect to be denied by most firewall by default. However, when I have tried to "send the traffic" from INSIDE to the OUTSIDE_A, and the return packet from OUTSIDE_B to INSIDE, the traffic is allowed.

I have only one permit policy which allows all traffic from INSIDE zone to be go out to the OUTSIDE_A zone and there is NO other policy defined in the policies.

The testing protocol is ICMP ping.

 

any help would be appreciated as it is a fundamental problem which I have.

 

Regards

 Behzad

18 REPLIES 18
emnoc
Esteemed Contributor III

1st  ; Policy does not control traffic. What do you have in your route table and mainly for the source of the datagram that are returned?

 

Also you might want to run a "diag debug flow" to get a trace on the traffic and see what is shown. You can search here to see examples of how to set the filter and execution for that command.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Behzadawesome

Hi emnoc

first off, thanks for your reply.

what do u mean the Policy does not control the traffic? do you mean that the IPv4 policy under the security section does not control the traffic?\

 

 

emnoc
Esteemed Contributor III

Let me correct that. "it does not control routing the traffic". the routes is looked at 1st to determine what policy to match if any. In your case a "diag debug flow" and it's output would be helpful. The 1st few lines after the start of the trace will have "gw" or "next-hop" in it ( can't which ) and then the matched-policy.

 

Can you share that ? Sanitize if you have sensitive ip_address

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

I can assure you, asymmetric routing is always causing denied traffic (except for if you explicitely allow it).

Please post your routing table (CLI: get route info rou all). At the moment we can only speculate how you set up your FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
live89

Check this configuration from CLI:

 

FW1 # config system settings FW1 (settings) # get | grep asym asymroute           : disable asymroute-icmp      : disable asymroute6          : disable asymroute6-icmp     : disable

 

They should be disabled

Thanks

Thanks
emnoc
Esteemed Contributor III

if you use the "diag debug flow" the iprope will show you the route lookedup

 

e.g  ( focus on the lines that contains )

 

   msg="find a route:

 

 

That flow should arrive back on the same interface. If you do not have asymmetrical enable you could doa diag sniffer packet any "host x.x.x.x and port abcd" 4  and that will show you ingress/egress interfaces. 

 

Just remember the function_iprope comes before the policy lookup and match|deny

 

This might help to analyze your issues

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
behzadb23

 

 

hi,as you can see all of them are disable.

behzadb23

 

hi, as you can see in the attached file, all of them are disable.

sw2090
Honored Contributor

Sounds familiar to mee. 

If you have a policy that allows subnet a to access subnet b and you ping a host in subnet b from a host in sbunet a then you will get a ping reply even though you don't have a reverse policy.

I think this is wanted behaviour.  You should be denied if you try to ping a host in subnet a from a host in subnet b for there is no policy that allows that.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels
Top Kudoed Authors