Firewall just WON'T LET THIS TRAFFIC OUT!

Author
jason@datatenant.com
2021/05/21 14:42:38 (permalink)


Hello y'all.
I'm having an issue, and I have no doubt I'm missing something simple, but try as I might I can't figure it out.
 
I'm setting up some Policies for "bypass" to allow servers to get out to the Internet for updates for certain products, and for our RMM tool.
 
Thing is, I've added bypasses for HTTP (80) and HTTPS (443) for several domains (*.packages.chocolatey.org and *.activeupdate.trendmicro.com) and they STILL show up in the "DENY" log. I can't figure out why it keeps getting "blocked".
 
I'm sure I'm missing something simple. Any guidance is massively appreciated.
-jb
#1

13 Replies

    40james_FTNT
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/23 08:16:52 (permalink)
    Run a debug flow and see what it says.

    https://docs.fortinet.com...ugging-the-packet-flow
    #2
    trixsta
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/23 13:45:11 (permalink)
    Is your firewall in NGFW Mode with Central NAT?
    #3
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/23 18:29:10 (permalink)
    No to Central SNAT. It is Multi-VDOM Profile Based (not policy based).
    #4
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/23 19:32:09 (permalink)
    Thanks for the reply.
    I followed the instructions, using the IP of the site that the Fortinet logs are showing hitting the "deny" policy, and the debug screen shows...nothing.
    Undoubtedly I'm doing something wrong, because the FW is showing the traffic as being dropped in the logs, but the debug screen shows Jack and Shiza....
    Thanks again for the help. This profile is multi-VDOM and is Profile Mode, if that makes a difference.
    #5
    Yurisk
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/24 02:36:41 (permalink)
    I'd start by looking attentively at the drop log - it says the reason for a drop, what is it?
     

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #6
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/24 11:22:12 (permalink)
    Action: Deny: policy violation
    Threat: 131072
    Policy: Block (1)
    Policy UUID: faf9f460-16b8-51ea-7f86-f61019f89d9d
    Policy Type: IPv4
    #7
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/24 11:24:08 (permalink)
    Nothing helpful. "Policy violation"
    Again, the frustrating thing is that both the SRC and DST IPs/FQDNs have a policy to ALLOW the very traffic that's being blocked. I don't understand how they're slipping through the respective "allow" policies.
     -jb
    #8
    PTM
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/26 14:43:43 (permalink)
    Quick question.
    How are you matching a site such as *.packages.chocolatey.org ?
    #9
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/26 14:57:36 (permalink)
    Thanks for the reply! I'm using FQDN and wildcard specification for this.
    Specific to "chocolatey.org", the FG is saying "unresolved FQDN". However, we have this same problem on many, many other domains that do resolve the wildcard addresses.
    Example attached:
    [Attached image not reproduced]
    #10
    sw2090
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/27 01:24:18 (permalink)
    Just some hints:
     
    If you use URL filter rules, check the order and mode of your rules. Deny rules have to be the last and allowing rules have to come before them, as rules are processed top down. Also, if there is a deny rule in the URL filter, you have to set allowing rules to "exempt" instead of "allow" to have the URL filter stop processing rules once it hits the first one that matched.
    Otherwise traffic would be denied even if there is an allowing rule before the deny one.
     
    Policies are processed the same way. So make sure your bypass policies come in front of the deny policy(s). Otherwise the deny policy(s) would match first; policies, so to say, are always "exempt".

    -- 
    "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
    #11
    PTM
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/27 03:31:56 (permalink)
    This method relies on the FG being able to perform passive inspection of unencrypted DNS responses. 
    I don't use wildcard FQDN myself, however I briefly worked in an environment where it had been configured but wasn't working. As a test, I configured the FG to act as a DNS server and pointed all of the internal clients at it. After this, the wildcard FQDN started working.
    Didn't have any more time to spend on it - so unfortunately I can't shed any more light on it than this.
     
    Hope this helps.
     
    PTM
    #12
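A small model of the two mechanisms raised in #11 and #12: top-down, first-match policy evaluation, and wildcard FQDN objects that only contain the IPs the firewall has learned from DNS replies it actually saw. This is an added illustration written for this page, not FortiGate code; the Policy class, WildcardFqdnCache, the 10.0.0.0/24 and 203.0.113.0/24 ranges and the hostname are constructed assumptions, and real FortiGate matching also considers interfaces, VDOMs, services and more.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    src: str        # source subnet, CIDR
    dst: list       # CIDR strings and/or wildcard FQDN objects ("*.x.y")
    dport: int      # 0 = any destination port
    action: str     # "accept" or "deny"

class WildcardFqdnCache:
    # IPs a wildcard FQDN object knows. Per #12 the FG only learns them from
    # DNS replies it sees, modelled here as explicit observe() calls.
    def __init__(self):
        self.seen = {}  # hostname -> set of IPs
    def observe(self, name, ip):
        self.seen.setdefault(name.lower(), set()).add(ip)
    def resolve(self, pattern):
        return {ip for name, ips in self.seen.items()
                if fnmatch.fnmatchcase(name, pattern.lower()) for ip in ips}

def dst_matches(obj, dst_ip, cache):
    if obj.startswith("*."):
        return dst_ip in cache.resolve(obj)  # unresolved -> empty set -> no match
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(obj)

def evaluate(policies, src_ip, dst_ip, dport, cache):
    # Top-down, first match wins; nothing matched -> implicit deny.
    for p in policies:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(p.src):
            continue
        if p.dport and p.dport != dport:
            continue
        if any(dst_matches(o, dst_ip, cache) for o in p.dst):
            return p.name, p.action
    return "implicit", "deny"

# Constructed sample: a server subnet, the bypass from the thread and an explicit
# final deny. IPs are documentation ranges; the hostname is made up for the demo.
BYPASS = Policy("bypass-updates", "10.0.0.0/24", ["*.packages.chocolatey.org"], 443, "accept")
BLOCK = Policy("Block", "10.0.0.0/24", ["0.0.0.0/0"], 0, "deny")

def demo():
    cache = WildcardFqdnCache()
    flow = ("10.0.0.5", "203.0.113.10", 443)
    unresolved = evaluate([BYPASS, BLOCK], *flow, cache)
    cache.observe("host1.packages.chocolatey.org", "203.0.113.10")  # FG saw the reply
    resolved = evaluate([BYPASS, BLOCK], *flow, cache)
    deny_first = evaluate([BLOCK, BYPASS], *flow, cache)  # ordering mistake from #11
    return {"unresolved": unresolved, "resolved": resolved, "deny_first": deny_first}
```

With an empty cache the bypass never matches and the flow falls through to the final deny, which is what a "Policy violation" hit on the block policy looks like in the log; once the firewall has seen a matching DNS reply the bypass matches, unless the deny sits above it.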
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/27 10:03:26 (permalink)
    Thanks for the assist!
    Indeed, I only have a single "deny" rule for each "zone to zone" policy, and that is at the very bottom.
    I don't use URL filtering currently. Essentially, all of the "NGFW" features of this box are effectively "off". It's just acting like an "allow/deny" box.
     
    #13
    jason@datatenant.com
    Re: Firewall just WON'T LET THIS TRAFFIC OUT! 2021/05/27 10:05:16 (permalink)
    Unfortunately, I can't point all DNS to the firewall. Too much AD/LDAP/misc integration. While it's possible this may work, even if it does, it wouldn't be a tenable solution. Thanks regardless.
    #14