FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aksingh
Staff
Article Id 194951
Purpose
A FortiGate unit is unable to connect to FDS servers if a firewall policy is defined with the destination address set to "All" (that is, 0.0.0.0/0) AND the action set to IPSec.

This is because traffic self-originated by the FortiGate is intercepted by the VPN daemon when leaving the outgoing interface, since the policy matches it with a valid action to ENCRYPT the traffic.
  • Position of the firewall policy in the list is not relevant.
  • It also applies if an explicit policy is also set with action set to ACCEPT.
  • It does not apply if the VPN Phase 1 is configured in Interface mode. In this case a firewall policy between any source interface and the VPN tunnel as destination interface, with source and destination address set to ANY, will not capture FortiGate self-originated traffic.
  • It applies regardless of which Phase 2 selectors are configured for this Phase 1.

The following protocol attempts will fail in this case:

  • Ping
  • DNS resolution
  • FDS server query for Registration, Updates or FortiGuard services
  • Logging to external Syslog or FortiAnalyzer

Expectations, Requirements
The destination address should be explicitly specified (not "All") when defining a firewall policy with the action set to IPSec.
Configuration
config firewall policy
    edit 11
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "201"
    next
end
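The following is an added audit check, not part of this article or of FortiOS: it parses a "config firewall policy" block from a saved configuration (the sample below is constructed, with policy 11 reproducing the combination above) and reports every policy-mode IPsec policy whose destination address includes "all".

```python
import re

# Constructed sample FortiOS config (not from a real device). Policy 11 is the
# combination the article describes; 12 scopes dstaddr to a named remote subnet;
# 13 uses dstaddr "all" with action accept, which is not affected.
SAMPLE_CONFIG = """\
config firewall policy
    edit 11
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set vpntunnel "201"
    next
    edit 12
        set srcaddr "all"
        set dstaddr "remote_lan"
        set action ipsec
        set vpntunnel "202"
    next
    edit 13
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

def parse_firewall_policies(text):
    """Parse a 'config firewall policy' block into {policy_id: {key: [values]}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, rest = line[4:].partition(" ")
            # values are quoted strings or bare tokens, possibly several per line
            policies[current][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            current = None
    return policies

def find_ipsec_policies_with_dstaddr_all(text):
    """IDs of policy-mode IPsec policies whose destination includes 'all' (0.0.0.0/0)."""
    return sorted(
        pid for pid, attrs in parse_firewall_policies(text).items()
        if attrs.get("action") == ["ipsec"] and "all" in attrs.get("dstaddr", [])
    )
```

Running it against a full "show full-configuration" export works the same way, since lines outside "edit ... next" blocks are ignored.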

Troubleshooting
The FortiGate is able to ping/connect to the FDS server before creating the firewall policy with destination address set to "All" and Action IPSEC.

FGT # exec ping service.fortiguard.net
PING guard.fortinet.net (<ip_address>): 56 data bytes
64 bytes from <ip_address>: icmp_seq=0 ttl=42 time=597.3 ms
64 bytes from <ip_address>: icmp_seq=1 ttl=42 time=576.7 ms
The FortiGate is unable to ping or perform DNS resolution once a firewall policy is created with the destination set to "All" and the action set to ENCRYPT.
FGT # exec ping service.fortiguard.net
PING guard.fortinet.net (ip_address): 56 data bytes
Timeout ...
Timeout ...

FGT # exec ping <dns_ip_address>
PING <dns_ip_address> (<dns_ip_address>): 56 data bytes
Timeout ...
Timeout ...
