This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

PA- Security Policy Destination as FQDN issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA- Security Policy Destination as FQDN issue

k.siddig.hassan
L0 Member

‎10-18-2024 03:30 AM

Dear Community,

 

I am facing an issue were the i have post security rule allowing the access to some FortiGuard URLs, on the other hand i am have a default deny rule with reset-both action right above to the interzone & intrazone policies. What actually happening is  the traffic will hit the allow policy and right after will hit the default deny rule. It worth mentioning that, FQDNs are resolving the correct Fortinet IPs. I have already resolved the issue by creating URL category object and pass it to the same policy post removing the FQDNs. Now the most confusing part is there's some other policies are working fine as FQDNs. Would appreciate your insights, expert feedback on this issue. 

 

Sidenote, will not be able to provide any sort of attachments considering that it's a critical environment.

0 Likes Likes
2 REPLIES 2

BPry
Cyber Elite
Cyber Elite

‎10-18-2024 10:07 PM

@k.siddig.hassan,

If I followed everything properly it just sounds like your firewall and clients aren't consistently in agreement about where those FQDN objects actually resolve. This isn't an uncommon scenario with FQDN objects trying to be used for some services (as an example, the pool.ntp.org FQDNs will encounter the same thing). If you're capturing all of the URL logs from clients (IE: have all categories set to at least alert) you should be able to validate this easily in your logs. Since removing the FQDN objects and just using the custom URL category resolves the issue however, this is the most likely scenario that you're running into.

0 Likes Likes

k.siddig.hassan
L0 Member
In response to BPry

‎10-19-2024 08:35 AM

Thank you so much for your response.

I agree with the points you have raised sometimes the customer requested domain might be something else. However, there’s some concerns. The domains are resolving just fine. The deny logs are for the same resolved destinations, the policy is actually matching and the hit counts are increasing. As per my understanding once it’s mach it should stop at that point. Why it was keep matching. I had similar case but i found the one who implemented the rule cloned a police with URL category and he forgot to remove it while he added destination IPs to the policy. It was also matching and getting denied by the same default deny policy.

0 Likes Likes
  • 136 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks