PA- Security Policy Destination as FQDN issue


Dear Community,

 

I am facing an issue where I have a post security rule allowing access to some FortiGuard URLs; on the other hand, I have a default deny rule with reset-both action right above the interzone & intrazone policies. What is actually happening is that the traffic will hit the allow policy and right after will hit the default deny rule. It is worth mentioning that the FQDNs are resolving to the correct Fortinet IPs. I have already resolved the issue by creating a URL category object and passing it to the same policy after removing the FQDNs. Now the most confusing part is that some other policies are working fine with FQDNs. I would appreciate your insights and expert feedback on this issue.

 

Sidenote: I will not be able to provide any sort of attachments, considering that it's a critical environment.

2 REPLIES

Cyber Elite

@k.siddig.hassan,

If I followed everything properly, it just sounds like your firewall and clients aren't consistently in agreement about where those FQDN objects actually resolve. This isn't an uncommon scenario with FQDN objects being used for some services (as an example, the pool.ntp.org FQDNs will encounter the same thing). If you're capturing all of the URL logs from clients (i.e. have all categories set to at least alert), you should be able to validate this easily in your logs. Since removing the FQDN objects and just using the custom URL category resolves the issue, however, this is the most likely scenario that you're running into.
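To make the reply's point concrete, here is an added Python model (not code from this thread, from the poster, or from Palo Alto Networks) of first-match security policy evaluation. The allow rule references an FQDN address object, which the firewall matches against the address set it has cached from its own DNS resolution; the client resolves the same name separately and may receive a different A record (a rotated CDN address, for example). A session to an address that is in the client's answer but not in the firewall's cache fails to match the allow rule and falls through to the catch-all deny, even though the name "resolves fine" from both sides. The FQDN, addresses and rule names below are constructed placeholders.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed sample data (RFC 5737 documentation addresses, placeholder FQDN).
# The firewall refreshes FQDN objects on its own timer from its own resolver;
# the client asks its resolver at connect time and may get a different record.
FIREWALL_FQDN_CACHE: Dict[str, Set[str]] = {
    "update.example-vendor.invalid": {"198.51.100.10", "198.51.100.11"},
}
CLIENT_DNS_ANSWERS: Dict[str, Set[str]] = {
    # The client received one address the firewall has not cached yet.
    "update.example-vendor.invalid": {"198.51.100.10", "198.51.100.12"},
}


@dataclass
class Rule:
    name: str
    action: str                                          # "allow" or "deny"
    dst_fqdns: List[str] = field(default_factory=list)   # FQDN address objects
    dst_cidrs: List[str] = field(default_factory=list)   # static address objects
    any_destination: bool = False                        # destination "any"


def rule_matches(rule: Rule, dst_ip: str, fqdn_cache: Dict[str, Set[str]]) -> bool:
    """Destination match only: a rule matches if the packet's destination IP is
    in one of its static objects or in the firewall's *current* resolution of
    one of its FQDN objects. The client's own DNS answer plays no part here."""
    if rule.any_destination:
        return True
    ip = ip_address(dst_ip)
    if any(ip in ip_network(net, strict=False) for net in rule.dst_cidrs):
        return True
    return any(dst_ip in fqdn_cache.get(name, set()) for name in rule.dst_fqdns)


def first_match(rulebase: List[Rule], dst_ip: str,
                fqdn_cache: Dict[str, Set[str]]) -> Optional[Rule]:
    """Top-down, first-match evaluation: the first rule that matches decides."""
    for rule in rulebase:
        if rule_matches(rule, dst_ip, fqdn_cache):
            return rule
    return None


def explain_client_flows(rulebase: List[Rule], fqdn: str,
                         client_answers: Dict[str, Set[str]],
                         fqdn_cache: Dict[str, Set[str]]) -> Dict[str, str]:
    """For every address the client might connect to for `fqdn`, report the
    rule its session would hit. Disagreement shows up as a deny hit."""
    report = {}
    for ip in sorted(client_answers[fqdn]):
        rule = first_match(rulebase, ip, fqdn_cache)
        report[ip] = rule.name if rule else "no match"
    return report


def stale_addresses(fqdn: str, client_answers: Dict[str, Set[str]],
                    fqdn_cache: Dict[str, Set[str]]) -> List[str]:
    """Addresses the client may use that the firewall's FQDN object does not
    currently contain: the candidates to look for in the deny logs."""
    return sorted(client_answers[fqdn] - fqdn_cache.get(fqdn, set()))


# Constructed rulebase mirroring the thread: an allow rule by FQDN object,
# followed by a catch-all deny.
RULEBASE = [
    Rule("allow-vendor-updates", "allow", dst_fqdns=["update.example-vendor.invalid"]),
    Rule("default-deny", "deny", any_destination=True),
]

if __name__ == "__main__":
    name = "update.example-vendor.invalid"
    for ip, hit in explain_client_flows(RULEBASE, name, CLIENT_DNS_ANSWERS,
                                        FIREWALL_FQDN_CACHE).items():
        print(f"{name} -> {ip}: hits rule '{hit}'")
    print("addresses unknown to the firewall's FQDN object:",
          stale_addresses(name, CLIENT_DNS_ANSWERS, FIREWALL_FQDN_CACHE))
```

Run as-is, the session to 198.51.100.10 hits the allow rule and the session to 198.51.100.12 hits default-deny: both look like "the name resolves correctly" from the client, but only one address is in the firewall's view of the object. When diagnosing a live firewall, the equivalent check is to compare the address set the firewall currently holds for the FQDN object against the destination IPs recorded in the deny log entries, which is what the reply's suggestion of logging all URL categories at alert makes visible.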

Thank you so much for your response.

I agree with the points you have raised; sometimes the customer-requested domain might be something else. However, there are some concerns. The domains are resolving just fine. The deny logs are for the same resolved destinations; the policy is actually matching and the hit counts are increasing. As per my understanding, once it's matched it should stop at that point. Why does it keep matching? I had a similar case, but I found that the one who implemented the rule cloned a policy with a URL category and forgot to remove it while he added destination IPs to the policy. It was also matching and getting denied by the same default deny policy.
