Fortinet black logo

Agentless ZTNA with FortiSIEM UEBA and FortiGate

Home FortiSIEM 7.1.1 Agentless ZTNA with FortiSIEM UEBA and FortiGate
7.1.1
7.1.6
7.1.5
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.3
7.0.2
7.0.1
7.0.0
6.7.9
6.7.8
6.7.7
6.7.6
6.7.5
6.7.4
6.7.3
6.7.2

Verify Access to the FortiGates are blocked by the local-in Policy

Verify Access to the FortiGates are blocked by the local-in Policy

From the client computer, try accessing the 1st Floor FortiGate (10.100.88.101) on the browser. The page cannot be loaded.

Sniff for packets from the client:

# diag sniffer packet any 'host 10.100.91.100 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.100.91.100 and port 443]
2023-05-25 22:24:57.463149 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119 
2023-05-25 22:24:57.714817 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329 
2023-05-25 22:25:00.464681 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119 
2023-05-25 22:25:00.718445 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329

View the Local Traffic log from Log & Report, or retrieve the logs from the CLI.

# exec log filter category 0
# exec log filter field srcip 10.100.91.100
# exec log filter field subtype local
# exec log display
1: date=2023-05-25 time=22:37:09 eventtime=1685054229545948615 tz="+0000" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=5248 srcintf="port3" srcintfrole="lan" dstip=10.100.88.101 dstport=443 dstintf="root" dstintfrole="undefined" srcuuid="3fce57a6-fa91-51ed-87dc-0bf9d8ae8bdb" dstuuid="c935b9d6-f94b-51ed-e21f-70dcd8bb79b3" srcthreatfeed="g-FSM_Threat_Feed" srccountry="Reserved" dstcountry="Reserved" sessionid=1006928 proto=6 action="deny" policyid=1 policytype="local-in-policy" poluuid="8411e586-fb4a-51ed-28e4-27b1e150b98a" service="HTTPS" trandisp="noop" app="Web Management(HTTPS)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" osname="Windows" srcswversion="8.1" mastersrcmac="02:09:0f:00:09:01" srcmac="02:09:0f:00:09:01" srcserver=0

Previous
Next

Verify Access to the FortiGates are blocked by the local-in Policy

From the client computer, try accessing the 1st Floor FortiGate (10.100.88.101) on the browser. The page cannot be loaded.

Sniff for packets from the client:

# diag sniffer packet any 'host 10.100.91.100 and port 443' 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.100.91.100 and port 443]
2023-05-25 22:24:57.463149 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119 
2023-05-25 22:24:57.714817 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329 
2023-05-25 22:25:00.464681 port3 in 10.100.91.100.5013 -> 10.100.88.101.443: syn 1024673119 
2023-05-25 22:25:00.718445 port3 in 10.100.91.100.5014 -> 10.100.88.101.443: syn 674054329

View the Local Traffic log from Log & Report, or retrieve the logs from the CLI.

# exec log filter category 0
# exec log filter field srcip 10.100.91.100
# exec log filter field subtype local
# exec log display
1: date=2023-05-25 time=22:37:09 eventtime=1685054229545948615 tz="+0000" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.100.91.100 srcname="TAMIGERBER" srcport=5248 srcintf="port3" srcintfrole="lan" dstip=10.100.88.101 dstport=443 dstintf="root" dstintfrole="undefined" srcuuid="3fce57a6-fa91-51ed-87dc-0bf9d8ae8bdb" dstuuid="c935b9d6-f94b-51ed-e21f-70dcd8bb79b3" srcthreatfeed="g-FSM_Threat_Feed" srccountry="Reserved" dstcountry="Reserved" sessionid=1006928 proto=6 action="deny" policyid=1 policytype="local-in-policy" poluuid="8411e586-fb4a-51ed-28e4-27b1e150b98a" service="HTTPS" trandisp="noop" app="Web Management(HTTPS)" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low" osname="Windows" srcswversion="8.1" mastersrcmac="02:09:0f:00:09:01" srcmac="02:09:0f:00:09:01" srcserver=0

Previous
Next