Sunday, May 5, 2019

Automation Tool fails to FortiGate via SSH

Hi Guys,

First, excuse my poor English.

We have this weird case where there is an automation tool which adds addresses to an address group in the FortiGate firewall, rather than adding them manually.

Now the tool connects to the FortiGate firewall using SSH. We have a group called FAKE_group; this group contains 35 addresses (members).

The problem is that when we add a new member we get an error. When we look at the system event log we see that the automation tool's user logs in to the firewall and logs out without editing the FAKE group; in other words, it just logs in, makes no changes to the FAKE group and logs out. For the sake of the post, let's call this firewall FW-A.

Our automation tool connects to FW-A via port3. When the tool tries to delete members from the group this happens without any problem: it logs in, edits the group and logs out. But when adding to the FAKE group it shows an error.

In our FW-A we have several VDOMs.

So our topology is like this: we have the automation tool running on a Linux server connected to FW-C, which connects to our FW-A routers (let's call them RTR-A and RTR-B), which then connect to our FW-A.

What I have done so far:

1- Connected the automation tool to a different port and ran the script; it successfully added to the FAKE group without any problem. When you look at the system event you see: login, edited FAKE group and logged out successfully.

2- We added the same group to a different firewall and it was adding to the group successfully. We have FW-B; we created the same group there and added 35 members to it. When the tool tried to add the 36th member it went without any issue.

3- Created a ticket with FortiGate; they simulated the script and the same scenario and it ran successfully.

4- We looked at the same event closely and found out there is a "client-rst" sent from the server.

5- As a workaround we divided the group into two sub-groups called "FAKE1" and "FAKE2", and the tool is now adding to FAKE2, which is working with no problem.

This could mean that either FW-C, which is in the middle, sends the client-rst, or the routers RTR-A and RTR-B do. But like I mentioned before, we tested the same scenario on a different FW (FW-B) and it went successfully, and this same FW-B connects to FW-C, the same firewall that connects to FW-A. This leaves us with the routers, but when you check the L3 path it's fine: there are no errors on the interfaces, and the other firewalls have the same routers with the same versions, the same OS version and the same config.

So, any thoughts?
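The post does not show what the automation tool actually sends, so the following is an added example, not the poster's tool or any Fortinet code. It builds the FortiOS CLI sequence for adding one member to an address group, drives it over an interactive SSH shell, and then re-reads the group so a session that "logs in, makes no change and logs out" is reported as a failure rather than trusted. The VDOM name `root`, the host, the credentials, the use of paramiko, the `wait` delay and the sample `show` output are all assumptions or constructed data. It uses `append member`, which sends only the new name, instead of `set member`, which would need every existing member re-sent on one line.

```python
"""Add a member to a FortiGate address group over SSH and verify the result.

Added example, not the original poster's tool. Assumptions (not from the
post): paramiko for SSH, an interactive FortiOS CLI shell, the VDOM name,
and the placeholder host/credentials in the __main__ block.
"""
import re
import time


def build_append_commands(group, member, vdom=None):
    """FortiOS CLI lines that add one member to an address group.

    `append member` adds to the existing list; `set member` would require
    re-sending every existing member in a single line.
    """
    lines = []
    if vdom:  # multi-VDOM units need the VDOM selected first
        lines += ["config vdom", f"edit {vdom}"]
    lines += [
        "config firewall addrgrp",
        f'edit "{group}"',
        f'append member "{member}"',
        "next",
        "end",
    ]
    if vdom:
        lines.append("end")
    return lines


def build_show_commands(group, vdom=None):
    """CLI lines that dump the current configuration of one address group."""
    lines = []
    if vdom:
        lines += ["config vdom", f"edit {vdom}"]
    lines.append(f'show firewall addrgrp "{group}"')
    if vdom:
        lines.append("end")
    return lines


def parse_members(show_output):
    """Return the member names from `show firewall addrgrp` output."""
    m = re.search(r"^\s*set member (.+)$", show_output, re.MULTILINE)
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def check_change(before, after, member):
    """Classify the outcome from the group contents before and after the add."""
    if member in before:
        return "already-present"
    if member in after:
        return "added"
    return "not-applied"  # the session ran but the group did not change


def run_cli(host, user, password, lines, wait=1.0):
    """Send CLI lines over an interactive SSH shell and return all output.

    Assumption: paramiko is installed; it is imported here so the pure
    helpers above can be used (and tested) without it. The host key must
    already be in the system known_hosts, unknown keys are rejected.
    """
    import paramiko

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, password=password, timeout=10)
    shell = client.invoke_shell()
    out = []
    try:
        for line in lines:
            shell.send(line + "\n")
            time.sleep(wait)  # crude pacing for a CLI with no exit status
            while shell.recv_ready():
                out.append(shell.recv(65535).decode("utf-8", "replace"))
    finally:
        shell.close()
        client.close()
    return "".join(out)


def add_and_verify(host, user, password, group, member, vdom=None):
    """Add `member` to `group` and confirm it by re-reading the group."""
    before = parse_members(run_cli(host, user, password,
                                   build_show_commands(group, vdom)))
    run_cli(host, user, password, build_append_commands(group, member, vdom))
    after = parse_members(run_cli(host, user, password,
                                  build_show_commands(group, vdom)))
    return check_change(before, after, member)


# Constructed sample of `show firewall addrgrp` output, not captured from a device.
SAMPLE_SHOW = '''config firewall addrgrp
    edit "FAKE_group"
        set member "host01" "host02" "host03"
    next
end
'''

if __name__ == "__main__":
    # Placeholder target and credentials (assumptions, replace before use).
    print(add_and_verify("192.0.2.1", "automation", "CHANGE_ME",
                         "FAKE_group", "host36", vdom="root"))
```

The "not-applied" result is the symptom the post describes: the event log shows a login and logout with no edit. Returning that state explicitly, rather than relying on the tool's own exit code, makes the failure visible to whatever calls the tool.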


