The problem was not with the Cisco ASA, so I owe the ASA an apology.
What Fortinet did (which is unbelievable from a security company) was to use a well-known service port, 53, for its queries. They also claim the lookups are RFC compliant, btw. Well, something is flawed, because the ASA drops these queries upon inspection.
To recap the issues:
1: they (Fortinet) used the well-known port 53 for their antispam rating queries
2: the queries do not match a true DNS "query-formatted request"
3: so the ASA DNS inspection sees these as badly constructed DNS lookups and drops the requests
4: this is what the Cisco ASA should be doing, btw (not honoring the FortiMail queries on port 53 if they are not constructed correctly)
Now we have the means to rectify the issue, by doing what I did: bypassing the inspection for the FortiMail appliances, or we can change the query port of the FortiGuard servers.
The systems engineer at Fortinet that I spoke with didn't seem overly concerned: "that using a well-known port in a fashion and means different than what it was intended for was not considered a big deal".
FWIW, any device that does inspection of layer-7 DNS data and happens to be in the path of the appliance could easily drop these incorrectly constructed packets (e.g. IPS, DDoS-inspection gear, SLB, etc.).
So in conclusion:
If you're downwind of a Cisco ASA, and that device happens to "inspect dns", disable the DNS inspection if you suspect it's dropping your FortiGuard queries, and re-monitor.
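The bypass described above, as an added ASA configuration example (not the post's own config): instead of turning DNS inspection off globally, DNS inspection is moved from the default class to a class driven by an ACL that excludes the FortiMail appliance, so every other host's port-53 traffic is still inspected. The address 192.0.2.10 and the object names are placeholders.

```cisco
! Constructed example: 192.0.2.10 stands in for the FortiMail appliance's inside address.
! The ACL's deny entry excludes only that host's UDP/53 traffic; everyone else stays inspected.
access-list DNS_INSPECT_TRAFFIC extended deny udp host 192.0.2.10 any eq domain
access-list DNS_INSPECT_TRAFFIC extended permit udp any any eq domain
!
! Class that matches DNS traffic minus the FortiMail exception.
class-map DNS_INSPECT
 match access-list DNS_INSPECT_TRAFFIC
!
! Remove DNS inspection from the default inspection class and
! re-attach it to the narrower class; all other default inspections are untouched.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
 class DNS_INSPECT
  inspect dns preset_dns_map
!
service-policy global_policy global
!
! Verify that DNS inspection is now bound to DNS_INSPECT and re-monitor the FortiGuard lookups:
! show service-policy global inspect dns
```

If your ASA's default DNS map has a different name (older versions migrated it under a different name), use the name shown by `show running-config policy-map` in place of preset_dns_map.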
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com