ereddy (Staff)
November 23, 2020

Technical Tip: Server reachability issue from internal to DMZ


Description

 

This article describes how to perform basic troubleshooting of connectivity from an internal/LAN host to a server on the DMZ interface of a FortiGate.

 

Scope

 

FortiGate.

Solution

 

The topology used in this article is: user hosts -> FortiGate LAN interface -> FortiGate DMZ interface -> destination server.

Because the LAN hosts and the DMZ server sit on different FortiGate interfaces, every packet between them must be routed by the FortiGate and must match a firewall policy from the LAN interface to the DMZ interface (and the reply must match the session created by that policy).

Verify the following, in order:

 

  1. Physical connectivity of both the source and the destination to the FortiGate.
  • Confirm the FortiGate has learned the MAC address of each host (get system arp) and that each host can ping its gateway (the FortiGate LAN or DMZ interface IP).
  • If the source or the destination is not directly connected, verify that a route to it exists on the FortiGate.
  • Command to check the route for an address: get router info routing-table details x.x.x.x

 

  2. Verify that the firewall policies are implemented as required.

Check the forward traffic logs on the FortiGate (Log & Report -> Forward Traffic) for the source/destination pair. A log entry shows the policy ID that matched and the action taken; an entry with policy ID 0 means the traffic hit the implicit deny, so no policy from the LAN interface to the DMZ interface matched. Note that the entry only appears if logging is enabled on the matching policy (or on the implicit deny policy).

 

  3. Verify the traffic flow with the debug flow, which shows how the FortiGate handles each packet: the ingress interface, the route lookup, the policy match, and the reason for any drop.

The commands for the debug flow are:

 

diagnose debug reset
diagnose debug flow filter addr x.x.x.x y.y.y.y and    <----- x.x.x.x is the server IP on the DMZ and y.y.y.y is the source IP; 'and' requires a packet to involve both addresses.
diagnose debug flow filter proto 1                      <----- proto 1 is ICMP, so only the ping is traced.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable                  <----- shows the policy lookup (iprope), so the matched or denying policy ID appears in the trace.
diagnose debug enable
diagnose debug flow trace start 10000                   <----- 10000 is the number of packets to trace; generate the ping from the source after this command.

Stop the trace and clear the debug settings when done:

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
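A long trace is easier to read when it is reduced to one finding per packet. The following Python script is an added example (not part of the original article and not a Fortinet tool): it groups debug flow lines by trace_id and reports, for each packet, the ingress interface, the egress interface chosen by the route lookup, and the verdict with the policy ID. The sample lines are constructed to mimic the FortiGate debug flow format, and the interface names port2 (LAN) and port3 (DMZ) are assumptions of the example.

```python
import re

# Constructed sample 'diagnose debug flow' output modelled on the typical FortiGate
# format (this is NOT a real capture). Trace 1: LAN host 10.10.10.5 (on port2) pings
# the DMZ server 192.168.20.10 (behind port3) and is allowed by policy 5. Trace 2: a
# second LAN host takes the same route but hits the implicit deny (policy 0).
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.10.5:1->192.168.20.10:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.20.10 via port3"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.10.10.6:1->192.168.20.10:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.20.10 via port3"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
RECV_RE = re.compile(
    r"received a packet\(proto=(\d+), (\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+\) "
    r"from ([\w.-]+?)\.(?:\s|\"|$)"
)
ROUTE_RE = re.compile(r"find a route: .*? via ([\w.-]+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")

# Messages that mean the packet was dropped before a forward policy was consulted.
DROP_MARKERS = {
    "reverse path check fail": "rpf-drop",              # asymmetric routing / wrong ingress
    "iprope_in_check() check failed": "local-in-deny",  # traffic addressed to the FortiGate itself
    "no session matched": "no-session",                 # reply without a matching session
}


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and extract what matters for the
    LAN-to-DMZ check: ingress interface, egress interface, verdict, policy ID."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(1), {
            "proto": None, "src": None, "dst": None, "in_intf": None,
            "out_intf": None, "verdict": "unknown", "policy": None,
        })
        if (r := RECV_RE.search(line)):
            t["proto"], t["src"], t["dst"], t["in_intf"] = int(r.group(1)), r.group(2), r.group(3), r.group(4)
        elif (r := ROUTE_RE.search(line)):
            t["out_intf"] = r.group(1)
        elif (r := ALLOW_RE.search(line)):
            t["verdict"], t["policy"] = "allowed", int(r.group(1))
        elif (r := DENY_RE.search(line)):
            t["verdict"], t["policy"] = "denied", int(r.group(1))
        else:
            for marker, verdict in DROP_MARKERS.items():
                if marker in line:
                    t["verdict"] = verdict
    return traces


def diagnose(traces, lan_intf="port2", dmz_intf="port3"):
    """Turn each parsed trace into a one-line finding. lan_intf and dmz_intf are
    the interface names assumed for this example."""
    if not traces:
        return ["no packets matched the debug flow filter: the traffic is not reaching "
                "the FortiGate (check physical connectivity and run the sniffer)"]
    findings = []
    for tid, t in traces.items():
        head = f"trace {tid} {t['src']}->{t['dst']} proto {t['proto']}:"
        if t["in_intf"] is None:
            findings.append(f"{head} no ingress record (check physical/ARP/gateway)")
        elif t["in_intf"] != lan_intf:
            findings.append(f"{head} arrived on {t['in_intf']}, not {lan_intf} (check source routing)")
        elif t["verdict"] == "allowed" and t["out_intf"] == dmz_intf:
            findings.append(f"{head} OK, policy {t['policy']} forwards {t['in_intf']}->{t['out_intf']}")
        elif t["verdict"] == "allowed":
            findings.append(f"{head} allowed but routed via {t['out_intf']} (check route to DMZ)")
        elif t["verdict"] == "denied":
            findings.append(f"{head} denied by policy {t['policy']} (fix firewall policy {lan_intf}->{dmz_intf})")
        else:
            findings.append(f"{head} dropped: {t['verdict']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_debug_flow(SAMPLE_DEBUG_FLOW)):
        print(finding)
```

Paste the captured trace in place of the sample text (or read it from a file). A trace that arrives on the LAN interface, is routed via the DMZ interface and ends in "Allowed by Policy-N" is healthy; "Denied by forward policy check (policy 0)" means no policy from LAN to DMZ matched the packet, and the reverse-path and local-in markers point at routing or traffic addressed to the FortiGate itself rather than at the policy set.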

 

In addition to the debug flow, run the built-in sniffer to confirm whether the traffic arrives at the FortiGate at all, on which interface it arrives, and whether it leaves on the expected interface. The sniffer command is:

 

diagnose sniffer packet any "host x.x.x.x and host y.y.y.y and icmp" 4 0 l    <----- any = all interfaces; verbosity 4 prints the interface name and direction (in/out) of each packet; 0 = no packet count limit (stop with Ctrl-C); l = local timestamp.
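The verbosity-4 output answers the three questions above (does the ping arrive, on which interface, and does it leave on the right one) once the in/out lines are matched against each other. The following Python script is an added example (not part of the original article and not a Fortinet tool) that classifies a ping's path from that output. The sample lines are constructed in the style of the verbosity-4 sniffer format, and port2 (LAN) and port3 (DMZ) are assumptions of the example.

```python
import re

# Constructed sample output modelled on 'diagnose sniffer packet any "..." 4 0 l'
# (verbosity 4 = packet header plus interface name and direction, 'l' = local
# timestamp). This is NOT a real capture. Assumed interfaces: port2 = LAN, port3 = DMZ.
# A healthy ping: request in on LAN, out on DMZ; reply in on DMZ, out on LAN.
SNIFFER_OK = """\
2020-11-23 10:00:01.100000 port2 in 10.10.10.5 -> 192.168.20.10: icmp: echo request
2020-11-23 10:00:01.100100 port3 out 10.10.10.5 -> 192.168.20.10: icmp: echo request
2020-11-23 10:00:01.100900 port3 in 192.168.20.10 -> 10.10.10.5: icmp: echo reply
2020-11-23 10:00:01.101000 port2 out 192.168.20.10 -> 10.10.10.5: icmp: echo reply
"""

# Same ping, but the request only ever appears entering on port2: the FortiGate
# received it and dropped it (policy, route or session problem).
SNIFFER_DROPPED = """\
2020-11-23 10:00:05.100000 port2 in 10.10.10.5 -> 192.168.20.10: icmp: echo request
2020-11-23 10:00:06.100000 port2 in 10.10.10.5 -> 192.168.20.10: icmp: echo request
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<intf>[\w.-]+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+): (?P<rest>.*)$"
)


def parse_sniffer(text):
    """Yield (interface, direction, src, dst, rest) for each verbosity-4 line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("intf"), m.group("dir"), m.group("src"), m.group("dst"), m.group("rest")


def sniffer_path(text, src, dst, lan_intf="port2", dmz_intf="port3"):
    """Decide where along the LAN -> FortiGate -> DMZ path the ping stops."""
    seen = {}  # (direction, "request"|"reply") -> first interface it was seen on
    for intf, direction, s, d, _ in parse_sniffer(text):
        if (s, d) == (src, dst):
            seen.setdefault((direction, "request"), intf)
        elif (s, d) == (dst, src):
            seen.setdefault((direction, "reply"), intf)

    req_in = seen.get(("in", "request"))
    req_out = seen.get(("out", "request"))
    rep_in = seen.get(("in", "reply"))
    rep_out = seen.get(("out", "reply"))

    if req_in is None:
        return "request never reaches the FortiGate: check source host, switch path, ARP and default gateway"
    if req_in != lan_intf:
        return f"request arrives on {req_in} instead of {lan_intf}: check how the source reaches the FortiGate"
    if req_out is None:
        return f"request arrives on {req_in} but is not forwarded: denied by policy, no route or RPF drop (run debug flow)"
    if req_out != dmz_intf:
        return f"request leaves via {req_out} instead of {dmz_intf}: check the route to the DMZ server"
    if rep_in is None:
        return f"request leaves via {req_out} but the server never answers: check the server's firewall and default gateway"
    if rep_out is None:
        return f"reply arrives on {rep_in} but is not forwarded back: check session and asymmetric routing"
    return f"OK: {req_in} -> {req_out} and back {rep_in} -> {rep_out}"


if __name__ == "__main__":
    print(sniffer_path(SNIFFER_OK, "10.10.10.5", "192.168.20.10"))
    print(sniffer_path(SNIFFER_DROPPED, "10.10.10.5", "192.168.20.10"))
```

The order of the checks mirrors the path of the packet, so the first failing check is the first place to look: no "in" line at all is a problem before the FortiGate, an "in" without an "out" is a FortiGate decision (and the debug flow explains which one), and an "out" on the DMZ side without a reply points at the server or its default gateway rather than at the firewall.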

 

The full set of troubleshooting steps is covered in the related article:

Troubleshooting Tip: Basic FortiGate Connectivity Diagnostics

 

If the server behind the FortiGate is still unreachable after reviewing this output, collect the debug flow and sniffer output and raise a TAC ticket.