When a Sky-Q box is in an internal network and a FortiGate is acting as its Gateway, sometimes there are issues with connectivity, and the Sky-Q box will not connect.
The first step to troubleshooting this issue is running a debug flow.
Debug flow commands:

    diagnose debug reset
    diagnose debug flow filter clear
    diagnose debug flow filter addr x.x.x.x
    diagnose debug flow show iprope enable
    diagnose debug flow show function enable
    diagnose debug console timestamp enable
    diagnose debug flow trace start 500
    execute time
    diagnose debug enable

Where x.x.x.x is the source IP, in this case the IP of the Sky-Q box.

To disable the debug:

    diagnose debug disable
    diagnose debug reset

If the debug flow shows the Sky-Q box trying to ping its Gateway IP (in this case, the FortiGate), the issue matches this article. The Sky-Q box tries to ping its Gateway IP before trying to establish a connection with its servers. If, for any reason, that interface does not have PING enabled as a service, the Sky-Q box will not connect.
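As an added example (not part of the original article), the Python sketch below scans saved debug-flow output for echo requests from the Sky-Q box to its Gateway IP that the same trace then reports as dropped. The sample lines are constructed, and the output line format, the IP addresses and the function name `dropped_gateway_pings` are assumptions; adjust the patterns to the output of the FortiOS version in use.

```python
import re

# Constructed sample of debug-flow output (not captured from a real device).
# Assumed addresses: Sky-Q box 192.168.1.50, FortiGate gateway 192.168.1.1.
SAMPLE = '''\
2024-01-10 09:15:01 id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.50:1->192.168.1.1:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=1."
2024-01-10 09:15:01 id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0001a2b3"
2024-01-10 09:15:01 id=65308 trace_id=1 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"
2024-01-10 09:15:02 id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=17, 192.168.1.50:5353->224.0.0.251:5353) tun_id=0.0.0.0 from port1."
'''

# Packet header line: trace id, IP protocol, source, destination, ingress port.
PKT = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), '
                 r'([\d.]+):\d+->([\d.]+):\d+\).* from (\S+?)\.')
# Any later message in a trace that contains the word "drop".
DROP = re.compile(r'trace_id=(\d+) .*msg="([^"]*\bdrop\b[^"]*)"')
ICMP_TYPE = re.compile(r'type=(\d+)')


def dropped_gateway_pings(text, client_ip, gateway_ip):
    """Return [(trace_id, interface, drop message)] for ICMP echo requests
    from client_ip to gateway_ip that the same trace reports as dropped."""
    pings, findings = {}, []
    for line in text.splitlines():
        m = PKT.search(line)
        if m:
            trace, proto, src, dst, intf = m.groups()
            t = ICMP_TYPE.search(line[m.end():])
            # proto=1 is ICMP; type 8 is an echo request (ping).
            if (proto == "1" and src == client_ip and dst == gateway_ip
                    and t and t.group(1) == "8"):
                pings[trace] = intf
            continue
        d = DROP.search(line)
        if d and d.group(1) in pings:
            findings.append((d.group(1), pings.pop(d.group(1)), d.group(2)))
    return findings


if __name__ == "__main__":
    for trace, intf, msg in dropped_gateway_pings(
            SAMPLE, "192.168.1.50", "192.168.1.1"):
        print(f"trace {trace}: ping to gateway dropped on {intf}: {msg}")
```

A non-empty result names the interface on which PING needs to be allowed.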
After enabling PING on the interface level, either via CLI or GUI, the Sky-Q box will connect right away.

Example of enabling ping on port1 when no other services are enabled on the port:

    config system interface
        edit port1
            set allowaccess ping
    end

Note: If the issue persists even after allowing ping on the interface, a fresh debug flow would need to be gathered. Depending on the servers the Sky-Q box is trying to connect to, a multicast policy might be needed to allow the traffic.

To configure the multicast policy:

    config firewall multicast-policy
        edit 1
            set name "Multicast"
            set srcintf <portXX>
            set dstintf "portXX"
            set srcaddr "all"
            set dstaddr "all"
        next
    end

Depending on the case, the srcintf, dstintf, srcaddr, and dstaddr can be modified to specific ports and/or addresses.

For more information regarding multicast settings on the FortiGate, refer to the article below:

Configuring multicast forwarding