lidartech
New Member
September 7, 2022
Solved

Basic traffic forwarding not working with Fortigate VM


Hello,

I am new to Fortinet and am setting up a Fortinet firewall VM in EVE-NG. With the setup below, I am not able to ping from INSIDE_R1 to OUTSIDE_R2.

Topology:

INSIDE_R1 --- (port 2)-Fortinet Firewall-(port 3) --- OUTSIDE_R2

10.0.0.2/24     10.0.0.1/24                    20.0.0.1/24        20.0.0.2/24

Fortinet VM: Version 7.2.0 with eval license

The firewall policy allows all sources coming into Port2 toward all destinations going out of Port3, for all services, all the time. NAT is also enabled to use the outgoing interface address.

INSIDE_R1 has a default route pointing to the firewall's inside interface IP, 10.0.0.1.

INSIDE_R1 can ping the firewall's inside IP 10.0.0.1 and outside IP 20.0.0.2.

The firewall can ping OUTSIDE_R2's IP of 20.0.0.2.

However, INSIDE_R1 cannot ping OUTSIDE_R2's IP of 20.0.0.2. OUTSIDE_R2 does not get any packets from INSIDE_R1 based on its debug output.

Here is the debug output on the Fortinet firewall:

id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, s"
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"

id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"

I am not sure if this is a limitation of the VM version of the Fortinet firewall, that it only allows you to configure it but does not let it pass traffic?

I built the same topology with a physical Fortinet firewall and two computers. With the same security policy and IP configurations, ping from inside to outside works fine.

I'd like to find out if it is doable to have the Fortinet firewall VM working and forwarding traffic in EVE-NG. The virtual lab in EVE-NG will allow me to test more complex network environments.

Thanks,

Fei.

Best answer by lidartech

Solved the issue by upgrading the FortiGate VM from version 7.2.0 to 7.2.1. 

2 replies


EEHC
Explorer III
September 8, 2022

To troubleshoot FortiGate, you use two things: your understanding of how FortiGate behaves, and the log. From the log, you could filter to see if matched traffic is accepted, then NAT applied and forwarded. FortiGate first checks the routing and then the policies in sequence. So you first check the routing (which you don't need in this lab) and then the policies. Another thing related to the VM is to confirm that the ports in the same subnet are connected to the same VM network.
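As an added example (not code from the original post, from EEHC, or from Fortinet), the script below does the filtering EEHC describes: it groups debug flow lines like the ones quoted in the question by trace_id and reports how far each packet got before the trace went quiet. The "received", "session" and "route" markers come from the quoted lines; the policy, deny and SNAT markers are assumptions based on the usual wording of such output and do not appear on this page.

```python
import re
# Constructed sample built from the trace lines quoted in the question above
# (the first line is truncated in the post and is kept that way here).
SAMPLE_TRACE = """\
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, s"
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
"""
LINE_RE = re.compile(r'\btrace_id=(\d+)\b.*?\bmsg="(.*)$')

# Stage markers in the order a forwarded packet should pass through them; the
# policy, deny and NAT markers are assumptions, not taken from the post.
STAGES = [
    ("received", "received a packet"),
    ("session", "allocate a new session"),
    ("route", "find a route"),
    ("policy", "Allowed by Policy"),
    ("denied", "Denied by"),
    ("nat", "SNAT"),
]

def parse_flow(text):
    # Group lines by trace_id and record which stages each trace reached.
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.group(1), m.group(2).rstrip('"')
        stages = traces.setdefault(trace_id, [])
        for name, marker in STAGES:
            if marker in msg and name not in stages:
                stages.append(name)
    return traces

def verdict(stages):
    # Say where a trace ended: denied, accepted (with NAT), or stalled early.
    if not stages:
        return "no recognised stage"
    if "denied" in stages:
        return "denied by policy"
    if "policy" in stages:
        return "accepted" + (" with SNAT" if "nat" in stages else "")
    return "stalled after '%s': no policy decision logged" % stages[-1]

def report(text):
    return {tid: verdict(st) for tid, st in parse_flow(text).items()}
```

Run against the sample, both traces come back as stalled after the route lookup, which matches the symptom in the question: a session and a route exist, but no policy decision or forwarding is ever logged.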