tstrip007
New Member
January 6, 2016
Question

Fortigate 100A Issues

I have been given a 3 Mb link with 4 usable IPs. I have hooked this link into the WAN int 1. I have my local interface plugged in and can access the admin GUI.

I have created a static route with a wildcard IP and subnet mask and the gateway of this 3 Mb link.

I have created a virtual IP and assigned one of the 4 usable IPs that maps to an internal IP (web server); however, I cannot get this IP to ping from the outside. I have created a policy and assigned the virtual IP to the policy.

Cannot figure out why it's only the WAN interface and the gateway I can ping for this 3 Mb link. If I change the WAN IP to one of the other 4 usables, it pings.

Any advice? This is mainly for inbound traffic. I have several other firewalls in my environment.

    2 replies

    ede_pfau
    SuperUser
    January 7, 2016

    Hello, and welcome to the forums.

    You haven't mentioned it but chances are that your VIP is port-forwarding. As such it will not forward (port-less) ICMP. If the VIP is 1:1 then it should relay the ping.

    BTW, which OS version?
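    The two VIP shapes contrasted in the reply above, written out as an added example (not configuration from the thread or from Fortinet): a port-forwarding VIP translates only the protocol and port it names, so an ICMP echo to the external address has nothing to match and is dropped, while a static-NAT (1:1) VIP translates every protocol the matching policy allows. The policy is the second gate: even on a 1:1 VIP, an inbound ping fails while the policy's service list holds only a TCP port, so PING has to be allowed explicitly. Interface names, addresses and object names are constructed; the syntax follows the general FortiOS CLI and older firmware may want a service group in place of a multi-service list.

```fortios
# Added example, not taken from the thread. Constructed values:
#   public address 203.0.113.10, web server 192.168.1.10,
#   WAN interface "wan1", LAN interface "internal".
# The two VIPs below are alternatives for the same public address;
# configure one or the other, not both.

# 1) Port-forwarding VIP: only TCP/80 is translated. ICMP carries no
#    port, so a ping to 203.0.113.10 is never forwarded inside.
config firewall vip
    edit "web-vip-pf"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# 2) Static-NAT (1:1) VIP: all protocols are translated, so the
#    inside host can answer a ping if the policy permits ICMP.
config firewall vip
    edit "web-vip-1to1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 192.168.1.10
    next
end

# 3) Inbound policy for the 1:1 VIP. With "HTTP" alone in the service
#    list, inbound ping still fails even though the VIP is 1:1; adding
#    "PING" is what lets the echo request through.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip-1to1"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
    next
end
```

    A quick way to tell the two VIP types apart on a live box is `show firewall vip`: a port-forwarding VIP lists `set portforward enable` with `extport`/`mappedport`, a 1:1 VIP does not.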

    rwpatterson
    New Member
    January 7, 2016

    tstrip007 wrote:

    I have created a static route with a wildcard ip and subnet mask and the gateway of this 3mb link.

    This is confusing. The default route should be from inside to outside, and if that's the case, the next hop should be the local inside interface IP of the FortiGate (not the gateway of "this 3 Mb link"). Also you need the correct policies in place to make all this happen.

    edit - I was assuming you were referring to traffic from the inside out. After rereading I see you are referring to the FGT itself. Check your PING options from the CLI. Chances are it's set to the incorrect source IP address.

    tstrip007 (Author)
    New Member
    January 7, 2016

    Yah, I am only concerned with the outside world being able to get in. I am using fg100a-v4.0,build0328,110718 (MR2 Patch 8).

    I don't have any port forwarding on the VIP, only mapped to an external. I have a special policy set up where inbound can only come in on a specific port.

    I'll check ping options....

    tstrip007 (Author)
    New Member
    January 7, 2016

    Not really sure what I'm looking for with the ping options. I did the following from the CLI with my WAN IP:

    execute ping-option repeat-count 3
    execute ping-option source my.wan.ip.0
    execute ping-option view-settings