Problemchild
New Member
July 17, 2025
Question

New to Fortigate, Firewall policy is not allowing any packets into or out of the LAN

  • July 17, 2025
  • 2 replies
  • 880 views

I could use some help. The basic firewall policies of Allowing all, any, any out of the LAN to WAN1 and Denying all, any, any from WAN1 into the LAN work for about 2 seconds (I can ping 8.8.8.8 with 100% replies), then there's no internet access. The DHCP service is running perfectly, issuing correctly assigned private IP addresses, and the test environment can ping the other device. Is there a possibility I could get some guidance, a view and critique of a basic firewall policy such as above?

2 replies

Toshi_Esumi
SuperUser
July 17, 2025

First, you don't need to have a deny policy for wan1->lan and wan2->lan. If you don't create any allow policy for the direction of a specific source and destination interface pair, there is an implicit deny policy and no packets can come through.

If you ping 8.8.8.8 from a Windows machine in the LAN network, the default ping interval is 1 sec. You said it works for only 2 sec. That means you got only two replies and then the rest failed. Is that correct?

Since you have only the default NAT policy (policy ID: 1) for the lan->wan1 direction, and the others are disabled, there shouldn't be anything blocking your internet-bound traffic through wan1 as long as a proper default route is there all the time.
Can you show us the default routes in the CLI with "get router info routing-table all"? It's the first part, like below:

fg40f-utm (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via x.x.x.x, a, [1/254]
                    [1/0] via SFOviaCentu tunnel y.y.y.y, [1/253]
                    [1/0] via z.z.z.z, ppp3, [100/255]
S 1.1.1.1/32 [15/0] via z.z.z.z, ppp3, [10/5]
S 2.0.0.0/8 [10/0] via SFOviaCentu tunnel y.y.y.y, [1/0]
S 4.2.2.3/32 [10/0] via z.z.z.z, ppp3, [1/0]
B 10.0.1.0/24 [20/0] via 10.241.128.121 (recursive via SFOcorp tunnel v.v.v.v), 01w5d00h, [1/0]
<snip>
I have SD-WAN set up with three default routes on my 40F.

Also, what kind of policy do you have under "lan->wan2"?

Toshi

Problemchild
New Member
July 18, 2025

Thank you Toshi for your reply!

I have disabled the deny policy on the Wan1 -> Lan interfaces, as I was curious whether that was the issue, but it did not result in a solution.

I'm sharing the routing table output here:

Fife4a # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
C 172.16.0.0/24 is directly connected, mgmt

I hope that helps. 

In response to your question about Lan -> Wan2: it's not my question right now, as Wan2 is not connected. Wan2 is for failover and I haven't implemented that yet.

Thank you again for your reply!


Toshi_Esumi
SuperUser
July 18, 2025

No. Those deny policies are just useless; they have nothing to do with your internet connectivity problem.
The direct reason is, as you just showed, that you've lost or don't have the default route to wan1 at all.
Is the wan1 interface actually UP? Is/was your default route static, or pulled over DHCP or PPPoE from the ISP side?

Toshi
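The two routing tables above make the diagnosis: Toshi's 40F shows an `S* 0.0.0.0/0` entry with three paths, while the asker's Fife4a shows only the directly connected management prefix and no default route at all. The following script is an added example, not code from this thread or from Fortinet: it parses `get router info routing-table all` output, counts the default-route paths and the interfaces they exit through, and returns a verdict. The two sample tables are constructed to mirror the ones posted, with the x.x.x.x placeholders replaced by RFC 5737 documentation addresses and interface names (`wan1`, `ppp3`) assumed; the route parsing rules are inferred from the output format shown in the thread.

```python
"""Check FortiGate 'get router info routing-table all' output for a usable default route.

Added example, not code from the forum thread. The tables below are constructed to
mirror the ones posted; placeholder next hops use RFC 5737 documentation addresses
and interface names are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample modelled on Toshi's 40F output: one default route, three paths.
TABLE_40F = """\
fg40f-utm (root) # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 203.0.113.1, wan1, [1/254]
                    [1/0] via SFOviaCentu tunnel 192.0.2.50, [1/253]
                    [1/0] via 198.51.100.9, ppp3, [100/255]
S 1.1.1.1/32 [15/0] via 198.51.100.9, ppp3, [10/5]
S 2.0.0.0/8 [10/0] via SFOviaCentu tunnel 192.0.2.50, [1/0]
S 4.2.2.3/32 [10/0] via 198.51.100.9, ppp3, [1/0]
B 10.0.1.0/24 [20/0] via 10.241.128.121 (recursive via SFOcorp tunnel 192.0.2.60), 01w5d00h, [1/0]
"""

# Constructed sample modelled on the asker's Fife4a output: no default route at all.
TABLE_FIFE4A = """\
Fife4a # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
* - candidate default

Routing table for VRF=0
C 172.16.0.0/24 is directly connected, mgmt
"""


@dataclass
class Route:
    code: str          # source column, e.g. "S*" (static, candidate default), "C", "B"
    prefix: str        # destination prefix, e.g. "0.0.0.0/0"
    nexthops: list = field(default_factory=list)   # list of (next hop, egress device)

    @property
    def is_default(self) -> bool:
        return self.prefix == "0.0.0.0/0"


# Matches "S* 0.0.0.0/0 [1/0] via ..." and "C 172.16.0.0/24 is directly connected, mgmt"
LINE_RE = re.compile(r"^(?P<code>[A-Z][A-Z0-9]?\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")
# Indented "[1/0] via ..." line: an additional (ECMP / SD-WAN) path of the preceding route
CONT_RE = re.compile(r"^\s+\[\d+/\d+\]\s+via\s+(?P<rest>.*)$")


def _parse_hop(rest: str) -> tuple:
    """Extract (next hop, egress device) from the text that follows the prefix."""
    m = re.search(r"is directly connected,\s*(\S+)", rest)
    if m:
        return "connected", m.group(1)
    m = re.search(r"\bvia\s+(.*)$", rest)
    if not m:
        return "unknown", None
    parts = [p.strip() for p in m.group(1).split(",")]
    tunnel = re.search(r"(\S+)\s+tunnel\s+(\S+)", parts[0])   # "via <ifname> tunnel <peer>" form
    if tunnel:
        return tunnel.group(2).rstrip(")"), tunnel.group(1)
    device: Optional[str] = None
    # The token after the next hop is the device unless it is "[dist/metric]" or an uptime
    if len(parts) > 1 and not parts[1].startswith("[") and not re.fullmatch(r"\d+w\d+d\d+h", parts[1]):
        device = parts[1]
    return parts[0].split()[0], device


def parse_routes(output: str) -> list:
    """Turn the CLI output into Route objects; legend and prompt lines are ignored."""
    routes: list = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            route = Route(m.group("code"), m.group("prefix"))
            route.nexthops.append(_parse_hop(m.group("rest")))
            routes.append(route)
            continue
        c = CONT_RE.match(line)
        if c and routes:
            routes[-1].nexthops.append(_parse_hop("via " + c.group("rest")))
    return routes


def default_route_report(output: str) -> dict:
    """Count default-route paths, list their egress devices and give a verdict."""
    defaults = [r for r in parse_routes(output) if r.is_default]
    egress = sorted({dev for r in defaults for _, dev in r.nexthops if dev})
    paths = sum(len(r.nexthops) for r in defaults)
    if paths == 0:
        verdict = "no default route: LAN hosts can only reach connected or explicitly routed prefixes"
    else:
        verdict = f"{paths} default path(s) via {', '.join(egress)}"
    return {"default_paths": paths, "egress_devices": egress, "verdict": verdict}


if __name__ == "__main__":
    for name, table in (("40F", TABLE_40F), ("Fife4a", TABLE_FIFE4A)):
        print(f"{name}: {default_route_report(table)['verdict']}")
```

Run against the 40F table it reports three default paths via `SFOviaCentu`, `ppp3` and `wan1`; against the Fife4a table it reports no default route, which is exactly the condition Toshi points to. A box in that state can still answer DHCP and ping hosts on connected subnets (the two seconds of replies most likely come from a route that was briefly present, e.g. learned over DHCP or PPPoE on wan1 and then withdrawn when the interface dropped), so checking the `S*` line is the first thing to verify before touching firewall policies.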