Kaplan
Explorer II
March 18, 2022
Question

Policy Lookup

  • March 18, 2022
  • 2 replies
  • 3415 views

Dear People,

I have the following configuration:

[Screenshot: Kaplan_0-1647624254725.png]

[Screenshot: Kaplan_1-1647624285532.png]

There is no wire on the LACP ports LAN (VLAN10) and VOICE (port a) (VLAN40).
If I try the policy lookup, I get the following error:

[Screenshot: Kaplan_2-1647624449895.png]

What is my problem?

Thanks in advance

2 replies

Markus_M
Staff & Editor
March 18, 2022

Hey Kaplan,

If you run a CLI lookup on the route, it might be helpful:

get router info routing details 10.40.137.50

The route that is used is marked with a *.

Example:

get router info routing details 10.40.137.50

Routing table for VRF=0
Routing entry for 10.40.0.0/16
Known via "static", distance 10, metric 0, best
 * 192.168.40.8, via wan1

It seems there is a route for that IP that is better than the connected port. Or the policy's dst-address object does not include the network.

Best regards,


Markus

Kaplan (Author)
Explorer II
March 18, 2022

I do not think that's a routing problem.
The LACP will not come up. If a VLAN interface does not come up, you cannot use Policy Lookup with this interface.
I must solve my Netgear TP728 problem with LACP.

Has somebody created LACP with a Netgear TP728 and a FortiGate 60F?

ede_pfau
SuperUser
March 19, 2022

You would expect that for a port without link up, the corresponding route would be removed, wouldn't you? So, this is not a routing problem. And besides, there is NO route better than a connected one, except for corner cases.

Kaplan (Author)
Explorer II
March 19, 2022

Dear Ede,

I am not a specialist in FortiGates. I learn more and more about them every day.

I would say it is not a static route problem. Maybe it's a problem of automatically connected routes.
I didn't know that the "policy lookup" depends on connected routes too. So that's what I learned with this lesson.
Is it possible to bring up the link of ports without a wire, so I can check the policies completely, or is it possible to check the matching policy independent of any routes?
I have some LACP ports there, but I have a problem with my Netgear switch, so the LACP ports with their VLANs will not come up.

I tried for some hours to get the LACP ports up, but without success.
I have no other switches in my lab.

Thanks for your post, and sorry for my bad English.

ede_pfau
SuperUser
March 19, 2022

Not a problem at all. We all are learning, every day, for years and years.

Just to clarify, this is not a FortiGate problem, and not a 'problem' at all. Any router would remove a route if the link status is 'down'. Otherwise traffic would be lost on link failure. It is not uncommon to have 2 routes to a target, one being 'standby' or 'backup', and configured such that the other 'main' route is preferred. Once the link to its next hop is lost, its route is removed and the 'backup' route is activated and used. So, this behavior is completely correct.

I do not know of any workaround to mimic a link status.

IMHO you should not complicate this - you can look up which policy is matched, without any (convenience) tool. Policy matching is as follows:

1- source interface and destination interface must match

2- source address and destination address must match

3- service must match

4- policy status must be 'enabled', schedule must be valid

So, for regular policies, the first 5 values must match. Policies are checked from top down. A FGT has 2 views on the policy table: one which is sorted by source+dest interface pairs ('segmented view'), and one in which all policies are listed top-down. You can switch between these by clicking in the upper right corner.

At least in the 'complete' view, you can follow the policies and see which one matches FIRST - after a match is found, the search is terminated.

If no policy matches, the traffic is dropped silently.


Regarding LACP, the FGT is adhering to the standards. Hopefully, Netgear does as well. You can see more LACP options in the CLI ('config system interface'). The defaults should do, really. Sorry, I've got no experience with Netgear switches.

The default LACP mode is 'negotiating' or 'active', that is, both sides negotiate a trunk. If one side is 'passive', the other needs to be 'active'.

Maybe a look into the FortiOS Handbook will help. There are KB articles about debugging LACP links, but if you are unfamiliar with FortiOS I would not start with that.

HTH.
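The two mechanisms discussed in this thread, a connected route that only exists while the interface link is up and the top-down, first-match policy evaluation that ends in an implicit deny, can be modelled in a few lines. The following is an added example written for this page, not FortiOS code and not taken from any of the posts above; the interface names, prefixes, policies and the helper set_link are constructed for illustration, and the route selection is simplified to longest prefix, then lowest distance.

```python
"""Toy model of a FortiGate-style policy lookup (added example, not FortiOS code).

(1) A connected route is installed only while the interface link is up, so a
    destination behind a down VLAN is resolved by whatever other route covers
    it (e.g. a default route), or by no route at all.
(2) Policies are walked top-down; the first one whose interfaces, addresses,
    service, status and schedule all match wins, otherwise implicit deny.
All names, prefixes and policies below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Union


@dataclass(frozen=True)
class Interface:
    name: str
    network: Optional[str]  # connected prefix, None if unaddressed
    link_up: bool


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str
    distance: int
    source: str  # "connected" or "static"


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str              # interface name or "any"
    dstintf: str
    srcaddr: tuple[str, ...]  # prefixes or "all"
    dstaddr: tuple[str, ...]
    service: Union[frozenset, str]  # {(proto, port), ...} or "ALL"
    status: str = "enable"
    schedule_active: bool = True  # result of evaluating the schedule now


def routing_table(interfaces, static_routes):
    """Install a connected route only for interfaces whose link is up."""
    connected = [Route(i.network, i.name, 0, "connected")
                 for i in interfaces if i.network and i.link_up]
    return connected + list(static_routes)


def lookup_route(routes, dst: str) -> Optional[Route]:
    """Longest prefix wins, then lowest administrative distance."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))


def addr_matches(objects, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(o == "all" or addr in ipaddress.ip_network(o) for o in objects)


def intf_matches(policy_intf: str, intf: str) -> bool:
    return policy_intf == "any" or policy_intf == intf


def service_matches(service, proto: str, port: int) -> bool:
    return service == "ALL" or (proto, port) in service


def policy_lookup(interfaces, static_routes, policies, srcintf, src, dst, proto, port):
    """Return ("no-route", None), ("match", policy_id) or ("implicit-deny", None)."""
    route = lookup_route(routing_table(interfaces, static_routes), dst)
    if route is None:
        return ("no-route", None)  # egress interface unknown, nothing to match against
    for p in policies:             # top-down; the first match terminates the search
        if p.status != "enable" or not p.schedule_active:
            continue
        if not (intf_matches(p.srcintf, srcintf) and intf_matches(p.dstintf, route.interface)):
            continue
        if not (addr_matches(p.srcaddr, src) and addr_matches(p.dstaddr, dst)):
            continue
        if not service_matches(p.service, proto, port):
            continue
        return ("match", p.id)
    return ("implicit-deny", None)


def set_link(interfaces, name: str, up: bool):
    """Copy of the interface list with one link state flipped (constructed helper)."""
    return [replace(i, link_up=up) if i.name == name else i for i in interfaces]


# Constructed lab: WAN up, two VLANs riding an LACP aggregate whose link is down.
INTERFACES = [
    Interface("wan1", "192.168.40.0/24", True),
    Interface("LAN", "10.10.0.0/16", False),    # VLAN10 on the aggregate
    Interface("VOICE", "10.40.0.0/16", False),  # VLAN40 on the aggregate
]
DEFAULT_ROUTE = [Route("0.0.0.0/0", "wan1", 10, "static")]
POLICIES = [
    Policy(1, "LAN", "VOICE", ("all",), ("10.40.0.0/16",), frozenset({("udp", 5060)})),
    Policy(2, "LAN", "wan1", ("all",), ("all",), "ALL"),
]

if __name__ == "__main__":
    lan_only = set_link(INTERFACES, "LAN", True)
    both_up = set_link(lan_only, "VOICE", True)
    flow = ("LAN", "10.10.0.5", "10.40.137.50", "udp", 5060)
    print("VOICE down, default route:", policy_lookup(lan_only, DEFAULT_ROUTE, POLICIES, *flow))
    print("VOICE down, no default:   ", policy_lookup(lan_only, [], POLICIES, *flow))
    print("VOICE up:                 ", policy_lookup(both_up, DEFAULT_ROUTE, POLICIES, *flow))
    print("VOICE up, tcp/22:         ", policy_lookup(both_up, DEFAULT_ROUTE, POLICIES,
                                                      "LAN", "10.10.0.5", "10.40.137.50", "tcp", 22))
```

The first two scenarios show the two ways a down VLAN affects the lookup: with a default route present, 10.40.137.50 is resolved via wan1 and silently matches the LAN-to-wan1 policy instead of the VOICE policy; with no covering route, the lookup cannot determine an egress interface at all. Bringing the VLAN up restores the connected route, the longer prefix wins, and policy 1 matches; a service it does not allow falls through every policy to the implicit deny.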