Stumbled across a bug? New interface on 800D not responding to ping, dhcp, policy matching
So today I began setting up a new Guest WiFi vlan, and I want an interface on my Fortigate 800D to be the default gateway. This will allow us to restrict traffic to our internal network but allow it out to the internet. Should be simple?!
I've been racking my brains and cannot get this new interface to work.
So it's configured as follows:
config system interface
    edit "port9"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Guest Wifi"
        set role lan
        set snmp-index 13
    next
end
DHCP is configured (under config system dhcp server):
config system dhcp server
    edit 4
        set default-gateway 10.0.0.254
        set netmask 255.255.255.0
        set interface "port9"
        config ip-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.253
            next
        end
        set timezone-option default
        set dns-server1 212.23.6.100
    next
end
And I've created a policy rule to allow the traffic out to the internet. For testing purposes it's source interface port9, destination interface wan2, any.
Port9 physically connects to a Cisco switch configured as:
switchport mode access
switchport access vlan 6
I connect a laptop to another port on the same switch, configured identically. With this config alone I believe I should be able to get a dhcp address in 10.0.0.1-10.0.0.253, ping the fortigate at 10.0.0.254, and browse the internet. I can't do any of those things.
diag sniffer packet 'port9' shows the broadcasts, so I believe they are arriving at the fortigate, but I never see anything other than the initial broadcast. Same with a ping, I see ICMP arriving but nothing else.
I've configured a static ip address on the laptop and tried to ping, no dice.
I've got a DMZ network set up similarly to this, and the only difference I can see is under "Local-in Policy" (after enabling it in Feature Select): I can see that ICMP and UDP 67 both exist in there against the DMZ network interface, but nothing for my new interface that I've set up. So I am guessing that the Fortinet is just dropping the packets. I'll add that these local-in policies have not been added manually via CLI; these are the read-only, automatically created versions.
I'm running 2x FG800D in an A/P cluster, v5.4.2, build 1100 (GA). I've set up new interfaces before and not seen this issue. Any ideas?
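A diagnostic sequence for this kind of symptom, added here as an example and not part of the original post: it checks whether the frames that reach port9 are answered at the ARP layer, and then asks the kernel's flow trace why traffic to the interface address is dropped, rather than guessing from the local-in policy view. It assumes the port9 interface, the 10.0.0.254 address and the A/P cluster described above, and is typed on the CLI of the cluster master.

```fortios
# 1. Rule out link and HA state before looking at policy:
#    port9 must be up on the unit that is actually master.
get system interface physical port9
diagnose sys ha status
diagnose sys ha checksum cluster

# 2. ARP first: a laptop that never gets an ARP reply for
#    10.0.0.254 will not get ICMP or DHCP replies either.
#    Verbosity 4 prints the interface name with each frame.
diagnose sniffer packet port9 'arp or icmp or (udp and (port 67 or port 68))' 4
diagnose ip arp list

# 3. Trace the kernel's decision for packets addressed to the interface.
#    Send the ping from the laptop while the trace is running; each packet
#    prints the path it took and, if it is discarded, the drop reason.
diagnose debug reset
diagnose debug flow filter addr 10.0.0.254
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
# ... ping 10.0.0.254 from the laptop now ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 4. Compare the auto-generated local-in entries for port9 with the
#    working DMZ interface.
show firewall local-in-policy
```

If step 2 shows no ARP reply leaving port9, the problem is below the local-in policy layer (link, VLAN or HA), whereas a drop line in step 3 names the check that rejected the packet.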