polarpanda
Explorer
January 7, 2020
Question

Virtual Server Cannot Connect to Outside


Hi there,

I'm new to FortiGate. I am trying to figure out why a virtual server gets stuck at the firewall without any deny policy set up. It used to work. When I ran a traceroute on the server, it stopped at the firewall. I don't see any policy that denies the server. Is there any other troubleshooting I can do? Thank you.


    _aey_
    New Member
    January 8, 2020

    Hi,

    Can you check the logs? When you filter the logs by source and destination IP addresses, please check the policy column and see the matched policy name. If the traffic matches a deny policy, you should create a new policy to allow the traffic.

    polarpanda
    Explorer
    January 8, 2020

    engineer56 wrote:

    Hi,

    Can you check the logs? When you filter the logs by source and destination IP addresses, please check the policy column and see the matched policy name. If the traffic matches a deny policy, you should create a new policy to allow the traffic.

    Thank you for replying to my post, aey. Yes, I checked the logs and found the policy. It's the group from inside to the outside internet with accepted source IP "all" (0.0.0.0/0) to destination IP "all" (0.0.0.0/0).

    ede_pfau
    SuperUser
    January 8, 2020

    hi,


    it works the other way around: without any ALLOWING policy there won't be any traffic. There's an implicit DENY ALL policy at the end of the policy table, invisible.

    If you do have an outbound policy, be sure to have NAT checked (to the WAN's interface address) or reply traffic won't make it back to the FGT.

    polarpanda
    Explorer
    January 8, 2020

    ede_pfau wrote:

    hi,


    it works the other way around: without any ALLOWING policy there won't be any traffic. There's an implicit DENY ALL policy at the end of the policy table, invisible.

    If you do have an outbound policy, be sure to have NAT checked (to the WAN's interface address) or reply traffic won't make it back to the FGT.

    Thank you for replying to my post, ede. Yes, I knew that. So I have a question: does each server have to have its own policy in the firewall, even a virtual server? If yes, I have two other VM servers in the same location (Nutanix). I don't see that either of those two servers has its own ALLOWING policy, but they're able to route to the outside internet.

    Ede, another amazing expert in this post told me to check the logs and I did. The policy it's in is source all (0.0.0.0/0) to destination all (0.0.0.0/0).

    ede_pfau
    SuperUser
    January 8, 2020

    OK, so an 'all-to-all ACCEPT' policy is good for all servers/hosts on your LAN.

    If only this one server does not correctly connect to a host on the internet, you could look into the traffic using the CLI (console window):

    diag debug enable

    diag sniffer packet any 'host 192.168.456.789 and icmp' 4


    where you substitute the fake address with the source address of the server on your LAN. Then, start a ping on that server to 8.8.8.8 and record the output. You should see 'ICMP request' and 'ICMP reply' packets.

    Maybe you could copy&paste the output and post it here.
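An added example, not from the thread or from Fortinet, that reads the kind of sniffer output ede_pfau asks for and classifies where the ICMP exchange stops (request never leaves the WAN side, leaves without NAT, or no reply comes back). The interface names port2/wan1, the server address 192.168.10.25 and the sample lines are constructed assumptions; the line layout follows the verbosity-4 format "time iface in|out src -> dst: icmp: echo request|reply".

```python
import re

# Constructed sample of 'diag sniffer packet any "host 192.168.10.25 and icmp" 4' output
# (not captured from a real device). Every request leaves wan1 with the private
# source address unchanged and no reply ever comes back: the NAT-unchecked case.
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[host 192.168.10.25 and icmp]
1.001 port2 in 192.168.10.25 -> 8.8.8.8: icmp: echo request
1.002 wan1 out 192.168.10.25 -> 8.8.8.8: icmp: echo request
2.001 port2 in 192.168.10.25 -> 8.8.8.8: icmp: echo request
2.002 wan1 out 192.168.10.25 -> 8.8.8.8: icmp: echo request
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)

def parse_sniffer(text):
    """Return one dict per ICMP echo line; header and unrelated lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(m.groupdict())
    return pkts

def diagnose(text, lan_ip, lan_iface, wan_iface):
    """Classify where the ping exchange stops, mirroring the checks made in the thread."""
    pkts = parse_sniffer(text)
    req_in = [p for p in pkts if p["kind"] == "request" and p["iface"] == lan_iface and p["dir"] == "in"]
    req_out = [p for p in pkts if p["kind"] == "request" and p["iface"] == wan_iface and p["dir"] == "out"]
    rep_in = [p for p in pkts if p["kind"] == "reply" and p["iface"] == wan_iface and p["dir"] == "in"]
    rep_out = [p for p in pkts if p["kind"] == "reply" and p["iface"] == lan_iface and p["dir"] == "out"]
    if not req_in:
        return "no_request_from_server"   # the server's ping never reached the FortiGate
    if not req_out:
        return "dropped_by_policy"        # entered the LAN port but never left: no matching ACCEPT (implicit deny)
    if any(p["src"] == lan_ip for p in req_out):
        return "nat_not_applied"          # left the WAN with a private source: NAT unchecked, reply cannot return
    if not rep_in:
        return "no_reply_from_internet"   # translated request left, nothing came back: upstream problem
    if not rep_out:
        return "reply_not_forwarded"      # reply reached the WAN port but was not delivered to the LAN
    return "ok"

if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT, "192.168.10.25", "port2", "wan1"))
```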