Skip to main content
okeozkilic
okeozkilic
New Member
July 21, 2021
Question

WAN to WAN Connection

  • July 21, 2021
  • 2 replies
  • 4407 views

Hello,

 

We share the same public subnet with 2 other entities. All 3 entities use the same gateway. 

For example (please assume that the IPs belong to a public block):

A: 10.1.1.11/24

B: 10.1.1.12/24

C: Has the rest of the subnet IPs except the ISP IP

ISP: 10.1.1.1

 

I created a VIP and a firewall policy and made sure that those are working (did tests from home, made a successful connection). My issue is: I cannot make the same connection when I try to connect from any other entities' private subnets (Let's say, the packet originates from entity B's WAN IP (10.1.1.12) and arrives to my firewall's WAN 10.1.1.11). On my firewall (FortiGate 100F, v7.0.1) I see that the packet arrives but it is not directed anywhere (simply dropped, checked it using cli "diagnose sniffer packet any..."). I tried to add a WAN to WAN any any accept rule for test and that did not work either. The other interesting thing is, I did not see a log for this blocking activity. Though I should say that I might have configured the logging settings wrong. 

 

I am currently replacing our old Palo Alto firewall with the FortiGate. I had the same rules/NATs on that Palo Alto firewall and I never had any issues (I am just trying to say that there is no other entity firewall rule that is blocking this kind of connection). 

 

Can you please help me with this problem of mine? I believe I am missing something simple. Thank you in advance.

 

Regards,

2 replies

nomeursy
nomeursy
New Member
July 23, 2021

Did you apply SNAT on the B Firewall, for this traffic? Also 7.0.1 is the first patch of the new 7.0 stream, my experience, tells me to not run this in production yet. I always wait until the 4th patch.

okeozkilic
okeozkilicAuthor
New Member
July 23, 2021

Did you apply SNAT on the B Firewall, for this traffic?

I have no access to Firewall B configuration but I can tell that they have that in place. I took my laptop and get into their network  (got a private IP in a subnet behind Firewall B) and tried to access my firewall (Firewall A). I was able to see the public IP of Firewall B on Firewall A sniffer. 

 

Also 7.0.1 is the first patch of the new 7.0 stream, my experience, tells me to not run this in production yet. I always wait until the 4th patch.

Well, I agree to that to some extent and I am ready to deal with some minor problems that will show up in these versions but this does not seem to be a minor issue to me (that is why I really think it is my fault or I am missing something along the way). 

 

I also tried this with version 7.0.0 and it did not work either. 

nomeursy
nomeursy
New Member
July 26, 2021

"was able to see the public IP of Firewall B on Firewall A sniffer. "

Ok, that’s checked. You tested it from a different public Source IP and it worked? In that case, VIP and Firewall rule is correct. Only thing different seems to be the Firewall A and B are in the same Public subnet. The ISP is not blocking, because it worked on you Palo. Very change problem then. Logs, don’t show any drop reason? You could test with 6.4.6. Or log a case with Fortinet support.

okeozkilic
okeozkilicAuthor
New Member
July 26, 2021

You tested it from a different public Source IP and it worked?

True

 

Only thing different seems to be the Firewall A and B are in the same Public subnet.

True

 

Very change problem then. Logs, don’t show any drop reason?

I will check this again. I will go through my log settings and double check everything. After that I will update this post.

 

okeozkilic
okeozkilicAuthor
New Member
July 26, 2021

...OK

 

I had a synchronization issue in Firewall A cluster. I got a synchronization error (or some similar message) and that stayed about 30 minutes. I restarted the cluster and then the NAT simply worked. I sometimes get this sync error messages but those only stay for a minute and then disappear. This time it did not. 

 

The other thing is. I tried restarting this firewall cluster before and the NAT problem was still there. There is something going on here that I cannot explain at this very moment and I will be looking into this in more depth. Maybe I should factory reset the firewalls again and start from scratch...

Terms & ConditionsAccessibility statement