What is wrong with my policy?

Question

Hello everybody,

I'm working on a Fortigate 70G v7.2.11

I defined an interface:

Screenshot 2025-05-12 alle 17.41.59.png

and a policy to allow the traffic:

Screenshot 2025-05-12 alle 17.43.18.png

With this policy, I want to say: wherever I call you, you have to allow the traffic.

If I connect to any 70G interface (wifi, wired lan etc.), it works. I can ping 10.0.0.2.

There is only one interface for which this policy does not work:

Screenshot 2025-05-12 alle 17.46.25.png

It's the admin_tunnel (or the ipsec interface), an ipsec interface. I've already tested this ipsec tunnel for other scopes and it works fine. In fact, I already defined one policy:

Screenshot 2025-05-12 alle 17.47.50.png

Screenshot 2025-05-12 alle 17.51.10.png

The problem is that if I'm connected to this tunnel I can't ping 10.0.0.2 anymore.

Why is that?

shouldn't the traffic I send out the tunnel just fall under any -> 70Gto60F (port5) the policy?

raffaeledp · Accepted Answer

Hello,thanks everybody for the answers.The solution was a lot easier than I thought.During the sniffing process, I couldn't see any packet on that interface.The problem was simply that the accesibile network segment defined for the ipsec tunnels didn't contain the 10.0.0.2 address.

AEK · Answer

Hi RafaelIn traffic log, do you see any related traffic that is denied? (you need to enable logs for the implicit deny).You may also try with this command and share the output.diag sniffer packet any "icmp and host 10.0.0.2" 4

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded