FortiGate
nweckel
Staff
Article Id 371487
Description

This article describes a change of behavior in version 7.2.6 and later where a FortiGate interface does not respond to ping even though ping is allowed in the interface configuration.
Scope

FortiGate version 7.2.6 and later with asymmetric routing enabled.

Asymmetric routing enabled in VDOM system settings:

config system settings
    set asymroute enable
end

Two or more interfaces configured with ping access allowed:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh telnet
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping https ssh telnet
    next
end

The default route is configured via port1:

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set gateway 10.10.10.254
        set device port1
    next
end


After the upgrade to version 7.2.6, port1 responds to ping but port2 does not. SSH access, however, works on both interfaces.

Solution

This behavior is due to a change included in version 7.2.6 (Engineering ID 896891). See the FortiOS 7.2.6 release notes for an explanation.


Before this change, when asymmetric routing was enabled, an interface could respond to a ping even when there was no active route via that interface back to the source of the request (the source IP of the echo request is the destination of the echo reply).
In 7.2.6 and later this no longer works: an active route to the ping source via the receiving interface is required. Other protocols such as SSH and HTTPS are not affected.


As a solution for the above example, create a second static route via the port2 interface so that replies to traffic received on that interface have an active route. The route is added as a new entry (index 2 here) rather than by re-editing entry 1, which would modify the existing port1 route instead of adding one.

config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set distance 10
        set priority 10
        set gateway 10.10.20.254
        set device port2
    next
end


Note: If the ICMP request comes from a host covered by a more specific route on the first interface, for example 192.168.0.0/16 rather than the default route 0.0.0.0/0, the new route via port2 must cover that same subnet; a default route via port2 alone is not enough.
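To make the new rule concrete, here is a small Python model of the route lookup the article describes (an added example, not Fortinet code). It simplifies FortiOS routing to distance, longest prefix and priority, and the ping sources 203.0.113.5 and 192.168.1.10 used with it are constructed values:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    dst: str            # destination prefix, e.g. "0.0.0.0/0"
    device: str         # outgoing interface
    distance: int = 10  # FortiOS default for static routes
    priority: int = 0

def active_routes(routes):
    """Per prefix, keep only the routes with the lowest distance;
    higher-distance duplicates are not installed in the routing table."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    active = []
    for group in by_prefix.values():
        lowest = min(r.distance for r in group)
        active.extend(r for r in group if r.distance == lowest)
    return active

def route_lookup(routes, addr):
    """Longest-prefix match over the active routes. Every route of the
    winning prefix is returned (lowest priority value first): an equal-
    distance route stays active even when its priority is worse."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in active_routes(routes)
               if ip in ipaddress.ip_network(r.dst)]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in matches)
    return sorted((r for r in matches
                   if ipaddress.ip_network(r.dst).prefixlen == longest),
                  key=lambda r: r.priority)

def answers_ping(routes, ingress_if, src_ip):
    """7.2.6+ rule as the article describes it (asymroute enabled): the echo
    reply to src_ip must have an active route out of the ingress interface."""
    return any(r.device == ingress_if for r in route_lookup(routes, src_ip))

# Constructed scenarios mirroring the article (addresses are examples only)
BEFORE = [StaticRoute("0.0.0.0/0", "port1")]
AFTER = BEFORE + [StaticRoute("0.0.0.0/0", "port2", priority=10)]
LAN_VIA_PORT1 = [StaticRoute("192.168.0.0/16", "port1"),
                 StaticRoute("0.0.0.0/0", "port2", priority=10)]
LAN_FIXED = LAN_VIA_PORT1 + [StaticRoute("192.168.0.0/16", "port2", priority=10)]
```

answers_ping(BEFORE, "port2", "203.0.113.5") is False while answers_ping(AFTER, "port2", "203.0.113.5") is True, and LAN_VIA_PORT1 versus LAN_FIXED reproduces the subnet case from the note for a source of 192.168.1.10 arriving on port2.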


Related article:

Technical Note: Routing behavior depending on distance and priority for static routes, and Policy Ba...