Description | This article describes the behavior when trying to ping the internet from any of the local interfaces of the FortiGate. |
Scope | FortiGate. |
Solution |
Testing connectivity by setting a source address with 'exec ping-options source <IP>' and then pinging the internet (exec ping 8.8.8.8) will not work.
Debug flow:
Session output:
By default, FortiGate can ping only from the interface through which the route is present in the FIB table. Traffic generated by the firewall itself is sent directly, and no security policies come into play. As a result, no NAT is triggered. This is by design.
For example, consider a ping from a LAN port to the internet:
LAN port IP: 10.10.10.1, WAN port IP: X.X.X.X <- On the firewall.
Flow: Ping initiated from 10.10.10.1 <-----> ISP Gateway Router
The ISP router will not recognize the internal IP, as it expects traffic only from X.X.X.X. Because of this, the traffic is dropped.
A related article describes the same behavior and also notes that the traffic is direct (locally generated) and no Firewall Policy is hit: Technical Tip: Unable to ping public servers (for testing) using ping-option source interface
The behavior is the same even when the source IP address is a VLAN interface IP, as described in this article: Technical Tip: Testing internet connectivity from FortiGate interface
The Policy Route will not be hit either, since this kind of traffic is locally generated, as mentioned in this article: Technical Tip: Policy routes will not work for FortiGate initiated traffic |
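The following FortiOS CLI sequence is an added example, not part of the original article: it is one way to confirm on a live unit that the sourced ping leaves un-NATed and bypasses policy. It reuses the article's sample LAN IP 10.10.10.1 and target 8.8.8.8; lines starting with # are annotations, not commands.

```fortios
# --- CLI session 1: watch the ICMP packets on every interface ---
# Verbosity 4 prints the interface name next to each packet header.
# Expect the echo request to leave on the interface holding the route
# with source 10.10.10.1 unchanged (no NAT), and no echo reply.
diagnose sniffer packet any 'icmp and host 8.8.8.8' 4

# --- CLI session 2: run the test and collect evidence ---
# 1. Confirm which interface the FIB uses to reach the target.
get router info routing-table details 8.8.8.8

# 2. Arm the debug flow for ICMP to the target (first 10 packets).
diagnose debug reset
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# 3. Source the ping from the LAN interface IP.
execute ping-options source 10.10.10.1
execute ping 8.8.8.8

# 4. Stop the trace. In the output, the packet is reported as
#    received "from local" and no firewall policy is matched.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 5. Inspect the session entry: the source stays 10.10.10.1,
#    with no translated address.
diagnose sys session filter clear
diagnose sys session filter dst 8.8.8.8
diagnose sys session filter proto 1
diagnose sys session list

# 6. Restore defaults so later pings use the automatic source.
execute ping-options reset
diagnose sys session filter clear
```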
Copyright 2025 Fortinet, Inc. All Rights Reserved.