FortiGate
Raghu_Kumar
Staff
Article Id 217761
Description This article describes why users are unable to ping public servers (for testing) from the FortiGate CLI when ping-options source is set to the LAN interface IP.
Scope FortiGate, all firmware versions.
Solution

Consider the following network, where a ping sourced from the LAN-facing interface IP 10.254.8.65 is used to test reachability of a public server.

 

LAN<-->(10.254.8.65) FGT (96.90.29.254)<-->WAN ---> (8.8.8.8)GoogleDNS

 

execute ping-options source 10.254.8.65

execute ping 8.8.8.8

 

PING 8.8.8.8 (8.8.8.8): 56 data bytes

 

--- 8.8.8.8 ping statistics ---

5 packets transmitted, 0 packets received, 100% packet loss


 


 

  • This is expected behavior: the pings are local traffic generated by the FortiGate itself, and they are sourced from the private address 10.254.8.65.
  • To confirm that a host in the LAN can reach public servers (the internet), test from one of the hosts, not from the firewall.
  • Traffic passing through the firewall matches a firewall policy and is NATed there; traffic generated locally by the FortiGate is not.
  • Local (self-originated) traffic does not match an IPv4 firewall policy.
  • The firewall is effectively being asked to send a ping sourced from a private IP out of the WAN port without NAT. Private (RFC 1918) addresses are not routable on the internet, so either the packet is dropped upstream or the reply to 10.254.8.65 has no return path; either way, no response arrives.
  • Testing from the firewall itself is therefore not ideal, at least not with a private IP as the source.
  • Generating the traffic from a host works, and the packets can be traced to see the route they take.
  • Sourcing the ping from a public IP (the WAN IP) and pinging a public IP works.

 

If one wonders why it works when the source option is not set: when 8.8.8.8 is pinged without a source, the FortiGate automatically uses the public WAN IP of the egress interface as the source, so the pings succeed.

So this is an expected behavior and not an issue with the FortiGate.

 

To reset the ping-options to their defaults, use the command below:

 

exec ping-options reset
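The following CLI session is an added example, not from the original article, that shows how to observe this behavior from the FortiGate itself: the same ping is run first with the LAN IP and then with the WAN IP as source, while the built-in packet sniffer runs in a second CLI session to confirm that the LAN-sourced echo requests leave the WAN port un-NATed and never get a reply. The interface name wan1, the FGT # prompt, the timestamps and all output lines are assumed for illustration.

```text
# Added example; interface name wan1, the FGT # prompt and all output
# are assumed for illustration (not from the original article).

# Session 1: capture ICMP to/from 8.8.8.8 on the WAN interface.
# Verbose level 4 prints interface and direction; count 0 = run until Ctrl-C.
FGT # diagnose sniffer packet wan1 'host 8.8.8.8 and icmp' 4 0
interfaces=[wan1]
filters=[host 8.8.8.8 and icmp]

# Session 2: ping sourced from the LAN interface IP (local-out traffic:
# no firewall policy is consulted, so no NAT is applied).
FGT # execute ping-options source 10.254.8.65
FGT # execute ping-options view
Ping Options:
        Repeat Count: 5
        Data Size: 56
        Timeout: 2
        Interval: 1
        TTL: 64
        TOS: 0
        DF bit: unset
        Source Address: 10.254.8.65
        ...
FGT # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

# Session 1 shows the requests leaving with the private source and no reply:
1.234567 wan1 out 10.254.8.65 -> 8.8.8.8: icmp: echo request
2.234891 wan1 out 10.254.8.65 -> 8.8.8.8: icmp: echo request
...

# Session 2: same test sourced from the WAN IP, which is publicly routable.
FGT # execute ping-options source 96.90.29.254
FGT # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=117 time=12.3 ms
...
5 packets transmitted, 5 packets received, 0% packet loss

# Session 1 now shows both request and reply:
6.101122 wan1 out 96.90.29.254 -> 8.8.8.8: icmp: echo request
6.113456 wan1 in 8.8.8.8 -> 96.90.29.254: icmp: echo reply

# Stop the sniffer in session 1 with Ctrl-C, then clear the source so later
# pings use the egress interface IP again.
FGT # execute ping-options reset
```

If the first sniffer capture shows no echo request at all on wan1, the packet is not even leaving the FortiGate; check the routing table with get router info routing-table all before concluding anything about upstream filtering.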

 

Technical Tip: Pinging out to Internet from local interface describes the same behavior. It explains that the traffic is local (generated by the FortiGate itself) and therefore does not hit any firewall policy.

 

Even if the source address is the IP of a VLAN interface, the behavior is the same, as explained in Technical Tip: Testing internet connectivity from FortiGate interface.

 

Policy routes are also not hit, since the traffic generated is still local, as explained in Technical Tip: Policy routes will not work for FortiGate initiated traffic.