FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Renante_Era
Staff
Article Id 341752
Description This article describes the commands needed to initially determine why a port forwarding (VIP) configuration is not working.
Scope FortiGate.
Solution
  1. Make sure that the traffic from outside is reaching the FortiGate by using the sniffer:

diag sniffer packet any 'host <public IP address of source> and port <port number>' 4

Example:

If the source IP address is w.x.y.z (in this example, the source public IP address) and the port is 80:

diag sniffer packet any 'host w.x.y.z and port 80' 4

The output shows whether the packet reached the FortiGate. In this case, there should be inbound SYN packet(s) from the source IP address.

 

  2. Run a debug flow if there is an inbound SYN packet but the 3-way handshake does not complete:

diagnose debug reset
diagnose debug disable
diagnose debug flow filter clear
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow filter addr <source public IP address>
diagnose debug flow filter port <port number>
diagnose debug flow trace start 99
diagnose debug enable

To disable the debug flow once it is no longer needed:

diagnose debug disable
diagnose debug reset

 

The output of the debug flow should provide more details. For instance, traffic denied by the implicit policy 0 means that there is either no corresponding firewall policy or a misconfigured firewall policy (wrong interface(s) or service(s)). In some cases, the cause is an overlapping subnet. For instance, if the LAN IP address is 192.168.200.200 and the SSL VPN IP address range also includes 192.168.200.200, the packets are routed towards the ssl.<vdom> interface instead of the LAN interface.
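The following added example (not part of the original article) shows how the two outputs above can be read together to classify the failure. The sample sniffer and debug flow lines are constructed: their shape follows the FortiGate sniffer (verbosity 4) and debug flow format, but the addresses, interface names and session values are invented, and the interface name "internal" is an assumption.

```python
import re

# Constructed sample output (shape follows FortiGate output, values are invented).
SNIFFER_OUTPUT = """\
3.102540 wan1 in 203.0.113.10.51234 -> 198.51.100.5.80: syn 1192755012
4.104911 wan1 in 203.0.113.10.51234 -> 198.51.100.5.80: syn 1192755012
"""
FLOW_OUTPUT = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51234->198.51.100.5:80) from wan1. flag [S], seq 1192755012, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_pre_route_handler line=182 msg="VIP-192.168.200.200:80, outdev-wan1"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3224 msg="DNAT 198.51.100.5:80->192.168.200.200:80"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-192.168.200.200 via ssl.root"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
"""

# Sniffer verbosity 4 line: <time> <intf> in <src>.<sport> -> <dst>.<dport>: syn <seq>
SYN_RE = re.compile(r"^\S+ (\S+) in (\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+): syn ")
ROUTE_RE = re.compile(r'msg="find a route: .* via (\S+)"')
DENY_RE = re.compile(r'msg="Denied by forward policy check \(policy (\d+)\)"')

def inbound_syns(sniffer_text, src_ip, dport):
    """Return the ingress interface of every inbound SYN from src_ip to dport."""
    hits = []
    for line in sniffer_text.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(2) == src_ip and m.group(5) == str(dport):
            hits.append(m.group(1))
    return hits

def diagnose(sniffer_text, flow_text, src_ip, dport, lan_intf):
    """Map the sniffer and debug flow output onto the failure modes described above."""
    if not inbound_syns(sniffer_text, src_ip, dport):
        return "no inbound SYN: traffic is not reaching the FortiGate (check upstream)"
    egress = None
    for line in flow_text.splitlines():
        r = ROUTE_RE.search(line)
        if r:
            egress = r.group(1)  # interface the route lookup selected for the DNAT'd packet
        d = DENY_RE.search(line)
        if d:
            if egress and egress != lan_intf:
                return (f"denied by policy {d.group(1)}: routed via {egress} instead of "
                        f"{lan_intf}, check for an overlapping subnet (e.g. SSL VPN range)")
            return f"denied by policy {d.group(1)}: missing or misconfigured firewall policy"
    return "SYN reached the FortiGate and was not denied; check the internal server and return path"
```

The constructed flow output reproduces the overlapping-subnet case: the route lookup picks ssl.root rather than the LAN interface, so the VIP policy bound to the LAN interface never matches and policy 0 drops the packet.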

Create a new ticket at support.fortinet.com and attach the collected sniffer and debug flow output if further assistance is needed to examine it.