FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
SassiVeeran
Staff
Article Id: 291470
Description: This article describes how to ensure a FortiGate WAN IP is reachable by a test ping from the dashboard when a VIP is configured for that IP.
Scope: FortiGate 6.4.8 and below.
Solution
  • A test ping from the internal network to the FortiGate WAN IP fails in the dashboard.
  • A packet sniffer shows the ICMP request entering the FortiGate, but no ping reply is sent from the WAN IP.
  • Debugging shows the packet being dropped with the error 'iprope_in_check() check failed on policy 0, drop'.

In this example, the WAN IP is 161.142.148.52.

[Image: wanIP.PNG]

Sniffer:

[Image: sniffer packet ping.PNG]

Debug:

[Image: debug deny policy.PNG]

  • No IP pool is configured. It was discovered that the FortiGate has a VIP mapping the WAN IP to an internal IP address, but that VIP is not used in any firewall policy.
  • This happens because a VIP's external IP is treated as a local IP address when the VIP is set to respond to ARP requests for that address (arp-reply enabled). The ping to the WAN IP is therefore matched against the VIP and, with no firewall policy using it, is dropped by the implicit policy 0.
  • The solution is to disable ARP replies in the VIP (arp-reply is enabled by default):
config firewall vip
    edit <name>
        set arp-reply disable
    next
end
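The two conditions described above (a VIP whose arp-reply is enabled, and that VIP not referenced by any firewall policy) can be checked offline against a configuration backup before touching the unit. The following Python script is an added example, not Fortinet code: it parses the `config firewall vip` and `config firewall policy` tables of a FortiOS-style text backup, treats a VIP with no explicit `set arp-reply` line as enabled (the default noted above), and lists VIPs that answer ARP for their external IP but are used by no policy. The configuration text, VIP names and addresses are constructed for the example; the parser only reads top-level tables and the `dstaddr` reference form, so a real backup may need more cases.

```python
"""Audit a FortiOS-style configuration backup for VIPs that answer ARP for their
external IP (arp-reply enabled, the default) yet are referenced by no firewall
policy, the combination this article identifies.  Added example, not Fortinet's
code; the configuration below is constructed, names and addresses are placeholders.
"""
import re

# Constructed sample backup:
#   web-vip  is referenced by policy 1                        -> not flagged
#   old-vip  has no arp-reply line (default enable), no policy -> flagged
#   lab-vip  is unused but arp-reply is already disabled       -> not flagged
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
    edit "old-vip"
        set extip 203.0.113.11
        set mappedip "10.0.0.11"
    next
    edit "lab-vip"
        set extip 203.0.113.12
        set mappedip "10.0.0.12"
        set arp-reply disable
    next
end
config firewall policy
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
    next
end
"""


def parse_fortios(config_text):
    """Return (vips, policy_dstaddrs).

    vips maps VIP name -> {"extip": str or None, "arp_reply": "enable"/"disable"}.
    policy_dstaddrs is the set of object names used as dstaddr in any policy.
    Only top-level tables are read; nested tables (e.g. 'config realservers'
    inside a VIP) are skipped so their 'edit' lines do not clobber state.
    """
    vips, dstaddrs = {}, set()
    stack, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            continue
        if line == "end":
            stack.pop()
            current = None
            continue
        if len(stack) != 1:
            continue  # inside a nested table, or outside any table
        section = stack[0]
        if line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            if section == "firewall vip":
                # FortiOS default: arp-reply is enabled unless set otherwise
                vips[current] = {"extip": None, "arp_reply": "enable"}
            continue
        if line == "next":
            current = None
            continue
        if current is None or not line.startswith("set "):
            continue
        key, _, value = line[len("set "):].partition(" ")
        if section == "firewall vip" and current in vips:
            if key == "extip":
                vips[current]["extip"] = value.strip('"')
            elif key == "arp-reply":
                vips[current]["arp_reply"] = value.strip()
        elif section == "firewall policy" and key == "dstaddr":
            dstaddrs.update(re.findall(r'"([^"]+)"', value))
    return vips, dstaddrs


def find_unused_arp_vips(config_text):
    """Sorted names of VIPs with arp-reply enabled that no policy references."""
    vips, dstaddrs = parse_fortios(config_text)
    return sorted(name for name, v in vips.items()
                  if v["arp_reply"] == "enable" and name not in dstaddrs)


if __name__ == "__main__":
    vips, _ = parse_fortios(SAMPLE_CONFIG)
    for name in find_unused_arp_vips(SAMPLE_CONFIG):
        print(f"{name}: extip {vips[name]['extip']} answers ARP but no policy uses it")
```

Only VIPs that are both unreferenced and answering ARP are reported, which is exactly the combination behind the dropped ping above; a VIP that a policy does use is left alone, and the reported names are the ones to apply `set arp-reply disable` to in `config firewall vip`.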
 
Related document: