Description
When trusted hosts are configured for all firewall administrators, ping does not reply if the source IP of the ICMP request is not included in the trusted hosts.
This article describes how to troubleshoot this issue.
Solution
When trusted hosts are configured for ALL administrators in a FortiGate, the PING feature on the interfaces will only respond if the source address of the PING is included in the configured Trusted Hosts.
For example: If a Load-Balancer has an IP of 10.253.200.4 - 10.253.200.5, the PING from the Load-Balancer will not be replied to if these IPs are not included in the Trusted hosts configured in the administrator settings.
In FortiOS, "ping" is one of the admin access services subject to the "trusthost[1-10]" settings (up to FOS 5.6, see below). So if trusted hosts are added on all administrators, the FortiGate's IP is pingable only from those trusted hosts. Trying to ping the FortiGate's IP from any other IP address will fail.
There are two workarounds if you need to configure Trusted hosts under all existing Administrators of the firewall.
Scenario 1:
- Create an Admin Access Profile with no rights (none) on the firewall:
# config system accprofile
    edit "none"
    next
end
- Create an administrator using the above accprofile:
# config system admin
    edit "bulk_admin"
        set accprofile "none"
        set vdom "root"
        set password ****
    next
end
If all other administrators have Trusted Hosts configured, a "Bulk Administrator" with no rights on the firewall and no Trusted Hosts will allow PING to work on the FortiGate's interfaces.
Scenario 2:
Configure the subnets of the equipment pinging the FortiGate's IP into the Trusted Hosts of one admin:
For example:
# config system admin
    edit "admin"
        set trusthost1 192.168.0.0 255.255.0.0
        set trusthost2 10.253.200.0 255.255.255.248 <== subnet of the unit pinging the FortiGate's IP address
        set accprofile "super_admin"
        set vdom "root"
    next
end
This will allow the Load-Balancer to PING the system interfaces, since the IP addresses of the Load-Balancer are now included in the trusted hosts of one administrator.
Starting from FortiOS 6.0, Ping works from any source IP address if the service is enabled on the interface, regardless of whether any trusted hosts are set in the administrator settings. Other services are still limited by the trusted host settings.
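The following Python model is an added example, not FortiOS code or anything from this article's author; it encodes the rule described above (pre-6.0: ping is accepted only if some administrator has no trusted hosts, or the source falls inside some administrator's trusthost entry; 6.0 and later: ping ignores trusted hosts) so that both workarounds and the version change can be checked against sample administrator configurations. The administrator dictionaries and the `fortios_major` parameter are constructed for the example.

```python
import ipaddress

# Constructed sample mirroring the "config system admin" entries in this
# article. Each administrator maps to its trusthostN values ("ip netmask");
# an empty list means that administrator has no trusted hosts configured.
BEFORE_WORKAROUND = {
    "admin": ["192.168.0.0 255.255.0.0"],
}

# Scenario 1: a "bulk_admin" with access profile "none" and no trusted hosts.
SCENARIO_1 = {
    "admin": ["192.168.0.0 255.255.0.0"],
    "bulk_admin": [],
}

# Scenario 2: the Load-Balancer subnet added as trusthost2 of one admin.
SCENARIO_2 = {
    "admin": ["192.168.0.0 255.255.0.0", "10.253.200.0 255.255.255.248"],
}


def parse_trusthost(entry: str) -> ipaddress.IPv4Network:
    """Convert a FortiOS 'trusthostN <ip> <netmask>' value into a network."""
    ip, netmask = entry.split()
    return ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)


def ping_allowed(source_ip: str, admins: dict, fortios_major: int = 5) -> bool:
    """Model of whether the FortiGate answers an ICMP echo from source_ip.

    fortios_major is an assumed parameter standing in for the running
    FortiOS major version. Up to 5.6, ping is subject to the trusted-host
    check like the other admin access services; from 6.0 it is not.
    """
    if fortios_major >= 6:
        # Ping is no longer restricted by administrator trusted hosts.
        return True
    src = ipaddress.IPv4Address(source_ip)
    for trusthosts in admins.values():
        if not trusthosts:
            # An administrator with no trusted hosts opens ping to any source.
            return True
        if any(src in parse_trusthost(t) for t in trusthosts):
            return True
    return False


def load_balancer_can_ping(admins: dict, fortios_major: int = 5) -> bool:
    """Check both Load-Balancer addresses from the article (10.253.200.4-.5)."""
    return all(
        ping_allowed(ip, admins, fortios_major)
        for ip in ("10.253.200.4", "10.253.200.5")
    )


if __name__ == "__main__":
    print("before workaround:", load_balancer_can_ping(BEFORE_WORKAROUND))
    print("scenario 1:", load_balancer_can_ping(SCENARIO_1))
    print("scenario 2:", load_balancer_can_ping(SCENARIO_2))
    print("FortiOS 6.0+:", load_balancer_can_ping(BEFORE_WORKAROUND, 6))
```

The /29 in Scenario 2 covers 10.253.200.0 through 10.253.200.7, so a source just outside it (for example 10.253.200.9) is still refused on pre-6.0 firmware; this is the check to run when a trusted-host workaround does not behave as expected.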