Troubleshooting Tip: Unable to Ping interface IP / FortiGate IP from local subnets

Description

This article explains how to resolve the fact that is it not possible to Ping interface IP / FortiGate IP from local subnets.

Scope

FortiGate.

Solution

Step 1: Make sure if the host machine in the local subnet has received the ARP entry of FortiGate’s interface in its mac address table, and vice-versa check on FortiGate as well if the ARP entry (MAC address) of the host machine is populated under ARP table. 
 
Windows: arp -a 
 
Fortigate: get system arp 

Step 2: Check if the PING option is enabled in the Administrative Access of Network -> Interface section on the GUI.

Configuration CLI:

config system interface
    edit "port2"
        set vdom "root"
        set ip 172.168.2.1 255.255.255.0
        set allowaccess ping https <----- 'ping' allowed.
        set type physical
        set alias "FAZ"
        set device-identification enable
        set snmp-index 2
    next
end

Configuration GUI:

Step 3: Check if 'Trusted Hosts' is configured for the admin user. Check this via GUI by navigating to System -> Admin / Administrators -> 'Restrict login to Trusted hosts'.

Here if the option is enabled, a set of IP or IP Ranges or Subnets will be added.

If enabled, check if the IP used to ping is added to the list or not. If it is not added, add it either as a single IP (/32) or allow a complete range (/24).

Configure the same for IPv4 as well as IPv6.

Configuration CLI:

config system admin
    edit "xxxxx"   <----- Desired Admin Name.
        set remote-auth disable
        set peer-auth disable
        set trusthost1 0.0.0.0 0.0.0.0
        set trusthost2 0.0.0.0 0.0.0.0
        set trusthost3 0.0.0.0 0.0.0.0
        set trusthost4 0.0.0.0 0.0.0.0
        set trusthost5 0.0.0.0 0.0.0.0
        set trusthost6 0.0.0.0 0.0.0.0
        set trusthost7 0.0.0.0 0.0.0.0
        set trusthost8 0.0.0.0 0.0.0.0
        set trusthost9 0.0.0.0 0.0.0.0
        set trusthost10 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
        set ip6-trusthost2 ::/0
        set ip6-trusthost3 ::/0
        set ip6-trusthost4 ::/0
        set ip6-trusthost5 ::/0
        set ip6-trusthost6 ::/0
        set ip6-trusthost7 ::/0
        set ip6-trusthost8 ::/0
        set ip6-trusthost9 ::/0
        set ip6-trusthost10 ::/0
        set accprofile "super_admin"
        set comments ''
        set vdom "root"
        unset ssh-public-key1
        unset ssh-public-key2
        unset ssh-public-key3
        set ssh-certificate ''
        set schedule ''
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set password ENC SH27OrKehKne+v+QY/N7np1BXbm/o4llqeqZagoIS3YUDj11Boj0NttcQNHaZg=
        set allow-remove-admin-session enable
    next
end

Configuration GUI: