Fortinet Forum
oes
New Contributor

Cannot ping to fortigate vlan interface

I created a VLAN with IP 10.0.1.1/255.255.255.0 for lan. In the firewall policy, I created a rule that allows access from the lan to the VLAN. When connecting with a laptop to lan, ping 10.0.1.1 is not available. FG-100E, FortiOS v6.4.1 build1637. How to fix?

boneyard
Valued Contributor

Did you allow ping on the VLAN interface?

https://docs.fortinet.com...e-access-to-interfaces

Do you use trusted hosts on the admin accounts? If yes, is the LAN subnet there?

simonorch

I would also highly recommend you patch to 6.4.2 or 6.4.3. Likely not related to this specific problem, but you will hopefully avoid others.

NSE8 Fortinet Expert partner - Norway

oes
New Contributor

Updated to FortiOS v6.4.3 build1778. Ping is allowed everywhere. "trusted hosts on the admin accounts" - where are they located in the GUI? Or can they be customized only in the CLI?

boneyard
Valued Contributor

Possible via GUI, just look if trusted hosts are enabled on the admin accounts.

If not, that is not your issue.

diagnose sniffer packet any 'host 10.0.1.1'

and then performing the ping from the workstation would be an interesting next step.

simonorch

A couple more thoughts for you.

I take it you don't have vdoms enabled and the two interfaces are in different vdoms?

How about source NAT on the relevant firewall rule?

Also worth seeing how the firewall is handling those packets:

diag debug flow filter addr 10.0.1.1
diag debug flow trace start 50
diag debug en

NSE8 Fortinet Expert partner - Norway

oes
New Contributor

Trusted hosts in administrator accounts are not enabled.

"diagnose sniffer packets any 'host 10.0.1.1'" - command result "Command fail. Return code -61".

vdoms not included.

simonorch

He made a little typo, it's packet not packets.

Try

diagnose sniffer packet any 'host 10.0.1.1'

NSE8 Fortinet Expert partner - Norway

oes
New Contributor

Execution result:

"interfaces=[any]

filters=[host 10.0.1.1] 0 packets received by filter 0 packets dropped by kernel"

boneyard
Valued Contributor

Assuming you performed a ping, it seems the firewall doesn't see it.

Can you share the interface config and firewall policy? Screenshots might help, else CLI output.