Fortinet Forum
anru
New Contributor

Enable traceroute between interfaces

I configured several interfaces on my FG-600 with different subnets. From hosts on all subnets I can ping all hosts on the other subnets, and other types of traffic are also OK, but when I try the traceroute command it doesn't work (* * * *). Where's the problem? Thanks.
RH2
New Contributor

Add a policy allowing any ICMP service, or just the traceroute service, from each interface to the next interface you want to trace the traffic through. For example, we use internal, dmz, and wan interfaces with different subnets. We have a policy allowing the traceroute service from specific source addresses to destination addresses on the following interface pairs: internal to dmz, internal to wan, dmz to internal, dmz to wan, wan to internal, wan to dmz. We limit all source addresses for the traffic coming into the wan interface so only our external subnets can traceroute or even ping, but we allow traceroute and ping from our internal interface to "all" destination addresses so we can troubleshoot.
anru
New Contributor

I added the following policies to troubleshoot:

Interface A (any) -> Interface B (any), ALL protocols
Interface B (any) -> Interface A (any), ALL protocols

From hosts on subnet A to hosts on subnet B, ping is OK, but traceroute is KO! Why??
AtiT
Valued Contributor

Hi, enable logging on the default DENY policy. After that, try the traceroute. You should see some allowed or denied entries in the logs. Another step can be to sniff the packets. Let's say you have your machine with IP A.A.A.A from which you are trying the traceroute. Try the command:

diagnose sniffer packet any 'host A.A.A.A' 4

Then try the traceroute. CTRL+C will stop the sniffer. If you have a lot of sessions on your A.A.A.A machine, you can also include the remote machine that you are trying to find with traceroute. Let's say the remote machine IP is B.B.B.B; then the command is:

diagnose sniffer packet any 'host A.A.A.A and host B.B.B.B' 4

What are the results?

AtiT
--------------------
NSE 8, CCNP R+S

JohnAgora

Is there a command similar to "execute ping-options" for traceroute?

ahmadhusain

Dear all,

I can't traceroute from the router and switch to the FortiGate; it shows me *****.

But I can traceroute from the FortiGate to other devices, and I can also traceroute from the computer to the FortiGate.

The only problem is on the Cisco router and switch when I trace to the FortiGate.

Please help.

selassi

My problem is making my head spin. A host and an FTG in different geo locations can ping each other well, and the traffic goes through MPLS. But when the host tries to connect to a specific port on the FTG, the host can only see the default gateway and the rest is **************.

Why is the host failing to see the other interface of the FTG?

Hoping to find Help

Muhammad_Haiqal

Hi, this reference might help:

https://forum.fortinet.com/tm.aspx?m=115674

haiqal
evan_wang

Routers and switches use UDP high ports (starting at UDP 33434) for traceroute; Windows uses ICMP echo requests to do this. The FortiGate will deny UDP traffic towards its interface. I think it will work if you use a Windows PC, or use Linux with traceroute -I.
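To make the point of the sniffer advice and the last reply concrete, here is an added example (not from the thread or from Fortinet) that classifies constructed `diagnose sniffer packet` verbosity-4 style lines by probe type, so you can see whether a host is sending UDP traceroute probes (which need a policy or local-in rule covering UDP 33434 and up) or ICMP echo requests (which a PING policy already allows). The sample lines, the 33434-33523 port range (30 hops x 3 probes of classic UNIX traceroute) and the service names PING/TRACEROUTE are assumptions for illustration.

```python
import re

# Constructed sample modelled on 'diagnose sniffer packet any ... 4' output;
# these lines are invented for the example, not a real capture.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 10.1.1.5 and host 10.2.2.10]
1.112233 port1 in 10.1.1.5.54821 -> 10.2.2.10.33434: udp 32
1.112456 port1 in 10.1.1.5.54822 -> 10.2.2.10.33435: udp 32
2.001234 port1 in 10.1.1.5 -> 10.2.2.10: icmp: echo request
2.001300 port2 out 10.2.2.10 -> 10.1.1.5: icmp: echo reply
3.500000 port1 in 10.1.1.5.40000 -> 10.2.2.10.443: syn 123456
"""

# Assumption: classic UNIX traceroute starts at UDP 33434 and increments the
# destination port per probe; 30 hops x 3 probes ends at 33523.
TRACEROUTE_UDP_MIN = 33434
TRACEROUTE_UDP_MAX = 33523

# Assumption: predefined FortiGate service names used in the firewall policy.
SERVICE_FOR_KIND = {"udp-traceroute": "TRACEROUTE", "icmp-echo": "PING"}

PKT_RE = re.compile(r"^\d+\.\d+ \S+ (?:in|out) (.*)$")
UDP_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) -> (\d+(?:\.\d+){3})\.(\d+): udp")
ICMP_RE = re.compile(r"(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}): icmp: echo request")


def classify_line(line):
    """Return 'udp-traceroute', 'icmp-echo' or 'other' for one packet line,
    or None if the line is not a packet line (sniffer header, filter echo)."""
    pkt = PKT_RE.match(line.strip())
    if not pkt:
        return None
    body = pkt.group(1)
    m = UDP_RE.search(body)
    if m and TRACEROUTE_UDP_MIN <= int(m.group(4)) <= TRACEROUTE_UDP_MAX:
        return "udp-traceroute"
    if ICMP_RE.search(body):
        return "icmp-echo"  # ping and 'traceroute -I' look the same on the wire
    return "other"


def summarize(text):
    """Count packet lines per probe kind, skipping non-packet lines."""
    counts = {"udp-traceroute": 0, "icmp-echo": 0, "other": 0}
    for line in text.splitlines():
        kind = classify_line(line)
        if kind is not None:
            counts[kind] += 1
    return counts


def services_needed(text):
    """Sorted list of policy services the observed probes would require."""
    counts = summarize(text)
    return sorted(SERVICE_FOR_KIND[k] for k, n in counts.items() if n and k in SERVICE_FOR_KIND)
```

Run it against the real sniffer output pasted into `SAMPLE_SNIFFER_OUTPUT`: if `services_needed` reports TRACEROUTE while only ping is allowed, the policy (or the local-in rule, when the FortiGate itself is the target) is the thing to fix.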