I configured several interfaces on my FG-600 with different subnets.
From hosts of all subnets I can ping all hosts of other subnets, and other types of traffic are also OK, but when I try with the traceroute command it doesn't work (* * * *).
Where's the problem?
Add a policy allowing any ICMP service, or just the traceroute service, from each interface to the next interface you want to trace the traffic through.
For example we use internal, dmz, and wan interfaces with different subnets.
We have a policy allowing the traceroute service from specific source addresses to destination addresses on the following interface pairs:
internal to dmz
internal to wan
dmz to internal
dmz to wan
wan to internal
wan to dmz
We limit all source addresses for the traffic coming into the wan interface so only our external subnets can traceroute or even ping, but we allow traceroute and ping from our internal interface to "all" destination addresses so we can troubleshoot.
I added the following policy to troubleshoot:
Interface A (any) -> Interface B (any) ALL protocols
Interface B (any) -> Interface A (any) ALL protocols
From hosts of subnet A to hosts of subnet B ping is OK, but traceroute is KO!
Enable logging on the default DENY policy. After that, try the traceroute. You should see some allowed or denied entries in the logs.
Another step can be to sniff the packets. Let's say you have your machine with IP A.A.A.A from which you are trying the traceroute.
Try the command:
diagnose sniffer packet any 'host A.A.A.A' 4
then try the traceroute.
CTRL+C will stop the sniffer.
If you have a lot of sessions on your A.A.A.A machine you can also include the remote machine that you are trying to find with traceroute. Let's say the remote machine IP is B.B.B.B; then the command is:
diagnose sniffer packet any 'host A.A.A.A and host B.B.B.B' 4
What are the results?
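The sniffer output is easiest to read if you pair each probe that entered the firewall with the copy that left it. Below is an added example (not from the original thread or from Fortinet) that parses constructed sample lines in the style of `diagnose sniffer packet any 'host A.A.A.A' 4` verbosity-4 output (timestamp, interface, direction, addresses) and reports probes from the tracing host that were seen coming "in" on an interface but never going "out", which is what a policy drop looks like in the capture. The sample lines, interface names (port1/port2) and addresses are constructed; the 33434+ UDP range is the one used by classic traceroute.

```python
import re

# Constructed sample, written in the style of FortiOS sniffer verbosity-4 output.
# Not a capture from a real unit. The ICMP echo goes in on port1 and out on port2
# and its reply comes back; the three UDP traceroute probes enter but never leave.
SAMPLE = """\
interfaces=[any]
filters=[host 10.1.1.5]
1.001 port1 in 10.1.1.5 -> 10.2.2.9: icmp: echo request
1.002 port2 out 10.1.1.5 -> 10.2.2.9: icmp: echo request
1.003 port2 in 10.2.2.9 -> 10.1.1.5: icmp: echo reply
1.004 port1 out 10.2.2.9 -> 10.1.1.5: icmp: echo reply
2.001 port1 in 10.1.1.5.40123 -> 10.2.2.9.33434: udp 32
2.050 port1 in 10.1.1.5.40123 -> 10.2.2.9.33435: udp 32
2.100 port1 in 10.1.1.5.40123 -> 10.2.2.9.33436: udp 32
"""

# One packet line: "<ts> <intf> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <proto> ..."
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<proto>\w+)(?P<rest>.*)$"
)


def parse_sniffer(text):
    """Turn sniffer output into a list of packet dicts; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # interfaces=[...] / filters=[...] headers
        d = m.groupdict()
        packets.append({
            "ts": float(d["ts"]), "intf": d["intf"], "dir": d["dir"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"],
        })
    return packets


def classify_probe(pkt):
    """Label the probe type a traceroute tool would have sent."""
    if pkt["proto"] == "udp" and pkt["dport"] is not None and 33434 <= pkt["dport"] <= 33534:
        return "udp-traceroute"
    if pkt["proto"] == "icmp":
        return "icmp"
    return pkt["proto"]


def find_dropped(packets, src_host):
    """Probes from src_host seen entering ('in') but never forwarded ('out').

    Returns [((proto, dst, dport), probe_kind), ...] in first-seen order.
    """
    seen_in, seen_out = {}, set()
    for p in packets:
        if p["src"] != src_host:
            continue
        key = (p["proto"], p["dst"], p["dport"])
        if p["dir"] == "in":
            seen_in.setdefault(key, p)
        else:
            seen_out.add(key)
    return [(key, classify_probe(p)) for key, p in seen_in.items() if key not in seen_out]


if __name__ == "__main__":
    for key, kind in find_dropped(parse_sniffer(SAMPLE), "10.1.1.5"):
        print(f"dropped: {kind} {key[0]} to {key[1]} port {key[2]}")
```

Run against a real capture, a list of "in but never out" UDP probes in the 33434+ range, with the ICMP echo passing, points straight at the service definition on the policy rather than at routing; an empty list with the traceroute still showing `* * *` means the probes were forwarded and the problem is beyond the FortiGate.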
My problem is making my head spin. The host and the FTG, in different geographic locations, can ping each other fine and the traffic goes through MPLS, but when the host tries to connect to a specific port on the FTG, the host can only see the default gateway and the rest is **************
Why is the host failing to see the other interface of the FTG?
Routers and switches use high UDP ports (starting with UDP 33434) for traceroute; Windows uses ICMP echo requests to do this. FortiGate will deny the UDP traffic towards the interface. I think it will work if you use a Windows PC, or use Linux with traceroute -I.
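The difference between UDP-based and ICMP-based traceroute, and why the interface-pair policies described earlier in the thread need a traceroute service and not only ping, can be shown with a small first-match policy evaluator. This is an added example, not code from the thread or from Fortinet: the service matchers are assumptions modelled on FortiOS's predefined PING and TRACEROUTE objects (the UDP range here starts at 33434 as the reply says; the exact upper bound on a real unit may differ), interface names follow the earlier reply, and the probe shapes are the ones classic Linux traceroute (UDP, three probes per hop) and Windows tracert / `traceroute -I` (ICMP echo) send.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Probe:
    proto: str          # "udp" or "icmp"
    dport: int = 0      # UDP destination port; unused for ICMP
    icmp_type: int = 0  # ICMP type; 8 = echo request


# Assumed service definitions, modelled on FortiOS predefined objects (not copied
# from a real configuration). TRACEROUTE covers the high UDP port range.
SERVICES = {
    "PING": lambda p: p.proto == "icmp" and p.icmp_type == 8,
    "ALL_ICMP": lambda p: p.proto == "icmp",
    "TRACEROUTE": lambda p: p.proto == "udp" and 33434 <= p.dport <= 33535,
}


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    services: Tuple[str, ...]
    action: str = "accept"


def evaluate(policies, srcintf, dstintf, probe):
    """First matching policy wins; no match falls to the implicit deny."""
    for pol in policies:
        if pol.srcintf == srcintf and pol.dstintf == dstintf \
                and any(SERVICES[s](probe) for s in pol.services):
            return pol.action
    return "implicit-deny"


# What the two tool families put on the wire for one hop.
LINUX_UDP = [Probe("udp", dport=33434 + i) for i in range(3)]   # traceroute default
ICMP_ECHO = Probe("icmp", icmp_type=8)                          # tracert / traceroute -I


def traceroute_outcome(policies, srcintf, dstintf):
    """Per-tool verdict for one interface pair."""
    return {
        "udp": [evaluate(policies, srcintf, dstintf, p) for p in LINUX_UDP],
        "icmp": evaluate(policies, srcintf, dstintf, ICMP_ECHO),
    }


# Constructed policy sets: ping only, and ping plus the traceroute service.
PING_ONLY = [Policy("internal", "dmz", ("PING",))]
WITH_TRACEROUTE = [Policy("internal", "dmz", ("PING", "TRACEROUTE"))]

if __name__ == "__main__":
    for name, pols in (("PING only", PING_ONLY), ("PING + TRACEROUTE", WITH_TRACEROUTE)):
        print(name, traceroute_outcome(pols, "internal", "dmz"))
```

With only PING allowed, the ICMP-based tools get through while every UDP probe hits the implicit deny, which is exactly the "ping works, traceroute shows stars" symptom; adding the TRACEROUTE service (or an all-ICMP service for the ICMP variants) to each interface pair in both directions is the policy-side fix, and the reverse pair still needs its own policy.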