Kellermeister
New Contributor II

Admin Access on WAN but no Ping

I unboxed a new Fortigate 200F. I uplifted the firmware from 6.x to 7.2 b1157

I configured a WAN-interface as a VLAN-switch, and made setup: route, rule+nat, DNS and IPs.

Internet-access is fine.

I have allowed admin access via ICMP and HTTPS (custom port), and I have defined trusted hosts.

I can access the admin center from the trusted host OK; from an untrusted host it's blocked.

So far everything looks as usual.

In doing some tests I realised that I can't ping the WAN-interface from the outside.

It's not working from either trusted or untrusted hosts.

To my mind it should be pingable for both host groups if it's enabled on the interface definition.

I checked on a FortiGate 100F, same firmware and pretty much the same config, and there the WAN interface is pingable.

Just wondering: is there an obscure option I'm not aware of? The Forti was preregistered by the vendor, maybe he introduced an oddity...

Any recommendation on how to debug this?


Muhammad_Haiqal

Hi @Kellermeister ,

From my understanding, you have enabled ICMP and https on WAN interface.

Access the Fortigate GUI - working

Ping the fortigate IP - not working

 

Here are the possibilities:
1. VIP (port forwarding).

2. Upper device did not allow ping.

You can debug the FortiGate to make sure the traffic is received on the FortiGate.
Here is the command:

diag sniffer packet any 'host x.x.x.x and icmp' 4 0

Replace x.x.x.x with your source IP.

Verify whether you can see the ICMP requests coming to the FortiGate.

haiqal
Kellermeister

Hi haiqal,

Your understanding is correct.

 

I tested your command and it clearly shows that the ICMP packets are arriving at the interface. The ISP is therefore not blocking the ICMP.

 

I investigated VIP: it's a fresh installation, there are exactly two firewall rules (and one is the implicit deny-all), no virtual IPs, no virtual servers.

 

In the Local-In Policy I can see the allow rule for ICMP on the WAN switch interface. It looks the same as the allow rule for ICMP on the LAN interface (which works, btw).

 

Where else could I investigate? (Of course I tried a reboot.)

br

Gerhard


Muhammad_Haiqal

Hi @Kellermeister ,

Do you mind sharing the output of the sniffer command?

If you need immediate assistance, you may call Fortinet support too: https://www.fortinet.com/support/contact

haiqal
Kellermeister

[attached screenshot]

This is a trusted host pinging the external primary IP on the WAN interface. The result on the trusted host is a timeout.

Kellermeister
New Contributor II

OK, I solved it:

I checked the routing table. There were 2 routes for 0.0.0.0, one for the external and one on the internal interface. The internal interface had distance 5 and was declared the winner.


The second 0.0.0.0 route came from the LAN interface, where I had set up a DHCP client and the option "Retrieve default gateway from server" was enabled. I had to disable it, cross-checked the routing table in the CLI and it was fine. The static route table in the GUI does not show the second route; you can solve this riddle only by using the CLI command "get router info routing-table details".
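
As an added illustration (not part of the thread or of FortiOS), a small Python check that parses a constructed routing-table listing in the style of the "get router info routing-table" output and flags exactly the condition found here: a second default route with a lower distance winning over the WAN one. The interface names, addresses and the exact line format are assumptions.

```python
import re

# Constructed sample (not output from the thread) mimicking a FortiOS
# "get router info routing-table" listing: a second default route learned via
# DHCP on the LAN interface with distance 5, winning over the WAN route.
SAMPLE_ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default
S*      0.0.0.0/0 [5/0] via 192.168.10.1, lan
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       192.168.10.0/24 is directly connected, lan
C       203.0.113.0/29 is directly connected, wan1
"""

# One gateway route line: code, prefix, [distance/metric], gateway, interface.
ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<prefix>\S+)\s+\[(?P<distance>\d+)/(?P<metric>\d+)\]"
    r"\s+via\s+(?P<gateway>\S+),\s+(?P<iface>[\w.-]+)"
)

def parse_routes(text):
    """Return every gateway ('via') route as a dict; connected routes are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            r = m.groupdict()
            r["distance"], r["metric"] = int(r["distance"]), int(r["metric"])
            routes.append(r)
    return routes


def check_default_routes(text, expected_wan_iface):
    """Pick the active default route (lowest distance, then metric) and report
    findings: more than one default route, or a winner not on the expected WAN."""
    defaults = [r for r in parse_routes(text) if r["prefix"] == "0.0.0.0/0"]
    if not defaults:
        return None, ["no default route installed"]
    winner = min(defaults, key=lambda r: (r["distance"], r["metric"]))
    findings = []
    if len(defaults) > 1:
        findings.append("%d default routes installed: %s" % (len(defaults), ", ".join(
            "%s [%d/%d]" % (r["iface"], r["distance"], r["metric"]) for r in defaults)))
    if winner["iface"] != expected_wan_iface:
        findings.append("active default route leaves via %s (distance %d), not %s; "
                        "replies to WAN-side ICMP/HTTPS follow it out the wrong interface"
                        % (winner["iface"], winner["distance"], expected_wan_iface))
    return winner, findings
```

Run the check against the CLI output after every DHCP-client or SD-WAN change; a GUI static-route view will not show the DHCP-learned route that this catches.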

Muhammad_Haiqal

Hi @Kellermeister ,

That was a nice finding! :)

I did not expect "Retrieve default gateway from server" enabled on the LAN.


On the GUI, Static Route only shows what you configured.

To verify the active routing on the GUI, you may navigate to FortiView > Network. This will show the full routing table, including routes coming from DHCP, OSPF and BGP.

haiqal