I have to different ports on my Fortigate
port 1 ( 10.201.0.0/16)
port 2 ( 192.168.0.0/16)
i need to allow traffic between both ports which will allow me to use all protocols i made a policy routes with a firewall-policy but nothing happen
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Delete the Policy Route. These networks already have (std) routes automatically, check Monitor > Routing Monitor.
You just need one policy per direction. If you have one, right-click and 'clone reverse'.
thanks ede_pfau for your answer.
do you mean firewall police or policy route? i did both with no result, sorry i am not expert with fortigate.
Well exactly, you only need a plain policy.
Policy routing is routing - and that is already handled for you.
Hereunder my firewall configuration:
config firewall policy
edit 9
set name "ALLOW LAN TO CCTV"
set uuid 9df94930-c025-51e9-4feb-d27f2893ce1c
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
set fsso disable
set nat enable
next
end
Why NAT?
Usually, for LAN to LAN traffic, you don't use NAT.
NAT is mandatory for LAN-to-Internet traffic, as the next router (with your ISP) doesn't know your subnets.
Apart from that, your policy looks OK. A bit sloppy with 'all' instead of proper address object, but that will do as well.
If this doesn't work for you, what exactly do you see if you, for example, ping from one host to the other?
Can each host ping the FGT port belonging to his LAN?
i disabled the NAT.
if i ping from fortigate with execute ping everything is ok. and if i ping with same subnets everything is ok. but when i am trying to ping from example ( 10.201.2.111 ) to ( 192.168.10.10 ) it shows request timed out
Check the hosts:
- the default route needs to be the IP address of the FGT port it's connected to.
i can't change the default route, o i create a new route table with no result again. i know i miss something. please any more help
Not sure if that is a typo: port 1 =10.201.0.0/16 and port 2 = 192.168.0.0/16 but creating a firewall policy that goes from port 2 to port 1 when attempting to ping from port1 to an address on port 2. I think you may also need a firewall policy in the opposite direction.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.