Device is FG-60f running the latest 7.4 firmware.
I have 2 vlan switches set up. One routs traffic to wan1 and the other to wan2. I set up policies and routing policies for them and both are working fine.
Vlan switch 1 services subnet 192.168.2.0/24 and vlan switch 2 services subnet 192.168.3.0/24.
What I need to do is allow traffic between the two subnets.
When I set up firewall policies to allow traffic between source vlan switch 2 destination vlan switch 1, I can ping and access 192.168.2.1 from the 192.168.3.0/24 subnet, but I can't see any of the other devices/ips on the 192.168.2.0/24 subnet. Same thing with firewall policy source vlan switch 1 destination vlan switch 2.
Firewall policies:
Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set uuid 3961879a-900e-51ee-e003-307188be460d
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set nat enable
next
end
Fortinet_Gateway # config firewall policy
Fortinet_Gateway (policy) # edit 15
Fortinet_Gateway (15) # show
config firewall policy
edit 15
set name "Vlan2"
set uuid 6964594a-900e-51ee-fb76-e2b129d79f1e
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set comments " (Copy of InterVlan)"
next
end
Ok, so what am I doing wrong here?
TIA
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Fortinet_Gateway (internal) # show
config system interface
edit "internal"
set vdom "root"
set ip 192.168.2.1 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type hard-switch
set stp enable
set role lan
set snmp-index 15
next
end
The only configured route is from internal1 to wan1 with a corresponding policy route.
Devices connected to internal can properly access the internet.
Then you should run a sniffer and traffic flow to see if the traffic is matching the policy and is leaving FGT interface internal wan2.
Please check this articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Enable-Policy-Trace-in-Debug-Flow/ta...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Useful-filters-for-sniffer-packet-capture/...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiGate-sniffer-on-VLAN/...
diag debug reset
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow filter addr <IP> <----- Filter for source IP
diag debug flow trace start 20000
diag debug flow filter port 80 443
diag debug enable
diag sniffer packet any "host <IP>" 6 0 l
-BR-
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.