- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Allowing traffic between 2 Vlan switches
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Allowing traffic between 2 Vlan switches
Device is FG-60f running the latest 7.4 firmware.
I have 2 vlan switches set up. One routs traffic to wan1 and the other to wan2. I set up policies and routing policies for them and both are working fine.
Vlan switch 1 services subnet 192.168.2.0/24 and vlan switch 2 services subnet 192.168.3.0/24.
What I need to do is allow traffic between the two subnets.
When I set up firewall policies to allow traffic between source vlan switch 2 destination vlan switch 1, I can ping and access 192.168.2.1 from the 192.168.3.0/24 subnet, but I can't see any of the other devices/ips on the 192.168.2.0/24 subnet. Same thing with firewall policy source vlan switch 1 destination vlan switch 2.
Firewall policies:
Fortinet_Gateway (14) # show
config firewall policy
edit 14
set name "Vlan1"
set uuid 3961879a-900e-51ee-e003-307188be460d
set srcintf "internal"
set dstintf "Internal wan2"
set action accept
set srcaddr "internal"
set dstaddr "Internal wan2 address"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set nat enable
next
end
Fortinet_Gateway # config firewall policy
Fortinet_Gateway (policy) # edit 15
Fortinet_Gateway (15) # show
config firewall policy
edit 15
set name "Vlan2"
set uuid 6964594a-900e-51ee-fb76-e2b129d79f1e
set srcintf "Internal wan2"
set dstintf "internal"
set action accept
set srcaddr "Internal wan2 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set profile-protocol-options "test"
set comments " (Copy of InterVlan)"
next
end
Ok, so what am I doing wrong here?
TIA
Labels:
- Labels:
-
FortiGate
- « Previous
-
- 1
- 2
- Next »
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet_Gateway (internal) # show
config system interface
edit "internal"
set vdom "root"
set ip 192.168.2.1 255.255.255.0
set allowaccess ping https ssh fgfm fabric
set type hard-switch
set stp enable
set role lan
set snmp-index 15
next
end
The only configured route is from internal1 to wan1 with a corresponding policy route.
Devices connected to internal can properly access the internet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then you should run a sniffer and traffic flow to see if the traffic is matching the policy and is leaving FGT interface internal wan2.
Please check this articles:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Enable-Policy-Trace-in-Debug-Flow/ta...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Useful-filters-for-sniffer-packet-capture/...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiGate-sniffer-on-VLAN/...
diag debug reset
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow filter addr <IP> <----- Filter for source IP
diag debug flow trace start 20000
diag debug flow filter port 80 443
diag debug enable
diag sniffer packet any "host <IP>" 6 0 l
-BR-
- Happy to help, hit like and accept the solution -
- « Previous
-
- 1
- 2
- Next »
Related Posts
Labels
-
FortiGate
6,906 -
FortiClient
1,364 -
5.2
801 -
5.4
639 -
FortiManager
597 -
FortiAnalyzer
435 -
6.0
416 -
5.6
362 -
FortiAP
361 -
FortiSwitch
357 -
FortiClient EMS
278 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
120 -
FortiGuard
110 -
IPsec
96 -
FortiGateCloud
91 -
FortiSIEM
91 -
FortiCloud Products
85 -
SSL-VPN
82 -
FortiToken
75 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
42 -
SD-WAN
41 -
Fortivoice
41 -
FortiDNS
36 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
VLAN
27 -
High Availability
27 -
FortiAuthenticator
26 -
FortiConnect
24 -
FortiWAN
23 -
FortiConverter
21 -
ZTNA
20 -
DNS
18 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
FortiGate v5.2
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
FortiLink
13 -
Routing
13 -
FortiCASB
13 -
FortiDDoS
13 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Fortigate Cloud
9 -
4.0MR2
9 -
SSID
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
WAN optimization
7 -
SNMP
7 -
Web profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
FortiBridge
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 983 | |
| 819 | |
| 446 | |
| 440 | |
| 130 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.