Hello everybody,
I am new to Fortinet (today is the first day I have tried to use it) and I encountered a problem with basic connectivity.
I use FortiGate-3600C v5.0
I have applied the following config in the CLI:

```text
config system interface
    edit port1
        set ip 1.1.1.1/24
    next
    edit port2
        set ip 2.2.2.1/24
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```
In the Web interface I saw that packet-capture intercepts the incoming traffic from both ports, but no departing traffic.
In the Policy Tab I saw that counters are not running. So Policy sequence didn't take part...
So I mean that I simply have no connectivity through the device.
I googled for a long time and tried different combinations, including disabling RPF, but that didn't help.
Could anybody point me where my mistake is?
Thanks in advance!
Make sure you have a default route. If it does not have a default route, it will send an ICMP No Route To Host message. That will not reach the policy, since the packet does not get forwarded due to no route.
You might also want to enable NAT in your policy if you are trying to use PAT for internal to WAN traffic.
First, you should clarify if you tested port1 to port2, or portX to WAN.
For port to port, the FGT already has created the necessary routes (check this in Routing > Monitor).
Second, NEVER, EVER, use the "any" interface if you aren't forced to! I know it's valid but it's a nightmare for debugging. In your case, there is no justification to use it so just don't.
The "any" interface and its sibling, stacking multiple interfaces in a policy as source or destination, were introduced only recently (v5 IIRC) and they have their right to exist in certain corner cases. But 99% of all policies can be written with a single interface pair. Just imagine you've got your FGT in production; you want to sniff traffic from portA to portB, see if this policy is hit or not - ALL and every traffic will hit this policy!
So, first day, first advice, forget the "any" interface.
You haven't mentioned the firmware version you're using (v5 has many flavors...). One of these had a bug where the "ALL" service was restricted to TCP only - ping wouldn't be covered by it. Easy to fix, and it only occurred during a config translation from an older release to 5.0.x but it could be happening with your FGT.
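Putting the two replies above together (a route so the packet is forwarded at all, a single interface pair instead of "any", NAT if needed, and a check of the "ALL" service), here is an added example of a corrected configuration plus the CLI checks that show whether forwarding and the policy are actually working. This is not from either poster or from Fortinet documentation; the gateway 1.1.1.254, the host 2.2.2.10 and the port1 = WAN / port2 = LAN roles are constructed placeholders, and the diagnose syntax is the FortiOS 5.0 form (later releases renamed `show console enable` to `show function-name enable`).

```text
# --- 1. Default route so traffic leaving via port1 has somewhere to go ---
# (without it the FGT drops the packet with "no route" before any policy is consulted)
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 1.1.1.254        # constructed: upstream router on the port1 subnet
        set device port1
    next
end

# --- 2. Policy on a single interface pair, never "any" ---
# port2 (inside, 2.2.2.0/24) -> port1 (outside). NAT hides the inside hosts
# behind port1's address; leave it off for pure port-to-port routing.
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all            # so hits show up in the policy counters and logs
    next
end

# --- 3. Check the "ALL" service really covers every IP protocol ---
# The expected line is "set protocol IP"; a release-translation bug could leave it TCP-only,
# in which case ICMP (ping) is silently not matched by the policy.
show firewall service custom ALL

# --- 4. Verification ---
# Connected routes for port1/port2 and the new default route should all be present:
get router info routing-table all

# Sniff with verbosity 4 (interface names shown) on all ports: you want to see the
# request arriving on port2 AND the reply/forwarded packet leaving on port1.
diagnose sniffer packet any 'host 2.2.2.10' 4     # 2.2.2.10 is a constructed inside host

# Debug flow prints the routing and policy decision per packet, e.g. whether a
# policy id was matched or the packet was dropped for "no route":
diagnose debug flow filter addr 2.2.2.10
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate a ping from 2.2.2.10, then stop:
diagnose debug disable
diagnose debug reset
```

Read the debug flow output before touching anything else: a "no route" or "reverse path check fail" line means the fix is in routing, while a line naming policy id 1 means forwarding is fine and the remaining question is NAT or the upstream router's return path.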