Hello,
I am new to Fortinet and setting up a Fortinet firewall VM in EVE-NG. With the setup below, I am not able to ping from INSIDE_R1 to OUTSIDE_R2.
Topology:
INSIDE_R1 --- (port2) Fortinet Firewall (port3) --- OUTSIDE_R2
10.0.0.2/24   10.0.0.1/24              20.0.0.1/24   20.0.0.2/24
Fortinet VM: Version 7.2.0 with eval license
Firewall policy is to allow All source coming into Port2 toward All destination and get out of Port3, for all services, all the time. NAT is also enabled to use the outgoing interface address.
INSIDE_R1 has a default route pointing to firewall inside interface IP, 10.0.0.1.
INSIDE_R1 can ping firewall's inside IP 10.0.0.1 and outside IP 20.0.0.2.
Firewall can ping OUTSIDE_R2's IP of 20.0.0.2.
However, INSIDE_R1 cannot ping OUTSIDE_R2's IP of 20.0.0.2. OUTSIDE_R2 does not get any packets from INSIDE_R1 based on its debug output.
Here is the debug output on Fortinet firewall:
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, s"
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
I am not sure if this is a limitation of the VM version of the Fortinet firewall, that it only allows you to configure it but does not pass traffic?
I built the same topology with a physical Fortinet firewall and two computers. With the same security policy and IP configurations, ping from inside to outside works fine.
I'd like to find out if it is doable to have the Fortinet firewall VM working and forwarding traffic in EVE-NG. The virtual lab in EVE-NG will allow me to test more complex network environments.
Thanks,
Fei.
Solved the issue by upgrading the FortiGate VM from version 7.2.0 to 7.2.1.
To troubleshoot a FortiGate you use two things: your understanding of how FortiGate behaves, and the log. From the log, you can filter to see if matched traffic is accepted, then NAT applied and forwarded. FortiGate first checks the routing and then the policies in sequence. So you first check the routing (which you don't need in this lab) and then the policies. Another thing related to the VM is to confirm that the ports in the same subnet are connected to the same VM network.
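The reply above says to read the flow trace in order: route lookup first, then policy, then NAT. The trace in the question is informative precisely because it stops after "find a route" and never reaches a policy verdict. As an added example (not code from either poster or from Fortinet), here is a small Python script that parses `diagnose debug flow` output of that shape, groups lines by trace_id, and reports how far each packet got. The sample trace is constructed: traces 7 and 8 reproduce the question's lines, while traces 9 and 10 are invented to show what an accepted flow (policy match followed by SNAT) and a denied flow look like; the "Allowed by Policy" and "Denied by forward policy check" messages are the standard FortiOS ones, but their line numbers and session ids here are made up.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the flow trace quoted in the post above. Traces 7 and 8
# reproduce the post's own lines (the flow stops right after the route lookup). Traces 9
# and 10 are invented here to show what an accepted (policy + SNAT) and a denied flow look
# like; the messages are the usual FortiOS ones, the line numbers and session ids are made up.
SAMPLE_TRACE = """\
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=0."
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:17->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=17, seq=0."
id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-00000cb1, tun_id=0.0.0.0"
id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=9 func=fw_forward_handler line=990 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=9 func=__ip_session_run_tuple line=3466 msg="SNAT 10.0.0.2->20.0.0.1:62464"
id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:18->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=18, seq=0."
id=65308 trace_id=10 func=init_ip_session_common line=6076 msg="allocate a new session-00000cb5, tun_id=0.0.0.0"
id=65308 trace_id=10 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=10 func=fw_forward_handler line=829 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
RECV_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) .* from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
SNAT_RE = re.compile(r'^SNAT \S+->(\S+)')


def parse_trace(text):
    """Group flow-trace lines by trace_id, keeping (func, msg) pairs in order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            tid, func, msg = m.groups()
            traces[int(tid)].append((func, msg))
    return dict(traces)


def classify(events):
    """Work out how far one packet got: route lookup, policy verdict, NAT."""
    info = {"src": None, "dst": None, "ingress": None, "egress": None,
            "verdict": None, "snat": None, "last_func": None}
    for func, msg in events:
        info["last_func"] = func
        m = RECV_RE.search(msg)
        if m:
            info["src"], info["dst"], info["ingress"] = m.group(2), m.group(3), m.group(4)
        m = ROUTE_RE.search(msg)
        if m:
            info["egress"] = m.group(1)
        m = SNAT_RE.match(msg)
        if m:
            info["snat"] = m.group(1)
        if "Allowed by Policy" in msg:
            info["verdict"] = "allowed"
        elif "Denied by forward policy check" in msg:
            info["verdict"] = "denied"
    if info["verdict"] is None:
        # No policy verdict at all: either routing failed (no "find a route" line)
        # or the packet was routed and then silently went nowhere, as in the post.
        info["verdict"] = "no-route" if info["egress"] is None else "stalled-after-route"
    # A reply routed back out the ingress interface needs a same-interface policy.
    info["hairpin"] = bool(info["ingress"] and info["ingress"] == info["egress"])
    return info


def summarize(text):
    """Return {trace_id: classification} for every trace in the output."""
    return {tid: classify(ev) for tid, ev in parse_trace(text).items()}


def stalled_traces(text):
    """Trace ids that were routed but never reached a policy verdict."""
    return sorted(t for t, i in summarize(text).items()
                  if i["verdict"] == "stalled-after-route")


if __name__ == "__main__":
    for tid, i in sorted(summarize(SAMPLE_TRACE).items()):
        print(f"trace {tid}: {i['src']} -> {i['dst']} in {i['ingress']} out {i['egress']} "
              f"verdict={i['verdict']} snat={i['snat']} last={i['last_func']}")
```

Running this on the post's trace reports traces 7 and 8 as "stalled-after-route" with last_func vf_ip_route_input_common, which is the same thing the reply above is pointing at: the route is fine, but the packet never gets a policy verdict, so the next place to look is the policy lookup or the platform itself rather than routing. On the FortiGate the trace is collected with `diagnose debug flow filter addr 20.0.0.2`, `diagnose debug flow trace start 10` and `diagnose debug enable`, and pasted into the script's input.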
Copyright 2024 Fortinet, Inc. All Rights Reserved.