Support Forum
lidartech
New Contributor

Basic traffic forwarding not working with Fortigate VM

Hello,

I am new to Fortinet and setting up a Fortinet firewall VM in EVE-NG. With the setup below, I am not able to ping from INSIDE_R1 to OUTSIDE_R2.

Topology:

INSIDE_R1 --- (port 2)-Fortinet Firewall-(port 3) --- OUTSIDE_R2
10.0.0.2/24     10.0.0.1/24                    20.0.0.1/24        20.0.0.2/24

Fortinet VM: Version 7.2.0 with eval license

Firewall policy is to allow all sources coming into Port2 toward all destinations going out of Port3, for all services, all the time. NAT is also enabled to use the outgoing interface address.

INSIDE_R1 has a default route pointing to the firewall's inside interface IP, 10.0.0.1.

INSIDE_R1 can ping the firewall's inside IP 10.0.0.1 and outside IP 20.0.0.2.

The firewall can ping OUTSIDE_R2's IP of 20.0.0.2.

However, INSIDE_R1 cannot ping OUTSIDE_R2's IP of 20.0.0.2. OUTSIDE_R2 does not get any packets from INSIDE_R1 based on its debug output.

Here is the debug output on the Fortinet firewall:

id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, s"
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"

id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"

I am not sure if this is a limitation of the VM version of the Fortinet firewall, where it only allows you to configure it but does not let it pass traffic?

I built the same topology with a physical Fortinet firewall and two computers. With the same security policy and IP configurations, ping from inside to outside works fine.

I'd like to find out if it is doable to have the Fortinet firewall VM working and forwarding traffic in EVE-NG. The virtual lab in EVE-NG will allow me to test more complex network environments.

Thanks,

Fei.


1 Solution
lidartech
New Contributor

Solved the issue by upgrading the FortiGate VM from version 7.2.0 to 7.2.1. 


2 REPLIES
EEHC
Contributor

To troubleshoot a FortiGate you use two things: your understanding of how the FortiGate behaves, and the log. From the log, you can filter to see if matched traffic is accepted, then NAT applied and forwarded. FortiGate first checks the routing and then the policies in sequence. So you first check the routing (which you don't need in this lab) and then the policies. Another thing related to VMs is to confirm that the ports in the same subnet are connected to the same VM network.

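The "check routing, then policies, then NAT" order in the reply above can be applied mechanically to the `diagnose debug flow` output posted in the question. The following script is an added example, not code from the thread or from Fortinet: it groups debug-flow lines by `trace_id` and reports the furthest forwarding stage each packet reached. Traces 7 and 8 are the lines from the original post; trace 9 is a constructed "healthy" trace whose policy and SNAT lines are an assumption about the usual wording of such lines, included only so the output of a forwarded packet can be compared against the stalled ones. For the posted traces the report shows a session allocated and a route found on port3, but no policy decision and no NAT line afterwards, which is exactly where the reply suggests looking next.

```python
"""Added example (not from the forum thread): group FortiGate
`diagnose debug flow` lines by trace_id and report how far each packet got
through the forwarding path: packet seen -> session -> route -> policy -> NAT.
"""
import re
from collections import OrderedDict

# Sample input. Traces 7 and 8 are the lines posted in the question. Trace 9 is
# CONSTRUCTED to show what a forwarded ping looks like; the wording of its
# policy and SNAT lines is an assumption modelled on typical debug-flow output.
SAMPLE_LINES = """\
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, s"
id=65308 trace_id=7 func=init_ip_session_common line=6076 msg="allocate a new session-00000ca9, tun_id=0.0.0.0"
id=65308 trace_id=7 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=8 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:16->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=16, seq=1."
id=65308 trace_id=8 func=init_ip_session_common line=6076 msg="allocate a new session-00000cad, tun_id=0.0.0.0"
id=65308 trace_id=8 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.0.2:17->20.0.0.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=17, seq=1."
id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-00000cb1, tun_id=0.0.0.0"
id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-20.0.0.2 via port3"
id=65308 trace_id=9 func=fw_forward_handler line=990 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=9 func=__ip_session_run_tuple line=3548 msg="SNAT 10.0.0.2->20.0.0.1:62464"
"""

LINE_RE = re.compile(
    r'^id=\S+\s+trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$'
)


def is_packet(func, msg):
    return func == "print_pkt_detail"


def is_session(func, msg):
    return "allocate a new session" in msg


def is_route(func, msg):
    return msg.startswith("find a route")


def is_policy(func, msg):
    # Assumed wording: "Allowed by Policy-N: ..." or "Denied by ... policy check ..."
    return "by Policy" in msg or "policy check" in msg.lower()


def is_nat(func, msg):
    return msg.startswith(("SNAT", "DNAT"))


# Ordered checkpoints of the forwarding path; a packet should hit them in order.
STAGES = [
    ("packet_received", is_packet),
    ("session_allocated", is_session),
    ("route_found", is_route),
    ("policy_decision", is_policy),
    ("nat_applied", is_nat),
]


def parse_flow(text):
    """Return an OrderedDict trace_id -> [(func, msg), ...] in capture order."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip prompts, blank lines and lines cut off mid-field
        traces.setdefault(m["trace"], []).append((m["func"], m["msg"]))
    return traces


def analyze(traces):
    """Per trace: furthest stage reached, policy verdict, and whether SNAT fired."""
    report = {}
    for trace_id, events in traces.items():
        last_index = -1
        decision = None
        for func, msg in events:
            for index, (_, pred) in enumerate(STAGES):
                if pred(func, msg):
                    last_index = max(last_index, index)
            if decision is None and is_policy(func, msg):
                decision = msg
        if decision is None:
            verdict = "stalled"   # no policy line at all: the box never decided
        elif decision.startswith("Allowed"):
            verdict = "allowed"
        else:
            verdict = "denied"
        report[trace_id] = {
            "last_stage": STAGES[last_index][0] if last_index >= 0 else None,
            "verdict": verdict,
            "snat": any(msg.startswith("SNAT") for _, msg in events),
            "events": len(events),
        }
    return report


def format_report(report):
    """One human-readable line per trace."""
    return [
        f"trace_id={tid}: {r['events']} lines, reached {r['last_stage']}, "
        f"verdict={r['verdict']}, snat={r['snat']}"
        for tid, r in report.items()
    ]


if __name__ == "__main__":
    print("\n".join(format_report(analyze(parse_flow(SAMPLE_LINES)))))
```

Run it against a captured `diagnose debug flow` session instead of `SAMPLE_LINES` to get the same per-trace summary; a trace that stops at `route_found` with verdict `stalled` means the packet was routed but never reached a policy decision, which separates a routing or VM-network problem from a policy or NAT problem.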