Hi there,
Let me start off by saying I'm new to Fortigate. I just passed NSE-2 and am currently 'studying' NSE-3 and afterwards NSE-4. I work for a small service provider and kind of got the firewall thrown in my lap. Not that I mind, I like the challenge, but still there is a lot to learn...
With that in mind, I ran into a conundrum. One of our clients has 9 stores with customer counters. One of these stores cannot connect with the server for updates. They all go through the same FW...
So I made a new policy for this location and get client-RST or Accept: IP connection error when using a laptop to go to the portal the counter should go to. When I telnet to the location I can reach it without problems or errors on the FW.
Can anyone tell me what I can troubleshoot next?
If any more info is needed please tell me what you need. Thanks in advance.
Since you're a service provider, I assume those FGTs (or just one?) are brand-new. Then my best advice would be to use TAC support wisely as needed.
Anyway, you mentioned "all go through the same FW". Is it at their HQ location? How do those stores get to the "FW"? Over VPNs? Give us a little more info about the topology.
I don't understand what a FGT is...
But we host their VPN and their breakout to the internet is through the firewall, which I try to manage, poorly it seems.
I've been googling the error messages, but come up short. How do I see what this means:
Action: Accept: IP connection error
Threat: 262144
Policy: 37
Policy UUID: be146836-0133-51ea-36c1-0b2da7f5b7a8
Policy Type: policy
Does this mean a NAT error because of the IP? Shouldn't this be a port error then? And why does this have a green 'check' under result, even though it doesn't work?
And at the same time I have an unchecked result for:
Action: client-rst
Policy: 37
Policy UUID: be146836-0133-51ea-36c1-0b2da7f5b7a8
Policy Type: policy
I do not understand what I should do with this error.
Regards,
Marnix
FGT = Fortigate
from the serial numbers "FGT-xxx" :)
Unless you supply more information this is wild guessing. Not that I mind a challenge...
If telnet is allowed, and "going to" is not, then probably the service isn't allowed in policy 37.
Could you please post a screenshot, or the CLI (command line interface) equivalent "show firewall policy 37" in text form so that we can talk about that?
I solved the problem, it wasn't the FW.
The CPE had no MTU 1492 configured, but that was needed for the ISP connection. Changing the setting solved this.
Thanks for trying to help!!
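Added example, not part of the thread and not Fortinet code: the symptom above (telnet works, a web portal does not, with client-rst / "IP connection error" on an otherwise accepting policy) is the classic signature of a path MTU problem, because the TCP handshake and a telnet banner fit in small packets while a web page fills 1500-byte packets that a PPPoE link with MTU 1492 cannot carry. The script below probes the usable path MTU from a host behind the CPE with don't-fragment pings and derives the matching interface MTU and TCP MSS values. It assumes a Linux `ping` (`-M do` sets DF, `-s` sets the ICMP payload size); the target address is a placeholder supplied by the caller, not an address from the thread.

```shell
# Added example: probe path MTU with DF-flagged pings and derive
# the interface MTU / TCP MSS to configure. Assumes Linux ping.

# ICMP echo payload that fills exactly one packet of the given MTU:
# MTU minus the 20-byte IPv4 header and the 8-byte ICMP header.
icmp_payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# TCP MSS that fits in one packet of the given MTU:
# MTU minus the 20-byte IPv4 header and the 20-byte TCP header.
tcp_mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Send one DF-flagged ping whose total size is "size" bytes; succeed only
# if it is answered. A PPPoE link with MTU 1492 answers 1492 but not 1500.
ping_fits() {
    target=$1
    size=$2
    ping -c 1 -W 1 -M do -s "$(icmp_payload_for_mtu "$size")" "$target" >/dev/null 2>&1
}

# Binary search for the largest packet size between lo and hi that gets
# a reply. lo must be a size known to work (576 is safe on any IPv4 path).
probe_path_mtu() {
    target=$1
    lo=${2:-576}
    hi=${3:-1500}
    if ! ping_fits "$target" "$lo"; then
        echo "no reply even at $lo bytes; check basic reachability first" >&2
        return 1
    fi
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping_fits "$target" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    # hi may never have been tested (e.g. the full 1500 works).
    if ping_fits "$target" "$hi"; then
        lo=$hi
    fi
    echo "$lo"
}

# Usage: sh probe_mtu.sh 203.0.113.10   (placeholder target, not from the thread)
if [ $# -gt 0 ]; then
    mtu=$(probe_path_mtu "$1") || exit 1
    echo "path MTU to $1: $mtu bytes"
    echo "set the interface MTU to $mtu, or clamp TCP MSS to $(tcp_mss_for_mtu "$mtu")"
    if [ "$mtu" -lt 1500 ]; then
        echo "full-size 1500-byte packets are dropped: small telnet traffic passes, large HTTP responses do not"
    fi
fi
```

Run it from a laptop at the affected store against a host on the far side of the CPE. A result of 1492 points at the PPPoE overhead the thread ended up fixing on the CPE; on the FortiGate side the equivalent knobs live under `config system interface` (`set mtu-override enable` with `set mtu`, and `set tcp-mss` to clamp the MSS on traffic crossing that interface), which is the workaround when the CPE cannot be changed.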
Glad you solved it in the end. Every solution may be helpful for others in the future.
Copyright 2024 Fortinet, Inc. All Rights Reserved.