- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Can' t ping despite policy allowing all acces...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can' t ping despite policy allowing all access
I' d appreciate some help troubleshooting a thorny issue where I can' t ping a server that is located behind a firewall, despite a policy that I believe would allow all access.
The short of it is that I have a network with device identification, where identified devices are allowed (and able to) connect to the outside world. But I also want to allow inbound connections to the same network. This is what I can' t seem to get working.
The long version: this takes place across a VPN between two Fortigates. Both Fortigates have multiple networks behind them, but I' ll just diagram the relevant ones here:
Net1 ------> FG1 ------ IPSec VPN ------> FG2 ----------> Net2
----------> Net3
Net1: 192.168.1.0/24 - gateway is 192.168.1.1
Net2: 192.168.17.0/28 - gateway is 192.168.17.1, with a device identification policy on this interface.
Net3: 192.168.17.128/25 - gateway is 192.168.17.129, no device identification policy on this interface.
I can ping from Net1 to servers in Net3, and also to 192.168.17.1 (the gateway address of Net2), but not to 192.168.17.5 on Net2. 192.168.17.5 can connect outbound, so I am reasonably sure this is not a routing problem.
I am wondering if this might be because on Net2, I am using a device identity policy, even though that policy is further down in the list.
I created the following policies on FG2 (in this order):
Src Interface: VPN
Src Address: all
Dst Interface: Net2
Dst Address: all
Services: all
Action: allow
(the counter in this rule, and the fortigate logs, shows that my pings are accepted, so it is probably the echo response that is somehow blocked).
... (unrelated policies for other interfaces)
(Device Identity Policy for devices on Net2)
Src Interface: Net2
Src Address: all
Device: authorized servers (includes the one I am trying to ping)
Destination address: all
Services: all
Action: allow
(there are additional authentication rules, but the first one is already an allow-all rule).
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You do realize that NET3 is a subset of NET2...
Also with identity based policies, any matching from-to pairs below will never get hit.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, thank you! I suspected as much. So basically, any network that has identity-based policies can' t also have regular policies?
Ultimately, the question then becomes: how does one handle inbound connections with identity-based policies?
Ultimately, the goal is to be able to set up an RDP session to one of the identified devices through the Fortigate.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what do you mean a subset? net2 and net3 are 2 unique subnets within the 192.168.17.0/24 block.
Op, what does you diag debug flow for icmp packet generate at the left or right gateways?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right... I need to get to bed... All 4 of my eyes saw /24... 
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc, thank you so much for pointing me to the debug flow command!
That was exactly what I needed. It showed me that the ICMP packets traveled through the firewall and left on the correct interface, but the target computer never sent a response.
Armed with that knowledge, I found out that somebody had misconfigured the Windows firewall on the target computer. Wasn' t a Fortigate issue at all!
Thanks for your help!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
:)
I had to go get my extra 2 eyes to be sure that I didn' t missed read anything.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can' t speak enough for diag debug flow. It validates that packets are being sent, and actually matching against a firewall policy-id #.
http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- Dysfunctional "Monitor Wifi Login Failures", Widget 46 Views
- access problems towards vpn s2s 98 Views
- Setting SSL/SSH inspection profile causes most... 91 Views
- Fortiportal SSID Greyed out 36 Views
- Disable forticlient on startup 62 Views
Labels
-
FortiGate
6,494 -
FortiClient
1,297 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
413 -
5.6
362 -
FortiSwitch
331 -
FortiAP
331 -
FortiClient EMS
260 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
149 -
6.4
128 -
FortiNAC
104 -
FortiGuard
102 -
FortiGateCloud
87 -
FortiSIEM
86 -
FortiCloud Products
82 -
IPsec
70 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
58 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
FortiAuthenticator
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSID
6 -
SSL SSH inspection
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Security profile
5 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
NAC policy
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.