Can t ping from my host client to internet via fortinet Firewall
Hello, can you help me please? I have correct static routes and policies that enable the traffic to access the internet. My firewall can access the internet when I ping 22.214.171.124, but the host client that is in the same network as the LAN of the firewall, and has the IP of the LAN as its gateway, can't ping the internet; I get "request timed out". I have outbound policies that enable all traffic from LAN to WAN:

FortiOS-VM64 # config firewall policy
FortiOS-VM64 (policy) # edit 3
FortiOS-VM64 (3) # show
config firewall policy
    edit 3
        set name "Lan to wan"
        set uuid 161ce1d2-2fa9-51ee-1c02-94434bc9f1d1
        set srcintf "port5"
        set dstintf "port1"
        set action accept
        set srcaddr "LAN"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

and the static route:

FortiOS-VM64 (2) # show
config router static
    edit 2
        set gateway 192.168.10.1
        set device "port1"
    next
end

port1 is the WAN and port2 is the LAN. Here are my interfaces:

FortiOS-VM64 (interface) # show
config system interface
    edit "mgmt"
        set vdom "root"
        set allowaccess ping https ssh fgfm
        set status down
        set type physical
        set dedicated-to management
        set snmp-index 1
    next
    edit "port1"
        set vdom "root"
        set ip 192.168.10.100 255.255.255.0
        set allowaccess ping https ssh http
        set type physical
        set alias "wan"
        set lldp-reception enable
        set role wan
        set snmp-index 2
    next
    edit "port5"
        set vdom "root"
        set ip 126.96.36.199 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set type physical
        set alias "LAN"
        set lldp-transmission enable
        set role lan
        set snmp-index 6
    next
end

Thank you.
Yes, I can ping the ISP gateway; this time it is 172.20.10.1:

FortiOS-VM64 # exec ping 172.20.10.1
PING 172.20.10.1 (172.20.10.1): 56 data bytes
64 bytes from 172.20.10.1: icmp_seq=0 ttl=64 time=12.7 ms
64 bytes from 172.20.10.1: icmp_seq=1 ttl=64 time=9.3 ms
^C
--- 172.20.10.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 9.3/11.0/12.7 ms
You need to check if the traffic is hitting the firewall interface first.
You can check that by running a packet capture using the source IP of the host:

diag sniffer packet any 'host x.x.x.x' 4 0 a

(x.x.x.x is the source IP of the host machine in your LAN network.)
I could see that 188.8.131.52 is the IP you have mentioned as the source interface IP. I would request you to check the IP once again, as it is a public IP. Please ensure the host machine is in the LAN network.
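As an added sanity check (example code written for this thread, not Fortinet's or the poster's), the following parses a `config system interface` dump in the format pasted above and reports whether a host and its configured gateway actually sit in the LAN interface's subnet, and whether that LAN address is RFC 1918 private space, which is the point raised about the public address. The sample dump and the host addresses in the test are constructed from the values in the thread.

```python
import ipaddress
import re

# Constructed sample in the format of the `show` output pasted in the thread;
# the addresses are the thread's, unrelated settings are omitted.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.10.100 255.255.255.0
        set role wan
    next
    edit "port5"
        set ip 126.96.36.199 255.255.255.0
        set role lan
    next
end
"""

def parse_interfaces(text):
    """Map interface name -> {setting: value} from a `config system interface` dump."""
    interfaces, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # set <key> <value ...>
            if len(parts) == 3:
                interfaces[current][parts[1]] = parts[2].strip('"')
    return interfaces

def check_lan_host(interfaces, host_ip, host_gateway):
    """Return findings that would explain a LAN host timing out towards the internet."""
    lan = [(n, i) for n, i in interfaces.items() if i.get("role") == "lan" and "ip" in i]
    if not lan:
        return ["no interface with role lan has an IP address"]
    name, iface = lan[0]
    addr, mask = iface["ip"].split()
    lan_if = ipaddress.ip_interface(f"{addr}/{mask}")
    host, gw = ipaddress.ip_address(host_ip), ipaddress.ip_address(host_gateway)
    findings = []
    if host not in lan_if.network:
        findings.append(f"host {host} is not in {name} subnet {lan_if.network}")
    if gw != lan_if.ip:
        findings.append(f"host gateway {gw} is not the {name} address {lan_if.ip}")
    if not lan_if.ip.is_private:
        findings.append(f"{name} address {lan_if.ip} is public, not RFC 1918 private space")
    return findings
```

Run it against a full `show` dump from the firewall and the host's own IP and gateway; an empty list means the addressing is consistent and the sniffer check above is the next step.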