Hello, I am facing this problem for the first time and I don't know where I'm doing it wrong. I have to access my own IP address both from inside and outside the network. The problem is that from outside I am able to connect to the IP and do my stuff, but when I am connected locally I can't.
I tried pinging the address from the FortiGate CLI and I get no response. If I ping it from outside (another public IP, or by using a smartphone on 4G) it works like a charm. Can someone explain to me why, please?
I have a FortiGate 60E with 7.2.0 build 1157.
The public IP address you are trying to ping, is it configured on one of the FortiGate's interfaces?
The WAN1 of the FortiGate is connected to the router, like I always do on FortiGates. The problem is that from the FortiGate I can't ping my OWN IP address, the one I am connected to. The same IP has no problem from outside the network.
So the firewall does not have a public IP of its own? What do you mean by your own IP address? The router IP, the FortiGate IP?
If it's a FortiGate IP, is ping enabled on the interface?
Sorry for the Easter delay.
The configuration is as follows:
Router 192.168.1.1 - FortiGate WAN 192.168.1.15, LAN 192.168.90.15 - Switch - PCs
Ping is enabled and everything is working from outside the network (smartphone 4G, another connection etc.). When I'm connected to the switch or directly to the Forti, or on the FortiGate CLI itself, I can't ping or interact with anything on my public IP.
If the public IP is directly configured, or owned by, the FortiGate, then for the LAN->WAN direction to reach the public IP, you will need a firewall policy for exactly this direction.
This may be a bit more complicated if you're trying to reach a service through a VIP. (let us know if this is the case)
If the public IP is actually located on the router upstream of the FortiGate (the idea being that the router might be doing some DNAT/port-forwarding, or filtering traffic in the direction inbound to your FortiGate), then you will need to check with someone managing that router. Maybe it just doesn't allow the traffic to flow in that direction?
Sorry for the Easter delay.
The public IP is on the router, where I have a 1:1 NAT to the local IP 192.168.1.15, to which I connected the FortiGate's WAN port.
As I replied to tio3udes: ping is enabled and everything is working from outside the network (smartphone 4G, another connection etc.). When I'm connected to the switch or directly to the Forti, or on the FortiGate CLI itself, I can't ping or interact with anything on my public IP.
In that case I would suggest running a sniffer on the FortiGate to find out whether you are receiving the ping packet from the WAN direction at all.
diag sniffer packet <wan> "host <source-ip> and icmp" 4 0 a
# test now
CTRL+C to stop the capture
Replace <wan> with the actual name of your "WAN" interface (the one pointing to the router upstream), and <source-ip> with the public IP of the client device sending the test pings.
If you see the packet arrive, some further investigation on the FortiGate will be needed. But if you don't see it arriving at all, you'll need to check further upstream (router or ISP), because there's nothing we can do on the FortiGate if the packet does not reach it at all.
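The reasoning in the post above (no packet on the WAN interface means look upstream; a request that arrives but gets no reply means look at the FortiGate) is easy to apply by hand for a handful of packets, but a pasted capture is quicker to read with a small parser. The script below is an added example, not code from the thread or from Fortinet: it parses the text of a `diag sniffer packet ... 4 0 a` session, counts echo requests and replies per direction for the test client, and returns which side to investigate next. The line format it expects (`<timestamp> <iface> in|out <src> -> <dst>: icmp: echo request|reply`, plus the `N packets received by filter` trailer) is assumed from verbosity-4 output with absolute timestamps, and the captures embedded in it are constructed for the example; adjust the regex if your FortiOS build prints the lines differently.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed shape of one packet line from
#   diag sniffer packet <iface> "host <ip> and icmp" 4 0 a
# (verbosity 4, absolute timestamps). Example code added here, not from the
# forum post; adjust the regex if your FortiOS build prints lines differently.
PKT_RE = re.compile(
    r"^(?P<ts>.*?)\s+(?P<iface>\S+)\s+(?P<direction>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\b"
)
TRAILER_RE = re.compile(r"(\d+) packets received by filter")


@dataclass(frozen=True)
class Packet:
    ts: str
    iface: str
    direction: str  # "in" = received on iface, "out" = transmitted from iface
    src: str
    dst: str
    kind: str       # "request" or "reply"


def parse_capture(text: str) -> list[Packet]:
    """Keep only ICMP echo lines; headers, '# test now' and '^C' are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if m:
            packets.append(Packet(**m.groupdict()))
    return packets


def received_count(text: str) -> int | None:
    """The 'N packets received by filter' trailer printed after CTRL+C."""
    m = TRAILER_RE.search(text)
    return int(m.group(1)) if m else None


def summarise(packets: list[Packet], client_ip: str) -> dict[str, int]:
    """Count echo requests/replies exchanged with the test client, per direction."""
    counts = {"request_in": 0, "request_out": 0, "reply_in": 0, "reply_out": 0}
    for p in packets:
        if client_ip in (p.src, p.dst):
            counts[f"{p.kind}_{p.direction}"] += 1
    return counts


def verdict(counts: dict[str, int]) -> str:
    """Map the counts onto the next place to look, following the thread's reasoning."""
    if sum(counts.values()) == 0:
        return "upstream"      # nothing reached the FortiGate: router/ISP/NAT problem
    if counts["request_in"] and not counts["reply_out"]:
        return "fortigate"     # requests arrive but are not answered: ping setting/policy
    if counts["request_out"] and not counts["reply_in"]:
        return "return-path"   # FortiGate sent requests, nothing came back
    return "ok"                # request and matching reply both seen on the interface


def analyse(text: str, client_ip: str) -> tuple[int | None, dict[str, int], str]:
    counts = summarise(parse_capture(text), client_ip)
    return received_count(text), counts, verdict(counts)


# Constructed sample captures (documentation addresses, not real hosts).
CLIENT_IP = "203.0.113.5"
HEADER = "interfaces=[wan1]\nfilters=[host 203.0.113.5 and icmp]\n# test now\n"
CAPTURE_EMPTY = HEADER + "^C\n0 packets received by filter\n0 packets dropped by kernel\n"
CAPTURE_REPLIED = HEADER + (
    "2024-04-02 09:12:31.100001 wan1 in 203.0.113.5 -> 192.168.1.15: icmp: echo request\n"
    "2024-04-02 09:12:31.100210 wan1 out 192.168.1.15 -> 203.0.113.5: icmp: echo reply\n"
    "2024-04-02 09:12:32.100005 wan1 in 203.0.113.5 -> 192.168.1.15: icmp: echo request\n"
    "2024-04-02 09:12:32.100190 wan1 out 192.168.1.15 -> 203.0.113.5: icmp: echo reply\n"
    "^C\n4 packets received by filter\n0 packets dropped by kernel\n"
)
CAPTURE_DROPPED = HEADER + (
    "2024-04-02 09:15:01.000100 wan1 in 203.0.113.5 -> 192.168.1.15: icmp: echo request\n"
    "2024-04-02 09:15:02.000120 wan1 in 203.0.113.5 -> 192.168.1.15: icmp: echo request\n"
    "^C\n2 packets received by filter\n0 packets dropped by kernel\n"
)
CAPTURE_FGT_PING = (
    "interfaces=[any]\nfilters=[host 8.8.4.4 and icmp]\n"
    "2024-04-02 09:20:00.500000 wan1 out 192.168.1.15 -> 8.8.4.4: icmp: echo request\n"
    "^C\n1 packets received by filter\n0 packets dropped by kernel\n"
)

if __name__ == "__main__":
    for name, cap, ip in (("empty", CAPTURE_EMPTY, CLIENT_IP), ("replied", CAPTURE_REPLIED, CLIENT_IP),
                          ("dropped", CAPTURE_DROPPED, CLIENT_IP), ("fgt-ping", CAPTURE_FGT_PING, "8.8.4.4")):
        print(name, analyse(cap, ip))
```

Paste the whole terminal session (including the trailer) into `analyse()` with the client's public IP: an empty capture on the WAN interface matches the original poster's result and points upstream, while requests that arrive with no reply leaving point at the FortiGate's interface ping setting or policy.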
Thanks for the reply. I did the tests you suggested on 2 FortiGates: the one I own, which has no problems, and the client's one, where I have this problem. For security reasons I will write symbols instead of the IPs; I hope it will be clear.
My own IP: X.X.X.X (this is where everything is working)
My client's IP: Y.Y.Y.Y (this is where we have the problem).
On my own FortiGate I tried the command with X.X.X.X and Y.Y.Y.Y and it worked with 0 packet loss to both of them; however,
On the client's FortiGate I tried the command with X.X.X.X and Y.Y.Y.Y as well; the first one (on my own IP) worked with 0 packet loss, the second (client IP) did not work. I will just paste this last log:
FortiGate # diag sniffer packet wan1 "host Y.Y.Y.Y and icmp" 4 0 a
interfaces=[wan1]
filters=[host Y.Y.Y.Y and icmp]
# test now
^C
0 packets received by filter
0 packets dropped by kernel
That's all, thanks for your time and help.
Hi Team,
From the previous sniffer, we could not observe any output. I would request you to run the sniffer in this way:
diag sniffer packet any 'host 8.8.4.4 and icmp' 4 0 a
Once you start this sniffer, ping 8.8.4.4 from the firewall in another console and share the result with us.