Been working on this for awhile and no luck. I have two subnets that I need to allow communication between, 10.1.2.0 and 192.168.1.0. This seems simple but I am missing something somewhere.
Do I need to add a static route?
Thanks for any help.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
No need to add static route.
Check forward traffic logs to see if the traffic is reaching the firewall and if it is being blocked.
Being blocked by the local-in-policy. How do I go about allowing this through.
The local-in-policy wouldn't block traffic between interfaces. It can block only traffic destined to the FGT itself, like admin access, incoming VPNs, FortiGuard traffic, etc.
Toshi
Make sure you are configuring the right gateways on your hosts. Then please share port configuration and policy configuration.
Here is the policy:
edit 27
set status enable
set name "Internal_Communitcation"
set uuid 352dc698-72ec-51ec-2074-a13ec13cf71b
set srcintf "internal" "Wireless-user"
set dstintf "Wireless-user" "internal"
set action accept
set nat64 disable
set nat46 disable
set ztna-status disable
set srcaddr "all"
set dstaddr "all"
set internet-service disable
set internet-service-src disable
unset reputation-minimum
set internet-service6 disable
set internet-service6-src disable
unset reputation-minimum6
set rtp-nat disable
set schedule "always"
set schedule-timeout disable
set policy-expiry disable
set service "ALL"
set tos-mask 0x00
set anti-replay enable
set dynamic-shaping disable
set passive-wan-health-measurement disable
set utm-status disable
set inspection-mode flow
set profile-protocol-options "default"
set ssl-ssh-profile "no-inspection"
set logtraffic all
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set np-acceleration enable
set nat disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set fec disable
set wccp disable
set disclaimer disable
set email-collect disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set srcaddr6-negate disable
set dstaddr-negate disable
set dstaddr6-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
Additional information. I am not seeing the denies in the Forward Traffic logs but I am seeing them in the Local Traffic logs.
That means the FGT is not blocking. If you sniff ping packets on "Wireless-user" interface while you're pinging from "internal" inteface side, you would see them going out. That policy should be allowing them. But my guess is ping replies are not coming back from the AP side.
Toshi
Toshi
Then you are somehow pinging FGT, not your hosts.
Check if the IP you are pinging is on the FGT as well. Can you also share interface configuration?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1557 | |
1033 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.