Been working on this for a while and no luck. I have two subnets that I need to allow communication between, 10.1.2.0 and 192.168.1.0. This seems simple but I am missing something somewhere.
Do I need to add a static route?
Thanks for any help.
Just to clarify I am seeing the denies in the local traffic log.
Hi,
Local traffic is traffic that originates or terminates on the FortiGate itself. It is any traffic that is destined for any IP on the FortiGate itself. Also, I see that there are no local-in policies configured, as it's showing Policy ID 0.
Execute these commands on the FortiGate and initiate a ping:
diag sniffer packet any 'host <src_IP address> and host <dst_IP address> and icmp' 4 0 a
Copy and paste the output.
BR,
Manosh
2023-06-28 12:47:22.267805 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:27.284242 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:32.292599 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:37.288380 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:42.298757 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:47.286140 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:52.282935 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:47:57.291272 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:48:02.319036 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:48:07.297312 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
2023-06-28 12:48:12.281832 internal in 192.168.1.199 -> 10.1.2.239: icmp: echo request
^C
11 packets received by filter
0 packets dropped by kernel
Here is the config for the first interface.
config system interface
edit "internal"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 192.168.1.100 255.255.255.0
set allowaccess ping https ssh snmp fgfm fabric
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type hard-switch
set netflow-sampler both
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set trunk disable
set description ''
set alias ''
set l2tp-client disable
set security-mode none
set ike-saml-server ''
set stp enable
set stp-ha-secondary priority-adjust
set device-identification enable
set device-user-identification enable
set lldp-reception vdom
set lldp-transmission vdom
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set role lan
set snmp-index 6
set secondary-IP enable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-mgmt-vlan 4094
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set swc-first-create 0
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv enable
set ip6-manage-flag disable
set ip6-other-flag enable
set ip6-max-interval 600
set ip6-min-interval 198
set ip6-link-mtu 0
set ip6-default-life 1800
set dhcp6-relay-service disable
end
set priority 1
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set idle-timeout 0
set disc-retry-timeout 1
set padt-retry-timeout 1
set dns-server-override enable
set dns-server-protocol cleartext
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
set mtu-override disable
next
end
Config for the second interface.
config system interface
edit "Wireless-user"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 10.1.2.100 255.255.255.0
set allowaccess ping https ssh snmp fgfm fabric
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type hard-switch
set netflow-sampler both
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set trunk disable
set description ''
set alias "IoT"
set l2tp-client disable
set security-mode none
set ike-saml-server ''
set stp disable
set stp-ha-secondary priority-adjust
set device-identification enable
set device-user-identification enable
set lldp-reception vdom
set lldp-transmission enable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set role lan
set snmp-index 8
set secondary-IP enable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-mgmt-vlan 4094
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set swc-first-create 0
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv enable
set ip6-manage-flag disable
set ip6-other-flag enable
set ip6-max-interval 600
set ip6-min-interval 198
set ip6-link-mtu 0
set ip6-default-life 1800
set dhcp6-relay-service disable
end
set priority 1
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set idle-timeout 0
set disc-retry-timeout 1
set padt-retry-timeout 1
set dns-server-override enable
set dns-server-protocol cleartext
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
set mtu-override disable
next
end
Hi wraithhunter,
Can you get the output of the diagnose debug flow command with this syntax:
# diagnose debug enable
# diagnose debug flow filter addr 10.1.2.239
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 100
This should show the policy id which blocks the traffic.
id=65308 trace_id=89 func=init_ip_session_common line=5964 msg="allocate a new session-02d29f66, tun_id=0.0.0.0"
id=65308 trace_id=89 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2: to 10.1.2.100 via ifindex-36"
id=65308 trace_id=89 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.1.2.100 via root"
id=65308 trace_id=89 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=90 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.1.199:1->10.1.2.239:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=9184."
id=65308 trace_id=90 func=init_ip_session_common line=5964 msg="allocate a new session-02d29f69, tun_id=0.0.0.0"
id=65308 trace_id=90 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2: to 10.1.2.100 via ifindex-36"
id=65308 trace_id=90 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.1.2.100 via root"
id=65308 trace_id=90 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=91 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=6, 192.168.1.199:1133->10.1.2.239:81) tun_id=0.0.0.0 from internal. flag [S], seq 1550623952, ack 0, win 64240"
Created on 06-30-2023 02:16 AM Edited on 06-30-2023 02:18 AM
Hi,
Do you have any SDWAN rules in place?
Please share the output of this command:
config system sdwan
config service
sh full
BR,
Manosh
Please share a screenshot of your policy routes.
Also try disabling policy routes and run the test again.
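As an added example (not posted by anyone in the thread): a small Python script that groups `diagnose debug flow` output by trace_id and checks for the pattern visible in the trace above, where a policy route hands the packet to a gateway that is one of the FortiGate's own interface addresses, so the packet is processed as local-in and dropped by policy 0. The sample trace and the two interface IPs are copied from the posts above; the diagnosis rule itself is my assumption about what that trace implies, which is what disabling the policy routes would confirm.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the trace quoted above, for trace_id 90.
# The two addresses are the FortiGate interface IPs from the posted config.
LOCAL_IPS = {"192.168.1.100", "10.1.2.100"}
SAMPLE_TRACE = """\
id=65308 trace_id=90 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.1.199:1->10.1.2.239:2048) tun_id=0.0.0.0 from internal. type=8, code=0, id=1, seq=9184."
id=65308 trace_id=90 func=init_ip_session_common line=5964 msg="allocate a new session-02d29f69, tun_id=0.0.0.0"
id=65308 trace_id=90 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2: to 10.1.2.100 via ifindex-36"
id=65308 trace_id=90 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-10.1.2.100 via root"
id=65308 trace_id=90 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+?):\d+->(\S+?):\d+')
PBR_RE = re.compile(r'Match policy routing id=(\d+): to (\S+) via')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')


def parse_trace(text):
    """Group debug-flow lines by trace_id and extract the fields the diagnosis needs."""
    flows = defaultdict(dict)
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        tid, func, msg = m.groups()
        f = flows[tid]
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            f["proto"], f["src"], f["dst"] = p.groups()
        elif func == "rpdb_srv_match_input" and (p := PBR_RE.search(msg)):
            f["pbr_id"], f["pbr_gw"] = p.groups()
        elif (p := DROP_RE.search(msg)):
            f["drop_func"], f["drop_policy"] = func, p.group(1)
    return dict(flows)


def diagnose(flows, local_ips):
    """Explain each local-in drop; flag policy routes whose gateway is a local IP (assumed rule)."""
    findings = {}
    for tid, f in flows.items():
        dst, gw = f.get("dst"), f.get("pbr_gw")
        if f.get("drop_func") != "fw_local_in_handler":
            findings[tid] = "not dropped by local-in"
        elif dst in local_ips:
            findings[tid] = f"expected local-in drop: {dst} is a FortiGate address"
        elif gw in local_ips:
            findings[tid] = (f"policy route {f['pbr_id']} sends {f['src']}->{dst} to gateway {gw}, "
                             f"the FortiGate's own interface IP, so the packet is handled as "
                             f"local-in and dropped by policy {f['drop_policy']}")
        else:
            findings[tid] = "local-in drop with no policy-route cause in the trace"
    return findings
```

Run `diagnose(parse_trace(SAMPLE_TRACE), LOCAL_IPS)` to get one finding per trace_id; on a real capture, substitute the device's interface addresses for LOCAL_IPS.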