Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Faiz
New Contributor

Created on ‎01-12-2020 06:47 PM

Could not Ping to Internet from Specific Device

We have installed a new device in bridge mode, between the switch and fortigate, I have made a policy for outgoing traffic from this device, but still couldn't ping the internet (eg 8.8.8.8), I tried to debug, and the results are as follows:

 

fw-fg100e # id=20085 trace_id=1108 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.100.100:49496->8.8.8.8:2048) from port1. type=8, code=0, id=49496, seq=1." id=20085 trace_id=1108 func=init_ip_session_common line=5625 msg="allocate a new session-0087b8c1" id=20085 trace_id=1108 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2131165186: to 8.8.8.8 via ifindex-8" id=20085 trace_id=1108 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-116.xxx.xxx.129 via wan2" id=20085 trace_id=1108 func=fw_forward_handler line=636 msg="Denied by forward policy check (policy 0)"

 

Any suggestions would be appreciated. Thanks in advance

Faiz
Faiz
4979
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎01-12-2020 08:58 PM

What the flow debug result is saying is it doesn't see a matching policy for the ping packet from 192.168.100.100 on port1 to wan2. Check the policy again.

3836
0 Kudos
Faiz
New Contributor
In response to Toshi_Esumi

Created on ‎01-13-2020 02:53 AM

toshiesumi wrote:

What the flow debug result is saying is it doesn't see a matching policy for the ping packet from 192.168.100.100 on port1 to wan2. Check the policy again.

Thanks for your reply toshiesumi, I think the policy I made was right, below is the policy I made for outgoing traffic from 192.168.100.100

 

Incoming Interface = VLAN_100 (since IP 192.168.100.000 is a member of VLAN_100 zone) Outgoing Interface = SD-WAN (Wan2 is a member of of SD-WAN Interface) Source = 192.168.100.100 Destination = All Schedule=Always Service=All NAT Enable

 

 

 

Faiz
Faiz
3836
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Faiz

Created on ‎01-13-2020 07:41 AM

As I wrote, it's seeing coming from "port1" not from "VLAN_100".

3825
0 Kudos
Faiz
New Contributor
In response to Toshi_Esumi

Created on ‎01-13-2020 09:13 AM

As you see an image attached, VLAN_100 is member of port1 interface... 

Faiz
Faiz
interfaces.JPG
Preview file
79 KB
3825
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Faiz

Created on ‎01-13-2020 09:23 AM

VLAN subinterfaces are independent from the parent port in policies. The 192.168.100.100 device is likely sending untagged packets. Try sniffing packets on "VLAN_100" and "port1" to verify. 

3827
0 Kudos
Faiz
New Contributor
In response to Toshi_Esumi

Created on ‎01-13-2020 09:44 AM

toshiesumi wrote:

VLAN subinterfaces are independent from the parent port in policies. The 192.168.100.100 device is likely sending untagged packets. Try sniffing packets on "VLAN_100" and "port1" to verify. 

Ok toshiesumi thanks for you assistance, i'll try to sniffing packets on VLAN_100 and port1 as well

 

 

 

are those syntaxes are correct?

Faiz
Faiz
3827
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to Faiz

Created on ‎01-13-2020 09:56 AM

If you're asking about syntax for sniffing,

  diag sniffer packet VLAN_100 (or port1) 'host 192.168.100.100'

3836
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.