- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Default route in case of Zscaler proxy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Default route in case of Zscaler proxy
Hi, Users are using zscaler proxy for internet.
We are having zscaler s2s vpn tunnels configured and added default route for internet.
Zscaler tunnel - distance - 10, priority - 1
Internet ILL - distance - 10, priority - 2
Now if we do the ping to ILL wan ip we are not getting ping of wan ip.
If we do priority 1 to ILL and priority 2 to Zscaler tunnel then only we are able to ping to wan ip.
Can someone please guide in this case.
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ganesh_karale ,
It sounds an asymmetric routing issue to me, please check if the routing is working as expected in your infrastructure.
Please attach a diagram that shows the devices involved and their IP, also shows from where your users are pinging.
Running a packet capture on both ends would be good to understand if and where the packet are received:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
On the FortiGate you can also run a debug flow at the same time of the packet sniffer (on a second SSH window, to avoid mixing up the logs):
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we do packet capture it shows that if we are pinging to wan ip from public network traffic receiving on wan interface but reply going out via zscaler.
Created on 07-02-2024 01:40 AM Edited on 07-02-2024 01:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ganesh_karale ,
If you attach a diagram which shows the IPs and the devices involved, it would be beneficial.
You might find the below article useful:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
You can also collect the following (x.x.x. are the three first octets and x.x.x.x is the IP you are pinging):
get router info routing-table all | grep x.x.x.
get router info routing-table database | grep x.x.x.
get router info routing-table detail x.x.x.x/32
diag ip rtcache list | grep x.x.x.
get router info kernel | grep x.x.x.
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Trying to ping from 14.143.59.30 to 103.250.149.61.
Run sniffer packet and there traffic comes in through respective wan interface and going out through zscaler interface.
Please find below logs for the same.
========================================
FGTRGISURAT # get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via Zscaler_MUM tunnel 10.0.0.1, tun_id
* via Zscaler_Che tunnel 10.0.0.2, tun_id
* 116.72.19.1, via internal5
* 10.201.0.1, via ppp2
FGTRGISURAT #
FGTRGISURAT # diagnose sniffer packet any "host 103.250.149.61 and icmp" 4 0 a
interfaces=[any]
filters=[host 103.250.149.61 and icmp]
2024-07-02 11:16:55.694288 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:16:55.694436 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:00.539766 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:00.539804 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:05.519582 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:05.519617 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:10.524323 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:10.524426 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
^C
32 packets received by filter
0 packets dropped by kernel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ganesh_karale ,
Thank you for the sniffer logs.
As explained earlier, a network diagram would be beneficial in order to help you.
Also I cannot see the correct routing commands outputs that I suggest you to collect.
It might be better to raise a ticket with our support so you can share the required logs and config backups accordingly.
Best regards,
---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @ganesh_karale,
You can use policy route to route traffic over the tunnel. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
Regards,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate using proxy to update fortigurad... 287 Views
- zScaler VPN with dynamic ip 141 Views
- proxy-fqdn "default.fqdn" 516 Views
- Explicit Proxy on FGT - what... 351 Views
Labels
-
FortiGate
7,212 -
FortiClient
1,423 -
5.2
801 -
5.4
639 -
FortiManager
622 -
FortiAnalyzer
463 -
6.0
416 -
FortiAP
378 -
FortiSwitch
376 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
282 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
178 -
FortiNAC
129 -
6.4
128 -
FortiGuard
117 -
IPsec
111 -
SSL-VPN
110 -
FortiGateCloud
97 -
FortiSIEM
95 -
FortiCloud Products
90 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
66 -
4.0MR3
64 -
SD-WAN
51 -
FortiProxy
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
40 -
FortiGate v5.4
36 -
FortiExtender
35 -
FortiSandbox
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
VLAN
32 -
FortiSwitch v6.4
32 -
High Availability
32 -
DNS
25 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
FortiConverter
23 -
LDAP
22 -
Certificate
21 -
BGP
21 -
SAML
20 -
FortiGate v5.2
20 -
Interface
20 -
FortiPortal
18 -
Routing
18 -
FortiSwitch v6.2
17 -
Authentication
17 -
VDOM
17 -
FortiLink
16 -
FortiMonitor
15 -
RADIUS
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
NAT
14 -
FortiDDoS
14 -
Logging
14 -
SSL SSH inspection
13 -
FortiCASB
12 -
Web profile
11 -
Traffic shaping
11 -
Virtual IP
11 -
Application control
11 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
IP address management - IPAM
9 -
FortiManager v5.0
9 -
OSPF
9 -
4.0MR2
9 -
WAN optimization
9 -
RMA Information and Announcements
8 -
FortiSOAR
8 -
Proxy policy
8 -
FortiAnalyzer v5.0
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
Web application firewall profile
7 -
Security profile
7 -
FortiAP profile
7 -
Automation
7 -
4.0
7 -
Admin
7 -
Static route
6 -
Traffic shaping policy
6 -
trunk
6 -
IPS signature
5 -
Packet capture
5 -
Port policy
5 -
Antivirus profile
5 -
System settings
5 -
DNS Filter
5 -
FortiCache
5 -
FortiTester
5 -
FortiManager v4.0
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Traffic shaping profile
4 -
FortiPAM
4 -
Fortinet Engage Partner Program
4 -
FortiCarrier
4 -
3.6
4 -
FortiScan
4 -
DLP sensor
4 -
DoS policy
4 -
Email filter profile
3 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Application signature
3 -
DLP Dictionary
3 -
FortiDB
3 -
DLP profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
FortiHypervisor
2 -
Schedule
2 -
Authentication rule and scheme
2 -
Explicit proxy
2 -
Internet Service Database
2 -
VoIP profile
2 -
4.0MR1
1 -
File filter
1 -
RIP
1 -
Multicast policy
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Zone
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
FortiManager-VM
1 -
SDN connector
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1082 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.