Dear All,
We have recently transitioned to a VLAN segmentation configuration from our previous flat VLAN design.
FortiGate 201F is in Version 7.2.10.
Currently, we have printers located in VLAN 20 and users in VLAN 40.
Our network architecture consists of an Internet connection leading to a FortiGate firewall, which then connects to a switch that serves both printers and user PCs.
Detailed information:
We have an inter-VLAN policy that permits all services between VLAN 20 and VLAN 40, and no security profiles are applied. While devices in these VLANs can successfully ping each other and users can print without issues.
The Issue we facing,
We are encountering a problem with scanning documents from the printer to the PC using SMB.
The strange thing is we don't see any logs at all.
We tested within the same VLAN, where both the printer and PC are located within the same VLAN, shows that scanning functions correctly without routing through the FortiGate.
Does anyone encounter this issue? Able to advise this?
Could you please share the forward traffic and debugs logs. You can run following command on Fortigate:
diag debug flow filter addr X.X.X.X Y.Y.Y.Y and
diag debug flow show function enable
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow trace start 100
diag debug enable
where X.X.X.X is source IP address and Y.Y.Y.Y is destination IP address.
Also, make sure windows firewall is disable.
Hello @SGLeo
1) You need to have Policy from VLAN 40 to VLAN 20 (users to printers)
2) You can test it by enabling the NAT on the Firewall policy from User to Printers. (Most probably it would work), if it works with the NAT, then your printers have some security enabled which is not responding to IP's from different subnets.
3) You can run the sniffer to check the traffic before running the debugs:
#di sniffer packet any "host x.x.x.x and port 139" 4 0 l
x.x.x.x is the destination IP
139 is SMB port
Regards,
Verender
Hi Kumar,
I have a intervlan policy from user to printer and printer to user. But still not working.
I did tried from printer to user doing nat but also can't work.
Just wondering if this is causing the issue? https://support.microsoft.com/en-us/topic/ms16-077-security-update-for-wpad-june-14-2016-2490f086-dc...
Hi,
You might not see any logs if a firewall rule has them disabled.
Have you tried the debug commands provided previously in order to see all the traffic/ports that the printer is trying to use while scanning?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.