Execute traceroute showing first and last hop 127.0.0.1 for connected subnet
I have a FortiGate 100e device in which I have taken out one LAN port and set WAN role on it. I have assigned a /30 subnet IP address to the port. The port is up and I can PING it from other zones. However, I cannot PING the remote IP address of the /30 subnet. Execute traceroute shows the only hop as 127.0.0.1. I have deployed ANY-ANY policy from LAN to the above interface but PING from LAN workstation to remote /30 IP address gets DESTINATION HOST UNREACHABLE reply from firewall. I am at my wit's end. Please help.
If you want to and have the time, you could create a link aggregate on the FortiGate, make port16 a member of it and see if that gets a working situation. That does require removing the IP from port16, removing the firewall policy and the route, then putting them back on the link aggregate.
This happens in all of the FGTs that I manage. What I've noticed: if the traceroute is done to a "wan" or "port" interface that is not part of a virtual-switch, it looks normal. If you do a traceroute to an address connected to a port of a virtual-switch, the 127.0.0.1 comes up.
MANHATTANSOUTH # diag ip arp list | grep wan
index=8 ifname=wan2 xxx.xxx.1 00:1b:bc:11:43:1a state=00000004 use=61 confirm=47 update=27 ref=51
MANHATTANSOUTH # execute traceroute xxx.xxx.200.1
traceroute to xxx.xxx.200.1 (xxx.xxx.200.1), 32 hops max, 3 probe packets per hop, 72 byte packets
1 xxx.xxx.200.1 0.373 ms 0.330 ms 0.173 ms
And here's a LAN (virtual-switch) port:
MANHATTANSOUTH # execute traceroute 10.1.1.50
traceroute to 10.1.1.50 (10.1.1.50), 32 hops max, 3 probe packets per hop, 72 byte packets
1 127.0.0.1 <gearssdk.opswat.com> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H
Opswat does endpoint protection, so it's something in FortiOS that is using some protection. Fortinet is a partner of Opswat.
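To tell the two outputs above apart without reading them by eye, here is a small parser for the FortiOS "execute traceroute" line format quoted in this thread. It is an added example, not code from the thread or from Fortinet; the sample outputs are constructed and modelled on the quoted lines, with documentation addresses in place of the redacted ones.

```python
import re

# Constructed samples in the format of the outputs quoted in the thread.
WAN_TRACE = """traceroute to 203.0.113.1 (203.0.113.1), 32 hops max, 3 probe packets per hop, 72 byte packets
1 203.0.113.1 0.373 ms 0.330 ms 0.173 ms"""

VSW_TRACE = """traceroute to 10.1.1.50 (10.1.1.50), 32 hops max, 3 probe packets per hop, 72 byte packets
1 127.0.0.1 <gearssdk.opswat.com> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H"""

# "<ttl> <addr> [<name>] <rtt> ms [!X] <rtt> ms [!X] ..."
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+<[^>]*>)?\s+(.*)$")
PROBE_RE = re.compile(r"([\d.]+)\s+ms(?:\s+(![A-Z]))?")


def parse_hops(output):
    """Return one dict per hop line: ttl, address, RTTs and ICMP flags."""
    hops = []
    for line in output.splitlines()[1:]:  # skip the "traceroute to ..." header
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, addr, rest = m.groups()
        probes = PROBE_RE.findall(rest)
        hops.append({
            "ttl": int(ttl),
            "addr": addr,
            "rtts": [float(rtt) for rtt, _ in probes],
            "flags": [flag for _, flag in probes if flag],
        })
    return hops


def classify(output):
    """Label a trace: normal one-hop reply, or the firewall answering
    from loopback with !H (host unreachable), as seen on virtual-switch ports."""
    hops = parse_hops(output)
    if not hops:
        return "no-hops"
    first = hops[0]
    if first["addr"] == "127.0.0.1" and "!H" in first["flags"]:
        return "local-host-unreachable"
    target = re.search(r"\(([\d.]+)\)", output.splitlines()[0]).group(1)
    if len(hops) == 1 and first["addr"] == target:
        return "direct-reply"
    return "multi-hop"
```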