I have a FortiGate 100e device in which I have taken out one LAN port and set WAN role on it. I have assigned a /30 subnet IP address to the port. The port is up and I can PING it from other zones. However, I cannot PING the remote IP address of the /30 subnet. Execute traceroute shows the only hop as 127.0.0.1. I have deployed ANY-ANY policy from LAN to the above interface but PING from LAN workstation to remote /30 IP address gets DESTINATION HOST UNREACHABLE reply from firewall. I am at my wit's end. Please help.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
boneyard wrote:
if you want to and have the time you could create a link aggregate on the FortiGate, make port16 a member of it and see if that gets a working situation. that does require removing the IP from port16, removing the firewall policy and the route. then putting them back on the link aggregate.
Tried this. Didn't work. :(
what does the diagnose sniffer packet for the link aggregate look like?
This happens in all of my FGT that I manage. What I've notice, if the trace route is done to a "wan" or "port" interface that is not part of a virtual-switch it looks normal. If you do a trace route to a address connected to a port of a virtual-switch, the 127.0.0.1 comes up
e.g
MANHATTANSOUTH # diag ip arp list | grep wan index=8 ifname=wan2 xxx.xxx.1 00:1b:bc:11:43:1a state=00000004 use=61 confirm=47 update=27 ref=51
MANHATTANSOUTH # execute traceroute xxx.xxx.200.1 traceroute to xxx.xxx.200.1 (xxx.xxx.200.1), 32 hops max, 3 probe packets per hop, 72 byte packets 1 xxx.xxx.200.1 0.373 ms 0.330 ms 0.173 ms
and here's a LAN ( virtual-switch )
MANHATTANSOUTH # execute traceroute 10.1.1.50 traceroute to 10.1.1.50 (10.1.1.50), 32 hops max, 3 probe packets per hop, 72 byte packets 1 127.0.0.1 <gearssdk.opswat.com> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H
Opswat does end-point protection, so it's something in fortOS that using some protection. Fortinet is a partner of opswat.
reference
[link]https://www.opswat.com/partners/fortinet[/link]
So if their is not problem with the connected host, I would chalk this up as cosmetic.
Just my observations.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.