Support Forum
zmag
New Contributor

External access

FG620B 4.0 MR2 Patch 1 build 0279

I have a complete config built and ready to be tested in production. I also have a 4 hour tech call that came with the purchase and I would like to use it. In order for this to happen support needs remote access. This device is sitting in a different network, so I need to edit a new port for a DSL line and create policies just for access in and browsing. I am using a spare port for a WAN link but I must be missing something.

port14, public IP static, admin access = http, https, ssh, ping

It seems to me that just having this interface config with admin access I should be able to ping it, but I cannot. I can ping out to any public IP from the CLI. If I use that static IP in a browser from the dev (local) network it launches the GUI admin page, but it is not reachable from the outside. I created a VIP and forwarded that to the local interface of the firewall to see if that worked, but it didn't. Still can't ping the firewall.

I have a log in the Analyzer:
status = deny
source = my production IP
destination = my VIP
Policy ID = 0 <<<<----- ??
Protocol = -1
Subtype = Violation

Thanks in advance.
16 REPLIES
rwpatterson
Valued Contributor III

This post is a bit confusing... The device is in a different network, but has a public IP? Does that 'different' network reside in the same subnet? Is the default gateway pointed to the interim router, or is this unit on the edge?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
zmag
New Contributor

Sure. The different network is a mirror image of my production network, so the LAN IP scheme is 192.168.40.0/22 (same as my prod net). The firewall IP will remain 192.168.40.100/22 in both the dev net and the prod net. We have a DSL connection for this network, and we have 2 separate ISPs for my prod net. This unit is currently on the edge, no router in dev, and the default route states 0.0.0.0/0.0.0.0 Gateway 151.x.x.x.

I just realized that this DSL, which is configured at port14, makes the 3rd WAN link, and I wonder if that is an unacceptable config? Also, for clarity, the 2 networks never connect. If it is true that there can only be 2 WAN ports, then I am going to have to blow up this config, as I have about 50 rules and lots of addresses that are bound to my other 2 WAN links.
rwpatterson
Valued Contributor III

Maybe I need some caffeine... I'm still not on beam here. One unit? 2 units? 3 DSL connections. 2 identical LANs, OK. On how many units? Sorry for the cement brain.. It's late, tough day here...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
zmag
New Contributor

I guess I will use a different approach to explaining this. My production network has 11 subnets over 7 sites (this includes VLANs). I am working on replacing a CheckPoint NGX with a Fortigate 620B HA cluster for production. I configured the FG620 so it would plug into my production net and replace the CheckPoint. This was done in a very small network that we use for dev, simply so I could access the firewall and analyzer and test some of the config. The result is that I have a firewall configured with hundreds of addresses, 125 policies, 1 LAN port, 1 DMZ port, 2 VDOMs and 2 WAN ports, but it is plugged into my dev network.

So, once that was done (to the best of my knowledge) I decided I would take advantage of a "free" 4 hour support call from Fortinet as a sanity check of my new config. The problem with that is that Fortinet requires access to the firewall. Since this firewall is configured as if it were in my production network, it is set up to use either of the 2 ISP addresses that I have in production. I'll call them 12.1.2.3 and 14.1.2.3. Those 2 addresses are not available in dev, but I do have a DSL line (126.1.2.3) sitting there that we use for our dev and testing. So I need to connect the FG to the 126.1.2.3 just for internet and remote access so Fortinet support can take a look. My guess is that I can't have 3 active WAN ports, but I am not sure if this is true or not.

Sorry about leaving out massive amounts of detail, but I thought it would just be confusing. Let me know if this makes more sense.
rwpatterson
Valued Contributor III

If the two active DSL ports are for load balance, you could move one over for testing.... If they are each assigned different tasks, then you would have to schedule a window for testing. Alternatively, you could change one of the DSL addresses on the test unit to the third line and go with that. It won't be the correct line, but the functionality will be there, just an IP change and security on the interface. My two cents. By the way: make sure you enable NAT on the policy going out to the Internet (port14).

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

Yee-haw, there is nothing wrong with your config. As you have already stated, you can ping any target out there. So the WAN connection is up (which one remains unknown), the routing is OK. My guts tell me it's a matter of missing permissions. "Policy 0" is the implicit DENY rule, the one that blocks everything after all self-declared policies have been passed. So your traffic has been blocked.

There is no limit on "WAN ports"...all ports can be used for all purposes. So it must be something else. Have you configured "Administrative Hosts"? That would explain why access from the LAN is permitted and from outside is not.

To test whether the WAN config is OK, you could disconnect the 2 other WAN cables and ping an external target from the FG. If that works, routing and policies are correct.
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

@rwpatterson: Mercy on you and let the evening come...I wonder in which timezone you are living. Mine is GMT+1 so _I_ am off-hours now. Nearly laughed my head off when I read your mumblings...I'm not sure if we get a decent support together for the rest of the day.
Ede Kernel panic: Aiee, killing interrupt handler!
rwpatterson
Valued Contributor III

:) In New York, and it's 10 minutes to quitting time. YES! Our Alcatel switches doing layer 3 routing are kicking me in the seat with intermittent 10 second outages. Totally random, not remotely coincidental with anything. Not traffic, CPU load, memory... It sucks! The thin clients drop every time, and I'm catching s**t from all sides. My most hated question... "Do you know when it's going to be fixed?" My response? "If I knew the answer to that, you would not be asking me that question!" Groan

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
zmag
New Contributor

I guess I have to come to terms with my communication issues (proves my wife right!). There are 3 WAN links configured, but there is only one plugged in. The other 2 interfaces are configured so they will work when I move this to production. The only one that is plugged in is the DSL for dev.

"Have you configured "Administrative Hosts"? That would explain why access from the LAN is permitted and from outside is not."

I haven't configured administrative hosts; actually, I haven't seen that option. I assume that's a filter for administrative access per interface?

"To test whether the WAN config is OK, you could disconnect the 2 other WAN cables and ping an external target from the FG. If that works, routing and policies are correct."

It does work. So if there is no limit on WAN ports, and this traffic is blocked by the implied DENY rule, I am missing a rule to allow this traffic in. The rule I created states:
src int = port14 (dev_dsl)
src addr = all
dst int = port14 (dev_dsl)
dst addr = vip_fg1
service = any
action = allow
enable NAT = yes

Fingers crossed that this makes sense.
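The two settings ede_pfau points at ("Administrative Hosts", which the CLI calls trusted hosts, and the per-interface administrative access list) are shown below as an added example in FortiOS 4.0-style CLI. It is not configuration from the thread or from Fortinet; port14, 126.1.2.3 and 192.168.40.0/22 are taken from the posts above, while 203.0.113.10 is a placeholder standing in for the address Fortinet support would connect from. Management access to the FortiGate's own interface address is controlled by the interface's allowaccess list and by the admin account's trusted hosts, so these are the first two things to verify; the flow trace at the end shows which step drops a packet, so a "Policy ID 0" deny can be tied to an actual cause rather than guessed at.

```fortios
# Added example, not from the thread. Addresses other than those quoted in the
# thread are placeholders.

# 1. The interface decides which management services answer on its address.
#    "ping" has to be in this list, or port14 will not reply to ICMP at all.
config system interface
    edit "port14"
        set alias "dev_dsl"
        set ip 126.1.2.3 255.255.255.0
        set allowaccess ping https ssh
    next
end

# 2. "Administrative Hosts" in the GUI are trusthost1..N on the admin account.
#    With no trusthost set, the account accepts logins from anywhere (0.0.0.0/0).
#    As soon as one is set, logins are accepted only from those networks, which
#    is exactly the "works from the LAN, fails from outside" symptom.
#    203.0.113.10 is a placeholder for the support engineer's source address;
#    remove it again once the support call is over.
config system admin
    edit "admin"
        set trusthost1 192.168.40.0 255.255.252.0
        set trusthost2 203.0.113.10 255.255.255.255
    next
end

# 3. Checks. Confirm what is actually configured before changing anything:
show system interface port14
show system admin admin

# Trace what the unit does with packets from the support host. The trace
# prints whether the packet is treated as traffic to the FortiGate itself
# (admin access) or forwarded through a firewall policy, and where it is dropped.
diagnose debug flow filter addr 203.0.113.10
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug enable
# ... attempt the ping / HTTPS / SSH connection from 203.0.113.10, then:
diagnose debug disable
diagnose debug flow trace stop
```

Restricting trusthosts to the support engineer's address (and the LAN) rather than leaving https and ssh reachable from the whole Internet on a public IP is the sensible default for the duration of the call; the trusthost entries apply to that admin account on every interface, not per interface.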