Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FG100F LAN interface traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG100F LAN interface traffic
i have one new FG100F running on FortiOS 7.2.5.
i noticed that there is some issues using the firewall LAN IP, 172.32.xx.1.
i can ping the LAN IP from same subnets or other subnets but i cannot ping from the LAN IP of the firewall to other IP address.
i also tried adding this firewall to my log Analyzer for syslog logging but no traffic from the firewall to the syslog server.
all the polices are already created to and from the firewall LAN IP.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yeowkm99
Based on the update, I understand that from Firewall Lan IP as a source your not able to ping other network.
Also when you mentioned that from Lan to Lan reachability is fine, Was this validated from both direction? Is Nat enabled on these firewall policy ?
The other subnet is connected network or remote subnet ?
Regards,
Patterson
Regards,
Patterson
Patterson
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
both direction is working. only firewall LAN IP cannot ping to others.
port 3 is my firewall LAN connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run a diag sniffer from CLI while you initiate a ping towards the syslog server?
diagnose sniffer packet any "host 172.32.xx.1" 4 100
This will help us to confirm if the packet is leaving or not, also if it is taking the right source address or not
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
interfaces=[any]
filters=[host 172.32.0.1]
0.066329 lan in arp who-has 172.32.0.1 tell 172.32.0.5
0.066356 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
0.077448 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914144
1.059736 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914144 ack 3578922795
1.059820 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914256 ack 3578922795
1.074030 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914448
2.069649 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914448 ack 3578922795
2.145546 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914752
3.079601 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914752 ack 3578922795
3.149677 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914976
3.369339 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708298 ack 4118253871
3.369384 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708383
3.377076 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118253871 ack 697708383
3.380025 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118254459 ack 697708383
3.405730 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708383 ack 4118254459
3.439436 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708418
3.456619 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: ack 4118254490
4.089792 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914976 ack 3578922795
4.158045 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831915776
5.099699 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831915776 ack 3578922795
5.157274 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916000
6.119631 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916000 ack 3578922795
6.140275 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: psh 3578922795 ack 831916224
6.140416 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916224 ack 3578922955
6.195527 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916272
6.286312 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.57
6.286335 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
7.129690 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916272 ack 3578922955
7.194823 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916800
8.139669 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916800 ack 3578922955
8.206527 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917024
8.529382 lan out arp who-has 172.32.0.30 tell 172.32.0.1
8.529502 lan in arp reply 172.32.0.30 is-at 4c:d9:8f:91:7d:4a
9.129226 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.30
9.129248 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
9.129522 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917024 ack 3578922955
9.129599 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917296 ack 3578922955
9.142283 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917424
9.366546 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708418 ack 4118254490
9.366583 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708503
9.374221 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118254490 ack 697708503
9.374989 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118255078 ack 697708503
9.387284 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: ack 4118255109
9.392013 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708503 ack 4118255109
9.429381 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708538
10.139593 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917424 ack 3578922955
10.139679 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917616 ack 3578922955
10.139737 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917856 ack 3578922955
10.139794 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831918320 ack 3578922955
10.139845 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831918544 ack 3578922955
10.150096 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917856
10.150135 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831918544
10.189253 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831918672
^C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see ARP request/reply,were you pinging 172.32.0.30? do you have any local-in policies in place?
8.529382 lan out arp who-has 172.32.0.30 tell 172.32.0.1
8.529502 lan in arp reply 172.32.0.30 is-at 4c:d9:8f:91:7d:4a
9.129226 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.30
9.129248 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
172.32.0.30 is one of the servers in the subnet.
how do i check for local-in policies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
show firewall local-in-policy
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nothing configured here.
show firewall local-in-policy
config firewall local-in-policy
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yeowkm99,
Could you cross check if there is a IP duplicacy, you may verify the ARP entry on the user/lan machine for the firewall ip, are you seeing the firewall MAC address?
You can get the mac address of the firewall using below command:
di hardware deviceinfo nic <port>
Thank you!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- [Help] SD-WAN with BGP on Loopback... 273 Views
- Traffic Shaping Configuration Issue Affecting ... 97 Views
- primary and seconary WAN connection for... 159 Views
- Output traffic with default route BGP 559 Views
- How to avoid Assymetric Routing with... 159 Views
Labels
-
FortiGate
8,476 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
458 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
179 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.