I have a new FG100F running on FortiOS 7.2.5.
I noticed that there are some issues when using the firewall LAN IP, 172.32.xx.1.
I can ping the LAN IP from the same subnet or from other subnets, but I cannot ping from the firewall's LAN IP to other IP addresses.
I also tried adding this firewall to my log analyzer for syslog logging, but there is no traffic from the firewall to the syslog server.
All the policies to and from the firewall LAN IP are already created.
# di hardware deviceinfo nic port3
Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
Board :100F
lif id :8
lif oid :72
netdev oid :72
Current_HWaddr 84:39:8f:a7:60:30
Permanent_HWaddr 84:39:8f:a7:60:30
========== Link Status ==========
Admin :up
netdev status :up
autonego_setting :1
link_setting :1
speed_setting :1000
duplex_setting :0
Speed :1000
Duplex :Full
link_status :Up
============ Counters ===========
Rx Pkts :159571037
Rx Bytes :18291058890
Tx Pkts :675617744
Tx Bytes :958872761579
Host Rx Pkts :0
Host Rx Bytes :0
Host Tx Pkts :7
Host Tx Bytes :532
Host Tx dropped :0
FragTxCreate :0
FragTxOk :0
FragTxDrop :0
sw_rx_pkts :159571037
sw_rx_bytes :19265744371
sw_rx_mc_pkts :834192
sw_rx_bc_pkts :45168
sw_tx_pkts :675617413
sw_tx_bytes :961603971227
sw_tx_mc_pkts :9
sw_tx_bc_pkts :60636
If you're unable to ping other IP addresses from the LAN IP of your Fortinet FG100F firewall, or you're not seeing any traffic from the firewall to the syslog server, there could be a number of potential issues at play. Here are a few troubleshooting steps you may want to consider:
1. **Check the Policies:** You mentioned that the policies are already created to and from the firewall LAN IP. Please confirm if they are correctly set. Ensure that the policies allow ICMP (for ping) and UDP/TCP port 514 (for Syslog) traffic from the firewall to the rest of the network. Also, make sure these policies are applied in the correct direction.
2. **Source Interface Configuration:** When configuring the firewall to send logs to a syslog server, you need to specify the source interface. Ensure that the correct interface is selected (in this case, the LAN interface).
3. **Check Routing:** The routing configuration on the firewall and other network devices should be checked. If the routing tables aren't configured properly, the firewall might not know the correct path to the syslog server or other network devices.
4. **Firewall System Settings:** Ensure that the option 'ping' is enabled in the admin settings on the Fortinet firewall. Also, make sure that the option to send logs to a syslog server is enabled.
5. **Syslog Server Settings:** Confirm if the syslog server is set up to receive logs on the correct port and that it's not blocking incoming connections. You could try sending logs from another device to test if the syslog server is functioning correctly.
6. **Network Infrastructure:** Sometimes, network devices like switches or routers might have ACLs or other security mechanisms that block certain types of traffic.
If after checking these points you're still facing issues, it may be helpful to contact Fortinet's support for more specific troubleshooting. It's also always a good idea to make sure your device's firmware is up to date.
Let me know if you need further help with any of these steps.
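As an added illustration of points 2 and 3 above (not part of the original reply), here is the FortiOS CLI a practitioner would use to pin the syslog source interface and then verify the route and reachability from that same interface. The syslog server address 172.16.0.11 is borrowed from later in the thread and assumed to be the log analyzer; port3 is assumed to be the LAN interface.

```text
# --- Pin the syslog source to the LAN interface (assumed: port3) ---
config log syslogd setting
    set status enable
    set server "172.16.0.11"
    set mode udp
    set port 514
    # Without this, the FortiGate picks the egress interface/IP by route lookup,
    # which may not be the LAN IP your policies and syslog ACLs expect.
    set interface-select-method specify
    set interface "port3"
end

# --- Confirm the firewall actually has a route to the server ---
get router info routing-table details 172.16.0.11

# --- Test reachability sourced from the LAN interface ---
execute ping-options interface port3
execute ping 172.16.0.11

# --- Watch whether the syslog datagrams leave, and on which interface ---
diagnose sniffer packet any 'host 172.16.0.11 and udp port 514' 4
```

If the route lookup returns nothing for the server, "Network is unreachable" on the ping is expected and the fix is routing, not policy.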
Hi Yeowkm99,
As you mentioned, from the firewall LAN IP you cannot ping other IP addresses. Please let me know if you tried to ping a public IP address from the firewall and whether that works.
Also, collect the debug below from the FortiGate while initiating the interesting traffic and share the output so we can check and verify:
diagnose debug reset
diagnose debug disable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow filter proto 1
diagnose debug flow trace start 99
diagnose debug enable
NOTE: Replicate the issue. After 5-10 sec, disable the logs by executing:
diagnose debug disable
Regards,
Parteek
From the firewall LAN IP, I can ping 8.8.8.8 after creating a new rule to access the WAN.
I just cannot ping from the firewall LAN IP.
Other servers in the remote subnet can ping other servers.
Hi,
Could you please execute this command and see if it's pinging?
execute ping-options interface port3
execute ping <IP address>
BR,
Manosh
Created on 08-03-2023 01:04 AM Edited on 08-03-2023 01:13 AM
# execute ping-options interface port3
FGT100F # execute ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1): 56 data bytes
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
^C
--- 172.16.0.1 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
FGT100F # execute ping 172.16.0.11
PING 172.16.0.11 (172.16.0.11): 56 data bytes
sendto failed: 101(Network is unreachable)
^C
--- 172.16.0.11 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
Even devices in the same subnet fail:
FGT100F # execute ping 172.32.0.3
PING 172.32.0.3 (172.32.0.3): 56 data bytes
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
sendto failed: 101(Network is unreachable)
^C
--- 172.32.0.3 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
100F # execute ping 172.32.0.15
PING 172.32.0.15 (172.32.0.15): 56 data bytes
sendto failed: 101(Network is unreachable)
^C