Hi! I'm migrating from old unit FG50B fortiOS 4 to the new one FG50E v5.6.6 build1630. I've transferred working config from old unit with necessary corrections so expect the new FG50E will work the same.
In the config two WAN interfaces are combined to SD-WAN, 4 site-to-site ipsec tunnels grouped under zone "VPN-TO-OFFICE", 2 other dialin vpns - under 2nd zone.
One rule has been set allowing traffic from "VPN-TO-OFFICE" zone to lan, routes are configured. The site-to-site tunnel ("vpn_ks-ukrainka") on "VPN-TO-OFFICE" zone is up with no issue.
But when I try to ping host on lan interface (192.168.1.6) from remote network (192.168.0.8) thru vpn tunnel - there's no response.
Sniffer shows the packets pass the tunnel and reach the new unit:
FG2_NEW # diagnose sniffer packet any "icmp and host 192.168.0.8" 4
7.129330 vpn_ks-ukrainka in 192.168.0.8 -> 192.168.1.6: icmp: echo request
11.899320 vpn_ks-ukrainka in 192.168.0.8 -> 192.168.1.6: icmp: echo request
16.907482 vpn_ks-ukrainka in 192.168.0.8 -> 192.168.1.6: icmp: echo request
21.899167 vpn_ks-ukrainka in 192.168.0.8 -> 192.168.1.6: icmp: echo request
Trace shows they do not match any of rules and fall into implicit deny rule:
id=20085 trace_id=18 func=print_pkt_detail line=5346 msg="vd-root received a packet(proto=1, 192.168.0.8:1->192.168.1.6:2048) from vpn_ks-ukrainka. type=8, code=0, id=1, seq=719."
id=20085 trace_id=18 func=init_ip_session_common line=5505 msg="allocate a new session-00004964"
id=20085 trace_id=18 func=iprope_dnat_check line=4734 msg="in-[vpn_ks-ukrainka], out-[]"
id=20085 trace_id=18 func=iprope_dnat_check line=4747 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=18 func=vf_ip_route_input_common line=2574 msg="find a route: flag=04000000 gw-192.168.1.6 via lan"
id=20085 trace_id=18 func=iprope_fwd_check line=708 msg="in-[vpn_ks-ukrainka], out-[lan], skb_flags-02000008, vid-20, app_id: 0, url_cat_id: 0"
id=20085 trace_id=18 func=__iprope_tree_check line=548 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=18 func=__iprope_check_one_policy line=1928 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
id=20085 trace_id=18 func=__iprope_check_one_policy line=1928 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=18 func=__iprope_user_identity_check line=1755 msg="ret-matched"
id=20085 trace_id=18 func=__iprope_check_one_policy line=2135 msg="policy-0 is matched, act-drop"
id=20085 trace_id=18 func=iprope_fwd_auth_check line=763 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=18 func=fw_forward_handler line=591 msg="Denied by forward policy check (policy 0)"
The packet should match "policy-1" rule which I guess is the rule with index 1, but for some reason it doesn't match.
The rule 1 is the only one on interface pair "VPN-TO-OFFICE" - "lan":
config firewall policy
edit 1
set uuid 7e5546ce-c4d6-51e8-3aef-6a25c7b8c73a
set srcintf "VPN-TO-OFFICE"
set dstintf "lan"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "any"
set logtraffic all
next
So - why the rule is skipped by firewall ?
Did I miss something new in OS 5.6.6 or this is a bug?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.