Gsing
New Contributor II

FortiGate Blocking traffic from FortiSwitch (Link port A)

Hello Guys, 

I have a 48-port FortiSwitch which is connected to my FortiGate 60E firewall through FortiLink port A. The problem is that the FortiGate is blocking traffic from the FortiSwitch (the switch is trying to connect to 66.35.19.50, fortiswitch-dispatch.forticloud.com). I created a policy which allows all the traffic from the FortiLink interface to WAN, but the traffic still gets blocked by the Implicit Deny 0 policy. Can anybody help me out, please? The log shows "Deny by Implicit 0 Policy", so it is getting blocked.

knagaraju
Staff

Hello Gsingh,

1.) Please share the output of the command below from the FortiGate CLI:
diagnose ip address list

2.) Also, please run the commands below in the FortiGate CLI, initiate the traffic, and share the output:
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 169.254.1.2
diagnose debug flow filter daddr 66.35.19.50
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug enable

Gsing
New Contributor II

Thank you @knagaraju for helping me out. Please find the output below after running the above commands in the CLI. (Screenshots: output 1.png, Output 2.png)

knagaraju

Thank you for sharing.
Do you have the PPP2 interface added in SD-WAN?
If yes, then I suggest you open a TAC ticket to proceed with further troubleshooting.

Gsing
New Contributor II

Hi @knagaraju 

It is set to ppp2 as well. For your clarification, I am attaching screenshots of the SD-WAN settings in my firewall. I raised the ticket as well. The ticket number is 7514487. (Screenshots: SD wan1.png, SD wan2.png)

CIFortiUser
New Contributor

I am facing the same exact issue. Was your issue resolved? If so, what was the resolution?

gfleming
Staff

You cannot route APIPA addresses (169.254.0.0/16) outside the local link. If you need this access then change the subnet to something that can route properly like RFC1918 addressing with appropriate SNAT configured on the policy.

Cheers,
Graham
RinoBroer
New Contributor III

The incoming interface for this traffic is FortiLink, not default.fortilink (_default), which is configurable only through the CLI. My advice is to create a policy through the GUI and then edit the source interface in the CLI.

Rino Broer
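As an added example (not posted by anyone in this thread), the FortiOS CLI configuration that combines Graham's and Rino's advice: the policy's source interface is set in the CLI to the FortiLink interface, the destination is limited to the FQDN the switch contacts, and source NAT is enabled so the link-local 169.254.x.x switch address is translated to the WAN address instead of being dropped. The interface names "fortilink" and "wan1" and the object and policy names are assumptions; substitute the names from your own unit.

```fortios
# Added example, not from the thread. Interface names "fortilink" and "wan1"
# are assumptions; replace them with the names shown on your FortiGate.

# Limit the destination to the dispatcher host named in the original post.
config firewall address
    edit "fortiswitch-dispatch"
        set type fqdn
        set fqdn "fortiswitch-dispatch.forticloud.com"
    next
end

# Policy from the FortiLink interface to WAN. "edit 0" lets the FortiGate
# assign the next free policy ID. "set nat enable" is what makes the
# 169.254.x.x source routable: without it the reply has nowhere to go.
config firewall policy
    edit 0
        set name "FortiLink-to-FortiCloud"
        set srcintf "fortilink"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "fortiswitch-dispatch"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

If the WAN interface is an SD-WAN member (the thread mentions ppp2 in SD-WAN), set dstintf to the SD-WAN zone rather than the member interface, otherwise the policy is not accepted. Narrow "ALL" to the actual service once the debug flow output shows the destination port.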
Damien1
New Contributor II

What's the solution to either allow the traffic or at least prevent the logging of it without turning off logging in policy 0/implicit?

(I tried doing the same as the OP here, but somehow policy 0 is still being cited, which is an inbound rule, and this traffic is in the traffic logs, which are polluted with denials multiple times per minute.)
