Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gsing
New Contributor II

Created on ‎08-25-2022 10:59 AM

FortiGate Blocking traffic from FortiSwitch (Link port A)

Hello Guys, 

I have 48 Port Fortiswitch which is connected to my FortiGate 60E firewall through Fortilink port A. The problem is Fortigate is blocking traffic from Fortiswitch { Switch is trying to connect to this- 66.35.19.50 (fortiswitch-dispatch.forticloud.com) } . I create policy which allowed all the traffic from Fortilink interface to WAN but still traffic is get block by Implicit Deny 0 Policy. Anybody can help me out pleaseDeny by Implicit 0 PolicyDeny by Implicit 0 PolicyPolicyPolicy it is getting blocked

Labels:
5560
0 Kudos
9 REPLIES 9
knagaraju
Staff
Staff

Created on ‎08-25-2022 11:54 PM

Hello Gsingh,

1.)Please share the below command output from fortigate cli
diagnose ip address list

2.)Also , please run the below commands in fortigate cli and initiate the traffic, please get the outputs.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 169.254.1.2
diagnose debug flow filter daddr 66.35.19.50
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug enable

5542
Gsing
New Contributor II
In response to knagaraju

Created on ‎08-26-2022 03:48 AM

Thanku @knagaraju for helping me out. Please find the output below after running above commands in CLI.output 1.pngOutput 2.png

5537
0 Kudos
knagaraju
Staff
Staff
In response to Gsing

Created on ‎08-26-2022 04:37 AM

Thank you for sharing.
Do you have PPP2 interface added in SD-WAN ?
If yes then I suggest you to open a TAC ticket to proceed on further troubleshooting on it.

5530
Gsing
New Contributor II

Created on ‎08-26-2022 07:34 AM Edited on ‎08-29-2022 08:45 AM

Hi @knagaraju 

It is set to ppp2 as well. For your clarification I am attaching the screenshot for SD-WAN setting in my firewall. I raised the ticket as well. The ticket number is: 7514487SD wan1.pngSD wan2.png 

5524
0 Kudos
CIFortiUser
New Contributor

Created on ‎01-25-2023 01:23 PM

I am facing the same exact issue. Was your issue resolved? If so, what was the resolution?

5173
0 Kudos
gfleming
Staff
Staff

Created on ‎01-25-2023 01:41 PM

You cannot route APIPA addresses (169.254.0.0/16) outside the local link. If you need this access then change the subnet to something that can route properly like RFC1918 addressing with appropriate SNAT configured on the policy.

Cheers,
Graham
5168
0 Kudos
RinoBroer
New Contributor III

Created on ‎04-23-2023 12:59 PM

The incoming interface for this traffic is FortiLink not default.fortilink (_default) which is configurable only through the CLI. My advice is to create a policy through the CUI and then edit the source interface in the CLI.

Rino Broer
Rino Broer
4802
0 Kudos
Damien1
New Contributor II

Created on ‎09-30-2023 02:42 PM

What's the solutiuon to either allow the traffic or at least prevent the logging of it without turning off logging in policy 0/implicit?

(I tried doing the same as the OP here, but somehow policy 0 is still being cited, which is an inbound rule, but this traffic is in the traffic logs, are polluted with denials multiple times per minute)

4025
0 Kudos
Kiuu_White
New Contributor

Created on ‎04-24-2024 03:54 PM

I eneded up just turning it off :)

config system flan-cloud

(flan-cloud) # get
interval : 3
name : fortiswitch-dispatch.forticloud.com
port : 443
status : enable

set status disable

end

2471
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.