Hello Guys,
I have a 48-port FortiSwitch which is connected to my FortiGate 60E firewall through FortiLink port A. The problem is that the FortiGate is blocking traffic from the FortiSwitch (the switch is trying to connect to 66.35.19.50, fortiswitch-dispatch.forticloud.com). I created a policy which allowed all the traffic from the FortiLink interface to WAN, but the traffic is still getting blocked by the Implicit Deny policy 0. Can anybody help me out, please? It is getting blocked.
Hello Gsingh,
1.) Please share the below command output from the FortiGate CLI:
diagnose ip address list
2.) Also, please run the below commands in the FortiGate CLI, initiate the traffic, and share the outputs:
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 169.254.1.2
diagnose debug flow filter daddr 66.35.19.50
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug enable
Thank you @knagaraju for helping me out. Please find the output below after running the above commands in the CLI.
Thank you for sharing.
Do you have the PPP2 interface added in SD-WAN?
If yes, then I suggest you open a TAC ticket to proceed with further troubleshooting on it.
Hi @knagaraju
It is set to ppp2 as well. For your clarification, I am attaching the screenshot of the SD-WAN settings in my firewall. I raised the ticket as well. The ticket number is: 7514487.
I am facing the same exact issue. Was your issue resolved? If so, what was the resolution?
You cannot route APIPA addresses (169.254.0.0/16) outside the local link. If you need this access then change the subnet to something that can route properly like RFC1918 addressing with appropriate SNAT configured on the policy.
The incoming interface for this traffic is FortiLink not default.fortilink (_default) which is configurable only through the CLI. My advice is to create a policy through the CUI and then edit the source interface in the CLI.
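To triage the output of the debug flow commands posted earlier in this thread, the following added example (not written by any participant here) groups trace lines by trace_id and lists the flows that ended at implicit policy 0, flagging link-local (169.254.0.0/16) sources. The sample lines are constructed and the line format is an assumption modelled on typical FortiGate debug flow output; adjust the patterns to your FortiOS version.

```python
import ipaddress
import re

# Constructed sample, modelled on the usual shape of "diagnose debug flow" trace
# lines; exact fields, function names and line numbers vary by FortiOS version.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=6, 169.254.1.2:4532->66.35.19.50:443) from fortilink. flag [S], seq 1, ack 0, win 29200"
id=20085 trace_id=1 func=init_ip_session_common line=5958 msg="allocate a new session-0001a2b3"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.0.0.1 via ppp2"
id=20085 trace_id=1 func=fw_forward_handler line=640 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:50000->66.35.19.50:443) from internal. flag [S], seq 1, ack 0, win 29200"
id=20085 trace_id=2 func=fw_forward_handler line=796 msg="Allowed by Policy-5: SNAT"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\. flag')
ROUTE = re.compile(r'find a route:.* via (\S+)')
DENY = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW = re.compile(r'Allowed by Policy-(\d+)')

def summarize(text):
    """Collapse the trace lines of each trace_id into one record per packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip prompts and unrelated console output
        t = traces.setdefault(int(m.group(1)), {"verdict": "unknown", "policy": None})
        msg = m.group(3)
        if (p := PKT.search(msg)):
            t.update(src=p.group(2), dst=p.group(4), dport=int(p.group(5)), in_if=p.group(6))
            t["link_local_src"] = ipaddress.ip_address(p.group(2)).is_link_local
        elif (r := ROUTE.search(msg)):
            t["out_if"] = r.group(1)
        elif (d := DENY.search(msg)):
            t.update(verdict="deny", policy=int(d.group(1)))
        elif (a := ALLOW.search(msg)):
            t.update(verdict="allow", policy=int(a.group(1)))
    return traces

def implicit_denies(traces):
    """Return (trace_id, record) pairs for packets dropped by implicit policy 0."""
    return [(i, t) for i, t in sorted(traces.items()) if t["verdict"] == "deny" and t["policy"] == 0]

if __name__ == "__main__":
    for tid, t in implicit_denies(summarize(SAMPLE)):
        print(tid, t.get("in_if"), "->", t.get("out_if"), t.get("src"), t.get("dst"), "link-local:", t.get("link_local_src"))
```

The in_if and out_if values it reports are the interface pair a matching firewall policy would need to use.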
What's the solution to either allow the traffic or at least prevent the logging of it without turning off logging in policy 0/implicit?
(I tried doing the same as the OP here, but somehow policy 0 is still being cited, which is an inbound rule, but this traffic is in the traffic logs, are polluted with denials multiple times per minute)
I ended up just turning it off :)
config system flan-cloud
(flan-cloud) # get
interval : 3
name : fortiswitch-dispatch.forticloud.com
port : 443
status : enable
set status disable
end
Copyright 2024 Fortinet, Inc. All Rights Reserved.