Hello!
I'm moving from Juniper to Fortigate and I'm having issues setting up subinterfaces.
I have set up a port3 VLAN subinterface with VLAN tag 704 (the port3 IP is 0.0.0.0/0.0.0.0):
config system interface
    edit "port3"
        set vdom "root"
        set type physical
        set snmp-index 7
    next
    edit "port3/3.6"
        set vdom "root"
        set ip 10.2.4.1 255.255.255.0
        set allowaccess ping https ssh
        set description "z_DB"
        set snmp-index 35
        set interface "port3"
        set vlanid 704
    next
end
Then I have added a static route as well:
config router static
    edit 35
        set dst 10.2.4.0 255.255.255.0
        set device "port3/3.6"
    next
end
I am trying to ping the FortiGate unit from a MacBook Pro that is connected directly to port3 of a FortiGate 800C. I gave the Mac a static IP of 10.2.4.22 and also added a VLAN 704 interface on it with IP 10.2.4.23. When I ping the FortiGate unit, the ping does not go through, and the FortiGate shows nothing when I debug address 10.2.4.1:
diag debug reset
diag debug enable
diag debug flow filter addr 10.2.4.1
diag debug flow show console enable
diag debug flow trace start 100
When I change the port3/3.6 IP to 10.2.10.1 and add IP 10.2.4.1 directly to the port3 interface, the debug shows me that the policy is blocking access, and that is the way I want it to be.
I also tested changing port3/3.6 to VLAN 500 (the same VLAN as my office switch ports), connecting it to the switch, and connecting the computer to the switch as well. Still nothing. The sniffer does not show any packets coming in on port3/3.6 or to IP 10.2.4.1 when the IP is assigned to port3/3.6 (the subinterface). When the IP is assigned to port3 directly, the sniffer and flow debug show me that the policy is blocking the traffic.
Where could the problem be? I can show you my configuration as well if needed.
The tagging in Mac OS X can be havoc to do; did you do a tcpdump and ensure the tag was present?
Hint: if you don't have the layer 2 ARP address of the FGT, then you know the tagging is bad or incorrect. So I would double-check the client side if that's what you're doing.
PCNSE
NSE
StrongSwan
Do a capture on the Mac and confirm it is sending tagged packets.
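Both replies above come down to the same check: is the frame leaving the Mac actually carrying an 802.1Q tag with VID 704 when it asks for 10.2.4.1? The script below is an added example, not code from either poster or from Fortinet. It builds two ARP who-has frames for the FortiGate's address, one tagged with VLAN 704 and one untagged, and decodes them the way a capture tool would, showing exactly which bytes the tag occupies (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VID). The source MAC and the expected-VLAN/IP values are taken from the post where available and are otherwise constructed; `reaches_subinterface` models the behaviour the post describes (a frame only lands on port3/3.6 if it carries that tag, while an untagged frame lands on the parent port3, which has no IP to answer with).

```python
import socket
import struct

# EtherType values as assigned by IEEE/IANA
ETHERTYPE_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Values taken from the post: the subinterface carries VLAN 704 and owns 10.2.4.1
EXPECTED_VLAN = 704
FGT_IP = "10.2.4.1"

# Constructed for the example; the post does not give the Mac's MAC address
MAC_SRC = bytes.fromhex("a45e60c0ffee")
MAC_BCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac, src_ip, target_ip, vlan_id=None, pcp=0):
    """Return an Ethernet frame carrying an ARP who-has for target_ip.

    With vlan_id set, a 4-byte 802.1Q tag (TPID + TCI) is inserted between the
    source MAC and the inner EtherType; without it the frame is untagged.
    """
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                      # hardware type: Ethernet
        ETHERTYPE_IPV4,         # protocol type: IPv4
        6, 4,                   # hardware / protocol address lengths
        1,                      # opcode 1 = request
        src_mac, socket.inet_aton(src_ip),
        b"\x00" * 6, socket.inet_aton(target_ip),
    )
    header = MAC_BCAST + src_mac
    if vlan_id is not None:
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_frame(frame):
    """Decode the Ethernet header; report the VID if an 802.1Q tag is present."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan_id": vlan_id,
            "ethertype": ethertype, "arp_target": None}
    if ethertype == ETHERTYPE_ARP:
        # target protocol address is bytes 24..27 of the 28-byte ARP body
        info["arp_target"] = socket.inet_ntoa(frame[offset + 24:offset + 28])
    return info


def reaches_subinterface(frame, vlan_id=EXPECTED_VLAN, ip=FGT_IP):
    """Model of the FortiGate side: only a frame tagged with exactly vlan_id is
    handed to the VLAN subinterface; anything else stays on the parent port."""
    info = parse_frame(frame)
    if info["vlan_id"] != vlan_id:
        return False, f"frame tagged {info['vlan_id']}, subinterface expects {vlan_id}"
    if info["arp_target"] != ip:
        return False, f"ARP asks for {info['arp_target']}, not {ip}"
    return True, "tag and target match"


if __name__ == "__main__":
    tagged = build_arp_request(MAC_SRC, "10.2.4.23", FGT_IP, vlan_id=704)
    untagged = build_arp_request(MAC_SRC, "10.2.4.22", FGT_IP)
    for name, frame in (("tagged", tagged), ("untagged", untagged)):
        ok, why = reaches_subinterface(frame)
        print(f"{name:9s} bytes 12-17: {frame[12:18].hex()}  -> {ok}: {why}")
```

On the Mac itself the same check is a capture on the physical interface, not on the vlan interface: `sudo tcpdump -e -n -i en0 'arp'` prints the link-level header, and a correctly tagged request shows `vlan 704` in that header before the ARP who-has line. If the frames show up without the tag (or with the wrong VID), the FortiGate sniffer on port3/3.6 will stay silent exactly as described in the post, because nothing is being delivered to that subinterface.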