FortiGate for testing in internal network
Hello,
I want to test a FortiGate with its security functions in my existing home environment without changing the existing internet connection or any other network configuration on the router with its WAN access.
For this I place the FGT inside the local (same) subnet. I put static routes on my client so that google.com and www.google.com are going through the FGT. On the FGT there is only one static route that points to the router that has WAN connection.
Actual setting is as following:
Client (192.168.0.15) >> FortiGate (192.168.0.245) >> Router (192.168.0.250) >> WAN
After setting up the static routes on the client for Google, ping and traceroute on the client point to the FortiGate.
Also, on the FortiGate this ICMP traffic is visible in the diagnostics packet view. However, none of the test policies I created on the FortiGate have any hits, and the forwarding log is empty (no traffic), so I cannot play with the security profiles and log settings on the firewall.
Please help me. Where is the fault in this scenario, or at which step is my thinking wrong?
Daniel
Labels: FortiGate
Hello @daniel337 ,
- Can you please share the policy and the following debugs while pinging Google from the client machine:
di de reset
diagnose debug flow filter addr <src-addr> <dst-addr>
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 30
diagnose debug enable
Since all the nodes are in the same subnet the reply from the router will not go through the FGT, it will reach the Client directly.
If you want to do this with fewer changes, I would suggest creating another subnet for the clients (e.g. 192.168.5.0/24) on the FGT and enabling NAT in the firewall policy that allows the client traffic, using 192.168.0.245 as the outgoing interface. By doing this you don't need any change on the router, as all the traffic will appear to be sourced from 192.168.0.245.
If you have found a solution, please like and accept it to make it easily accessible for others.
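The asymmetric return path described in the reply above, and the second-subnet-plus-NAT fix it proposes, modelled as an added example (not code from the thread or from Fortinet); the node names, route tables and the 203.0.113.10 stand-in for google.com are constructed assumptions.

```python
import ipaddress

# Constructed model of the thread's topology; 203.0.113.10 is a documentation placeholder for google.com.
CLIENT, FGT, ROUTER, GOOGLE = "192.168.0.15", "192.168.0.245", "192.168.0.250", "203.0.113.10"
CLIENT2, FGT_LAN = "192.168.5.10", "192.168.5.1"   # the extra subnet the reply proposes

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; next_hop None means dst is on-link."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(net, node, dst):  # forward hop by hop until dst is on-link; returns node names touched
    path = [node]
    while len(path) < 16:
        hop = lookup(net["tables"][node], dst)
        if hop is None:
            return path + [net["owner"].get(dst, dst)]
        node = net["owner"][hop]
        path.append(node)
    raise RuntimeError("routing loop")

def original_topology():
    """Everything in 192.168.0.0/24; the client has a host route for 'google' via the FGT."""
    return {"owner": {CLIENT: "client", FGT: "fgt", ROUTER: "router", "internet": "internet"},
            "tables": {
                "client": [("192.168.0.0/24", None), (GOOGLE + "/32", FGT), ("0.0.0.0/0", ROUTER)],
                "fgt":    [("192.168.0.0/24", None), ("0.0.0.0/0", ROUTER)],
                "router": [("192.168.0.0/24", None), ("0.0.0.0/0", "internet")],
                "internet": []}}   # empty table: delivers to anything beyond the router

def fixed_topology():
    net = original_topology()   # client moves to 192.168.5.0/24 behind the FGT, which will SNAT
    net["owner"].update({CLIENT2: "client", FGT_LAN: "fgt"})
    net["tables"]["client"] = [("192.168.5.0/24", None), ("0.0.0.0/0", FGT_LAN)]
    net["tables"]["fgt"].insert(0, ("192.168.5.0/24", None))
    return net

def session_paths(net, client_ip, dst, snat_ip=None):
    """Forward path client->dst and the reply path back from the router."""
    forward = trace(net, "client", dst)
    back = trace(net, "router", snat_ip or client_ip)   # reply re-enters the LAN at the router
    if snat_ip:                                         # NAT device un-translates, then forwards on
        back += trace(net, net["owner"][snat_ip], client_ip)[1:]
    return forward, back

def fgt_sees_full_session(forward, back):
    return "fgt" in forward and "fgt" in back
```

Without NAT the reply goes straight from the router to the client, so the FGT never completes a session and no policy is hit; with the separate subnet and SNAT both directions pass through it.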
Hello, as per your topology:
Client (192.168.0.15) >> FortiGate (192.168.0.245) >> Router (192.168.0.250) >> WAN
You can consider configuring a WAN connection on the FGT to have better control over traffic, but it will filter all your traffic.
You can also consider connecting one port from the ISP modem to the FGT, configuring it as WAN, then connecting your PC to the FGT and using UTM as per your testing requirements.
