Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Shane-NP
New Contributor II

Created on ‎08-26-2024 11:59 AM

Fortigate 201F 7.6.0 LAN -> WAN ALL/ALL not working

Hi everyone,

Fresh out of the box and upgraded, no previous Fortigate here, so I am very green to this. Anyway, I have a rule from my LAN to SD-WAN with Source and Destination "All" and I have ICMP, DNS, Web Services, UDP 443, and Speedtest.net all allowed Services. Yet it gets Zero traffic.

 

Meanwhile below it I have specific VLAN in the interface and source and ALL /ALL Destination and Service and that is catching all my internet traffic. FG is top down correct? Any idea where to look, I thought LAN interface (all the VLANS are under the LAN Virtual Switch) and all would cover the VLANS as well....seems to work for the implicit deny.

 

 
 

FG_rules.png

 Here is the "all" address edit screen:

FG_all_address_edit.png

SD-WAN is only a single local LAN address while I set it up...and that only Static Route is 0.0.0.0/0 to the virtual-wan-link.

FG_SD_WAN.png

Thanks for any help and pointers...wondering if I went to "high" on the version.

Labels:
476
0 Kudos
1 Solution
Nchandan
Staff
Staff

Created on ‎08-26-2024 09:36 PM

Hi Shane,

 

You have check why the expected policy is not being used by doing a policy lookup and it will give the details of how the policy should be configured in order for it to work.

 

Regards

Chandan

View solution in original post

398
0 Kudos
5 REPLIES 5
patelr
Staff
Staff

Created on ‎08-26-2024 01:44 PM

Hello @Shane-NP,

 

Please review https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-the-SD-WAN-rule-matching-proces... for knowing  SD-WAN selects rule for traffic processing.

 

Thanks,

Ronak Patel

450
0 Kudos
Shashwati
Staff
Staff

Created on ‎08-26-2024 02:05 PM Edited on ‎08-26-2024 02:06 PM

Hello,

 

Please run these following command to see the traffic flow while test icmp traffic

 

diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X    [Source IP]
diagnose debug flow filter addr X.X.X.X    [Destination IP]
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10000
diagnose debug enable

 

To stop debug run following 

 

diagnose debug disable

diagnose debug reset

444
0 Kudos
Jackie_T
Staff
Staff

Created on ‎08-26-2024 07:37 PM

Hi Shane,

 

Yes, is top-down rule.
If you have multiple vlans, I believe you already configure trunk to allow those vlans on the switch?

You might want to check below:
1. Ensure routing is configure correctly:
#get router info routing-table all
You should see your default route listed and is active.

 

2. Try to ping from FGT to the gateway, make sure the uplink connection is good:
#execute ping-option source x.x.x.x
#execute ping x.x.x.x

 

3. Ensure the traffic from your downlink arrive at FGT by doing a packet capture.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313

 

4. Perform the debug flow as share by Shashwati to ensure there is valid policy to allow the traffics.


Thanks.

Jackie Tai
410
0 Kudos
Nchandan
Staff
Staff

Created on ‎08-26-2024 09:36 PM

Hi Shane,

 

You have check why the expected policy is not being used by doing a policy lookup and it will give the details of how the policy should be configured in order for it to work.

 

Regards

Chandan

399
0 Kudos
Shane-NP
New Contributor II

Created on ‎08-27-2024 06:15 AM

Nchandan,

Thank you your method help clear up my confusion. I thought a VLAN switch would encompass all the VLANs under it. It does not based upon the lookups. I have to make rules for each VLAN, and there doesn't appear to be a catch all like explicit deny uses.

 

Everyone one else, thank you as well, but nothing pointed me to the write answer until I did the policy lookup.

359
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.