Hi everyone,
Fresh out of the box and upgraded, no previous FortiGate here, so I am very green to this. Anyway, I have a rule from my LAN to SD-WAN with Source and Destination "all", and I have ICMP, DNS, Web Services, UDP 443, and Speedtest.net all allowed as services. Yet it gets zero traffic.
Meanwhile, below it I have a specific VLAN as the interface and source, and ALL/ALL as destination and service, and that is catching all my internet traffic. FG is top-down, correct? Any idea where to look? I thought the LAN interface (all the VLANs are under the LAN virtual switch) and "all" would cover the VLANs as well... it seems to work for the implicit deny.
Here is the "all" address edit screen:
SD-WAN is only a single local LAN address while I set it up... and the only static route is 0.0.0.0/0 to the virtual-wan-link.
Thanks for any help and pointers... wondering if I went too "high" on the version.
Hi Shane,
You have to check why the expected policy is not being used by doing a policy lookup; it will give the details of how the policy should be configured in order for it to work.
Regards
Chandan
Hello @Shane-NP,
Please review https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-the-SD-WAN-rule-matching-proces... to understand how SD-WAN selects a rule for traffic processing.
Thanks,
Ronak Patel
Hello,
Please run the following commands to see the traffic flow while testing ICMP traffic:
diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X [Source IP]
diagnose debug flow filter addr X.X.X.X [Destination IP]
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10000
diagnose debug enable
To stop the debug, run the following:
diagnose debug disable
diagnose debug reset
Hi Shane,
Yes, it is top-down rule matching.
If you have multiple VLANs, I believe you have already configured a trunk to allow those VLANs on the switch?
You might want to check below:
1. Ensure routing is configured correctly:
#get router info routing-table all
You should see your default route listed and active.
2. Try to ping from the FGT to the gateway to make sure the uplink connection is good:
#execute ping-option source x.x.x.x
#execute ping x.x.x.x
3. Ensure the traffic from your downlink arrives at the FGT by doing a packet capture:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
4. Perform the debug flow as shared by Shashwati to ensure there is a valid policy to allow the traffic.
Thanks.
Nchandan,
Thank you, your method helped clear up my confusion. I thought a VLAN switch would encompass all the VLANs under it. It does not, based upon the lookups. I have to make rules for each VLAN, and there doesn't appear to be a catch-all like explicit deny uses.
Everyone else, thank you as well, but nothing pointed me to the right answer until I did the policy lookup.
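To make the resolution above concrete, here is an added FortiOS CLI example (not posted by anyone in this thread) showing the policy that never matches next to the one that does. Traffic tagged on a VLAN sub-interface ingresses the firewall on that VLAN interface, not on the parent virtual switch, so a policy whose srcintf is the parent "lan" switch is skipped by the top-down lookup and the flow falls through to whatever policy names the VLAN interface (or to the implicit deny). The interface names "lan", "VLAN10", "VLAN20" and "virtual-wan-link", the policy IDs and the service list are assumptions chosen for illustration; the service object names are FortiOS defaults.

```text
# Assumed topology (not from the thread): VLAN10 and VLAN20 are VLAN
# sub-interfaces of the "lan" virtual switch; the WAN is an SD-WAN zone
# referenced as "virtual-wan-link".
config firewall policy
    # Policy 1: srcintf is the parent virtual switch. Frames arriving on
    # VLAN10/VLAN20 have those VLAN interfaces as ingress, so this policy
    # is never matched for them (the Policy Lookup tool shows this).
    edit 1
        set name "lan-to-sdwan-NEVER-MATCHES-VLAN-TRAFFIC"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "DNS" "HTTP" "HTTPS"
        set nat enable
    next
    # Policy 2: name the VLAN interfaces explicitly. A single policy may
    # list several source interfaces, so one entry can cover all the
    # VLANs that should share the same rule.
    edit 2
        set name "vlans-to-sdwan"
        set srcintf "VLAN10" "VLAN20"
        set dstintf "virtual-wan-link"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP" "DNS" "HTTP" "HTTPS"
        set nat enable
    next
end
```

Verify with the GUI Policy Lookup (Policy & Objects > Firewall Policy > Policy Lookup) using VLAN10 as the source interface and a destination on the internet: before adding policy 2 the lookup reports no matching policy, afterwards it reports policy 2. FortiOS also accepts the special interface "any" as srcintf; listing the VLAN interfaces explicitly, as above, keeps least privilege by not opening the WAN to every interface on the box.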