Fortigate 201F 7.6.0 LAN -> WAN ALL/ALL not working
Hi everyone,
Fresh out of the box and upgraded, no previous Fortigate here, so I am very green to this. Anyway, I have a rule from my LAN to SD-WAN with Source and Destination "All" and I have ICMP, DNS, Web Services, UDP 443, and Speedtest.net all allowed Services. Yet it gets Zero traffic.
Meanwhile below it I have specific VLAN in the interface and source and ALL /ALL Destination and Service and that is catching all my internet traffic. FG is top down correct? Any idea where to look, I thought LAN interface (all the VLANS are under the LAN Virtual Switch) and all would cover the VLANS as well....seems to work for the implicit deny.
Here is the "all" address edit screen:
SD-WAN is only a single local LAN address while I set it up... and the only static route is 0.0.0.0/0 to the virtual-wan-link.
Thanks for any help and pointers...wondering if I went to "high" on the version.
Labels: FortiGate
Hi Shane,
You have to check why the expected policy is not being used by doing a policy lookup; it will give the details of how the policy should be configured in order for it to work.
Regards
Chandan
Hello @Shane-NP,
Please review https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explaining-the-SD-WAN-rule-matching-proces... to learn how SD-WAN selects a rule for traffic processing.
Thanks,
Ronak Patel
Hello,
Please run the following commands to see the traffic flow while testing ICMP traffic:
diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X [Source IP]
diagnose debug flow filter addr X.X.X.X [Destination IP]
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10000
diagnose debug enable
To stop the debug, run the following:
diagnose debug disable
diagnose debug reset
Hi Shane,
Yes, it is top-down.
If you have multiple VLANs, I believe you have already configured a trunk to allow those VLANs on the switch?
You might want to check below:
1. Ensure routing is configured correctly:
#get router info routing-table all
You should see your default route listed and active.
2. Try to ping from FGT to the gateway, make sure the uplink connection is good:
#execute ping-option source x.x.x.x
#execute ping x.x.x.x
3. Ensure the traffic from your downlink arrive at FGT by doing a packet capture.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Packet-capture-sniffer/ta-p/198313
4. Perform the debug flow as shared by Shashwati to ensure there is a valid policy to allow the traffic.
Thanks.
Nchandan,
Thank you, your method helped clear up my confusion. I thought a VLAN switch would encompass all the VLANs under it. It does not, based upon the lookups. I have to make rules for each VLAN, and there doesn't appear to be a catch-all like the implicit deny uses.
Everyone else, thank you as well, but nothing pointed me to the right answer until I did the policy lookup.
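The behaviour the policy lookup exposed above (top-down first match, and a VLAN interface not being covered by a policy on its parent interface) can be reproduced in a small model. The following is an added example, not FortiOS code and not from anyone in the thread; it assumes, as the thread found, that a policy whose source interface is the parent "lan" does not match traffic arriving on a VLAN sub-interface such as "vlan10", that "any" matches every interface, and that a zone name matches its member interfaces. Interface, address and service names are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of FortiGate policy matching (assumption, not FortiOS code).
ZONES = {"virtual-wan-link": {"wan1", "wan2"}}      # zone -> member interfaces
ADDRESSES = {"all": None}                            # "all" matches every IP
SERVICES = {                                         # name -> {(proto, dport)}
    "PING": {("icmp", None)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "HTTPS": {("tcp", 443)},
    "UDP-443": {("udp", 443)},
    "ALL": {("any", None)},
}


@dataclass
class Policy:
    id: int
    srcintf: set
    dstintf: set
    srcaddr: set
    dstaddr: set
    services: set


@dataclass
class Packet:
    in_intf: str
    out_intf: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _intf_matches(selector, intf):
    # "any" matches everything and a zone matches its members. A parent
    # interface such as "lan" does NOT match traffic arriving on one of its
    # VLAN sub-interfaces; each VLAN interface is a distinct interface.
    if "any" in selector or intf in selector:
        return True
    return any(intf in ZONES.get(zone, set()) for zone in selector)


def _addr_matches(selector, ip):
    addr = ipaddress.ip_address(ip)
    return any(ADDRESSES[name] is None or addr in ADDRESSES[name] for name in selector)


def _service_matches(selector, pkt):
    return any(proto in ("any", pkt.proto) and port in (None, pkt.dport)
               for name in selector for proto, port in SERVICES[name])


def match_policy(policies, pkt):
    """Return the id of the first matching policy (top-down), or 0 for the implicit deny."""
    for p in policies:
        if (_intf_matches(p.srcintf, pkt.in_intf) and _intf_matches(p.dstintf, pkt.out_intf)
                and _addr_matches(p.srcaddr, pkt.src) and _addr_matches(p.dstaddr, pkt.dst)
                and _service_matches(p.services, pkt)):
            return p.id
    return 0


# Layout as posted: policy 1 on the parent "lan", policy 2 on a single VLAN.
AS_POSTED = [
    Policy(1, {"lan"}, {"virtual-wan-link"}, {"all"}, {"all"}, {"PING", "DNS", "HTTPS", "UDP-443"}),
    Policy(2, {"vlan10"}, {"virtual-wan-link"}, {"all"}, {"all"}, {"ALL"}),
]
# Corrected layout: policy 1 names each VLAN interface explicitly.
CORRECTED = [
    Policy(1, {"vlan10", "vlan20"}, {"virtual-wan-link"}, {"all"}, {"all"}, {"PING", "DNS", "HTTPS", "UDP-443"}),
    Policy(2, {"vlan10"}, {"virtual-wan-link"}, {"all"}, {"all"}, {"ALL"}),
]

DNS_FROM_VLAN10 = Packet("vlan10", "wan1", "192.168.10.25", "9.9.9.9", "udp", 53)
DNS_FROM_VLAN20 = Packet("vlan20", "wan1", "192.168.20.40", "9.9.9.9", "udp", 53)
SSH_FROM_VLAN20 = Packet("vlan20", "wan1", "192.168.20.40", "203.0.113.9", "tcp", 22)

if __name__ == "__main__":
    for label, pkt in [("dns/vlan10", DNS_FROM_VLAN10), ("dns/vlan20", DNS_FROM_VLAN20),
                       ("ssh/vlan20", SSH_FROM_VLAN20)]:
        print(f"{label}: as posted -> policy {match_policy(AS_POSTED, pkt)}, "
              f"corrected -> policy {match_policy(CORRECTED, pkt)}")
```

With the posted layout the VLAN 10 traffic lands on policy 2 and VLAN 20 traffic falls through to policy 0, which is exactly what the thread's policy lookup reported; with the VLAN interfaces named on policy 1, both VLANs hit it, and anything outside its service list from VLAN 20 is still implicitly denied.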
