sagelike
New Contributor

Fortigate 60C Firewall Policies not working

I am trying to configure a new/used Fortigate 60C with firmware 5.2x but can't get firewall policy rules to work to allow inbound traffic. I've configured other 60-series routers, including 60C with firmware 4.x or earlier 60A routers, without too much difficulty, but I can't figure out why it's not working on 60C with firmware 5.2x. I've configured IP, DNS and Static route and added virtual IPs. The router is in NAT mode. On my other Fortigate routers, I would add a virtual IP and then under Firewall Policy, I would add a new policy and select the Service to allow incoming traffic via a specific IP and service. Port forwarding was not needed. With this router, standard policy rules simply don't work. I've gone over the settings multiple times and cannot understand why this is not working. I've tried many variations on the policies with no luck. I can however set up port forwarding and this does work, but I've never had to use port forwarding in the past. With port forwarding, I would need to add many dozens of rules to make this work, which would be very inefficient and it shouldn't be required. Anyone know what I might be missing?

Thanks

G

ede_pfau
SuperUser

hi,


willing to help but my crystal ball is in service.

Please post your policy/policies with all object definitions that are used by it (VIPs). Please paste in the text from the CLI ("get firewall policy", "get firewall vip"), no screen shots (like it has become a bad habit lately on the forums...).


If you had defined a VIP in the past and not used it in a policy then you just didn't use it - apparently there was no need for it. Why then define one in the first place?

I sincerely recommend that you look up the relevant parts of the Admin Handbook about policies, and VIPs for external access to your LAN. Maybe that will give you a hint in addition to what we find here in the forum.

Ede Kernel panic: Aiee, killing interrupt handler!
sagelike

Thanks Ede for replying. I finally figured it out.


I was selecting WAN1 for Outgoing interface. I am used to previous FortiOS which labeled this as Destination interface.


I was being too literal and thinking Outgoing meant Outbound. The naming could be better on this.
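The mistake sagelike describes, shown as a FortiOS 5.2 CLI configuration. This is an added example, not from the thread or from Fortinet; the interface names (wan1, internal), the addresses, the VIP name and the policy ID are assumptions chosen for illustration. It pairs the policy with the Outgoing interface set to wan1 (which never matches inbound traffic) with the corrected one, where Outgoing interface is the LAN side the packet leaves through after the VIP has translated its destination.

```text
# Added example, not the poster's config. Assumed: wan1 = public side,
# internal = LAN side, 203.0.113.10 = public address on wan1,
# 192.168.1.20 = LAN host reached from outside over HTTPS.

# The VIP maps the whole public IP to the LAN host; no port forwarding
# entries are needed for this style of rule.
config firewall vip
    edit "vip-web-443"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip 192.168.1.20
    next
end

# WRONG: Outgoing interface (dstintf) set to wan1. An inbound packet
# enters on wan1 and must leave toward the LAN, so this never matches.
config firewall policy
    edit 10
        set comments "inbound-web (wrong dstintf)"
        set srcintf "wan1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# CORRECT: Outgoing interface is the interface the translated packet
# exits through, i.e. the LAN side. Logging is enabled so hits are visible.
config firewall policy
    edit 10
        set comments "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

The `#` lines are annotations for the reader and are not accepted by the interactive CLI; drop them if pasting. `srcaddr "all"` is used only to keep the example short; where the population of legitimate sources is known, narrow it to an address object. To confirm which policy an inbound packet actually hits, `diagnose debug flow filter addr 192.168.1.20`, `diagnose debug flow trace start 10` and `diagnose debug enable` print the policy ID matched (or the reason for the drop) for the next few packets, and `get firewall policy`, as ede_pfau asks for above, shows the policy as the unit stored it.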
