SoleCipher
New Contributor II

FortiGate 80E policy not being recognized

Hi everyone. I have a FortiGate 80E on v6.0.12. I'm using 4 interfaces: interface 1 is incoming traffic going to interfaces 2, 3, and 4. If I click Create New Interface and put all 4 interfaces in a software/hardware switch interface, traffic flows between them automatically. When I separate them out and try to route traffic from interface 1 to interface 2, interface 1 to interface 3, or interface 1 to interface 4, it doesn't work, which is weird. They are all on the same subnet using the same gateway IP, just 3 different web servers on interfaces 2, 3, 4. I made a policy to allow all traffic between interface 1 (incoming int./source) and interface 2 (outgoing int./destination) as a test and it doesn't show any traffic going through the policy at all. I've tried creating multiple policies and none of them get used no matter what I do, and the implicit deny isn't blocking any traffic, yet connections to the web server sites through interfaces 2, 3, and 4 are still happening (if I put all 4 interfaces in an interface switch group), haha, so I'm all confused and feel like I'm missing something.

Ultimately, when I get this thing recognizing policies, I want to limit access on the subnet by IP, but first I just want to get it to recognize any policy at all I make.

Thank you so much in advance! I'm new to the Fortinet world and so far I love it, but hopefully it's just something small I'm missing.

hjezzapaula
Staff

Hi,
Based on your details, you want to allow connections from Internal 1 to all other interfaces.

Can you confirm how you separated the Internal 2, 3, 4 interfaces if they are using the same gateway? What subnets did you apply on the interfaces?

Please also provide the output of the following:

get router info routing-table all

Thanks.

SoleCipher

Hi, that is correct, I would like traffic coming in through int. 1 (IP 8.8.8.2/32) to go to the other 3 ports (corresponding web servers). Int. 2 is IP 8.8.8.10/32, int. 3 is 8.8.8.11/32, int. 4 is 8.8.8.12/32. Their role is set to LAN and I have device detection and FortiTelemetry enabled for each. If I set that up wrong or if there's a better way please let me know =)

The routing table command produced:

S   8.8.8.0/24 [10/0] via 8.8.8.1, port1, [1/0]
S   8.8.8.10/32 [10/0] via 8.8.8.1, port2, [1/0]
S   8.8.8.11/32 [10/0] via 8.8.8.1, port3, [1/0]
S   8.8.8.12/32 [10/0] via 8.8.8.1, port4, [1/0]
C   10.10.1.0/24 is directly connected, wan1

The wan1 connection is just the network I manage it from. Not sure if those routes are correct, but I was trying multiple things.

Below is a policy I have just to test catching all traffic between int. 1 and int. 2:

name: test
incoming interface: port1
outgoing interface: port2
source: all
destination: all
schedule: always
service: all
action: accept
nat: off
security profiles: off (for the moment)
logging options: all sessions
comments:
enable this policy: yes

Under logging settings I have it set to memory, no remote or cloud logging.

The data flow is: traffic comes in through int. 1 from a PC with IP 16.160.1.10 using gateway 8.8.8.1 to connect to one of the web servers on int. 2, 3, or 4.

What did I mess up?

hbac
Staff

Hi @SoleCipher,

Why are you using the same subnet for different physical interfaces?

Regards,

SoleCipher
New Contributor II

Hi @hbac

I'm not sure? Just how I figured things might work. A friend gave me an old FortiGate to learn on. As I stated before, I'm new to all of this, so I'm trying to figure out a best/better way. Ultimately I just want to route traffic through port 1 to 3 different web servers on ports 2, 3, or 4 using a policy and be able to see the traffic in log files. I'm sure I probably messed that up, so I'm trying to understand and get it right =)

Genobaseball10
New Contributor III

So here is what I would do in your situation:
Create a WAN interface; in your case it would be connected to the network you are managing the FortiGate from. You can assign this interface an IP or let it receive a DHCP address, depending on how the network is configured.
Create an 802.3 aggregate interface and assign ports 2, 3 and 4. Assign the port an IP address of your choosing; in my scenario it will be 192.168.10.254/24. Enable DHCP on this interface, plug in your webservers and allow them to get an IP address. This means you won't have to manually configure a default gateway on your web servers.
Create policies allowing traffic sourced from the WAN interface and destined to the webserver interface. Clone the policy to allow traffic from the webservers to your WAN interface as well, so you can originate traffic from either the webserver or your network on the other side of the LAN interface.
From here you should be able to see traffic going from the WAN interface to the webservers.
Please let me know if this helps or if you need something more tailored to your specific scenario.

CCNA | FCP | CWNA
SoleCipher

Hi @Genobaseball10

Thanks! I didn't have the aggregate type for interfaces on v6.0.12, so I upgraded to v6.4.14, set up the WAN interface, made the 802.3 aggregate for the servers as you stated, created my policies again, and started seeing traffic! Idk if it was the software version or my routes/subnet setup being funky, but I'm g2g now. Thank you all for the assist; I really appreciate it, being a new person to this community!

Genobaseball10

I can't tell you the exact reason why it wasn't working in the beginning without diving deep into what was going on, but I'm glad I was able to get you a solution that worked! Thank you for the feedback. As someone who is also new in the community, it's great to see and be a part of this kind of collaboration. Best of luck to you, SoleCipher!

CCNA | FCP | CWNA