Support Forum
Adi45
New Contributor

Fortigate Blocking some IPs

Hi team,

I am facing a very strange issue. I configured a FortiGate 100E for one of my company's clients with 2 ISPs (without load balancing). Everything works fine, but some IPs from the LAN are blocked from getting internet via WAN1, while the same hosts can reach the internet via WAN2.

I created 2 policies, one LAN>WAN2 and a 2nd LAN>WAN1. I want all my traffic to get internet from WAN2, but some traffic is passing out through WAN1, and some IPs are blocked from WAN1.

LAN>WAN2 (sources set to all) .... while the 2nd policy is for failover (sources set to all).

Any suggestions?

Toshi_Esumi
SuperUser

The problem is routing. If you have two default routes with equal cost/priority in the routing table, you don't have control over which way traffic is sent out. The basic set-up for your situation is below. I haven't learned how to do the same with SD-WAN, so ask somebody else if you prefer SD-WAN.

https://cookbook.fortinet...net-basic-failover-56/

PS. looks like they're moving cookbooks to the doc library. I hope they would be still searchable from search engines.


Ashik_Sheik

Configure SD-WAN to achieve your requirement; it is an enhanced version of the old WAN Link Load Balancer. You can have a single policy and routing as well. For more information please refer to the link below.

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/990932/redundant-internet-with-sd-wan

Ashu 

ede_pfau

You've stated that you don't want to load-balance. In this case, assign a higher metric to the default route of your backup ISP. There will only be one default route now in the Routing monitor (Monitor > Routing Monitor) until ISP1 fails. Then the second, backup default route will be inserted and used.

Even source addresses going out WAN1 and odd ones going out WAN2 is a symptom of load balancing (which uses a hash of source address and source port, and something else).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
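An added example (not posted by anyone in this thread) of the backup-default-route setup ede_pfau describes, in FortiOS CLI syntax. It follows Adi45's stated intent (WAN2 primary, WAN1 backup); the gateway and probe addresses are assumed placeholders, and the link monitor is included because a static route is otherwise only withdrawn when the port goes physically down.

```fortios
# Two default routes with different administrative distance.
# Only the wan2 route (distance 10) is installed in the routing table;
# the wan1 route (distance 20) stays inactive, so there is no ECMP hashing
# of sources across both WANs.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        # assumed ISP2 gateway (placeholder)
        set gateway 198.51.100.1
        set device "wan2"
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        # assumed ISP1 gateway (placeholder)
        set gateway 203.0.113.1
        set device "wan1"
        set distance 20
    next
end

# Withdraw the wan2 default route when the ISP2 gateway stops answering
# pings; the wan1 route (distance 20) then becomes active. The route is
# re-inserted once the probe recovers.
config system link-monitor
    edit "wan2-probe"
        set srcintf "wan2"
        # assumed probe target (placeholder); use a host beyond the ISP gateway
        set server "198.51.100.1"
        set protocol ping
        set interval 5
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

Check the result under Monitor > Routing Monitor: a single default route should be listed while the primary link is healthy, which is the condition ede_pfau describes.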
Adi45
New Contributor

Thanks ede...

I did that before, but the issue is the FortiGate blocking some of the IPs... When I configured only my WAN2 and disabled WAN1, those IPs can't get internet, regardless of the machines; only the IPs are blocked. And when I configure only WAN1, the FortiGate behaves the same with some other IPs. (Blocked IPs for WAN1 and WAN2 are different.)

Adi45

Ashu brother thanks.

This is not my first FortiGate unit; I deployed a bunch of devices for my different clients. For some, SD-WAN is good, but here I need WAN1 for the email server as priority and WAN2 for the LAN (both are separate LANs). But the issue is the FortiGate is blocking some IPs through both WANs (different IPs for both WANs).

Dave_Hall
Honored Contributor

Hi Adil.


I'm kinda with the others on this with regards to using SD-WAN (or WAN LLB). You can pretty much direct traffic via priority rules out whichever interface (e.g. WAN1, WAN2), as well as specific ports for the email server.

That said, if you are adamant about keeping your existing setup, we need more information on your issue, like a network layout and/or what other troubleshooting has been done (e.g. ruling out physical connection drops), packet trace, etc.

diag debug reset
diag debug flow filter proto 6
diag debug flow filter addr <internal IP>
diag debug flow show console enable
diag debug flow trace start 1000
diag debug en

The only time I have heard of something like this happening is when a sysadmin introduced a typo when entering the subnet range/mask for an address object.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

Adi45

Thanks Dave Hall,

Brother, I did the debugging but got no output from any command.

And also the blocked IPs can successfully ping the gateway from which they are blocked.

For example, 192.168.1.128 is blocked from 192.168.100.1 (PTCL router gateway), but it can ping it successfully; it can't get internet from it, and instead for internet it moves to the other static IP gateway (used for port forwarding). Sorry, I forgot: the user is using an AD server for authentication.

Adi45

Toshi brother, I don't want SD-WAN because WAN1 is used for email server port forwarding, which is configured as a separate port with a separate LAN, 172.16.10.0/24.

I made priorities using IPv4 policies.

The FortiGate uses the first matching policy, and I created the first one as LAN>WAN2 with sources all (initially). In this case the FortiGate should allow all traffic from the LAN through WAN2.

The 2nd is LAN>WAN1, the same with sources all. Now if WAN2 is not available or reachable, then the FortiGate unit moves all traffic to WAN1. But in this unit all traffic goes through WAN2 while some IPs go through WAN1, because the FortiGate is blocking them from WAN2.
