Hello,
Although I have some experience with FortiGate, I think I have always worked with profile-based mode. Now I just set up a lab to test policy-based mode, only to find that two PCs connected to different LANs on different FG ports can ping each other, with no security policies existing yet. Is that normal? Do I have to explicitly block the traffic?
It looks like they can ping each other, but not the WAN interface, or other addresses located on the WAN side. FortiOS is 7.0.5.
Thank you in advance
Daniel
Do you have NAT enabled on some policy? Or is there some policy allowing src any to dst any or similar?
You could do some flow debug to see which policy is being hit.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
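The flow-debug check suggested above, written out as an added example (this is not from the original thread or from Fortinet documentation). The two host addresses, 192.168.1.10 on LAN1 and 192.168.2.10 on LAN2, are assumptions; substitute the addresses used in your lab. The filter limits the trace to ICMP between those two hosts so the output stays readable, and `show iprope enable` adds the policy-lookup lines that report which policy ID was matched.

```fortios
# Start from a clean debug state
diagnose debug reset
diagnose debug flow filter clear

# Only trace ICMP (proto 1) from the LAN1 host to the LAN2 host
# (192.168.1.10 and 192.168.2.10 are assumed lab addresses)
diagnose debug flow filter saddr 192.168.1.10
diagnose debug flow filter daddr 192.168.2.10
diagnose debug flow filter proto 1

# Include function names, policy-lookup (iprope) details and timestamps
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable

# Capture the first 20 matching packets, then enable debug output
diagnose debug flow trace start 20
diagnose debug enable

# ... run the ping from 192.168.1.10 to 192.168.2.10 now ...

# Stop the trace and clean up so the filter does not linger in the session
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

Run the ping while the trace is active. The trace lines name the matched policy ID (policy ID 0 is the implicit deny). If the trace reports the implicit deny while the traffic still passes, as happened later in this thread, check `get system performance status` for memory pressure before looking further at the policy configuration.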
Hi,
No, I just installed the FG, set the hostname and the IP addresses of the WAN, LAN1 and LAN2 interfaces, allowed ping on all interfaces but HTTP/HTTPS only on the WAN, set LAN1 as a DHCP server, and changed the settings to policy-based. The rest is the default configuration (only the deny-all policy exists). If it helps, it's a KVM-virtualized FG, but I think it should not matter.
I thought about debugging it, but the thing is that it should not match anything. I will do it tomorrow if I don't find any logic behind it.
Regards,
Finally I found the issue. I was breaking my head over it, watching how the matching policy was the default one, and yet the traffic was allowed through the FortiGate.
It was an issue with the memory assigned to the VM: it was less than the recommended amount, but all this time the lab had worked perfectly with profile-based configurations. I just assigned more vRAM, and everything started to work as expected.
Hey Wanderer,
Thanks for sharing the solution with us :).