Hello everyone,
I am currently setting up a test infrastructure to update all our FortiGates to FortiOS 7.0.x.
For now, all the FortiGates are on version 6.4.12.
I declared the IP 10.10.1.80 as my DMZ (only one IP can be set as DMZ), and until two days ago all connections were sent to the FortiGate and everything was working. For example, when I wanted to connect to the SSL VPN I used the public IP of the router and it worked fine; I could also ping and connect to a FortiClient EMS that I had set up.
But to test the failover I restarted the active FortiGate; at that moment I lost my VPN connection, and I also lost the connection on the local address.
Since then I have never regained access to the FortiGate from outside my network.
I sniffed the traffic to check that the firewall was receiving it, and I saw the FortiClient TCP request, but the FortiGate does not reply to it:
And at the end of the sniff, the kernel dropped 0 packets.
To try to debug this, I allowed all connections in the firewall local-in policy:
This does not work either.
I also created ALL-to-ALL rules for almost all my interfaces.
To make sure the problem was not coming from my router, I set another device as DMZ and I could access it from the internet. So the problem is probably on the FortiGate.
Has someone already had this problem, or an idea how to solve it?
Thanks for your help
Is it only traffic destined to the FortiGate that is affected? What about inbound/outbound traffic forwarded by the FortiGate, is that OK?
How is your DMZ set up on the router? Is it just pointing to an IP address? It could be that when you switched HA the router didn't get the GARP. Try rebooting your router?
Can you change your router into bridged mode? This way the FortiGate will receive the public IP directly, which will make your life easier without double NAT etc.
Hello,
I would recommend collecting the debug flow below:
```
# Only trace packets from the client you are testing from (e.g. your public IP)
diagnose debug flow filter saddr <source IP address>
# Print the kernel function that produced each trace line (shows e.g. fw_local_in_handler)
diagnose debug flow show function-name enable
# Trace the next 10 matching packets and turn console output on
diagnose debug flow trace start 10
diagnose debug enable

# When done, stop the trace and clear the filter so it does not linger
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```
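The output of the commands above is a stream of `id=... trace_id=... func=... line=... msg="..."` lines, one trace per packet, and the interesting question for this thread is whether each SYN to the DMZ address reaches a verdict at all, and if so which function dropped it (a drop in `fw_local_in_handler` means the local-in policy, a "Denied by forward policy" line means a firewall policy). The parser below is an added example, not part of the original post or of FortiOS; the sample lines are constructed to mimic the real format (a SYN dropped by the implicit local-in policy 0, a SYN accepted, and a packet that is received but never reaches a verdict), not captured from the poster's FortiGate.

```python
"""Group FortiOS `diagnose debug flow` output by trace_id and report the verdict
for each traced packet.  Added example; sample data is constructed."""
import re
from collections import OrderedDict

# Constructed sample in the debug-flow format (not real captured output):
# trace 1: SSL-VPN SYN dropped by the implicit local-in policy (policy 0)
# trace 2: same SYN accepted by local-in policy 1
# trace 3: packet received, then no further lines (no verdict at all)
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 203.0.113.5:51234->10.10.1.80:10443) from wan1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5917 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=80000000 gw-10.10.1.80 via root"
id=20085 trace_id=1 func=fw_local_in_handler line=428 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 203.0.113.5:51235->10.10.1.80:10443) from wan1. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5917 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=80000000 gw-10.10.1.80 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=430 msg="iprope_in_check() check success on policy 1"
id=20085 trace_id=3 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 203.0.113.5:1->10.10.1.80:2048) from wan1. type=8, code=0, id=7, seq=1"
"""

LINE_RE = re.compile(
    r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'from (?P<intf>\S+)\.')

# Substrings that decide a verdict; matched case-insensitively.
DROP_MARKERS = ("drop", "denied")
ACCEPT_MARKERS = ("check success", "allowed by policy")


def parse_flow(text):
    """Return {trace_id: {packet, verdict, reason, func, steps}} in trace order."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, banners, unrelated console noise
        t = traces.setdefault(m["trace"], {
            "packet": None, "verdict": "no-verdict", "reason": None,
            "func": None, "steps": []})
        msg = m["msg"]
        t["steps"].append((m["func"], msg))
        pm = PKT_RE.search(msg)
        if pm:
            t["packet"] = {k: pm.group(k)
                           for k in ("proto", "src", "sport", "dst", "dport", "intf")}
        low = msg.lower()
        if any(k in low for k in DROP_MARKERS):
            t["verdict"], t["reason"], t["func"] = "drop", msg, m["func"]
        elif any(k in low for k in ACCEPT_MARKERS):
            t["verdict"], t["reason"], t["func"] = "accept", msg, m["func"]
    return traces


def local_in_drops(traces):
    """Traces dropped inside fw_local_in_handler, i.e. by the local-in policy."""
    return [(tid, t["packet"], t["reason"]) for tid, t in traces.items()
            if t["verdict"] == "drop" and t["func"] == "fw_local_in_handler"]


def summarize(traces):
    """One human-readable line per trace: flow, verdict and the deciding message."""
    lines = []
    for tid, t in traces.items():
        p = t["packet"]
        flow = (f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} via {p['intf']}"
                if p else "packet not seen")
        reason = f" ({t['reason']})" if t["reason"] else ""
        lines.append(f"trace {tid}: {flow}: {t['verdict']}{reason}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_flow(SAMPLE_FLOW)):
        print(line)
```

A trace that stays at "no-verdict" (received, then nothing) is the case the original poster describes (packets seen in the sniffer, no reply, kernel drop counter at 0) and is worth looking at separately from explicit drops: it means the packet was never handed to the policy engine at all, so local-in or firewall policy changes will not help until that is explained.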