Hello everyone,
I am currently setting up a test infrastructure to update all our fortigate to forti os 7.0.x.
For now all the fortigates are in version 6.4.12
I declare the IP 10.10.1.80 as my DMZ (only one IP can be set as DMZ) and until two days ago all the connection was sent to the FortiGate and all was working so for example when I wanted to connect to the SSL VPN I was using the public IP of the router and it was working fine, I could also ping and connect to a Forticlient EMS that I had set up.
But to test the failover I restarted the active FortiGate, at this moment I loose my VPN connection, and I also loose the connection on the local address.
From this moment I never got access again to the fortigate outside of my network again.
I sniffed the traffic to check that the firewall was receibing it and I saw the Forticlient TCP request, but the fortigate do not reply to it :
And at the end of the sniff, the kernel dropped 0 packet.
To try to debug that I allowed all connection in the firewall local-In-policy :
This do not work either.
I also create ALL to ALL rules for almost all my interfaces.
To make sure the problem was not from my router, I set another device as DMZ and I could access it from internet. So the problem is probably on the fortigate.
Do someone has already got the problem or an idea to solve this ?
Thanks for your help
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Is it only traffic destined to the FortiGate that is affected? What about inbound/outbound traffic forwarded by the FortiGate is it OK?
how is your DMZ set up on the router? Is it just pointing to an IP address? Could be when you switched HA the router didn't get the GARP. Try rebooting your router?
Can you change your router into bridged mode? This way the FortiGate will receive the public IP directly and will make your life easier without doing double NAT etc.
Hello,
I would recommend to collect debug flow below:
diagnose debug flow filter saddr <source IP address>
diagnose debug flow show function-name enable
show function name
diagnose debug flow trace start 10
diagnose debug enable
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.