Fortinet From To Source Destination
OK, first: my firewall works as is, but I don't think it's set up right. My internal network is a /18, and the LAN is a /24 contained in that /18. I have the /18 set up as a static route on the LAN network, basically pointing the /18 route at the L3 Meraki switch I have behind the firewalls.
All the rules work as is today, BUT on inbound rules I have to leave To = any. I still set the From, Source and Destination. On outbound rules I'm able to set all four: From, To, Source, Destination. If I set the To on the inbound rule, the rule doesn't work. Should my LAN interface be configured as 255.255.192.0 instead of 255.255.255.0?
Labels: FortiGate
What do you mean by ACL? Is it on the Meraki? You never mentioned it in the original post.
Toshi
Sorry, the Firewall Policy page under Policy & Objects. I just call it the ACL. I built a new policy with new objects that it should hit, but it doesn't.
Are you determining that the traffic you generated didn't hit the policy by checking the matching-traffic counter on the policy in the GUI? Eventually you have to run a flow debug to see how the traffic is handled by the FGT. But the traffic needs to match the source and destination interfaces and the destination subnet you configured.
How to do a flow debug is described below at "step 4".
I spoke with Fortinet support today and figured this out. Kind of feel dumb. My management interface is on the same subnet as the computer I was trying to access; because of that, it won't use the default route on the other LAN interface. It wants to talk to the computer from the interface it's contained on. Makes perfect sense.
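The two replies above (the flow debug suggestion and the final explanation) can be reproduced on any FortiGate with the CLI below. This is an added example, not configuration from the thread or from Fortinet: the interface names `lan`, `mgmt` and `wan1`, the 10.10.0.0/18 block, the Meraki next hop 10.10.1.2, the management subnet 10.10.5.0/24 and the target host 10.10.5.20 are all assumed. In FortiOS terms, the question's From/To fields are `srcintf`/`dstintf` and Source/Destination are `srcaddr`/`dstaddr`; a policy only matches when the route lookup picks the interface named in `dstintf`, which is why step 3 is the check that explains the symptom.

```text
# Added example, not from the original thread. Assumed values:
#   internal block 10.10.0.0/18, LAN interface "lan" = 10.10.1.1/24,
#   Meraki L3 switch = 10.10.1.2, management interface "mgmt" = 10.10.5.1/24,
#   target host 10.10.5.20, outside interface "wan1".

# 1. Static route for the whole /18 via the Meraki, out of the LAN interface
config router static
    edit 1
        set dst 10.10.0.0 255.255.192.0
        set gateway 10.10.1.2
        set device "lan"
    next
end

# 2. Inbound policy with the destination interface pinned to "lan"
config firewall address
    edit "host-10.10.5.20"
        set subnet 10.10.5.20 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "wan1-to-lan-host"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "host-10.10.5.20"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 3. Check which route the FortiGate actually uses for the host.
#    The connected 10.10.5.0/24 on "mgmt" is a longer prefix than the static /18,
#    so longest-prefix match picks "mgmt", not "lan":
get router info routing-table details 10.10.5.20
#    A "directly connected, mgmt" answer means the egress interface is mgmt,
#    so a policy with dstintf "lan" never matches and only dstintf "any" does.
#    Fixes: move the management address off the data subnet, or set dstintf
#    to the interface the lookup returns.

# 4. Confirm with a flow trace filtered on that host, then stop the debug
diagnose debug reset
diagnose debug flow filter addr 10.10.5.20
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... generate the inbound traffic and read the "find a route" line
#    (which interface was chosen) and the "Allowed by Policy"/"Denied" line ...
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Leaving the debug enabled on a production unit floods the console and costs CPU, so always finish with the `stop`/`disable`/`reset` lines; the `reset` also clears the filter so the next trace is not silently restricted to the old address.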