Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Forwarding stops working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forwarding stops working
Hello.
I have a Fortigate 110C in HA configuration.
the problem I am having is that it has started to stop forwarding traffic to an internal server.
It has worked fine for many moths and suddenly started to give me problems.
I upgraded the firmware to v5.0,build0252 (GA Patch 5) in case but it still behave the same.
When I reboot it immediatly starts to work again when the other unit takes over and after that i works for up to two days before failing again.
Anyone got any hint in what is going on?
The setup is as below. I have configured a virtual ip listening to port 443 on ip #.#.#.141. Then a policy to allow the traffic.
config system zone
edit " UntrustZONE"
set interface " wan1"
set intrazone allow
next
edit " TrustZONE"
set interface " port1"
set intrazone allow
next
end
config firewall vip
edit " FPTimeExt"
set extip #.#.#.141
set extintf " wan1"
set portforward enable
set color 25
set mappedip 172.29.1.11
set extport 443
set mappedport 443
next
end
config firewall policy
edit 20
set srcintf " UntrustZONE"
set dstintf " TrustZONE"
set srcaddr " all"
set dstaddr " FPTimeExt"
set action accept
set schedule " always"
set service " ANY"
set logtraffic enable
next
end
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you really need a zone for this? I would rid the zone members and apply the policies directly and see what happens.
Have you done any diagnostics;
flow, sniffer,etc......
Are you sure no other policies where moved, dropped or changed due to the upgrade.
and imho a zone with just one member, is adding more complexity to a fwpolicies & offers no advantage.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@emnoc:
and imho a zone with just one member, is adding more complexity to a fwpolicies & offers no advantageThere is an advantage: by using a zone you can completely rename a port. I cannot see how that would add complexity though, just on the contrary. The OP is probably using zones in transition from a Netscreen/JunOS firewall configuration. @Dagwyn: I remember having read about a recent quirk when using ports in firewall policies which where also members of a zone. I think 5.0.6 fixed that, have a look at the Release Notes. But READ them before upgrading, definitely! Not using zones might be a good idea after all, only for different reasons.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven' t found it in the actual release notes, but there was one issue regarding Zones in v5, but that shouldn' t apply here...
Policies that used interfaces directly, which were also used in zones would get delete upon upgrade (I think to 5.0.4) - I think this kind of policy was dropped with this release!
I would also recommend to sniff and do a flow debug to see why this traffic isn' t processed!
Regarding the Zone Topic:
It is often very very usefull to start an installation from scratch with using Zones as good as you can!
If you might make bigger changes in the network topology this can save days and weeks of work:
- Easily add an additional internal vlan, SSID, Remote APs whatever via just some clicks...
- Add an additional ISP uplink or migrate uplink connectivity
- ...
br,
Roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This setup was configured by our supplier when installed. I have on a few occasions started with a fresh config when doing firmware upgrade but have kept the zones, they are not really needed as some has mentioned.
I have tried logging the traffic but when it is not working it does not generate ANYTHING.
# diagnose debug enable # diagnose debug flow filter addr # diagnose debug flow show console enable # diagnose debug flow show function-name enable # diagnose debug flow trace start 100 id=13 trace_id=1 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=6, #.#.86.157:38504->#.#.#.141:443) from wan1." id=13 trace_id=1 func=init_ip_session_common line=4430 msg=" allocate a new session-00015605" id=13 trace_id=1 func=get_new_addr line=2401 msg=" find SNAT: IP-172.29.1.11(from IPPOOL), port-443" id=13 trace_id=1 func=fw_pre_route_handler line=175 msg=" VIP-172.29.1.11:443, outdev-wan1" id=13 trace_id=1 func=__ip_session_run_tuple line=2522 msg=" DNAT #.#.#.141:443->172.29.1.11:443" id=13 trace_id=1 func=vf_ip4_route_input line=1603 msg=" find a route: gw-172.29.1.11 via port1" id=13 trace_id=1 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=4" id=13 trace_id=1 func=fw_forward_handler line=663 msg=" Allowed by Policy-20:" etc.Just realised that it seems as it' s always the same unit that behave like this. When I reboot it switches to the slave and it works for a while. Both units have the same priority.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible, that there is another device on the outside, that might hook onto that .141 ip address and poisons the ARP table of the outside router?
Labels
-
FortiGate
10,796 -
FortiClient
2,213 -
FortiManager
905 -
FortiAnalyzer
690 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
582 -
FortiAP
568 -
IPsec
445 -
6.0
416 -
SSL-VPN
393 -
FortiMail
380 -
5.6
362 -
FortiNAC
297 -
FortiWeb
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
205 -
FortiAuthenticator
185 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
118 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
93 -
Customer Service
88 -
FortiProxy
79 -
ZTNA
79 -
SAML
78 -
Routing
77 -
Fortivoice
73 -
BGP
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
56 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
42 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
29 -
FortiGate v5.2
28 -
Fortigate Cloud
26 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2712 | |
| 1416 | |
| 810 | |
| 733 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.