Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: How to allow address groups to communicate
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to allow address groups to communicate
Hi all. I'm in a pickle. My network guy just left and I have a situation where I have 2 subnets that I need to comunicate with one another. I am not a network guy and Fortigate is very hard for me to understand. I really need someone to explain to me, like I'm 5, how to get these subnets to communicate. For some unknown reason one of the subnets is a /32 and only contains the IP of a domain controller. The client devices are all grabbing IP addresses on a totally different subnet, so my client is unable to join their new PC's to the domain.
I've tried reading all the documentation and watching videos but it's all Greek to me. Address groups and interfaces and VLAN's oh my. If anyone out there is willing to assist me with understanding what I'm doing here I would be forever grateful. Thanks.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If possible share a network topology and firewall config (if you have no security concern)
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/702257/configuration-backups
Mrinmoy Purkayastha
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Can you please explain to us from which network you are trying to communicate? Just share your network topology here so that we can understand properly and assist you better.
you need a firewall policy to allow communication between two networks. Please refer to this article.:- https://docs.fortinet.com/document/fortigate/7.0.0/sd-wan-sd-branch-deployment-guide/198932/allowing...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
Let me try another approach since any further use of network jargon may complicate things.
What I understood so far is that you want the two subnets to communicate where one has/32 subnets assigned to a domain controller.
Imagine your Fortigate as a house and you can relate the subnets as different rooms. Now for anyone to move from one room to another, one need to pass through the doors. These doors are the route(inside the routing table) that allows one to move from one room to another. If anyone wants to go from room 1 to room 2, one need to go through the specific doors.
Likewise, if anyone want to go from room 1 to room 3, one cannot use the room 2 door but have to use the door specific to 1 and 3. So routes are cleared in terms of doors. Specific routes(door) allow specific subnets(rooms) to communicate with each other. This means that, for your problem, we have to check whether the door is there or not or it's just a room with no door at all(weird I know) Hence we have to verify the routing as one of the checks.
Secondly, firewalls also have firewall policies that allow any connection from one subnet to another. Consider this firewall policy as a security guard standing in front of the door. So, even if you have the door if the security guard does not have your name on his permit list, you won't be able to pass just yet. Hence we have to check the firewall policy as well in your case.
For example, if one of the subnets is 192.168.1.1/24 (don't stress too much /xx at this stage) and wants to reach 10.10.10.1/32, then we can try to ping(as good as say "hello") from 192 to 10 and will run some test at the FortiGate. Please follow the below steps:
Step 1:
-------
Go to the PC, and press the window+R at the same time. A small window will open, type cmd and click ok. A black window will open. For example, if the domain controller IP address is 10.10.10.1 then in this black window, type ping 10.10.10.1 -t and keep this running.
Step 2:
-------
Now login to your FortiGate CLI type the sniffer command and hit enter. You will see some outputs After 3-4 min, press ctrl+c in the FortiGate CLI window(where you run the sniffer command) and this should stop the commands outputs. After that run the command "get router info routing-table all" and hit enter. You will get some outputs. Now, navigate to the top right corner of the black window in the FortiGate CLI page and click the down arrow and this should download a file to your download folder. FYI, refer to the attached photos to assist you with each section of "ping", "sniffer", "route table" and "log file".
Please share this file here so that we can check this further. We aim to verify things one by one so as not to overwhelm the situation.
Thanks
Atul Srivastava
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for breaking this down for me @Atul_S .
Sniffer:
Routing table (truncated due to security reasons). Our routing table is very large.
Please let me know if you need more info. Thank you!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
Thanks for this. Even though the static route is in place, we are not getting an echo reply from 192.168.60.35 private range for 198.237.189.60 public
Please confirm the below:
-Can you ping any other address within 192.168.60.0/24 from vlan 444?
Step A:
------
-Run the same ping again from 198.237.189.60 towards 192.168.60.35 and capture the below command output:
diag sys session filter clear
diag sys session filter src 198.237.189.60
diag sys session filter proto 1 // once you ready up to this point, start ping with 20 packets from 198.237.189.60 towards 192.168.60.35. Now, run the below command and share the output
diag sys session list
Step B:
-------
Once you complete the above steps, run the sniffer you ran earlier in the FortiGate and start pinging from 192.168.60.35 towards 198.237.189.60 and share the outputs.
Thanks,
Atul Srivastava
Created on 10-10-2024 11:42 AM Edited on 10-10-2024 01:18 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
diag sys session list:
I am unfortunately not currently able to test ping in the opposite direction, as I don't have anyone on site. I will need to coordinate this portion.
**edited for spelling**
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There,
Based on the session list, it seems like we need more investigation(remote session), which is not scalable using a forum at this stage. Please log in to your FortiCare account and create a ticket for TAC to investigate this further.
Thanks,
Atul Srivastava
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Quarantined IP Address Group 159 Views
- ForticlientVPN - Permission denied (-455) 883 Views
- Configuring SAML SSO Entra Login 1049 Views
- Auto update policy and objects in... 324 Views
- Issue with VLANs created on Fortigate... 436 Views
Labels
-
FortiGate
8,501 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.