I created an IP network on Port 3 but can't ping the gateway from the clients
I have an internal (default) network 10.25.0.0/24 on port 1 and 2. I created a new network 10.20.10.0/24 on port 3. Clients connected to the internal network can ping the Fortigate gateway 10.25.0.1. Clients connected to the network on Port 3 cannot ping the Fortigate gateway 10.25.10.1. The clients can all access the internet no issues. In the Administrative Access area of the interface configuration for Port 3, I have HTTPS, SSH, PING and Security Fabric Connection checked.
Why can't my connected DHCP clients ping the gateway 10.25.10.1? I can ping this address from CLI from within the firewall no issue (execute ping 10.25.10.1). What am I missing?
Also how do I set up a one way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?
Any help would be appreciated.
Thanks!
Created on ‎01-20-2025 06:55 PM Edited on ‎01-20-2025 06:56 PM
Hi @IDMJohn ,
You showed us several times with 10.20.x.x network, but I believe that all networks you are talking about are either 10.25.0.0/24 or 10.25.10.0/24.
It seems that you are careless.
So if you are the one who configured the FGT, you may need to double check all the configurations, such as interface settings, address objects (internal and internal3 address) for those networks, and so on.
Anyway:
1) The policy routes are useless if the routing table is correct. I don't know what the purpose is for you to create those two policy routes.
2) You did not show us the internal3 configurations, so I don't know whether you enabled Ping for the Administrative settings or not;
3) You did not tell us where the IP 10.25.10.1 is. Is it the internal3 IP?
4) If all configurations are correct, you may run the debug flow commands:
diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr 10.25.10.1
diag debug flow trace start 20
diag debug enable
Then Ping 10.25.10.1 to reproduce the issue and collect the debug outputs.
NOTE: Please DO NOT run continuous Ping.
5) "Also how do I set up a one way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?"
So you are allowing traffic from internal to internal3 (aka Port3), but do not allow traffic from internal3 (aka Port3) to internal, right?
If so, just change the action of the firewall policy with the name "Port3 to internal" to Deny.
Jerry
Hi @IDMJohn ,
Since you can Ping Internet IPs, I believe that you should see 10.25.10.1 if you run the following on your PC:
arp -a
If yes, I suspect that there is a device in the middle between FGT and your internal3 network blocking the ICMP traffic between internal networks.
Jerry
Aha! you are correct. The root cause is a configuration on the Aruba 1930 switch. The VLAN connected to Port 3 was configured to block all traffic except to the Internet (the default configuration apparently). I removed the restriction and everything came to life! Bi-directional traffic and connectivity :)
I have since denied access from port3 to Internal (as I wanted) and verified that I can access 10.25.10.0 from 10.25.0.0 but not vice versa.
Thank you so much for your help and support through this problem. It turns out not to be the firewall at all... it was always correct, it was the connecting switch being too smart for its own (or my) good.
Thank you! Thank you! Thank you!
Hi @IDMJohn
No. You have a misunderstanding with routing.
1) The system will check the routing table for a more specific entry, so if it matches the 10.25.0.0/24 entry, it will not match the 0.0.0.0 entry.
2) Ping 10.25.10.1 has nothing to do with checking the routing table for the destination since it is the IP on the internal3 interface.
FGT will verify the source for RPF to check the routing table.
3) Again, your issue seems to be something wrong in your configuration. So please provide all configurations related to 10.25.10.1.
4) And please provide your IP Pool configurations and VIP configurations.
Jerry
Here is my system interfaces from CLI:
IDM-Firewall # get system interfac
== [ wan1 ]
name: wan1 mode: dhcp ip: 173.44.80.179 255.255.255.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
== [ wan2 ]
name: wan2 mode: dhcp ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
== [ dmz ]
name: dmz mode: static ip: 10.10.10.1 255.255.255.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
== [ internal1 ]
name: internal1 status: up type: physical trunk: disable
== [ internal2 ]
name: internal2 status: up type: physical trunk: disable
== [ internal3 ]
name: internal3 mode: static ip: 10.25.10.1 255.255.255.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
== [ internal4 ]
name: internal4 status: up type: physical trunk: disable
== [ internal5 ]
name: internal5 status: up type: physical trunk: disable
== [ a ]
name: a status: up type: physical src-check: enable trunk: disable aggregate: fortilink
== [ b ]
name: b status: up type: physical src-check: enable trunk: disable aggregate: fortilink
== [ modem ]
name: modem mode: pppoe ip: 0.0.0.0 0.0.0.0 status: down netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
== [ naf.root ]
name: naf.root ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: disable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable wccp: disable
== [ l2t.root ]
name: l2t.root ip: 0.0.0.0 0.0.0.0 status: up netbios-forward: disable type: tunnel netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable trunk: disable wccp: disable
== [ ssl.root ]
IDM-Firewall #
Here are my Firewall Policies for Port 3 to the Internet, Port3 to Internal, Internal to Internet, Internal to Port3 and finally the Port3 configuration itself:
I have no IP pools defined, no policy routes defined, no static routes defined, no routing objects defined. I know I have something misconfigured, but I have no idea what :(
Here is a complete list of my policies from CLI:
config firewall policy
edit 1
set name "IDM Network Policy"
set uuid 71fe162a-b0f8-51ef-814b-64036f94e359
set srcintf "internal"
set dstintf "wan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set logtraffic all
set nat enable
next
edit 3
set name "vpn_RAVPN_remote_0"
set uuid de5fdb38-c13c-51ef-2df9-c762873a97b1
set srcintf "RAVPN"
set dstintf "internal"
set action accept
set srcaddr "all"
set dstaddr "Local_Network"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set nat enable
set comments "VPN: RAVPN (Created by VPN wizard)"
next
edit 4
set name "Port3 to Internet"
set uuid 5cbf927c-d73e-51ef-0bcc-16cd86e411e9
set srcintf "internal3"
set dstintf "wan1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set logtraffic all
set nat enable
next
edit 5
set name "Internal to Port3"
set uuid aea387e8-d765-51ef-2ed6-d34a945ab510
set srcintf "internal"
set dstintf "internal3"
set action accept
set srcaddr "internal"
set dstaddr "internal3 address"
set schedule "always"
set service "ALL"
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
next
edit 6
set name "Port3 to Internal"
set uuid d3765c3a-d765-51ef-274f-6ea3bc4d1c41
set srcintf "internal3"
set dstintf "internal"
set action accept
set srcaddr "internal3 address"
set dstaddr "internal"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
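The one-way requirement raised in the thread (internal may open sessions to internal3, not the reverse) depends on FortiOS evaluating policies top-down, first match wins, with an implicit deny at the end, while replies to established sessions are allowed by state. The following added example (not from the thread or from Fortinet) parses a constructed config in the same `config firewall policy` format as the one posted above and checks whether that one-way property holds; the sample mirrors policies 5 and 6 with uuids and addresses omitted.

```python
import re
from typing import Dict, List

# Constructed sample in FortiOS "show firewall policy" form, modelled on the
# thread's policies 5 and 6 before the fix (both directions still accept).
SAMPLE_CONFIG = """\
config firewall policy
    edit 5
        set name "Internal to Port3"
        set srcintf "internal"
        set dstintf "internal3"
        set action accept
    next
    edit 6
        set name "Port3 to Internal"
        set srcintf "internal3"
        set dstintf "internal"
        set action accept
    next
end
"""

def parse_policies(text: str) -> List[Dict[str, str]]:
    """Turn 'edit N ... set key value ... next' blocks into dicts, in table order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = {"id": m.group(1)}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return policies

def initiation_allowed(policies: List[Dict[str, str]], srcintf: str, dstintf: str) -> bool:
    """First policy matching the interface pair decides; none matching means implicit deny.
    'show' omits defaults, and the default action is deny, hence the fallback."""
    for p in policies:
        if p.get("srcintf") == srcintf and p.get("dstintf") == dstintf:
            return p.get("action", "deny") == "accept"
    return False

def one_way_ok(policies: List[Dict[str, str]], from_if: str, to_if: str) -> bool:
    """True when from_if can open sessions to to_if but to_if cannot open sessions back."""
    return initiation_allowed(policies, from_if, to_if) and not initiation_allowed(policies, to_if, from_if)
```

Flipping policy 6's action to deny (as the thread's author eventually did) is what makes `one_way_ok` return True for internal to internal3.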
Hi @IDMJohn ,
So far, all configurations seem good to me.
1) Do you have any local-in policy? If yes, please show it to us.
2) Please show the following:
show firewall address "internal3 address"
3) collect ARP outputs
get sys arp
4) Run the following sniffer capture command (I assume you are Pinging from 10.25.10.144, otherwise, please change it):
diag sniffer packet any 'icmp and host 10.25.10.144' 4
Then Ping 10.25.10.1 and 10.25.0.x IPs. Again, please do not run continuous Ping.
Jerry
Here is my CLI output for #1 and #2:
IDM-Firewall # show firewall address "internal3 address"
config firewall address
edit "internal3 address"
set uuid 202f6088-d740-51ef-4593-ee4c99ab9efd
set type interface-subnet
set subnet 10.25.10.1 255.255.255.0
set interface "internal3"
next
end
IDM-Firewall # get sys arp
Address Age(min) Hardware Addr Interface
10.25.0.110 1 50:41:1c:d9:9c:ec internal
10.25.0.135 4 f2:27:bd:f2:51:07 internal
10.25.0.102 11 44:5b:ed:f2:62:14 internal
10.25.10.108 728 d4:d4:da:26:0f:bc internal3
10.25.0.119 0 fc:3f:db:0e:08:b9 internal
10.25.10.100 21 08:b6:1f:ec:df:5c internal3
10.25.0.111 0 80:3f:5d:71:c5:c3 internal
10.25.0.136 8 46:b3:6c:18:03:85 internal
10.25.0.103 0 34:3a:20:c1:39:52 internal
10.25.0.128 0 cc:96:e5:3d:db:fa internal
173.44.80.1 0 24:7e:12:f1:18:19 wan1
10.25.10.109 68 d4:d4:da:26:5d:dc internal3
10.25.0.120 0 d0:46:0c:89:4e:8b internal
10.25.10.101 49 d4:d4:da:26:1c:a0 internal3
10.25.0.104 1 34:3a:20:c1:41:a4 internal
10.25.0.5 0 98:b7:85:1e:c3:06 internal
10.25.0.129 0 60:45:2e:80:f4:ee internal
10.25.10.110 729 d4:d4:da:25:f0:28 internal3
10.25.10.102 485 d4:d4:da:26:34:90 internal3
10.25.0.105 0 34:3a:20:c1:3e:06 internal
10.25.10.111 39 08:b6:1f:ec:5c:54 internal3
10.25.10.103 71 d4:d4:da:26:6b:94 internal3
10.25.0.147 0 e4:f1:4c:5c:6c:88 internal
10.25.0.106 3 34:3a:20:c1:3f:b8 internal
10.25.0.131 0 68:05:ca:13:78:7d internal
10.25.0.123 0 ae:c8:d6:c1:5c:93 internal
10.25.10.104 729 08:b6:1f:ec:39:30 internal3
10.25.0.115 0 54:f0:b1:cf:43:14 internal
10.25.0.107 0 34:3a:20:c1:3d:2c internal
10.25.0.132 2 00:2b:67:81:64:f2 internal
10.25.10.113 3 ee:67:fa:39:ac:fd internal3
10.25.0.124 1 30:c9:ab:55:34:d9 internal
10.25.0.116 2 a6:5b:9f:68:19:21 internal
10.25.10.105 729 d4:d4:da:26:6b:ac internal3
10.25.0.108 0 f2:34:58:cc:28:eb internal
10.25.0.133 5 56:94:81:6a:22:b8 internal
10.25.0.100 11 bc:d7:a5:7a:56:c6 internal
10.25.0.166 0 40:8d:5c:bf:28:7b internal
10.25.10.114 0 4c:5f:70:d4:72:c7 internal3
10.25.10.106 850 d4:d4:da:25:e0:8c internal3
10.25.0.126 2 86:a5:1a:ae:c6:62 internal
10.25.10.107 61 d4:d4:da:26:5c:cc internal3
10.25.0.118 0 d4:5d:64:47:ee:a5 internal
IDM-Firewall #
I ran the diag sniffer (using 10.25.10.114 which is my windows client on that network). When I pinged 10.25.10.1 and 10.25.0.1 nothing was logged. I then pinged 75.75.75.75 (external IP address) to make sure it was working and it logged the following:
IDM-Firewall # diag sniffer packet any 'icmp and host 10.25.10.114' 4
interfaces=[any]
filters=[icmp and host 10.25.10.114]
69.404498 internal3 in 10.25.10.114 -> 75.75.75.75: icmp: echo request
69.417072 internal3 out 75.75.75.75 -> 10.25.10.114: icmp: echo reply
70.410092 internal3 in 10.25.10.114 -> 75.75.75.75: icmp: echo request
70.420481 internal3 out 75.75.75.75 -> 10.25.10.114: icmp: echo reply
^C
4 packets received by filter
0 packets dropped by kernel
IDM-Firewall #
So it would seem that the ping request never makes it to the firewall for the internal addresses? Not sure what this tells me, except it's broken.
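The sniffer output above is the decisive evidence in this thread: an echo request that the FortiGate never sees cannot have been dropped by the FortiGate. The following added example (not from the thread or from Fortinet) parses a constructed transcript in the verbosity-4 `diag sniffer packet` format shown above and sorts each ping target into "not seen" (look upstream, e.g. a switch or VLAN ACL), "no reply" (request reached the FortiGate but got no answer, so check policy, local-in policy or admin access) or "ok". The sample extends the thread's capture with one constructed "no reply" line so that all three outcomes appear.

```python
import re
from typing import Dict, List

# Constructed transcript in the format of
#   diag sniffer packet any 'icmp and host 10.25.10.114' 4
# (timestamp, interface, direction, src -> dst, protocol summary).
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[icmp and host 10.25.10.114]
69.404498 internal3 in 10.25.10.114 -> 75.75.75.75: icmp: echo request
69.417072 internal3 out 75.75.75.75 -> 10.25.10.114: icmp: echo reply
70.410092 internal3 in 10.25.10.114 -> 10.25.0.1: icmp: echo request
3 packets received by filter
0 packets dropped by kernel
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse_capture(text: str) -> List[dict]:
    """Keep only the ICMP echo lines; header lines and the final summary are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify_targets(text: str, client: str, targets: List[str]) -> Dict[str, str]:
    """Decide, per ping target, where the trouble lies based on what the FortiGate saw:
    'not seen' : no request from the client reached the FortiGate (upstream device)
    'no reply' : request arrived but no reply left (FortiGate-side policy/local-in/admin)
    'ok'       : request in and reply out both observed
    A reply to the gateway's own IP is sent by the FortiGate itself, so it also shows as 'out'."""
    pkts = parse_capture(text)
    verdict = {}
    for target in targets:
        req = any(p["dir"] == "in" and p["src"] == client and p["dst"] == target
                  and p["kind"] == "request" for p in pkts)
        rep = any(p["dir"] == "out" and p["src"] == target and p["dst"] == client
                  and p["kind"] == "reply" for p in pkts)
        verdict[target] = "ok" if req and rep else ("no reply" if req else "not seen")
    return verdict
```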
Created on ‎01-22-2025 08:06 AM Edited on ‎01-22-2025 08:06 AM
Hi @IDMJohn ,
1) The outputs of ARP show all IPs from 10.25.0.0/24 and 10.25.10.0/24 subnets.
2) Can you ping 10.25.10.114 from FortiGate?
exe ping 10.25.10.114
3) On your PC (10.25.10.114), run tracert:
tracert 10.25.10.1
4) You may show the routing table on your PC as well.
For Windows:
route print
Jerry
Oh, and there is no local-in-policy defined:
IDM-Firewall # show firewall local-in-policy
config firewall local-in-policy
end
IDM-Firewall #
This is the result of the route print and tracert on the 10.25.10.114 client:
C:\Users\jheimann>route print
===========================================================================
Interface List
3...b0 41 6f 10 8d f8 ......Realtek PCIe GbE Family Controller #2
5...4c 5f 70 d4 72 c8 ......Microsoft Wi-Fi Direct Virtual Adapter
14...4e 5f 70 d4 72 c7 ......Microsoft Wi-Fi Direct Virtual Adapter #2
6...4c 5f 70 d4 72 c7 ......Intel(R) Wi-Fi 6 AX200 160MHz
15...4c 5f 70 d4 72 cb ......Bluetooth Device (Personal Area Network) #2
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.25.10.1 10.25.10.114 45
10.25.10.0 255.255.255.0 On-link 10.25.10.114 301
10.25.10.114 255.255.255.255 On-link 10.25.10.114 301
10.25.10.255 255.255.255.255 On-link 10.25.10.114 301
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.25.10.114 301
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.25.10.114 301
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
6 301 fe80::/64 On-link
6 301 fe80::10b5:d2a3:cec4:991e/128 On-link
1 331 ff00::/8 On-link
6 301 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\jheimann>tracert 10.25.10.114
Tracing route to 10.25.10.1 over a maximum of 30 hops
1 * * * Request timed out.
2 * ^C
C:\Users\jheimann>
Here is my arp -a results:
C:\Users\jheimann>arp -a
Interface: 10.25.10.114 --- 0x6
Internet Address Physical Address Type
10.25.10.1 84-39-8f-77-2b-25 dynamic
10.25.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
C:\Users\jheimann>
