Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
IDMJohn
New Contributor III

Created on ‎01-20-2025 10:43 AM

I created a IP network on Port 3 but can't ping the gateway from the clients

I have a internal (default) network 10.25.0.0/24 on port 1 and 2. I created a new network 10.20.10.0/24 on port 3.  Clients connected to the internal network can ping the Fortigate gateway 10.25.0.1.  Clients connected to the network on Port 3 cannot ping the Fortigate gateway 10.25.10.1.  The clients can all access the internet no issues.  In Administrative Access area of the interface configuration for Port 3, I have HTTPS, SSH, PING and Security Fabric Connection checked.

 

Why can't my connected DHCP clients ping the gateway 10.25.10.1?  I can ping this address from CLI from within the firewall no issue (execute ping 10.25.10.1).  What am I missing?

 

Also how do I setup a one way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vise versa?

 

Any help would be appreciated.

 

Thanks!

Labels:
1133
0 Kudos
3 Solutions
dingjerry_FTNT
Staff
Staff
In response to IDMJohn

Created on ‎01-20-2025 06:55 PM Edited on ‎01-20-2025 06:56 PM

Hi @IDMJohn ,

 

You showed us several times with 10.20.x.x network, but I believe that all networks you are talking about are either 10.25.0.0/24 or 10.25.10.0/24.

 

It seems that you are careless.

 

So if you are the one who configured the FGT, you may need to double check all the configurations, such as interface settings, address objects (internal and internal3 address)for those networks, and so on.

 

Anyway:

 

1) The policy routes are useless if the routing table is correct.  I don't know what the purpose is for you to create those two policy routes.

 

2) You did not show us the internal3 configurations, so I don't know whether you enabled Ping for the Administrative settings or not;

 

3) You did not tell us where the IP 10.25.10.1 is.  Is it the internal3 IP?

 

4) If all configurations are correct, you may run the debug flow commands:

 

diag debug flow show iprope enable

diag debug flow filter proto 1

diag debug flow filter addr 10.25.10.1

diag debug flow trace start 20

diag debug enable

 

Then Ping 10.25.10.1 to reproduce the issue and collect the debug outputs.

 

NOTE:  Please DO NOT run continuous Ping.

 

5) "Also how do I setup a one way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vise versa?"

 

So you are allowing traffic from internal to internal3 (aka Port3), but do not allow traffic from internal3 (aka Port3) to internal, right?

 

If so, just change the action of the firewall policy with the name "Port3 to internal" to Deny.

Regards,

Jerry

View solution in original post

1048
dingjerry_FTNT
Staff
Staff
In response to IDMJohn

Created on ‎01-22-2025 08:36 AM

Hi @IDMJohn ,

 

Since you can Ping Internet IPs, I believe that you should see 10.25.10.1 if you run the following on your PC:

 

arp -a

 

If yes, I suspect that there is a device in the middle between FGT and your internal3 network blocking the ICMP traffic between internal networks.

Regards,

Jerry

View solution in original post

729
0 Kudos
IDMJohn
New Contributor III
In response to dingjerry_FTNT

Created on ‎01-22-2025 10:42 AM

Aha!  you are correct.  The root cause is a configuration on the Aruba 1930 switch.  The VLAN connected to Port 3 was configured to block all traffic except to the Internet (the default configuration apparently).  I removed the restriction and everything came to life!  Bi-directional traffic and connectivity :)

 

I have since denied access from port3 to Internal (as I wanted) and verified that I can access 10.25.10.0 from 10.25.0.0 but not vise versa.

 

Thank you so much for your help and support through this problem.  It turns out not be the firewall at all... it was always correct, it was the connecting switch being too smart for its own (or my) good.

 

Thank you! Thank you! Thank you!

 

View solution in original post

683
0 Kudos
35 REPLIES 35
dingjerry_FTNT
Staff
Staff
In response to IDMJohn

Created on ‎01-22-2025 10:43 AM

Hi @IDMJohn ,

 

Great. We have 10.25.10.1 and its MAC address there.

 

Please run the following command to confirm whether the MAC address is the same as the one on FGT:

 

diag hardware deviceinfo nic internal3

 

If the MAC addresses are the same, that means some equipment or your PC Windows Firewall blocking the ICMP traffic between internal networks.  

 

I would suggest you to disable your Windows Firewall for a try first.

 

Regards,

Jerry
177
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to dingjerry_FTNT

Created on ‎01-22-2025 10:46 AM

Hi @IDMJohn ,

 

6...4c 5f 70 d4 72 c7 ......Intel(R) Wi-Fi 6 AX200 160MHz

 

It seems that your PC is using WiFi.  Is it possible that you can try it with wired connection?

Regards,

Jerry
172
0 Kudos
IDMJohn
New Contributor III
In response to dingjerry_FTNT

Created on ‎01-22-2025 10:42 AM

Aha!  you are correct.  The root cause is a configuration on the Aruba 1930 switch.  The VLAN connected to Port 3 was configured to block all traffic except to the Internet (the default configuration apparently).  I removed the restriction and everything came to life!  Bi-directional traffic and connectivity :)

 

I have since denied access from port3 to Internal (as I wanted) and verified that I can access 10.25.10.0 from 10.25.0.0 but not vise versa.

 

Thank you so much for your help and support through this problem.  It turns out not be the firewall at all... it was always correct, it was the connecting switch being too smart for its own (or my) good.

 

Thank you! Thank you! Thank you!

 

684
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to IDMJohn

Created on ‎01-22-2025 11:54 AM

Hi @IDMJohn ,

 

I am so glad that this issue has been resolved.  Enjoy our products!

Regards,

Jerry
162
0 Kudos
IDMJohn
New Contributor III

Created on ‎01-22-2025 08:19 AM

Interestingly, the firewall can't ping 10.25.10.114:

 

IDM-Firewall # exe ping 10.25.10.114
PING 10.25.10.114 (10.25.10.114): 56 data bytes

--- 10.25.10.114 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

IDM-Firewall #

129
0 Kudos
IDMJohn
New Contributor III

Created on ‎01-22-2025 08:21 AM

So the client can't ping the firewall and the firewall can't ping the client, but the client can use the firewall (physical port3 at 10.25.10.1) to get out to the internet.

222
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.