IDMJohn
New Contributor III

I created an IP network on Port 3 but can't ping the gateway from the clients

I have an internal (default) network 10.25.0.0/24 on port 1 and 2. I created a new network 10.20.10.0/24 on port 3. Clients connected to the internal network can ping the Fortigate gateway 10.25.0.1. Clients connected to the network on Port 3 cannot ping the Fortigate gateway 10.25.10.1. The clients can all access the internet with no issues. In the Administrative Access area of the interface configuration for Port 3, I have HTTPS, SSH, PING and Security Fabric Connection checked.

Why can't my connected DHCP clients ping the gateway 10.25.10.1? I can ping this address from the CLI within the firewall with no issue (execute ping 10.25.10.1). What am I missing?

Also, how do I set up a one-way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?

Any help would be appreciated.

Thanks!

3 Solutions
dingjerry_FTNT

Hi @IDMJohn,

You showed us the 10.20.x.x network several times, but I believe that all the networks you are talking about are either 10.25.0.0/24 or 10.25.10.0/24.

It seems that you are careless.

So if you are the one who configured the FGT, you may need to double-check all the configurations, such as interface settings, address objects (internal and internal3 addresses) for those networks, and so on.

Anyway:

1) The policy routes are useless if the routing table is correct. I don't know what the purpose is for you to create those two policy routes.

2) You did not show us the internal3 configuration, so I don't know whether you enabled Ping in the Administrative Access settings or not.

3) You did not tell us where the IP 10.25.10.1 is. Is it the internal3 IP?

4) If all configurations are correct, you may run the debug flow commands:

diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr 10.25.10.1
diag debug flow trace start 20
diag debug enable

Then ping 10.25.10.1 to reproduce the issue and collect the debug output.

NOTE: Please DO NOT run a continuous ping.

5) "Also how do I setup a one way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?"

So you are allowing traffic from internal to internal3 (aka Port3), but not allowing traffic from internal3 (aka Port3) to internal, right?

If so, just change the action of the firewall policy with the name "Port3 to internal" to Deny.

Regards,

Jerry
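The interface and one-way policy set-up discussed in points 2 and 5 above, written out as FortiOS CLI. This is an added example, not configuration taken from the original post or from Fortinet: it assumes the interface names "internal" and "port3", the policy names seen in the thread's screenshots and the 10.25.x.x subnets from the thread; the address-object names are invented for illustration.

```fortios
# Interface for the new LAN. The FortiGate only answers pings on an
# interface when "ping" is in allowaccess; "fabric" is the Security
# Fabric Connection checkbox from the GUI.
config system interface
    edit "port3"
        set ip 10.25.10.1 255.255.255.0
        set allowaccess ping https ssh fabric
        set role lan
    next
end

# Address objects for the two LANs (names assumed)
config firewall address
    edit "internal_net"
        set subnet 10.25.0.0 255.255.255.0
    next
    edit "port3_net"
        set subnet 10.25.10.0 255.255.255.0
    next
end

# Policies are stateful: a session initiated from internal matches the
# first policy and the replies from port3 ride that session, so no
# return policy is needed. Sessions initiated from port3 towards internal
# hit the explicit deny. The implicit deny would drop them anyway; the
# explicit policy with logging makes those drops visible in the forward
# traffic log, which is the check you want when confirming "not vice versa".
config firewall policy
    edit 0
        set name "Internal to Port3"
        set srcintf "internal"
        set dstintf "port3"
        set srcaddr "internal_net"
        set dstaddr "port3_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "Port3 to internal"
        set srcintf "port3"
        set dstintf "internal"
        set srcaddr "port3_net"
        set dstaddr "internal_net"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Both subnets are directly connected, so the routing table already has
# the routes (point 1 above); review the policy routes and remove them.
show router policy
get router info routing-table connected
```

Policy order matters only among policies with the same source and destination interface pair; here the two policies are on opposite interface pairs, so either order gives the same result.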

dingjerry_FTNT

Hi @IDMJohn,

Since you can ping Internet IPs, I believe that you should see 10.25.10.1 if you run the following on your PC:

arp -a

If yes, I suspect that there is a device in the middle between the FGT and your internal3 network blocking the ICMP traffic between the internal networks.

Regards,

Jerry

IDMJohn

Aha! You are correct. The root cause is a configuration on the Aruba 1930 switch. The VLAN connected to Port 3 was configured to block all traffic except to the Internet (the default configuration, apparently). I removed the restriction and everything came to life! Bi-directional traffic and connectivity :)

I have since denied access from port3 to Internal (as I wanted) and verified that I can access 10.25.10.0 from 10.25.0.0 but not vice versa.

Thank you so much for your help and support through this problem. It turns out not to be the firewall at all... it was always correct; it was the connecting switch being too smart for its own (or my) good.

Thank you! Thank you! Thank you!

35 REPLIES
funkylicious
SuperUser

Do you have a firewall policy from internal to port3?

"jack of all trades, master of none"
IDMJohn
New Contributor III

I do.  This is a picture of it:

Port3_Policy.png

funkylicious

You have a policy from port3 to the Internet, so no.

You want to access the network on port3 from internal (port1+2). You need to create one.

"jack of all trades, master of none"
IDMJohn
New Contributor III

I do, sorry.  See screen shots below:

Internal to Port3.png

and 

Port3 to Internal.png

In addition, I have added the following Policy Routes:

Internal Policy Route.png

and 

Port3 Policy Route.png

IDMJohn
New Contributor III

DHCP clients connected to the 10.25.10.0 network cannot ping the gateway 10.25.10.1 or see/connect to any clients on the 10.20.0.0 network.  Clients on the 10.25.0.0 network cannot see/connect to clients on the 10.20.10.0 network.

IDMJohn

You are correct, I mistyped. 10.20 was a mistake. I meant to type 10.25. I created the policy routes in an attempt to try and get traffic to flow between the two networks, because it was not flowing after I created the security policies. To start with, I was trying to get bi-directional connectivity. When I am done, I want to restrict traffic from Port3 onto Internal.

IDMJohn
New Contributor III

This is my Port3 configuration.  As you can see the port is configured as 10.25.10.1 and ping is enabled:

Port3 Configuration.png

IDMJohn

When I run the diag debug commands and ping Port3 from the 10.25.10.0/24 network I get nothing.  I do the same commands on the Internal Port IP address 10.25.0.1 and I see the debug messages from the ping on the 10.25.0.0/24 network.  What does this tell me?
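When the debug flow filter on 10.25.10.1 prints nothing while the same filter on 10.25.0.1 does, the echo requests are not reaching the firewall's policy engine at all; the next step is to look one layer down, at the interface. The following diagnostic commands are an added example, not from the original post or from Fortinet: they assume the interface names "internal" and "port3" and use 10.25.10.50 as an assumed client address.

```fortios
# How the FortiGate actually has port3 configured (IP and allowaccess)
show system interface port3

# Both subnets should show as connected routes; no static or policy
# route is needed between them
get router info routing-table connected

# Capture ICMP at the interface, below firewall policy and debug flow.
# verbose 4 prints headers with interface names, count 0 runs until
# Ctrl+C, 'l' adds local timestamps. Ping 10.25.10.1 from a port3 client
# while this runs. If no echo-request ever appears, the frames are not
# arriving on port3: the problem is upstream (switch port or VLAN), not
# a policy or a route on the firewall.
diagnose sniffer packet port3 'icmp and host 10.25.10.1' 4 0 l

# The same capture on the working LAN, for comparison
diagnose sniffer packet internal 'icmp and host 10.25.0.1' 4 0 l

# Whether the FortiGate has learned the client's MAC on port3
diagnose ip arp list

# Test the reverse direction from the FortiGate itself, sourced from
# port3's own address. No reply here, together with no ARP entry above,
# points at the switch path rather than the firewall.
execute ping-options source 10.25.10.1
execute ping 10.25.10.50

# Stop and clear the debug flow session from the earlier step
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The sniffer sees frames as they arrive on the wire, so it separates "the firewall is dropping this" (packets visible in the sniffer, dropped in debug flow) from "the packets never get here" (nothing in the sniffer), which is the case this thread ended up in.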
