IDMJohn
New Contributor III

I created an IP network on Port 3 but can't ping the gateway from the clients

I have an internal (default) network 10.25.0.0/24 on port 1 and 2. I created a new network 10.20.10.0/24 on port 3. Clients connected to the internal network can ping the Fortigate gateway 10.25.0.1. Clients connected to the network on Port 3 cannot ping the Fortigate gateway 10.25.10.1. The clients can all access the internet, no issues. In the Administrative Access area of the interface configuration for Port 3, I have HTTPS, SSH, PING and Security Fabric Connection checked.

Why can't my connected DHCP clients ping the gateway 10.25.10.1? I can ping this address from the CLI from within the firewall with no issue (execute ping 10.25.10.1). What am I missing?

Also, how do I set up a one-way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?

Any help would be appreciated.

Thanks!

3 Solutions
dingjerry_FTNT

Hi @IDMJohn ,

You showed us several times the 10.20.x.x network, but I believe that all networks you are talking about are either 10.25.0.0/24 or 10.25.10.0/24.

It seems that you are careless.

So if you are the one who configured the FGT, you may need to double-check all the configurations, such as interface settings, address objects (internal and internal3 address) for those networks, and so on.

Anyway:

1) The policy routes are useless if the routing table is correct. I don't know what the purpose is for you to create those two policy routes.

2) You did not show us the internal3 configuration, so I don't know whether you enabled Ping in the Administrative settings or not;

3) You did not tell us where the IP 10.25.10.1 is. Is it the internal3 IP?

4) If all configurations are correct, you may run the debug flow commands:

diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr 10.25.10.1
diag debug flow trace start 20
diag debug enable

Then ping 10.25.10.1 to reproduce the issue and collect the debug outputs.

NOTE: Please DO NOT run continuous Ping.

5) "Also, how do I set up a one-way route so that a connection to 10.25.10.X can be initiated from the 10.25.0.X network, but not vice versa?"

So you are allowing traffic from internal to internal3 (aka Port3), but do not allow traffic from internal3 (aka Port3) to internal, right?

If so, just change the action of the firewall policy with the name "Port3 to internal" to Deny.

Regards,

Jerry


dingjerry_FTNT

Hi @IDMJohn ,

Since you can ping Internet IPs, I believe that you should see 10.25.10.1 if you run the following on your PC:

arp -a

If yes, I suspect that there is a device in the middle between the FGT and your internal3 network blocking the ICMP traffic between internal networks.

Regards,

Jerry


IDMJohn

Aha! You are correct. The root cause is a configuration on the Aruba 1930 switch. The VLAN connected to Port 3 was configured to block all traffic except to the Internet (the default configuration, apparently). I removed the restriction and everything came to life! Bi-directional traffic and connectivity :)

I have since denied access from port3 to Internal (as I wanted) and verified that I can access 10.25.10.0 from 10.25.0.0 but not vice versa.

Thank you so much for your help and support through this problem. It turns out not to be the firewall at all... it was always correct, it was the connecting switch being too smart for its own (or my) good.

Thank you! Thank you! Thank you!

 


35 Replies
funkylicious

I would disable NAT on the policy Internal to port3, delete the policy routes, and set port3 to Internal as Deny.

You really don't need those policy routes, unless you want to manipulate the traffic and not follow the routing table for some reason.

"jack of all trades, master of none"
IDMJohn
New Contributor III

I clicked Solved by mistake :(

IDMJohn
New Contributor III

This is my Port3 configuration. As you can see, Port 3 is assigned IP address 10.25.10.1 and it has Ping enabled.

Port3 Configuration.png

When I ran the diag debug commands and ran a ping of 10.25.10.1 from a client on 10.25.10.112, I get nothing. When I do the same for the Internal network, pinging 10.25.0.1 from 10.25.0.129, I see the ping happen in the debug statements. It would seem that the ping of 10.25.10.1 from 10.25.10.112 never makes it to the port?

IDMJohn
New Contributor III

I removed the policy routes, removed NAT from the 2 security policies, and nothing changed.  This is my routing table:

Routing Table.png

dingjerry_FTNT

Hi @IDMJohn ,

If the FGT can't even see the ping from 10.25.10.112, that is your network issue, not the FGT's issue, because 10.25.10.112 and 10.25.10.1 are on the same network. They should see each other even without a gateway.

Regards,

Jerry
IDMJohn

Not sure how it could be. That port is connected to a dedicated switch and the clients to the switch. The only connections on that switch are the clients and the FGT. The FGT is handing out DHCP addresses to all connected clients on this network (see screenshot), and the clients can connect to the internet, which is WAN1 only, so it has to be going through the FGT. I am not sure what could be broken here.

Port3 DHCP List.png

dingjerry_FTNT

Hi @IDMJohn ,

If 10.25.10.0/24 users can access the Internet, please run the debug flow commands again with 10.25.10.112 as the "addr" filter instead.

Regards,

Jerry
IDMJohn

OK, I ran the trace against 10.25.10.114 (my connected client). When I pinged 10.25.10.1, I get nothing. When I pinged an external IP address (75.75.75.75) this is what I got:

IDM-Firewall # id=20085 trace_id=39 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 10.25.10.114:1->75.75.75.75:2048) tun_id=0.0.0.0 from internal3. type=8, code=0, id=1, seq=1745."
id=20085 trace_id=39 func=init_ip_session_common line=6048 msg="allocate a new session-003a5d28, tun_id=0.0.0.0"
id=20085 trace_id=39 func=iprope_dnat_check line=5338 msg="in-[internal3], out-[]"
id=20085 trace_id=39 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=39 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=39 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-173.44.80.1 via wan1"
id=20085 trace_id=39 func=iprope_fwd_check line=784 msg="in-[internal3], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=39 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-4, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=39 func=__iprope_user_identity_check line=1816 msg="ret-matched"
id=20085 trace_id=39 func=__iprope_check line=2274 msg="gnum-4e20, check-ffffffbffc02b1e0"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-9, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-10, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-11, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-12, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-1, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-14, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-5, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-16, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-2, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-3, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-4, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-8, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2027 msg="checked gnum-4e20 policy-7, ret-matched, act-accept"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2244 msg="policy-7 is matched, act-accept"
id=20085 trace_id=39 func=__iprope_check line=2291 msg="gnum-4e20 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=39 func=get_new_addr line=1223 msg="find SNAT: IP-173.44.80.179(from IPPOOL), port-60417"
id=20085 trace_id=39 func=__iprope_check_one_policy line=2244 msg="policy-4 is matched, act-accept"
id=20085 trace_id=39 func=iprope_fwd_check line=821 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=39 func=iprope_fwd_auth_check line=840 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=39 func=iprope_reverse_dnat_check line=1302 msg="in-[internal3], out-[wan1], skb_flags-02000000, vid-0"
id=20085 trace_id=39 func=iprope_reverse_dnat_tree_check line=919 msg="len=0"
id=20085 trace_id=39 func=fw_forward_handler line=881 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=39 func=ids_receive line=418 msg="send to ips"
id=20085 trace_id=39 func=__ip_session_run_tuple line=3489 msg="SNAT 10.25.10.114->173.44.80.179:60417"
id=20085 trace_id=40 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 75.75.75.75:60417->173.44.80.179:0) tun_id=0.0.0.0 from wan1. type=0, code=0, id=60417, seq=1745."
id=20085 trace_id=40 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, reply direction"
id=20085 trace_id=40 func=__ip_session_run_tuple line=3502 msg="DNAT 173.44.80.179:0->10.25.10.114:1"
id=20085 trace_id=40 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.25.10.114 via internal3"
id=20085 trace_id=40 func=npu_handle_session44 line=1187 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000000 ses.state=00052204 ses.npu_state=0x04001008"
id=20085 trace_id=40 func=fw_forward_dirty_handler line=410 msg="state=00052204, state2=00004001, npu_state=04001008"
id=20085 trace_id=40 func=ids_receive line=418 msg="send to ips"
id=20085 trace_id=41 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 10.25.10.114:1->75.75.75.75:2048) tun_id=0.0.0.0 from internal3. type=8, code=0, id=1, seq=1746."
id=20085 trace_id=41 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, original direction"
id=20085 trace_id=41 func=npu_handle_session44 line=1187 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x04001008"
id=20085 trace_id=41 func=fw_forward_dirty_handler line=410 msg="state=00012204, state2=00004001, npu_state=04001008"
id=20085 trace_id=41 func=ids_receive line=418 msg="send to ips"
id=20085 trace_id=41 func=__ip_session_run_tuple line=3489 msg="SNAT 10.25.10.114->173.44.80.179:60417"
id=20085 trace_id=42 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 75.75.75.75:60417->173.44.80.179:0) tun_id=0.0.0.0 from wan1. type=0, code=0, id=60417, seq=1746."
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, reply direction"
id=20085 trace_id=42 func=__ip_session_run_tuple line=3502 msg="DNAT 173.44.80.179:0->10.25.10.114:1"
id=20085 trace_id=42 func=npu_handle_session44 line=1187 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x04001008"
id=20085 trace_id=42 func=fw_forward_dirty_handler line=410 msg="state=00012204, state2=00004001, npu_state=04001008"
id=20085 trace_id=42 func=ids_receive line=418 msg="send to ips"
id=20085 trace_id=43 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 10.25.10.114:1->75.75.75.75:2048) tun_id=0.0.0.0 from internal3. type=8, code=0, id=1, seq=1747."
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, original direction"
id=20085 trace_id=43 func=npu_handle_session44 line=1187 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x04001008"
id=20085 trace_id=43 func=fw_forward_dirty_handler line=410 msg="state=00012204, state2=00004001, npu_state=04001008"
id=20085 trace_id=43 func=ids_receive line=418 msg="send to ips"
id=20085 trace_id=43 func=__ip_session_run_tuple line=3489 msg="SNAT 10.25.10.114->173.44.80.179:60417"
id=20085 trace_id=44 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 75.75.75.75:60417->173.44.80.179:0) tun_id=0.0.0.0 from wan1. type=0, code=0, id=60417, seq=1747."
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, reply direction"
id=20085 trace_id=44 func=__ip_session_run_tuple line=3502 msg="DNAT 173.44.80.179:0->10.25.10.114:1"
id=20085 trace_id=44 func=npu_handle_session44 line=1187 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x04001008"
id=20085 trace_id=44 func=fw_forward_dirty_handler line=410 msg="state=00012204, state2=00004001, npu_state=04001008"
id=20085 trace_id=44 func=ids_receive line=418 msg="send to ips"

Clearly it is going through the FGT to get to the internet, and the gateway is 10.25.10.1. So why don't I see anything when I ping the gateway, but I do when I ping an external IP address?
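The trace above is the output of the `diag debug flow` commands from Jerry's first answer, and reading it by hand gets tedious once a filter produces dozens of lines. The following Python script is an added example (not part of this thread and not a Fortinet tool): it groups the trace lines by trace_id and extracts the ingress interface, the route the FortiGate chose, the matching policy and any NAT, then answers the question that matters here, whether any trace was addressed to 10.25.10.1 at all. The sample input is a constructed subset of the lines posted above; the regular expressions and dictionary keys are this example's own assumptions about the message text, not a documented format.

```python
import re
from collections import OrderedDict

# Constructed sample input: a subset of the lines posted in this thread for the
# ping from 10.25.10.114 to 75.75.75.75 (one request, one reply). There is
# deliberately no trace for a ping to 10.25.10.1, because the FortiGate printed
# nothing for that ping; the functions below make that absence explicit.
SAMPLE_TRACE = """\
IDM-Firewall # id=20085 trace_id=39 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 10.25.10.114:1->75.75.75.75:2048) tun_id=0.0.0.0 from internal3. type=8, code=0, id=1, seq=1745."
id=20085 trace_id=39 func=init_ip_session_common line=6048 msg="allocate a new session-003a5d28, tun_id=0.0.0.0"
id=20085 trace_id=39 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-173.44.80.1 via wan1"
id=20085 trace_id=39 func=iprope_fwd_check line=784 msg="in-[internal3], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=39 func=fw_forward_handler line=881 msg="Allowed by Policy-4: SNAT"
id=20085 trace_id=39 func=__ip_session_run_tuple line=3489 msg="SNAT 10.25.10.114->173.44.80.179:60417"
id=20085 trace_id=40 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 75.75.75.75:60417->173.44.80.179:0) tun_id=0.0.0.0 from wan1. type=0, code=0, id=60417, seq=1745."
id=20085 trace_id=40 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-003a5d28, reply direction"
id=20085 trace_id=40 func=__ip_session_run_tuple line=3502 msg="DNAT 173.44.80.179:0->10.25.10.114:1"
id=20085 trace_id=40 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.25.10.114 via internal3"
"""

# One regex per message type we care about. The func= and msg= fields are what
# FortiOS prints; the group names are this example's own.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).* from (?P<intf>[^\s.]+)\.')
ROUTE_RE = re.compile(r'find a route: .*gw-(?P<gw>[\d.]+) via (?P<intf>\S+)')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+)')
NAT_RE = re.compile(r'^(?P<kind>[SD]NAT) (?P<detail>.+)$')


def parse_debug_flow(text):
    """Group 'diag debug flow' lines by trace_id and pull out the forwarding decision."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)          # search, so a console prompt prefix is tolerated
        if not m:
            continue
        tid = int(m.group('tid'))
        t = traces.setdefault(tid, {
            'trace_id': tid, 'proto': None, 'src': None, 'dst': None,
            'in_intf': None, 'out_intf': None, 'gateway': None,
            'policy': None, 'verdict': None, 'nat': [], 'session': None,
        })
        func, msg = m.group('func'), m.group('msg')
        if func == 'print_pkt_detail':
            p = PKT_RE.search(msg)
            if p:
                t['proto'] = int(p.group('proto'))
                t['src'], t['dst'], t['in_intf'] = p.group('src'), p.group('dst'), p.group('intf')
        elif func == 'vf_ip_route_input_common':
            r = ROUTE_RE.search(msg)
            if r:
                t['gateway'], t['out_intf'] = r.group('gw'), r.group('intf')
        elif func == 'fw_forward_handler':
            p = POLICY_RE.search(msg)
            if p:
                t['policy'], t['verdict'] = int(p.group('pid')), 'accept'
            elif 'Denied' in msg:
                t['verdict'] = 'deny'
        elif func == 'resolve_ip_tuple_fast':
            # Packets of an existing session skip policy lookup; note the direction instead
            t['session'] = 'reply' if 'reply direction' in msg else 'original'
        elif func == '__ip_session_run_tuple':
            n = NAT_RE.match(msg)
            if n:
                t['nat'].append((n.group('kind'), n.group('detail')))
    return list(traces.values())


def traces_to(traces, dst):
    """Traces whose first packet was addressed to dst. Empty means the FortiGate never saw such a packet."""
    return [t for t in traces if t['dst'] == dst]


def summarize(t):
    """One line per trace, the way you would eyeball it on the console."""
    verdict = t['verdict'] or (f"session {t['session']}" if t['session'] else 'no decision')
    pol = f" policy-{t['policy']}" if t['policy'] is not None else ''
    nat = ''.join(f" {k}({d})" for k, d in t['nat'])
    return (f"trace {t['trace_id']}: proto={t['proto']} {t['src']}->{t['dst']} "
            f"in={t['in_intf']} out={t['out_intf']} via {t['gateway']}: {verdict}{pol}{nat}")


if __name__ == '__main__':
    parsed = parse_debug_flow(SAMPLE_TRACE)
    for t in parsed:
        print(summarize(t))
    # The diagnostic point of the thread: a filter on 10.25.10.1 produced no
    # trace at all, so those packets were dropped before reaching the FortiGate.
    print('traces addressed to 10.25.10.1:', len(traces_to(parsed, '10.25.10.1')))
```

Paste the whole console capture into `SAMPLE_TRACE` (or read it from a file) and the summary shows per trace where the packet came in, where the route sent it, which policy accepted it and what NAT was applied; an empty result from `traces_to` for the filtered address is the same evidence Jerry drew on, the packet never arrived at the firewall.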

dingjerry_FTNT

Hi @IDMJohn ,

We still need to check your FGT configuration.

If you can't provide the whole FGT config, you may back up your FGT config, search for 10.25.10.1, and provide all the configurations related to 10.25.10.1.

In this way, you can mask any sensitive info.

Regards,

Jerry
IDMJohn
New Contributor III

Question. When looking at my routing table I have a connected route from 10.25.0.0/24 to 0.0.0.0 and a connected route from 10.25.0.0/24 to 0.0.0.0 and a static route from 0.0.0.0 to my external IP address. Does this mean that the ping traffic goes from 10.25.10.114 to 0.0.0.0 and then is statically routed to my external IP address (internet) so that it never hits the Port IP of 10.25.10.1?

I am not sure how this works, but I would have thought I would have a route from 10.25.10.0/24 to 10.25.0.0/24 and vice versa given my policy settings.

Am I on to something, or am I just ignorant?

Thanks for the help!

Routing Table.png
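The routing question above, and Jerry's earlier remark that two hosts on 10.25.10.0/24 should see each other even without a gateway, both come down to how a route lookup works: the most specific prefix wins, so a connected /24 always beats the 0.0.0.0/0 default, and a packet addressed to the firewall's own interface address is delivered locally rather than routed anywhere. The script below is an added example (not from this thread and not FortiOS code) that replays that logic over the routing table the thread describes; the route entries, the interface addresses 10.25.0.1 and 10.25.10.1, and the wan1 next hop 173.44.80.1 are taken from the posts, while the function names and the returned labels are this example's own.

```python
import ipaddress

# Routing table as the thread describes it: two connected routes and one static
# default. The wan1 next hop 173.44.80.1 is the one shown in the debug flow
# output posted earlier; everything else is reconstructed from the posts.
ROUTES = [
    # (destination, gateway, interface, kind)
    ("10.25.0.0/24",  None,          "internal",  "connected"),
    ("10.25.10.0/24", None,          "internal3", "connected"),
    ("0.0.0.0/0",     "173.44.80.1", "wan1",      "static"),
]

# The FortiGate's own interface addresses, as given in the thread.
INTERFACE_ADDRS = {"internal": "10.25.0.1", "internal3": "10.25.10.1"}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins, so the
    0.0.0.0/0 default is used only when no connected or more specific route covers dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for dest, gw, intf, kind in routes:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, intf, kind)
    return best


def classify(dst, routes=ROUTES, local=INTERFACE_ADDRS):
    """What the FortiGate does with a packet for dst: deliver it locally,
    forward it straight onto a connected segment, or forward it to a next-hop gateway."""
    for intf, addr in local.items():
        if addr == dst:
            return ("local", intf, None)          # its own address: never routed out
    r = lookup(dst, routes)
    if r is None:
        return ("no-route", None, None)
    net, gw, intf, kind = r
    if kind == "connected":
        return ("forward-direct", intf, None)    # ARP for the host on that segment
    return ("forward-via-gateway", intf, gw)


def same_subnet(a, b, prefixlen):
    """Host-side view: two addresses inside one /prefixlen talk directly over ARP;
    the host's default gateway is not involved at all."""
    na = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(b) in na


if __name__ == "__main__":
    for dst in ("10.25.10.1", "10.25.0.129", "75.75.75.75"):
        print(dst, "->", classify(dst))
    print("10.25.10.114 reaches 10.25.10.1 without a gateway:",
          same_subnet("10.25.10.114", "10.25.10.1", 24))
```

Running it shows 10.25.10.1 classified as local on internal3 and 75.75.75.75 sent via 173.44.80.1 on wan1, and that a ping from 10.25.10.114 to 10.25.10.1 is a same-subnet exchange the client resolves with ARP; if that ping never shows in the debug flow, the routing table is not what is stopping it, which is why the switch in between was the right place to look.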
