Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Izanagi
New Contributor

I want to know if it is possible to ping internet from lan interface on fortigate

Hi,

Let's say I have wan1 and internal1 as interfaces, where wan1 is connected to the internet and internal1 is connected to a laptop.

We have a default route because wan1 is set as a DHCP client, and we also have a policy to forward traffic from LAN to the internet (internal1 -> wan1).

If I ping the internet from the laptop I have connectivity, but if I try to ping the internet from interface internal1 on the FortiGate I get no reply. Why is that?

I see in the debug that the traffic is not initiated from the LAN name but from "local". Is there a possibility to get a reply even if I ping from internal1?

Thank you

1 Solution
Toshi_Esumi
Esteemed Contributor III

That's because if you are IN your FGT pinging from there, regardless of what source IP/interface you specify with the "ping-option source", it would never follow the policy for the ingress-interface to egress-interface. It would just go out through the interface your route is pointing to, with the source IP (in your case) you specify. So no SNAT is applied in your policy. And the ping destination over the internet doesn't know how to route back, even if it's not simply dropped because of the private IP for the returning IP.

 

Toshi


abelio
Valued Contributor

Hi

Indeed. Use the ping-options source option from the CLI.

I.e.:
# exec ping-options source <IP address of the interface you want to ping from>
# exec ping <IP/host of interest>

There are more options to play with:


# exec ping-options  ?

adaptive-ping Adaptive ping <enable|disable>.
data-size Integer value to specify datagram size in bytes.
df-bit Set DF bit in IP header <yes | no>.
interface Auto | <outgoing interface>.
interval Integer value to specify seconds between two pings.
pattern Hex format of pattern, e.g. 00ffaabb.
repeat-count Integer value to specify how many times to repeat PING.
reset Reset settings.
source Auto | <source interface IP>.
timeout Integer value to specify timeout in seconds.
tos IP type-of-service option.
ttl Integer value to specify time-to-live.
use-sdwan Use SD-WAN rules to get output interface <yes | no>.
validate-reply Validate reply data <yes | no>.
view-settings View the current settings for PING option.
regards / Abel
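Putting the two replies together, here is a CLI walkthrough that reproduces the failure, shows on the wire why it fails, and then gets a reply by sourcing the ping from the wan1 address (which is the address the policy's SNAT would have used for transit traffic). This is an added example, not part of either reply, and the addresses are constructed: internal1 = 192.168.1.99/24, wan1 = 203.0.113.10 obtained via DHCP, ping target 8.8.8.8. Replace them with your own.

```fortios
# Added example (not from the thread). Assumed addresses, replace with yours:
#   internal1 = 192.168.1.99/24 (laptop side), wan1 = 203.0.113.10 (DHCP),
#   ping target = 8.8.8.8

# 1. Confirm the default route and the interface it points to.
FGT # get router info routing-table all
# expect a line like:  S*  0.0.0.0/0 [5/0] via 203.0.113.1, wan1

# 2. Reproduce the failure: ping sourced from the internal1 address.
FGT # execute ping-options reset
FGT # execute ping-options source 192.168.1.99
FGT # execute ping-options repeat-count 3
FGT # execute ping-options view-settings
FGT # execute ping 8.8.8.8
# result: timeouts. Self-originated traffic follows the route only and never
# hits the internal1 -> wan1 policy, so no SNAT: the packet leaves wan1 with
# source 192.168.1.99, a private address nobody on the internet can route back.

# 3. Prove it on the wire: in a second CLI session, start the sniffer before
#    repeating step 2's ping (filter: ICMP to/from the target, verbose 4, 6 packets).
FGT # diagnose sniffer packet wan1 'icmp and host 8.8.8.8' 4 6
# expect:  wan1 -- 192.168.1.99 -> 8.8.8.8: icmp: echo request
# and no matching echo reply for that private source.

# 4. Working variant: source the ping from the wan1 address instead.
FGT # execute ping-options source 203.0.113.10
FGT # execute ping 8.8.8.8
# expect:  64 bytes from 8.8.8.8: icmp_seq=0 ttl=... time=... ms

# 5. Restore defaults so later pings from this CLI are not affected.
FGT # execute ping-options reset
```

The source address given to ping-options source must be one of the FortiGate's own interface addresses; step 4 works only because wan1's DHCP-assigned address is reachable from the target. If wan1 itself sits behind another NAT (a private DHCP address), the reply depends on that upstream device translating it, exactly as it does for the laptop's traffic.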
