Hi,
Lets say i have wan1 and internal1 as interfaces where wan1 is connected to internet and internal1 is connected to a laptop.
We have a default route because wan1 is set as DHCP client and we also have a policy to forward traffic from lan to internet (internal1 -> wan1).
If i ping internet from laptop i have connectivity, but if i try to ping internet from interface internal1 on fortinet i have no reply. Why is that?
I see in debug that traffic is not initiated from LAN name, but from "local". Is there a possibility to have reply even if i ping from internal1?
Thank you
Solved! Go to Solution.
That's because if you are IN your FGT pinging from there, regardless what souce IP/interface you specify with the "ping-option source", it would never follow the policy for the ingress-interface to egress-interface. It would just go out through the interface your route is pointing to with the source-IP (in your case) you specify. So no SNAT is applied in your policy. And the ping destination over the internet doesn't know how to route back even if it's not simply dropped because of the private IP for the returning IP.
Toshi
Hi
Indeed. Use ping-options source option from CLI command.
I.e:
# exec ping-options source <here_your_interface_you_want)to-ping-from>
# exec ping <IP/host of interest>
There're more options to play with:
# exec ping-options ?
adaptive-ping Adaptive ping <enable|disable>.
data-size Integer value to specify datagram size in bytes.
df-bit Set DF bit in IP header <yes | no>.
interface Auto | <outgoing interface>.
interval Integer value to specify seconds between two pings.
pattern Hex format of pattern, e.g. 00ffaabb.
repeat-count Integer value to specify how many times to repeat PING.
reset Reset settings.
source Auto | <source interface IP>.
timeout Integer value to specify timeout in seconds.
tos IP type-of-service option.
ttl Integer value to specify time-to-live.
use-sdwan Use SD-WAN rules to get output interface <yes | no>.
validate-reply Validate reply data <yes | no>.
view-settings View the current settings for PING option.
regards
/ Abel
That's because if you are IN your FGT pinging from there, regardless what souce IP/interface you specify with the "ping-option source", it would never follow the policy for the ingress-interface to egress-interface. It would just go out through the interface your route is pointing to with the source-IP (in your case) you specify. So no SNAT is applied in your policy. And the ping destination over the internet doesn't know how to route back even if it's not simply dropped because of the private IP for the returning IP.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.