Support Forum
tofke22
New Contributor

Impossible to access a VLAN subinterface

Hello, I'm encountering a problem with a new setup. I've created an interface on a Fortinet device with many VLAN subinterfaces. When Router 1 connects to VLAN 3, no problem (red arrow). When a LAN host connects to VLAN 3, it doesn't work (blue arrow). I'd like to troubleshoot this problem but don't really know what to do or where to begin?! Could you help me solve this problem?
Baptiste
Contributor II

Did you check your FW policy? A common mistake is that NAT is enabled.

2 FGT 100D  + FTK200

3 FGT 60E  FAZ VM  some FAP 210B/221C/223C/321C/421E

emnoc
Esteemed Contributor III

I would start with diag debug flow and not guess what the problem is, e.g.:

diag debug reset
diag debug en
diag debug flow filter addr x.x.x.x
(x.x.x.x would be either the src or dst host, and you have other filter options)
diag debug flow show console enable
diag debug flow trace start 100

Generate some traffic from x.x.x.x to whatever's broken and monitor the trace. In 2 minutes you will know 100% if it's dropped by a policy, if it's matched by a policy, if it's dropped by rpf-checks, or IPS, etc.

btw, nice diagram outlining your setup.

After the conclusion of the diagnostic please ensure you:

diag debug reset
diag debug disable

PCNSE 

NSE 

StrongSwan  

tofke22
New Contributor

Baptiste and Emnoc, thank you for your help. Baptiste, there is no NAT on the policy rule. Emnoc, what a great tip you gave me there! The firewall talks to me now! And I can see my ping request arriving, but it is "Denied by forward host policy check". Strange, because I have created a rule from LAN to VLAN 3 (src any - dst any - svc any).
emnoc
Esteemed Contributor III

"Denied by forward host policy check"

Good, so now you know for sure and don't have to guess. Are you 100% on the firewall policy for those interfaces? The message typically means: your firewall policy ordering is wrong? Your policy is missing? What I would do is go into the WebGUI, filter on SRC interface LAN (assuming that is the interface that's having problems) and then DST interface vlan3 (once again assuming that's the destination) and just scan through your firewall policies. One of those policies should match your traffic if correct. Let us know what you find, and I will repeat myself: diag debug flow is your best friend.

tofke22
New Contributor

Youhou, I found the problem! A misconfigured zone in a rule. By default there is a lan zone name, and we have used wan2 for the lan. Thanks a lot for your very useful help!
emnoc
Esteemed Contributor III

Just send us a check for consulting fees at 2 hours and 150 p/hr. Glad it worked out for you.

Sean_Toomey_FTNT

Just adding a couple of additional commands for those doing diag debug flow:

diag debug reset
diag debug ena
diag debug flow show function enable
diag debug flow show console enable
diag debug flow filter <filter>
diag debug flow trace start <count>

This turns on additional verbosity that can help identify the issue. Also don't forget you can easily do a packet capture from the GUI in Wireshark format. You can also kind of do this in the CLI, but you have to convert it first. The GUI is much easier in this regard :) Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
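The thread's root cause was a policy written against the default "lan" zone while the LAN was actually cabled into wan2, so a first-match policy lookup never found a rule and the debug flow reported a policy-check denial. The following model, added here as an illustration and not code from the thread or from Fortinet, reproduces that behaviour: a top-down first-match lookup over policies with interface/zone matching, run against a constructed ICMP packet from a LAN host to VLAN 3. The interface names (internal1, internal2, wan2, vlan3), the zone membership table, the addresses, and the verdict strings are all assumptions chosen to mirror the thread; it also goes one step beyond the thread by showing emnoc's other suggested cause, a deny rule ordered above the intended accept rule.

```python
"""First-match firewall policy lookup with zone membership (added example).

Models why a rule whose source interface is the "lan" zone never matches
traffic that arrives on wan2, and why a deny rule ordered above an accept
rule wins. Interface names, zone membership, addresses and verdict strings
are constructed for illustration, not taken from a real FortiGate.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str = "0.0.0.0/0"   # "any"
    dstaddr: str = "0.0.0.0/0"   # "any"
    service: str = "any"         # "any" or "<proto>/<port>", e.g. "tcp/22"
    action: str = "accept"
    nat: bool = False


@dataclass
class Packet:
    ingress: str   # interface the packet arrived on
    egress: str    # interface chosen by the route lookup
    src: str
    dst: str
    proto: str
    dport: int


# Constructed zone table: the default "lan" zone contains the internal ports,
# but this site plugged its LAN into wan2, which is not a member.
ZONES = {"lan": {"internal1", "internal2"}}


def intf_matches(policy_intf: str, pkt_intf: str) -> bool:
    """A policy interface matches 'any', the interface itself, or a zone that contains it."""
    if policy_intf in ("any", pkt_intf):
        return True
    return pkt_intf in ZONES.get(policy_intf, set())


def service_matches(policy_service: str, pkt: Packet) -> bool:
    if policy_service == "any":
        return True
    proto, port = policy_service.split("/")
    return proto == pkt.proto and int(port) == pkt.dport


def lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """Top-down first match over the policy table; None means no rule matched (implicit deny)."""
    for p in policies:
        if (intf_matches(p.srcintf, pkt.ingress)
                and intf_matches(p.dstintf, pkt.egress)
                and ip_address(pkt.src) in ip_network(p.srcaddr)
                and ip_address(pkt.dst) in ip_network(p.dstaddr)
                and service_matches(p.service, pkt)):
            return p
    return None


def verdict(policies: List[Policy], pkt: Packet) -> str:
    """Summarise the lookup as a verdict line; policy 0 denotes the implicit deny."""
    p = lookup(policies, pkt)
    if p is None or p.action != "accept":
        pid = 0 if p is None else p.policy_id
        return f"Denied by forward policy check (policy {pid})"
    return f"Allowed by Policy-{p.policy_id}" + (" (NAT)" if p.nat else "")


# Constructed traffic: a LAN host (on wan2) pinging a host on VLAN 3.
LAN_TO_VLAN3 = Packet(ingress="wan2", egress="vlan3", src="192.168.10.20",
                      dst="192.168.3.10", proto="icmp", dport=0)

# Before: rule written against the "lan" zone; wan2 is not a member, so nothing matches.
BROKEN = [Policy(1, "lan", "vlan3")]
# After: rule names the interface the LAN is actually connected to.
FIXED = [Policy(1, "wan2", "vlan3")]
# Ordering mistake: a broad deny sits above the accept rule and is matched first.
MISORDERED = [Policy(2, "any", "vlan3", action="deny"), Policy(1, "wan2", "vlan3")]

if __name__ == "__main__":
    print(verdict(BROKEN, LAN_TO_VLAN3))      # Denied by forward policy check (policy 0)
    print(verdict(FIXED, LAN_TO_VLAN3))       # Allowed by Policy-1
    print(verdict(MISORDERED, LAN_TO_VLAN3))  # Denied by forward policy check (policy 2)
```

Running it prints the three verdicts in order: the zone-based rule gives an implicit deny, the corrected rule accepts, and the mis-ordered table denies on the broad rule even though the intended accept rule exists below it. This mirrors the advice in the thread: filter the policy table on the real source and destination interfaces, then confirm with diag debug flow rather than guessing.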