Hey guys, I'm having some issues where I believe it's the routing and ports on the FortiGate. I'm trying to run FortiOS 6.4 but noticing I'm running into some routing issues. My setup is really basic: a PC on the LAN, then the FortiGate (providing DHCP), then a router acting as the ISP to reach out to the internet. From the FortiGate I can reach Google. However, from the LAN side I can't reach the internet. No hops observed either. Policies, static routes etc. are all fine. I came across a similar post, however the guy who left the comment saying how to resolve it just ignores my PM lol.
Hi
Here are some helpful tips:
This is a typical situation, and resolvable.
My first guess would be routing as well.
On the FGT, you need a default route pointing to the WAN interface.
In the outgoing policy, you need to enable NAT to the WAN interface's IP address (just tick the checkbox).
Then please check the address definition of your LAN interface, especially the network mask. You must be able to ping the PC from the FGT's LAN side, and vice versa.
In case this doesn't work, share the routing table from the PC, FGT and router, and share the firewall policy details.
Hi rarac,
Adding that if you see there is no traffic going through, it'd be good to verify that.
FortiGate has a built-in packet capture that lets you see live whether the FortiGate receives the traffic in the first place. If there is no traffic, nothing can be routed.
If there is traffic, then the sniffer can also show traffic that leaves the FortiGate. If it does not, then it has a problem finding the correct policy, for a variety of reasons.
My take is usually:
- from the client, resolve some website, best with static IP.
- on FortiGate run a sniffer against that IP:
diag sniffer packet any 'host <thatIP>' 4 0 a
It shows the inbound interface and outbound interface if traffic passes the firewall.
- if traffic is not passing firewall or leaves the wrong interface:
diag debug console timestamp enable
diag debug flow filter addr <thatIP>
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20
Then contact the FQDN/IP again and see what it gives you there. It shows routing decisions as well as a more or less readable policy decision.
Best regards,
Markus
Examples:
Found the IP from the client CLI:
PING fortinet.com (54.177.212.176) 56(84) bytes of data.
Ran the sniffer, with output:
diag sniffer packet any 'host 54.177.212.176' 4 0 a
interfaces=[any]
filters=[host 54.177.212.176]
2023-12-26 12:07:26.760932 a in 192.168.111.2 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.761005 wan1 out 92.50.117.70 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.931340 wan1 in 54.177.212.176 -> 92.50.117.70: icmp: echo reply
2023-12-26 12:07:26.931367 a out 54.177.212.176 -> 192.168.111.2: icmp: echo reply
^C
4 packets received by filter
0 packets dropped by kernel
Ran the flow trace, with output:
id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 192.168.111.2:10->54.177.212.176:2048) tun_id=0.0.0.0 from a. type=8, code=0, id=10, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-0000a545"
id=65308 trace_id=1 func=iprope_dnat_check line=5466 msg="in-[a], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=1 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.48.1 via wan1"
id=65308 trace_id=1 func=__iprope_fwd_check line=801 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=109, len=6"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-44, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-48, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=1 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffbffc02c364"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=1 func=get_new_addr line=1258 msg="find SNAT: IP-192.168.48.1(from IPPOOL), port-60427"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2358 msg="policy-1 is matched, act-accept"
id=65308 trace_id=1 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=1 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1337 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0"
id=65308 trace_id=1 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=1 func=fw_forward_handler line=985 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3411 msg="SNAT 192.168.111.2->192.168.48.1:60427"
Notice the route decision:
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.48.1 via wan1"
id=65308 trace_id=1 func=__iprope_fwd_check line=801 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
You can match that against your set of policies when you see this.
Best regards,
Markus
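As an added example (not part of Markus's post and not a Fortinet tool), here is a small Python script that parses the sniffer and flow-trace output shown above and applies the checklist from the earlier reply: did the packet arrive on the LAN interface at all, was a route found, which policy allowed it, was SNAT applied, and did a reply come back on the egress interface. The sample input is the poster's own output, abridged to the lines the parser keys on; treating interface "a" as the LAN interface, the regexes and the wording of the findings are assumptions of mine, and the trace parser only recognises the message formats visible in that output.

```python
import re
from collections import Counter

# Sniffer output from the post above (the poster's own sample, kept verbatim).
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 54.177.212.176]
2023-12-26 12:07:26.760932 a in 192.168.111.2 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.761005 wan1 out 92.50.117.70 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.931340 wan1 in 54.177.212.176 -> 92.50.117.70: icmp: echo reply
2023-12-26 12:07:26.931367 a out 54.177.212.176 -> 192.168.111.2: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
"""

# Flow trace from the post above, abridged to the lines the parser keys on.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 192.168.111.2:10->54.177.212.176:2048) tun_id=0.0.0.0 from a. type=8, code=0, id=10, seq=1."
id=65308 trace_id=1 func=iprope_dnat_check line=5466 msg="in-[a], out-[]"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.48.1 via wan1"
id=65308 trace_id=1 func=__iprope_fwd_check line=801 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=fw_forward_handler line=985 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3411 msg="SNAT 192.168.111.2->192.168.48.1:60427"
"""

# "<date> <time> <iface> in|out <src> -> <dst>: <proto> ..." (verbosity 4, 'a' timestamps)
SNIFFER_RE = re.compile(r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>[^:]+):")
# 'id=... trace_id=... func=<name> line=... msg="<text>"'
TRACE_RE = re.compile(r'func=(?P<func>\S+) .*?msg="(?P<msg>.*)"$')


def parse_sniffer(text):
    """Count packet lines per (interface, direction); headers and totals are ignored."""
    seen = Counter()
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            seen[(m["iface"], m["dir"])] += 1
    return seen


def parse_flow_trace(text):
    """Extract the route, in/out interface, policy and SNAT decisions from a trace."""
    flow = dict(route_gw=None, route_iface=None, in_iface=None,
                out_iface=None, policy=None, snat=None)
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        func, msg = m["func"], m["msg"]
        if func == "vf_ip_route_input_common":
            r = re.search(r"gw-(\S+) via (\S+)", msg)
            if r:
                flow["route_gw"], flow["route_iface"] = r.groups()
        elif func == "__iprope_fwd_check" and flow["in_iface"] is None:
            r = re.search(r"in-\[(\w*)\], out-\[(\w*)\]", msg)
            if r:
                flow["in_iface"], flow["out_iface"] = r.groups()
        elif func == "fw_forward_handler":
            r = re.search(r"Allowed by Policy-(\d+)", msg)
            if r:
                flow["policy"] = int(r.group(1))
        elif func == "__ip_session_run_tuple":
            r = re.search(r"SNAT \S+->(\S+):\d+", msg)
            if r:
                flow["snat"] = r.group(1)
    return flow


def diagnose(sniffer_text, trace_text, lan_iface):
    """Apply the earlier reply's checklist; return a list of problems (empty = looks fine)."""
    seen, flow = parse_sniffer(sniffer_text), parse_flow_trace(trace_text)
    problems = []
    if not seen[(lan_iface, "in")]:
        # Nothing arrived on the LAN side, so routing and policy cannot be judged yet.
        return ["no packets received on %s: check the LAN address/mask, the PC's "
                "gateway and DHCP" % lan_iface]
    if flow["route_iface"] is None:
        problems.append("no route decision in the trace: add a default route via the WAN interface")
    if flow["policy"] is None:
        problems.append("no 'Allowed by Policy' line: the packet matches no accept policy")
    elif flow["snat"] is None:
        problems.append("policy %d matched but no SNAT: enable NAT on the outgoing policy"
                        % flow["policy"])
    egress = sorted(i for (i, d), n in seen.items() if d == "out" and i != lan_iface and n)
    if not egress:
        problems.append("packets never leave a non-LAN interface")
    elif not any(seen[(i, "in")] for i in egress):
        problems.append("sent out via %s but no reply came back: check the upstream "
                        "router/ISP" % ", ".join(egress))
    return problems


if __name__ == "__main__":
    print(parse_flow_trace(SAMPLE_TRACE))
    print(diagnose(SAMPLE_SNIFFER, SAMPLE_TRACE, "a") or ["no problems found"])
```

On the poster's output the script reports no problems, because the trace shows a route via wan1, policy 1 allowing the packet, SNAT applied, and the sniffer shows the echo reply coming back on wan1 and leaving on the LAN interface. To use it on your own capture, paste the sniffer output and the flow trace into the two strings (or read them from files) and pass your LAN interface name instead of "a".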
Copyright 2024 Fortinet, Inc. All Rights Reserved.