- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Issues with GNS3 and FortiOS
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issues with GNS3 and FortiOS
Hey guys I'm having some issues where I believe it's the routing and ports on the Fortigate. I'm trying to run Fortios 6.4 but noticing I'm running into some routing issues. My setup is really basic. A PC on the LAN then the Fortigate (providing DHCP) then a router acting as the ISP to reach out to the internet. From the fortigate I can reach Google. However from the LAN side I cant reach the internet. No hops observed either. Policies, static routes etc are all fine. I came across a similar post however the guy who left the comment saying how to resolve it just ignores my PM lol.
omegle xender
Labels:
- Labels:
-
FortiGate
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Here are some helpful tips:
- Sometimes one forget to add static route to the LAN on the last router, so either add that route or NAT outgoing traffic on FGT
- Try diag debug sniffer on FGT
- Enable all logs on policy and on implicit deny policy then check traffic log
In case this doesn't work, share routing table from PC, FGT and router, and share firewall policy details.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a typical situation, and resolvable.
My first guess would be routing as well.
On the FGT, you need a default route pointing to the WAN interface.
In the outgoing policy, you need to enable NAT to the WAN interface's IP address (just tick the checkbox).
Then please check the address definition of your LAN interface, esp. the network mask. You must be able to ping the PC from the FGT's LAN side, and vice versa.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there is no specific Calculator tool or software called "Fortiplanner" associated with Fortinet or any widely known networking company like dito. However, Fortinet does offer a range of networking and security products, including wireless access points (APs)
In general, the height calculation for installing an AP is based on factors like the coverage area, signal propagation, interference, and the intended use case. To determine the ideal height for installing an AP, you typically consider the following:
Coverage Area: The size of the area you want to cover with Wi-Fi. Larger areas might require higher AP placement.
Signal Propagation: The signal strength and coverage area of the AP depend on its height. Higher installations may provide broader coverage.
fortiazy
fortiazy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rarac,
adding that if you see there is no traffic going through, it'd be good to verify.
FortiGate has a build in packet capture that allows to see live if the FortiGate receives traffic in the first place. If there is no traffic, nothing can be routed.
If there is traffic, then the sniffer can also show traffic that leaves the FortiGate. if it does not, then it has a problem finding the correct policy for a variety of reasons.
My take is usually:
- from the client, resolve some website, best with static IP.
- on FortiGate run a sniffer against that IP:
diag sniffer packet any 'host <thatIP>' 4 0 ait shows inbound interface and outbound interface if traffic passes the firewall
- if traffic is not passing firewall or leaves the wrong interface:
diag debug console timestamp enable
diag debug flow filter addr <thatIP>
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20then contact the FQDN/IP again and see what it gives you there. It shows routing decisions as well as a more or less readable policy decision.
Best regards,
Markus
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
examples:
found IP from client CLI:
PING fortinet.com (54.177.212.176) 56(84) bytes of data.ran sniffer with output:
diag sniffer packet any 'host 54.177.212.176' 4 0 a
interfaces=[any]
filters=[host 54.177.212.176]
2023-12-26 12:07:26.760932 a in 192.168.111.2 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.761005 wan1 out 92.50.117.70 -> 54.177.212.176: icmp: echo request
2023-12-26 12:07:26.931340 wan1 in 54.177.212.176 -> 92.50.117.70: icmp: echo reply
2023-12-26 12:07:26.931367 a out 54.177.212.176 -> 192.168.111.2: icmp: echo reply
^C
4 packets received by filter
0 packets dropped by kernel
ran flow trace without output:
id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=1, 192.168.111.2:10->54.177.212.176:2048) tun_id=0.0.0.0 from a. type=8, code=0, id=10, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6020 msg="allocate a new session-0000a545"
id=65308 trace_id=1 func=iprope_dnat_check line=5466 msg="in-[a], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=1 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.48.1 via wan1"
id=65308 trace_id=1 func=__iprope_fwd_check line=801 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=109, len=6"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-44, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-48, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-1, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=1 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffbffc02c364"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=1 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=1 func=get_new_addr line=1258 msg="find SNAT: IP-192.168.48.1(from IPPOOL), port-60427"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2358 msg="policy-1 is matched, act-accept"
id=65308 trace_id=1 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=1 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-1"
id=65308 trace_id=1 func=iprope_reverse_dnat_check line=1337 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0"
id=65308 trace_id=1 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=1 func=fw_forward_handler line=985 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3411 msg="SNAT 192.168.111.2->192.168.48.1:60427"Notice the route decision:
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-192.168.48.1 via wan1"
id=65308 trace_id=1 func=__iprope_fwd_check line=801 msg="in-[a], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
You can match that against your set of policies when you see this.
Best regards,
Markus
Related Posts
- FortiOS 7.2.8 WAF Event ID not... 287 Views
- FortiClient VPN - Error 6005 9970 Views
- ZTNA - tcp forwarding not working... 347 Views
- 43658 - LOG_ID_EVENT_WIRELESS_STA_DHCP_NO_RESP 296 Views
- FortiOS 7.2.7 for 1801F notices 313 Views
Labels
-
FortiGate
6,546 -
FortiClient
1,306 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiAP
335 -
FortiSwitch
333 -
FortiClient EMS
264 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
Firewall policy
24 -
FortiConnect
24 -
SD-WAN
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
FortiPAM
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.