Support Forum
sebastan_bach
New Contributor

Issues with setting up Fortigate VM

Hi,

I have installed FortiGate VM (64-bit) running on VMware. I have enabled 2 interfaces, WAN & LAN, & enabled management access on both interfaces. I have assigned a static IP address to each interface. The WAN interface's VM NIC mode is set to NAT & the LAN interface of the FortiGate VM NIC is set to host mode. From the FortiGate firewall I am able to ping the internet & the LAN guest VM as well. But I am not able to access the internet from the internal guest VM, though I have a policy with NAT enabled & all services allowed. Any guesses or ideas to get this working would be really helpful.

Regards

Sebastan


MikePruett
Valued Contributor

Is the VM on the proper switch with the proper IP/gateway, etc.? I would check to see if the guest VM can even ping the inside interface of the Gate (be sure to enable ping on the appropriate interface). If you can't, chances are it's a VMware issue and not a FortiGate issue.

Mike Pruett Fortinet GURU | Fortinet Training Videos
sebastan_bach

Hi Mike,

Do we need to have a dedicated management interface? I have enabled management functions on both firewall interfaces.

My inside host can ping the FortiGate LAN interface, & from the FortiGate firewall I can ping the global DNS servers 8.8.8.8 & 8.8.4.4 as well. I have a default route on the firewall as well.

But the issue is that the inside host cannot ping the internet even with an allow-all firewall policy in place.

What is the best way to troubleshoot? Any suggestions please.

Regards

Sebastan

neonbit

Hi Sebastan, you don't need a dedicated management port; enabling management on an interface would be enough.

Sounds a little weird that your internal PC can't ping through the firewall since a) the firewall can ping the internet, b) the PC can ping the firewall LAN interface, c) the allow-all policy has NAT enabled.

My suspicion is that there is a problem with the policy (are you referencing the correct interfaces?).

Ultimately the best way to test this out is to do a diag debug from the FortiGate CLI to confirm exactly where these packets are going.

Firstly make sure you are not pinging 8.8.4.4. Connect to the FortiGate CLI, then type the following commands:

diag debug flow filter daddr 8.8.4.4
diag debug flow show console enable
diag debug enable
diag debug flow trace start 3

Once this is done, start pinging 8.8.4.4 from your internal PC. Observe the FortiGate CLI output; it should confirm two key things: 1) what route/interface the packets match & 2) what policy they hit.
 

sebastan_bach

Hi,

Thanks for your troubleshooting tips. I followed the exact same steps as yours. I can see in the debug the packet for 8.8.8.8 arriving at the right port2 LAN interface. The firewall allocates a new session ID. The firewall finds a route via the configured gateway via port1, which is the WAN port, but there is no traffic passing through.

I can see the same log on the console thrice. One thing I can see is that there is no policy lookup happening after the route lookup.

Is there something very basic I am missing out here?

Regards
Sebastan
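neonbit's diag debug flow procedure above produces one console trace per packet, and the observation in this post (packet received on port2, session allocated, route found via port1, no policy lookup) is exactly what a practitioner wants to pull out of those traces quickly, together with a check of the policy table for the "are you referencing the correct interfaces?" mistake. The following is an added example, not code from the thread or from Fortinet: a small Python parser that groups debug flow lines by trace_id, records ingress interface, egress interface from the route lookup, and policy verdict, explains each trace, and lists which policies reference the traced interface pair (and which reference the same pair in the reverse direction). The sample trace lines and the policy table are constructed for this example; the line layout is modelled on FortiOS debug flow output, but the ids, addresses, interface names and policy numbers are invented.

```python
import re
from collections import OrderedDict

# Constructed sample of "diag debug flow" console output. The layout
# (id=... trace_id=... func=... msg="...") is modelled on FortiOS, but every
# value is made up for this example. Trace 1 is the symptom from the thread
# (route found, no policy verdict), trace 2 a healthy SNAT flow, trace 3 a
# hit on the implicit deny (FortiOS reports it as policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.10.20:1->8.8.4.4:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.0.1 via port1"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.10.20:1->8.8.4.4:2048) from port2. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.0.1 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3178 msg="SNAT 192.168.10.20->192.168.0.50:60000"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.10.20:1->8.8.4.4:2048) from port2. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2d"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.0.1 via port1"
id=20085 trace_id=3 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

# Constructed policy table standing in for "show firewall policy". Policy 1
# references the right two interfaces in the wrong direction (WAN -> LAN);
# policy 2 is the LAN -> WAN rule the replies in the thread ask for.
POLICIES = [
    {"id": 1, "srcintf": "port1", "dstintf": "port2", "nat": True},
    {"id": 2, "srcintf": "port2", "dstintf": "port1", "nat": True},
]

LINE_RE = re.compile(r'trace_id=(\d+)\s.*?func=(\S+)\s.*?msg="(.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\w+)\.")
SESSION_RE = re.compile(r"allocate a new session-([0-9a-f]+)")
ROUTE_RE = re.compile(r"find a route:.*\bvia (\w+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def _new_trace():
    return {"proto": None, "src": None, "dst": None, "in": None, "session": None,
            "out": None, "verdict": None, "policy": None, "snat": False}


def parse_flow_trace(text):
    """Group debug flow lines by trace_id and extract the fields that matter
    for the two questions in the thread: which interfaces, and which policy."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # console noise that is not a flow message
        tid, msg = m.group(1), m.group(3)
        t = traces.setdefault(tid, _new_trace())
        pm = PKT_RE.search(msg)
        if pm:
            t["proto"], t["src"], t["dst"], t["in"] = int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4)
            continue
        sm = SESSION_RE.search(msg)
        if sm:
            t["session"] = sm.group(1)
            continue
        rm = ROUTE_RE.search(msg)
        if rm:
            t["out"] = rm.group(1)
            continue
        am = ALLOW_RE.search(msg)
        if am:
            t["verdict"], t["policy"] = "allowed", int(am.group(1))
            continue
        dm = DENY_RE.search(msg)
        if dm:
            t["verdict"], t["policy"] = "denied", int(dm.group(1))
            continue
        if msg.startswith("SNAT "):
            t["snat"] = True
    return traces


def explain(t):
    """One-line diagnosis of a parsed trace."""
    if t["out"] is None:
        return f"no route found for {t['dst']}: check the default route on the FortiGate"
    path = f"{t['in']} -> {t['out']}"
    if t["verdict"] is None:
        return (f"route lookup chose {path} but no policy verdict was logged; "
                f"check that a policy exists with srcintf {t['in']} and dstintf {t['out']}")
    if t["verdict"] == "denied":
        return f"denied by policy {t['policy']} on {path} (policy 0 is the implicit deny)"
    nat = "with SNAT" if t["snat"] else "without SNAT"
    return f"allowed by policy {t['policy']} on {path} {nat}"


def policies_for_path(policies, in_if, out_if):
    """Return (ids matching in_if->out_if, ids written as out_if->in_if), the
    second list being the mis-referenced-interface case neonbit asks about."""
    matching = [p["id"] for p in policies if p["srcintf"] == in_if and p["dstintf"] == out_if]
    reversed_ = [p["id"] for p in policies if p["srcintf"] == out_if and p["dstintf"] == in_if]
    return matching, reversed_


if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {t['src']} -> {t['dst']} proto {t['proto']}: {explain(t)}")
        if t["in"] and t["out"]:
            ok, rev = policies_for_path(POLICIES, t["in"], t["out"])
            print(f"  policies for {t['in']}->{t['out']}: {ok}; written in reverse: {rev}")
```

Paste the real console output in place of SAMPLE_TRACE and the real policy list in place of POLICIES; a trace whose diagnosis reads "no policy verdict was logged" while the matching list is empty and the reversed list is not is the interface-swap mistake neonbit suspected.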

 

 

jwowens

I would suggest 2 things: 1) create a policy to allow traffic passing from port2 -> port1

jamesc
New Contributor

I have the same issue.

Same setup and results of diag.
