I'm happy to try and help. Are you able to provide a screenshot of the firewall policy you created for devices sourced from Internal3 > WAN1, as well as the routes currently set up, so I can see what is configured?
I would work my way from the bottom up, i.e. ensure the device has the correct IP, ensure that it can ping the default gateway, etc. If the device can ping the default gateway, that means it is reaching the firewall. If so, try doing an nslookup and see if you can resolve DNS; it could be that you have a DNS issue, or perhaps the NAT option isn't selected in your policy. I'd also run some ping/DNS tests from the firewall's WAN1 interface to ensure your external circuit is operating properly.
If you can run those tests and show me the CLI output or a screenshot of the policy in the GUI, as well as the routes, that'll be helpful in understanding what is currently configured and how the firewall will handle the traffic.
- Ethernet on device under int3 has the following settings:
  - IP: 184.108.40.206
  - DNS server: (DNS given by ISP WAN1)
Not sure if this is a typo, but the IP and gateway are the same address. As mentioned, I'd go through those tests first, confirming the IP details are required and running pings/nslookups to test connectivity to the gateway, internet, etc. This should hopefully shed some light.
I will also try to shed some light if you don't mind. Did you also try to ping 220.127.116.11? I am asking this because if you managed to do so, then maybe there is a problem with your DNS and not with the connection overall. Also, I know it is a generic question, but are your IP routes configured correctly? Because in your above screenshot I cannot detect anything wrong. (Maybe I would change the Inspection Mode to Flow just for testing.)
I am in agreement with elsantas; this is definitely an issue with either DNS or routing. Since you can resolve DNS and ping the ISP from the WAN interface, I would hazard a guess that this is a routing issue. Can you show us the routes you currently have set up?
3. From CLI, set interface to int3 (use ping-option source):
   - ping to 18.104.22.168 -> replied (not RTO)
   - ping to gateway ISP -> lost 100%
4. From CLI, set interface to wan1 (use ping-option source):
   - ping to gateway ISP -> replied
   - ping to google.com -> replied
You can run a traceroute from that source IP to see where it fails, which will help identify the issue. Can you also shed some light on the topology you have set up? I'm noticing that you're using public addressing; is this a transit network?
If you do not have any static routes set up, how are you routing traffic to the outside?
If you're using the WAN interfaces as DHCP clients, then the ISP may push the IP and a default route, in which case you don't need to configure static routes. If not, static routes will be required, which in your case may look something like this:
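As an added illustration (not the poster's configuration, and not a FortiGate running config): the FortiOS CLI shape of the default static route out wan1 and the internal3 > wan1 policy with NAT enabled that the thread keeps asking about, plus the source-interface ping/traceroute checks from the steps above. All addresses are placeholders from the 203.0.113.0/24 documentation range; substitute the ISP-assigned gateway and your internal3 subnet.

```fortios
# Default route: everything not on a directly connected subnet goes to the ISP gateway via wan1.
# If wan1 is a DHCP client and receives a default route, this entry is not needed.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1      # placeholder: ISP gateway on the wan1 segment
        set device "wan1"
    next
end

# Outbound policy: without 'set nat enable' the internal3 hosts' source addresses
# leave wan1 unchanged and the ISP has no return path, which looks like a routing fault.
config firewall policy
    edit 1
        set name "internal3-to-wan1"
        set srcintf "internal3"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set inspection-mode flow     # the mode suggested above for testing
        set logtraffic all           # log both allowed and denied sessions while debugging
    next
end

# Bottom-up checks from the firewall, sourced from the internal3 interface address
# (placeholder 203.0.113.130), separating gateway reachability from DNS resolution.
execute ping-options source 203.0.113.130
execute ping 203.0.113.1             # ISP gateway: fails here -> route/NAT problem, not DNS
execute ping 203.0.113.254           # placeholder public IP beyond the gateway
execute traceroute 203.0.113.254     # shows the hop where forwarding stops
get router info routing-table all   # confirm the 0.0.0.0/0 entry actually points at wan1
```

If the same pings succeed with `execute ping-options source <wan1 address>` but fail from the internal3 address, compare the policy's NAT setting and the routing table before looking at DNS.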