Dear colleagues, hello.
I have:
1. Fortigate, where several networks terminate
2. Mostly, they are all isolated from one another
3. I need access from a specific IP A to IP B, from Network A to Network B and vice versa
4. I've created mirroring policies, allowing traffic from Source IP A on incoming Interface A to Destination IP B on outgoing Interface B, and created a second policy where I changed places, so the source is B and the destination is A.
5. I can ping from A to B, but can not from B to A.
No policies above that can deny that.
Any clues?
Thank you!
You didn't mention interfaces: whether A and B are connected on two different interfaces, or VLAN subinterfaces, etc. But if so, I would sniff on the interface for A while pinging from B to see if the packets are going out. If they are not going out, it's time to run "flow debug" to see why the FGT drops them. You can find many discussions and articles about flow debug on the internet.
Also mind the order of your policies! Policies are handled top-down and the first match wins the packet. So if there is a policy that matches the packet and blocks it in front of the ones you mentioned, then it will be hit instead!
Also, a reverse policy is only needed if connections shall be initiated from both sides.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for the responses.
@Toshi, A and B are both on different VLAN subs, although it's one physical.
@sw2090 can I debug somehow to check what policy treats the exact traffic from host A to host B? Thank you!
BTW is it possible to use the Virtual IP option to configure direct port mapping for internal IPs? If I want to keep the port from IP A:2002 (example) to IP B:2002 and vice versa?
You could use policy lookup in the web GUI to check this.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Could you please advise me, as I can't figure that out by myself. How can I keep a port in a local TCP session between two IPs, 192.168.10.10 and 172.18.1.1 for example? I see on an end device that the session was started from port 9002, but on the destination address it goes to 60601 for example. And I need an exact match 9002 -> 9002. I have NAT enabled and "preserve source port" as well. Can I do it via Virtual IP port mapping?
Hello,
you can configure the ports to have an exact match 9002 -> 9002. You should follow this KB: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD48438
Best regards
Benoit
@Benoit but will it work for internal IPs that are local for the Fortigate? There is no need to map external (public) IPs to local. I need to map LOCAL - LOCAL. Thank you in advance
Hello,
the KB shows external to internal IPs, but you can apply this KB to internal (or local) subnets. Basically, it's doing static NAT between your 2 networks. But, from what you request at the beginning of the post, you need to access server B (192.168.10.30) from server A (172.18.1.10), which are located on subnet B (192.168.10.10 on the FGT) and subnet A (172.18.1.1 on the FGT).
* serverB: configure either a default route, or a /32 route to 172.18.1.10 through 192.168.10.10
* serverA: configure either a default route, or a /32 route to 192.168.10.30 through 172.18.12.10
* configure a firewall policy or policies if both networks can be the source network.
If you don't use NAT, then your original ports will be kept. Otherwise, you can follow the KB and have static NAT.
Benoit
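As an added example (not from any poster in this thread), here is a FortiOS CLI session that covers two questions raised above: which policy handles a given flow (the flow-debug approach Toshi mentioned) and how to keep the original ports between two internal hosts. It assumes the addresses from Benoit's reply (server A 172.18.1.10 on VLAN interface "vlanA", server B 192.168.10.30 on "vlanB"); the interface and object names are placeholders, and the exact sub-commands can vary slightly between FortiOS releases.

```fortios
# --- 1. Watch the ICMP from B to A on the wire (sniffer, verbosity 4 shows interfaces) ---
diagnose sniffer packet any 'host 192.168.10.30 and host 172.18.1.10 and icmp' 4 0 l

# --- 2. Trace the same flow through the policy engine to see the matching policy id ---
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.10.30   # pings from server B ...
diagnose debug flow filter daddr 172.18.1.10     # ... towards server A
diagnose debug flow filter proto 1               # ICMP only
diagnose debug flow show iprope enable           # print policy lookup details
diagnose debug console timestamp enable
diagnose debug flow trace start 20               # capture the next 20 packets
diagnose debug enable
# (send the pings from B now; look for "Allowed by Policy-<id>" or "Denied by ..." / "iprope_in_check() check failed")
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# --- 3. Port-preserving access A -> B without NAT (original source and destination ports stay) ---
config firewall policy
    edit 0
        set name "A-to-B-no-nat"          # placeholder name
        set srcintf "vlanA"               # placeholder interface
        set dstintf "vlanB"               # placeholder interface
        set srcaddr "host-172.18.1.10"    # placeholder address object
        set dstaddr "host-192.168.10.30"  # placeholder address object
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                   # no source NAT, so 9002 stays 9002
    next
end

# --- 4. Alternative from the KB: static 1:1 port forward via a VIP used as dstaddr in the policy ---
config firewall vip
    edit "vip-B-9002"                     # placeholder name
        set extintf "vlanA"               # traffic arriving from subnet A
        set extip 192.168.10.30           # address clients on A connect to
        set mappedip 192.168.10.30        # real server B address
        set portforward enable
        set protocol tcp
        set extport 9002
        set mappedport 9002               # exact 9002 -> 9002 mapping
    next
end
```

In step 2 the trace prints the policy id that accepted or dropped each packet, which answers the "which policy treats this traffic" question without relying on the GUI policy lookup.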