Hello,
I run into issues with a "simple" policy.
Here some screenshots to explain the problem.
One policy 16 that allows all from "dial-up" to "root-vpn0". Counters going up:
Policy lookup failed for one I am sure that one should match the above one ID 16:
A route lookup that looks good to me:
Hitting 0.0.0.0/0:
Even "diagnose debug flow" looks good:
But no page displayed on the browser on client ip-address: 10.64.1.2
Did troubleshooting with an extra switch, new extra VDOM, factory-reset restore config, but no succes.
Does anyone can give me a hint to look for?
Kind regards,
Philip
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Philip,
Check if the policy is enabled and in the right sequence: Ensure that the policy is enabled and in the right sequence to be matched. The policy sequence can be checked in the policy section of the GUI.
Clear the cache: Clear the cache in your web browser and refresh the page. This will ensure that the page is loaded with the latest information from the FortiGate unit.
Try a different browser: Try accessing the FortiGate GUI from a different browser. If the issue persists, try accessing it from a different machine.
Regards,
Shilpa
Hi,
Can you post the output for:
get router info routing-table details IP , for both IPs?
Here the requested info:
FG100D-D (root) # get router info routing-table details 10.63.1.3
Routing table for VRF=0
Routing entry for 10.63.1.0/24
Known via "ospf", distance 110, metric 11, best
Last update 00:11:34 ago
* 10.77.1.5, via dial-up_0
FG100D-D (root) # get router info routing-table details 171.22.67.34
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "ospf", distance 110, metric 10, best
Last update 00:10:27 ago
* 10.0.199.2, via root-vpn0
Kind regards,
Philip
Very strange. Maybe it's just a visual thing in the GUI ?
Does a policy lookup from the CLI say that it doesnt match any rule ?
diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>
If I understand correctly the traffic is working as expected as for the debug flow ?
The "diagnose debug flow" gives an "Allowed by Policy-16", the correct policy.
Here the output of 2 times the diagnose firewall iprope lookup:
FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 61628 171.22.67.34 443 6 dial-up
<src [10.63.1.3-61628] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49
FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49
Maybe you need dial-up_0 ?
That one looks better:
FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up_0
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up_0> matches policy id: 16
I'll check the OSPF config.
Found the problem. An upstream FortiGate had a static route.
Troubleshooting this issue, I used "Policy Lookup" on a downstream FortiGate, the FortiGate where I worked on. This one finally didn't had an issue.
But, why didn't the Policy Lookup work. Here my troubleshooting steps.
The command: diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>
This one helped me.
Here a policy match for 1 lan interface and 2 dial-up interfaces. Notice the "dial-up_1" and "dial-up_0":
In the Monitor => IPsec Monitor section, there are 2 tunnels, dial-up_0 and dial-up_1:
The policies 22, 23 and 25, see above diagnose screenshot, have counters increasing:
But the Policy Lookup:
just doesn't show up interfaces dial-up_0 and dial-up_1, instead of the lan interfaces which is shown.
The CLI diag firewall iprope lookup works, the GUI simply does not for dial-up interfaces.
Above troubleshooting was on:
FortiGate 100D
v6.2.13 build1343 (GA)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.