Firewall: FortiGate 60F
Firmware: 6.4.8 Build 1914 (GA)
Mode: NAT
NGFW Mode: Profile-based
Central SNAT: Enabled
Switches: S148FP
Switches Firmware: S148FP-v7.0.2-build0049
Issue: VLAN 30 (Workstations) cannot add a printer via TCP/IP to VLAN 60 (Printers)
Firewall policy is set wide open for traffic to pass either way, but cannot connect to any printer.
I have tried to use a NAT rule going both ways with no luck.
Also tried a multicast policy both ways with no luck.
Been going back and forth with a Fortinet tech but have gotten nowhere.
If more details are required, please let me know.
Any advice would be appreciated.
At this point there is no evidence that the FortiGate is blocking any traffic between Windows and your Printer.
Next steps I would recommend:
- Try adding the printer manually. After auto discovery fails you should be able to add the printer manually.
- Make sure the printer is listening on port 9100.
- If printer is using some other protocol you may need to add it again using IPP device type
- If you want further idea of how the printer is working, run a packet capture using Wireshark on your Windows endpoint while you add the printer successfully when the endpoint is on the same VLAN. This should show you how Windows is discovering it and which protocol it is using.
Most likely what's happening is auto discovery is not working since the printer is not on the same subnet. Need to manually configure it basically.
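The manual-add path recommended above, as an added example that is not part of the thread and not Fortinet's or Microsoft's own code. It is run on the VLAN 30 workstation and does three things in order: proves that TCP 9100 to the printer is actually open across the FortiGate, pushes a raw PJL job at the port without any driver involved, and only then creates a Standard TCP/IP port and printer object without relying on discovery. The printer address 10.100.60.40 is the one used in the debug filters posted later in this thread; the driver name, printer name and port name are assumptions and must match a driver that Get-PrinterDriver lists on the workstation. The SNMP step is a practitioner's caveat: a Standard TCP/IP port polls the printer over SNMP for status, and a port whose SNMP polling fails is shown by the spooler as an error, so the example turns it off for this port via the port's registry key.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the
# VLAN 30 workstation. Addresses come from the thread; names are assumptions.
$PrinterIp   = '10.100.60.40'                 # printer on VLAN 60 (from the thread's debug filter)
$RawPort     = 9100                           # HP JetDirect / RAW printing
$PortName    = "IP_$PrinterIp"                # assumption: any unique port name works
$DriverName  = 'Microsoft PCL6 Class Driver'  # assumption: substitute a driver from Get-PrinterDriver
$PrinterName = 'VLAN60 Printer'               # assumption

# 1. Prove the path. A good ping with a failed TCP test means the printer is not
#    listening (or a policy is dropping 9100); a good TCP test means the FortiGate
#    is passing the traffic and the remaining problem is on the spooler side.
$tnc = Test-NetConnection -ComputerName $PrinterIp -Port $RawPort -WarningAction SilentlyContinue
'{0}: ping={1} tcp/{2}={3}' -f $PrinterIp, $tnc.PingSucceeded, $RawPort, $tnc.TcpTestSucceeded
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $RawPort to $PrinterIp is not open; fix the network path before touching the spooler."
}

# 2. Driverless raw test: send a minimal PJL job straight to 9100. This is the
#    traffic a Wireshark filter of `tcp.port == 9100` should show, independent of
#    whatever Windows discovery does. Most PCL/PJL printers print the echo or at
#    least accept the connection; a reset-on-connect points at the printer config.
$esc    = [char]27
$job    = "$esc%-12345X@PJL`r`n@PJL ECHO raw-port-test`r`n$esc%-12345X"
$client = [System.Net.Sockets.TcpClient]::new($PrinterIp, $RawPort)
try {
    $stream = $client.GetStream()
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($job)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
    "Sent $($bytes.Length) bytes of PJL to ${PrinterIp}:$RawPort"
}
finally {
    $client.Close()
}

# 3. Create the port by IP (no discovery), pin it to RAW 9100, and disable the
#    port's SNMP status polling so a failed SNMP query cannot put the queue into
#    an error state. The value lives under the Standard TCP/IP Port monitor's
#    per-port key and is read by the spooler on restart.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIp -PortNumber $RawPort
}
$portKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports\$PortName"
if (Test-Path $portKey) {
    Set-ItemProperty -Path $portKey -Name 'SNMP Enabled' -Value 0 -Type DWord
    Restart-Service -Name Spooler
}

# 4. Add the printer against that port with an explicit driver, then print a test
#    page through the spooler so the job shows up on the wire on 9100.
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName
}
$printer = Get-CimInstance -ClassName Win32_Printer -Filter "Name='$PrinterName'"
Invoke-CimMethod -InputObject $printer -MethodName PrintTestPage | Out-Null
Get-Printer -Name $PrinterName | Select-Object Name, PortName, DriverName, PrinterStatus
```

If step 1 fails, nothing after it is worth running; that is the point at which a FortiGate flow trace filtered on port 9100 becomes useful, because the workstation is now genuinely sending a SYN to 9100 that the trace can either show as forwarded or as dropped with a policy ID.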
I can confirm the port is on and the port is set up correctly.
Still unable to print.
Created on 10-05-2022 10:59 AM Edited on 10-05-2022 10:59 AM
OK what is the error message? "Error - Prin...."
Can you please do a packet capture, but this time filter on port 9100.
Also try the flow trace debug with a filter on port 9100 (diagnose debug flow filter port 9100).
Then try printing and see what we see in the network traffic.
So far we have only seen SNMP traffic and it is not getting blocked.
The full message was "Error - Printing"
Here is the PCAP - https://wormhole.app/Xbp5a#E42ceDN2LDeTyD5XbRFk5w
I used the following settings for the debug.

First run, filtered on source, destination and port:
diag debug enable
diagnose debug flow filter saddr 10.100.30.22
diagnose debug flow filter daddr 10.100.60.40
diagnose debug flow filter port 9100
diag debug flow show iprope enable
diag debug flow trace start 100
diag debug enable

Second run, filtered on port only:
diag debug enable
diagnose debug flow filter port 9100
diag debug flow show iprope enable
diag debug flow trace start 100
diag debug enable
Both did not produce any output.
So there is no evidence your workstation is communicating with the printer on port 9100. At this point it's not a FortiGate issue. This is a Windows issue. Need to figure out how to get Windows to communicate with the printer on port 9100.
It's obviously trying to poll it using SNMP and that is failing. But there should be a way to override this step and add the printer using LPP or some other protocol manually. Unfortunately not a Windows expert so I can't help much more.
I would suggest posting this issue in a Windows forum. The issue you are having is that you are unable to add a printer to a workstation in a different subnet from the printer. The firewall is not blocking anything. Windows is, however, unable to add it for some reason.
I appreciate you helping me with this, and thanks for showing me ways to trace traffic.
I'll post here when I have found out the actual issue.
I forgot to mention. The printer can be discovered and be added by IP with no issues. It's not until I move the printer into a different VLAN that the problems appear.
Yes, fully aware of the fact you can add it on the same subnet; we covered that earlier.
The fact that we do not see any traffic blocked on the FortiGate, or any traffic on port 9100 in your captures when it's on the different subnet, is pretty clear evidence that it's a Windows issue. Hence why we need to take this to a Windows forum for assistance.
The only thing I could suggest doing before that is comparing a packet capture from the workstation when adding the printer when it's on the local subnet and then comparing the capture with one when it's on the different subnet.
Hi,
Is NAT enabled on the policy? If not, could you try enabling NAT and check if it brings any difference?
Best regards,
Jin