Support Forum
filu
New Contributor

Problem with Policy

Hello,

I have two networks connected to port1 and port16 on my FG100. I want to connect from port1 to port16.

I can't ping any address in this network.

 

config of my port16

    edit "port16"
        set vdom "root"
        set ip 172.100.x.2 255.255.255.0
        set allowaccess ping https http fgfm capwap
        set type physical
        set alias "MGMT_LAB"
        set device-identification enable
        set snmp-index 4
    next

 

config of my port1

    edit "port1"
        set vdom "root"
        set ip 172.17.x.1 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
        set netflow-sampler both
        set alias " LAN"
        set device-identification enable
        set device-identification-active-scan enable
        set snmp-index 11
        set secondary-IP enable
        config secondaryip
            edit 1
                set allowaccess ping
            next
        end

 

config of my policy

    edit 40
        set name "MGMTto LAB"
        set uuid 48e6f806-ad20-51e9-08e5-b0363071ad14
        set srcintf "port1"
        set dstintf "port16"
        set srcaddr "LAN 172.16.0.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set timeout-send-rst enable
    next

Log for this policy 

 

    Date: 07/23/2019    Time: 15:23:32    Duration: 75s    Session ID: 37486893    Virtual Domain: root

    Source
        IP: 172.16.0.61
        Country/Region: Reserved
        Primary MAC: fxxx
        Source Interface: port1
        Host Name: xxx
        Device Type: Windows PC
        OS Name: Windows ME
        Unauthenticated User: xxx$
        Unauthenticated User Source: kerberos
        User: xxx$

    Destination
        IP: 172.101.0.1
        Host Name: xxx
        Country/Region: United States
        Destination Interface: port16

    Application
        Application Name: PING
        Category: unscanned
        Protocol: icmp
        Service: PING

    Data
        Received Bytes: 0 B
        Received Packets: 0
        Sent Bytes: 240 B
        Sent Packets: 4

    Action
        Action: Accept
        Policy: 40
        Policy UUID: 48e6f806-ad20-51e9-08e5-b0363071ad14
        Policy Type: policy

    Security
        Level: (empty)

    Other
        Source Interface Role: undefined
        Log ID: 13
        byod_name: skypewawa
        Protocol Number: 1
        roll: 64317
        byod_device: windows-pc
        Log event original timestamp: 1563888212
        Destination Interface Role: undefined
        dstcountry_code: US
        Source Server: 0
        Sub Type: forward
        Security Events: []

 

Should I configure something else?

orani
Contributor II

1. Your source address at the policy is not part of the source interface.

2. The source address is a network address, not a host address.

3. You might also need to configure the reverse policy.

4. At the policy config you say port 1 to port 16 (lab to mgmt) but you named the policy mgmt to lab. (This is not a misconfiguration, but it does not look right.)

Orestis Nikolaidis

Network Engineer/IT Administrator
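A quick consistency check that an administrator could run over the thread's own values, written as an added example rather than anything posted in the thread or shipped with FortiOS. The masked "x" octets are assumed to be 0, the "LAN 172.16.0.0" object is assumed to be a /16 (its definition is not shown), and port1's secondaryip address is left out because the post does not show it.

```python
import ipaddress

# Constructed from the thread: subnets directly configured on each interface.
INTERFACES = {
    "port1": ["172.17.0.1/24"],     # alias " LAN"; secondaryip address unknown
    "port16": ["172.100.0.2/24"],   # alias "MGMT_LAB"
}
# Address objects used by policy 40; the /16 mask is an assumption.
ADDRESS_OBJECTS = {"LAN 172.16.0.0": "172.16.0.0/16", "all": "0.0.0.0/0"}
POLICY = {"name": "MGMTto LAB", "srcintf": "port1", "dstintf": "port16",
          "srcaddr": "LAN 172.16.0.0", "dstaddr": "all"}
# Counters and destination taken from the FortiView log detail in the post.
SESSION = {"sent_packets": 4, "received_packets": 0, "dstip": "172.101.0.1"}


def addr_on_interface(addr_name, intf, interfaces=INTERFACES, objects=ADDRESS_OBJECTS):
    """True if the address object overlaps a subnet configured on the interface.
    Only directly connected subnets are known here; routed prefixes are not modelled."""
    net = ipaddress.ip_network(objects[addr_name], strict=False)
    if net.prefixlen == 0:  # "all" matches any interface
        return True
    return any(net.overlaps(ipaddress.ip_interface(a).network) for a in interfaces[intf])


def check_policy(policy, interfaces=INTERFACES, objects=ADDRESS_OBJECTS):
    """Return findings about source/destination objects that do not sit on their interface."""
    findings = []
    if not addr_on_interface(policy["srcaddr"], policy["srcintf"], interfaces, objects):
        findings.append(f"srcaddr {policy['srcaddr']!r} is not on srcintf {policy['srcintf']}")
    if not addr_on_interface(policy["dstaddr"], policy["dstintf"], interfaces, objects):
        findings.append(f"dstaddr {policy['dstaddr']!r} is not on dstintf {policy['dstintf']}")
    return findings


def diagnose_session(session, policy, interfaces=INTERFACES):
    """Classify an accepted session from its packet counters and destination."""
    if session["received_packets"] > 0:
        return "bidirectional"
    dst = ipaddress.ip_address(session["dstip"])
    egress = [ipaddress.ip_interface(a).network for a in interfaces[policy["dstintf"]]]
    if not any(dst in net for net in egress):
        return "one-way: destination is not on the egress interface subnet"
    return "one-way: accepted but no reply (check return route and reverse policy)"


if __name__ == "__main__":
    print(check_policy(POLICY))
    print(diagnose_session(SESSION, POLICY))
```

On the thread's values the policy check reports that the source object does not sit on port1, and the session check reports that 172.101.0.1 is not on port16's subnet, which is why the four echo requests were accepted and forwarded yet nothing came back.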
