Based on the information provided, it seems that the issue lies with the routing configuration on your network devices. Here are a few steps you can take to troubleshoot and resolve the problem:
1. Verify the default gateway on the LAN users' machines: Confirm that the default gateway configured on the LAN users' machines is set to the IP address of the core switch (10.10.1.1). If it is not set correctly, update the default gateway to the appropriate IP address.
2. Check the routing table on the core switch: Log in to the core switch and examine its routing table. Ensure that there is a route pointing to the Fortigate LAN interface (10.10.1.2) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the core switch to direct traffic destined for the DMZ subnets to the Fortigate LAN interface.
3. Verify the routing on the Fortigate firewall: Log in to the Fortigate firewall and check its routing table. Ensure that there is a route pointing to the Cisco router (192.168.1.1) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the Fortigate firewall to direct traffic destined for the DMZ subnets to the Cisco router.
4. Double-check the NAT policies: If you have NAT policies configured on the Fortigate firewall, make sure that they are not interfering with the traffic flow between the LAN users and the DMZ subnets. Verify that the NAT policies are correctly configured to allow traffic from the LAN users (10.10.1.0/24) to the DMZ subnets (192.168.1.0/24).
5. Review the firewall rules: Ensure that there are appropriate firewall rules on the Fortigate firewall to allow traffic from the LAN users to the DMZ subnets and vice versa. Check both the incoming and outgoing firewall rules on the Fortigate firewall for any restrictions or misconfigurations.
6. Consider VLAN configuration: If VLANs are being used in your network, verify that the VLAN configuration on the core switch, Fortigate firewall, and Cisco router is correctly set up to allow communication between the LAN and DMZ networks.
7. Monitor network traffic: Use network monitoring tools to capture and analyze the network traffic between the LAN users and the DMZ subnets. This can help identify any unexpected behavior or potential network issues.
If the issue persists after following these steps, it may be helpful to consult with your network administrator or contact the technical support for the specific devices involved (core switch, Fortigate firewall, and Cisco router) to further investigate and resolve the routing problem.
I connected a PC directly to the firewall and checked without the core switch, but I get the same problem. I am not able to reach the subnet behind the DMZ port. I created the static route and policy for the DMZ network, but when I try a tracert from my PC, it still takes the WAN route.
I have found the problem. I had two policies under policy routing for wan1 and wan2 access. After disabling them, I am able to reach the DMZ subnets. Is it necessary to have policy routing if we need to select different WAN interfaces for different LAN subnets connected behind the same LAN interface?
I mean my LAN and WiFi subnets are connected to the same LAN port on the firewall, and I want to use WAN1 for LAN users and WAN2 for WiFi users.
Why did you think you needed those policy routes? If you need/want to fail over wan1 to wan2, policy routes would generally prevent it from happening, since policy routes are "sticky". Only in a case like one LAN subnet needing to go out wan1 and another LAN subnet needing to go out wan2 do you have to set policy routes to nail them down.
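What bit the original poster is that policy routes are evaluated top-down before the routing table, so a wan1/wan2 policy route whose destination is "all" also captures LAN traffic bound for the DMZ and sends it out the WAN, exactly as the tracert showed. The way to keep the per-subnet WAN split and still reach the DMZ is to put an entry ahead of the WAN rules that matches the DMZ destination with action "deny", which in FortiOS router policy means "stop policy routing": the packet falls through to the normal routing table, where the static route for the DMZ applies. The following FortiGate CLI config is an added example written for this thread, not configuration posted by either participant. It assumes the LAN port is named "internal", LAN users are 10.10.1.0/24, WiFi users are 10.10.2.0/24, the DMZ subnet 192.168.1.0/24 is already reachable via a static route, and the ISP gateways are 203.0.113.1 on wan1 and 198.51.100.1 on wan2; all of those names and addresses are assumptions.

```fortios
# Added example, not from the thread. Assumed: LAN port "internal", LAN users
# 10.10.1.0/24, WiFi users 10.10.2.0/24, DMZ 192.168.1.0/24 already in the
# routing table via a static route, wan1 gateway 203.0.113.1, wan2 gateway
# 198.51.100.1. Entries are evaluated in order from the top.
config router policy
    # 1-2: traffic from either LAN subnet to the DMZ must NOT be policy-routed.
    #      "deny" = stop policy routing; the packet then uses the routing table,
    #      where the static route to 192.168.1.0/24 wins.
    edit 1
        set input-device "internal"
        set src "10.10.1.0/255.255.255.0"
        set dst "192.168.1.0/255.255.255.0"
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "10.10.2.0/255.255.255.0"
        set dst "192.168.1.0/255.255.255.0"
        set action deny
    next
    # 3: everything else from LAN users is nailed to wan1.
    edit 3
        set input-device "internal"
        set src "10.10.1.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    # 4: everything else from WiFi users is nailed to wan2.
    edit 4
        set input-device "internal"
        set src "10.10.2.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 198.51.100.1
        set output-device "wan2"
    next
end
```

To confirm the order the unit actually evaluates, run "diagnose firewall proute list" and check that the two deny entries are listed before the wan1/wan2 entries; then trace a ping from a LAN host to a DMZ address with "diagnose debug flow" and check that the chosen interface is the DMZ port rather than wan1. A firewall policy from the LAN interface to the DMZ interface is still required on top of this; policy routing only decides the egress interface. As the reply above notes, nailing subnets to a WAN this way also means they will not automatically fail over to the other WAN; if failover is also a requirement, SD-WAN rules on the FortiGate are the usual way to combine per-subnet steering with link health checks.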