- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Routing Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing Issue
Hi,
My LAN Users are not able to reach the network behind DMZ Interface due to the route to the internet
0.0.0.0/0.0.0.0 to WAN. I added the route for DMZ Subnets but the users' machines are still taking the internet route. LAN Users' default gateway is the core switch and not the firewall.
LAN Users Subnet: 10.10.1.0/24
LAN Users Default GW: 10.10.1.1 (Core Switch)
Fortigate LAN Int: 10.10.1.2
Fortigate DMZ Int: 192.168.1.2
Fortigate DMZ GW: 192.168.1.1 (Cisco Router)
Once I disable the WAN Interface, users are able to reach the DMZ Subnets.
Thanks.
Labels:
- Labels:
-
FortiGate
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Based on the information provided, it seems that the issue lies with the routing configuration on your network devices. Here are a few steps you can take to troubleshoot and resolve the problem:
1. Verify the default gateway on the LAN users' machines: Confirm that the default gateway configured on the LAN users' machines is set to the IP address of the core switch (10.10.1.1). If it is not set correctly, update the default gateway to the appropriate IP address.
2. Check the routing table on the core switch: Log in to the core switch and examine its routing table. Ensure that there is a route pointing to the Fortigate LAN interface (10.10.1.2) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the core switch to direct traffic destined for the DMZ subnets to the Fortigate LAN interface.
3. Verify the routing on the Fortigate firewall: Log in to the Fortigate firewall and check its routing table. Ensure that there is a route pointing to the Cisco router (192.168.1.1) for the DMZ subnets (192.168.1.0/24). If the route is missing, add a static route on the Fortigate firewall to direct traffic destined for the DMZ subnets to the Cisco router.
4. Double-check the NAT policies: If you have NAT policies configured on the Fortigate firewall, make sure that they are not interfering with the traffic flow between the LAN users and the DMZ subnets. Verify that the NAT policies are correctly configured to allow traffic from the LAN users (10.10.1.0/24) to the DMZ subnets (192.168.1.0/24).
5. Review the firewall rules: Ensure that there are appropriate firewall rules on the Fortigate firewall to allow traffic from the LAN users to the DMZ subnets and vice versa. Check both the incoming and outgoing firewall rules on the Fortigate firewall for any restrictions or misconfigurations.
6. Consider VLAN configuration: If VLANs are being used in your network, verify that the VLAN configuration on the core switch, Fortigate firewall, and Cisco router is correctly set up to allow communication between the LAN and DMZ networks.
7. Monitor network traffic: Use network monitoring tools to capture and analyze the network traffic between the LAN users and the DMZ subnets. This can help identify any unexpected behavior or potential network issues.
If the issue persists after following these steps, it may be helpful to consult with your network administrator or contact the technical support for the specific devices involved (core switch, Fortigate firewall, and Cisco router) to further investigate and resolve the routing problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Although I checked everything before posting here, yet I will check again and revert.
Thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I connected a pc directly to the firewall and checked without the core switch but same problem. I am not able to reach the subnet behind the DMZ port. I created the static route and policy for the DMZ Network but when I am trying tracert from my PC, it is still taking the WAN route.
Any Suggestions?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you directly connected a PC, did you make the FGT's IP, like 10.10.1.2 as the default GW, instead of 10.10.1.1?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes
Created on 07-17-2023 04:08 PM Edited on 07-17-2023 04:12 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you test that again, try running a flow debug below to see how it decides a route and a policy.
diag debug reset
diag debug ena
diag debug flow filter clear
diag debug flow filter addr <the_pc's_ip>
diag debug flow trace start 10
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found the problem. I had two policies under policy routing for wan1 and wan2 access. After disabling them I am able to reach the DMZ Subnets. Is it necessary to have policy routing if we need to select different wan interfaces for different lan subnets connected behind the same LAN Interface?
I mean my LAN and WIFI Subnets are connected to the same LAN Port on the firewall and I want to use WAN1 for LAN users and WAN2 for Wifi Users.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why did you think you needed those policy routes? If you need/want to failover wan1 to wan2, generally policy routes would prevent it from happening since policy routes are "sticky" in general. Only in case like one LAN subnet needs to go out wan1 and another LAN subnet needs to go to wan2, you have to set policy routes to nail them down.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was a misunderstanding. Thanks for your help.
Related Posts
- FMG Revision - Config issues when... 77 Views
- Captive portal issue - fails to... 105 Views
- SEW Flag 73 Views
- Implementing FGSP with OSPF ECMP based... 111 Views
- SSL VPN Routing over another VPN 203 Views
Labels
-
FortiGate
6,679 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.