    # diagnose sniffer packet any 'host 145.238.203.14' 4
    0.634692 port1 out A.B.C.D.123 -> 145.238.203.14.123: udp 48
    0.646904 port1 in 145.238.203.14.123 -> A.B.C.D.123: udp 48

UPDATE example (doesn't work):
    # diagnose sniffer packet any 'host 208.91.112.68' 4
    8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
    11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
    17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419

I can resolve but not go out:
    firewall-a # execute traceroute update.fortiguard.net
    traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
    1 10.63.32.13 1.740 ms 1.705 ms 1.600 ms
    2 *

Normal; 10.63.32.0 is not routed over the internet. Is there a mistake in my config? What can I do about this?

Using a radius proxy server:
To forward requests from my 310B directly to update.fortiguard.net:443 via the DMZ interface (which is routed on the internet, of course). I was not able to configure it over Apache2; I get no answers from the update.fortiguard.net server. My fault?

Using VDom:
Maybe this is the only way to solve my problem? I have no Fortigate v5 for tests, but if it's the only solution, via internal FGT routing, I will try. Let me know if it's the solution for me.

Using Local-in policy:
I think this is not the solution. I have just read the docs and I think that it can't resolve this kind of problem.

Thanks for your suggestions. Sorry for my poor English.

Regards,
Adrien
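As an added example (not part of the original post, and not Fortinet code): a Python parser for verbosity-4 sniffer lines in the layout shown above, reporting flows that never received a reply and whether their source is an RFC 1918 address. The sample input is constructed from the two captures in the post, with 198.51.100.7 standing in for the redacted A.B.C.D; `LINE`, `SAMPLE` and `analyze` are names chosen here.

```python
import ipaddress
import re
from collections import defaultdict

# Packet line layout as seen in the post:
# <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <info>
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ifc>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the NTP and update captures from the post merged,
# with 198.51.100.7 as a placeholder for the redacted public address.
SAMPLE = """\
0.634692 port1 out 198.51.100.7.123 -> 145.238.203.14.123: udp 48
0.646904 port1 in 145.238.203.14.123 -> 198.51.100.7.123: udp 48
8.432481 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
11.431059 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
17.431062 port1 out 10.63.32.14.7033 -> 208.91.112.68.443: syn 4151528419
"""

def analyze(capture):
    """Return one finding per flow that saw no packet in the reverse direction."""
    flows = defaultdict(lambda: {"replies": 0, "syn_seqs": []})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything that is not a packet line
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        if (b, a) in flows:            # reverse of a flow we already track
            flows[(b, a)]["replies"] += 1
            continue
        if m["info"].startswith("syn "):
            flows[(a, b)]["syn_seqs"].append(m["info"].split()[1])
        else:
            flows[(a, b)]          # register the flow even without a SYN
    findings = []
    for (src, dst), f in flows.items():
        if f["replies"]:
            continue
        seqs = f["syn_seqs"]
        findings.append({
            "src": src[0], "dst": "%s:%d" % dst,
            "private_src": any(ipaddress.ip_address(src[0]) in n for n in RFC1918),
            # the same sequence number sent again means a retransmitted SYN
            "syn_retransmits": len(seqs) - len(set(seqs)),
        })
    return findings
```

On the sample, only the flow from 10.63.32.14 to 208.91.112.68:443 is reported: a private source address with two SYN retransmissions and no reply.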
    firewall-a # execute traceroute update.fortiguard.net
    traceroute to update.fortiguard.net (96.45.33.88), 32 hops max, 72 byte packets
    1 10.63.32.13 1.740 ms 1.705 ms 1.600 ms
    2 *

So how does the fgt get to the internet if the 10net is not NAT'd by the SP? Somewhere down the line, something/somewhere is doing a source-nat.
PCNSE
NSE
StrongSwan
    config log fortianalyzer setting
        set status enable
        set server MYANALYZER
        set enc-algorithm enable
        set source-ip MY-IP-DMZ-INTERFACE
    end

or another example that is working, DNS:
    config system dns
        set primary 8.8.8.8
        set secondary 208.91.112.52
        set source-ip MY-IP-DMZ-INTERFACE
    end
    firewall-a # get system source-ip status
    The following services force their communication to use a specific source IP address:
    service=NTP source-ip=MY-IP-DMZ-INTERFACE
    service=DNS source-ip=MY-IP-DMZ-INTERFACE
    service=FortiAnalyzer #1 source-ip=MY-IP-DMZ-INTERFACE
    service=Syslog #1 source-ip=MY-IP-DMZ-INTERFACE

EDIT 2: Here is the related documentation: FortiOS source-ip. But I do not have the example line from the docs:
    FortiGuard Updates (AV/IPS): x.x.x.x
    FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x

Impossible to find/activate it in my CLI. Is FortiGuard the updates that I'm looking for (I think)? (I have no "FortiCloud", "FortiManager", just a full UTM licence (bundle)).