Dear
I'm facing a traceroute issue on the FortiGate.
When I try to traceroute from the Cisco router to the FortiGate, it's not showing the route from the router to the firewall.
The FG firewall is configured behind the router.
Everything is working fine; I can ping from the router, but when I traceroute it shows *****.
When I try from the computer, it shows me the hop count.
I also tried to check from the switch; I'm getting the same result as the router, not showing the route.
please help
Thanks
In the CLI, check the PING options. Make sure the interface is the one you want to traceroute from.
Gateway # exec ping-options source
<string> auto | <source interface ip>
Also, if the other end of the traceroute is over a tunnel, make sure the source (or interface) IP is allowed over that span.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Also worth noting: for sending traceroute "request" packets, Windows uses ICMP, whereas Cisco uses UDP.
If the traceroute destination is a FG, then we expect the FG to be listed in the final line of the traceroute report. But per https://kb.fortinet.com/kb/documentLink.do?externalID=FD31967 , the FG will only respond to the Windows traceroute, not the Cisco one: "The FortiGate is designed not to allow UDP packets in the local-in policy."
If the traceroute destination is instead on the other side of a FG in NAT (Layer3/routing) mode, then we expect to see the FG listed earlier than the final line of the traceroute report. The first (typically 3) traceroute packets reaching the FG would at that point have TTL=1; the FG should reply with ICMP "Time Exceeded" packets; per https://kb.fortinet.com/kb/documentLink.do?externalID=FD33838 , Fortinet takes this seriously. But per https://forum.fortinet.com/tm.aspx?m=115674 , subsequent Windows/ICMP traceroute packets may be considered flow continuations and handled via NP hardware, which cannot reply. After the first packets (TTL=1), all other packets from the same traceroute command have TTL>1; to forward these and to allow any resulting ICMP "Time Exceeded" replies sent from further-away routers, the FG needs appropriate policies; see http://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-troubleshooting/troubleshooting_tips.... .
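Worked model of the behaviour described in the reply above (added here as an example; it is not code from any poster in this thread and not Fortinet code). It simulates a UDP-probe traceroute (Cisco IOS / Linux default) and an ICMP Echo traceroute (Windows tracert) against a constructed topology, with the FortiGate either as the destination (the original poster's case) or as a transit hop in front of a host. The FortiGate behaviour it encodes is the assumption taken from the cited KB articles: it answers ping on its interface, silently drops UDP probes addressed to itself (no ICMP Port Unreachable), sends ICMP Time Exceeded when a transit packet's TTL expires, and only forwards traffic a firewall policy permits. Addresses are RFC 5737 documentation ranges; one probe per TTL is sent instead of the usual three, and the return path for ICMP errors is assumed to be open.

```python
"""Simulation of UDP vs ICMP traceroute probes with a FortiGate in the path.

Constructed example for this forum thread, not a live network tool. The
FortiGate behaviour is an assumption taken from the replies above.
"""

from dataclasses import dataclass

UDP, ICMP = "udp", "icmp"          # probe types used by different traceroute implementations
ANY = frozenset({UDP, ICMP})


@dataclass
class Node:
    ip: str
    answers_icmp_echo: bool = True   # sends Echo Reply to a probe addressed to it
    answers_udp_probe: bool = True   # sends ICMP Port Unreachable for a UDP probe to a closed port
    forwards: frozenset = ANY        # probe types a policy lets through when the node is in transit


def fortigate(ip, policy=ANY):
    """FortiGate as described in the thread: ping answered, UDP probes to its own
    address dropped by local-in (assumption), transit forwarding subject to policy."""
    return Node(ip, answers_icmp_echo=True, answers_udp_probe=False, forwards=policy)


def send_probe(path, ttl, kind):
    """Send one probe with the given TTL along path (Nodes from first hop to destination).
    Returns (responder_ip, reply_type); a None responder is printed as '*' by traceroute."""
    for hop in path[:-1]:                   # transit devices decrement TTL before forwarding
        ttl -= 1
        if ttl == 0:
            return hop.ip, "time-exceeded"  # ICMP Time Exceeded back to the source
        if kind not in hop.forwards:
            return None, "dropped-by-policy"  # no firewall policy for this traffic: silent drop
    dest = path[-1]
    if kind == ICMP and dest.answers_icmp_echo:
        return dest.ip, "echo-reply"
    if kind == UDP and dest.answers_udp_probe:
        return dest.ip, "port-unreachable"
    return None, "no-reply"


def traceroute(path, kind, max_hops=8):
    """Per-hop responder list as traceroute would print it (one probe per TTL,
    '*' where nothing came back). Stops once the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        ip, reply = send_probe(path, ttl, kind)
        hops.append(ip or "*")
        if reply in ("echo-reply", "port-unreachable"):
            break
    return hops


def scenarios():
    """The cases discussed in the thread, on a constructed topology."""
    router = Node("192.0.2.1")                       # Cisco router, one hop from the FortiGate
    fg = fortigate("192.0.2.2")                      # FortiGate with a permit-all policy
    fg_icmp_only = fortigate("192.0.2.2", frozenset({ICMP}))  # policy forwards only ICMP
    host = Node("198.51.100.10")                     # server behind the FortiGate
    return {
        # Original poster: traceroute from the router directly to the FortiGate.
        "router_to_fg_udp": traceroute([fg], UDP),
        "router_to_fg_icmp": traceroute([fg], ICMP),
        # From a computer behind the router (Windows tracert, so ICMP).
        "pc_to_fg_icmp": traceroute([router, fg], ICMP),
        # Destination behind the FortiGate: FG shows as a transit hop via Time Exceeded,
        # but TTL>1 probes only get through if a policy allows them.
        "behind_fg_udp_no_policy": traceroute([router, fg_icmp_only, host], UDP),
        "behind_fg_udp_with_policy": traceroute([router, fg, host], UDP),
    }


if __name__ == "__main__":
    for name, hops in scenarios().items():
        print(f"{name:28s} {' -> '.join(hops)}")
```

Running it reproduces the symptom from the first post: the UDP traceroute from the router to the FortiGate shows only `*` entries for every TTL, while the ICMP traceroute lists the FortiGate on its final line, and a computer one hop further back sees both the router and the FortiGate. In the transit case the FortiGate appears as the second hop for both probe types, but a UDP traceroute past it stalls at `*` unless a policy permits that traffic.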
Copyright 2024 Fortinet, Inc. All Rights Reserved.