I have one website I can't access behind FG, I check on cli from FG to do traceroute to that website IP but no result for next hop (router) even no ping but other websites I can ping and when do traceroute i can see the hops, so I tried from router bypass FG it is pingable, please ur support how to troubleshoot
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
Please check the firewall policy if it's not allowed then firewall block the traffic .
You can sniff and debug also to see if traffic from the source hits to firewall.
1. What are the websites? (If no concern, you can share it here)
2. Did you try from another computer that is not behind the fortigate?
3. Is it related to only one specific website?
4. What is your DNS server? Have you tried nslookup?
5. While pinging the website, can you please try to capture the sniffer and try to see if it leaving the fortigate or not?
6. Are you using any UTM? If yes, can you please try to bypass them?
Hello,
I would recommend to collect debug flow and sniffer while trying to ping:
Sniffer
diagnose sniffer packet any 'host <destination IP address>' 4 0 a
Debug flow
diagnose debug flow filter daddr <destination IP address>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
Hello @Phill1
The traffic could be blocked by FortiGate because there is no Firewall Policy or because there is a Missconfiguration on a Firewall Policy.
Please, execute the commands below, they may help you to determine whats happening:
diag debug reset
diag debug flow filter addr <Internal Host Address> <Website Public Address> and
diag debug flow show function-name enable
diag debug flow trace start 999
diag debug enable
Thanks!
I did sniffer, I can see traffic sent OUT to WAN interface but no traffic come back, also I checked the policy I can see traffic action Permit, I did ping I can see SYN only from FG Source to website destination but no reply, I used IP instead of hostname same result, I did this also from FG cli to bypass policy but same result, but when I do from router it is pingable
Hello,
I suspect that there is some filtering on the router side. You may consider to check whether there is access list on router side configured.
When do traceroute from FG I can't see next hop(router), if they have ACL on router at least it should I see next hop(router) right
Hello,
ICMP is either filtered or ICMP response is disabled. In current scenario I suspect that ICMP is filtered.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.