Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Phill1
New Contributor

Website not ping/trace/accessible

I have one website I can't access behind FG, I check on cli from FG to do traceroute to that website IP but no result for next hop (router) even no ping but other websites I can ping and when do traceroute i can see the hops, so I tried from router bypass FG it is pingable, please ur support how to troubleshoot 

8 REPLIES 8
msolanki
Staff
Staff

Hello,

Please check the firewall policy if it's not allowed then firewall block the traffic .

You can sniff and debug also to see if traffic from the source hits to firewall.

Mrinmoy
Staff
Staff

1. What are the websites? (If no concern, you can share it here)

2. Did you try from another computer that is not behind the fortigate?

3. Is it related to only one specific website?

4. What is your DNS server? Have you tried nslookup?

5. While pinging the website, can you please try to capture the sniffer and try to see if it leaving the fortigate or not?

6. Are you using any UTM? If yes, can you please try to bypass them?

Mrinmoy Purkayastha
abarushka
Staff
Staff

Hello,

 

I would recommend to collect debug flow and sniffer while trying to ping:

 

Sniffer

 

diagnose sniffer packet any 'host <destination IP address>' 4 0 a

 

Debug flow

 

diagnose debug flow filter daddr <destination IP address>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

FortiGate
mauromarme
Staff
Staff

Hello @Phill1 

The traffic could be blocked by FortiGate because there is no Firewall Policy or because there is a Missconfiguration on a Firewall Policy.
Please, execute the commands below, they may help you to determine whats happening:

diag debug reset
diag debug flow filter addr <Internal Host Address> <Website Public Address> and
diag debug flow show function-name enable
diag debug flow trace start 999
diag debug enable

Thanks!


Mauricio Marin
Fortinet TAC Senior Engineer
Phill1
New Contributor

I did sniffer, I can see traffic sent OUT to WAN interface but no traffic come back, also I checked the policy I can see traffic action Permit, I did ping I can see SYN only from FG Source to website destination but no reply,  I used IP instead of hostname same result, I did this also from FG cli to bypass policy but same result, but when I do from router it is pingable

abarushka

Hello,

 

I suspect that there is some filtering on the router side. You may consider to check whether there is access list on router side configured.

FortiGate
Phill1
New Contributor

When do traceroute from FG I can't see next hop(router), if they have ACL on router at least it should I see next hop(router) right 

abarushka

Hello,

 

ICMP is either filtered or ICMP response is disabled. In current scenario I suspect that ICMP is filtered.

FortiGate
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors