peterk2020
New Contributor

Weird issue after replacing Fortigate

I'm having a weird issue with accessing a public-facing website after replacing my old Fortigate 200D with a 200F.

I have multiple VDOMs that have a few public-facing websites. VDOM A has one website and VDOM B has two websites. After replacing the Fortigate, I can't seem to access the two websites on VDOM B. I have no issue accessing the website on VDOM A from outside. The main difference between the two VDOMs is that they have a different DIA to the Internet. I'm not sure what is causing the issue. I thought the issue was my switch that is sitting between the Fortigate and the Internet provider, but I don't see anything strange in there; it is doing L2 only. Any suggestions? I had to back out and put the old 200D back in to have the network back.

kvimaladevi
Staff

Hi peterk2020,

I hope the configuration migration was done using the FortiConverter tool. We need to check whether the requests for the websites in VDOM B from the external network are reaching the firewall and whether the firewall is dropping them.

You can use the below command to check if the traffic is reaching the firewall first:

diag sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 0 a
(replace x.x.x.x with the client public IP and y.y.y.y with the server IP)

If the traffic comes in but is not forwarded, we can cross-check whether the traffic is getting dropped.

Regards,

Vimala
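As an added example (not part of the thread and not Fortinet's code), the script below does the "is it reaching the firewall, and is it being forwarded" check mechanically over the text that `diag sniffer packet any ... 4` prints: one line per packet with timestamp, interface, direction, source, destination and TCP flags. The sniffer output embedded here is constructed for illustration; the addresses, ports and interface names (port1, port3) are assumptions, not values from the thread. Note that the sample filters on the client host only: with a VIP the destination is rewritten by DNAT on the LAN leg, so a filter of `host client and host public-server-ip` shows only the WAN side and would hide whether the packet was forwarded.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of FortiOS verbosity-4 sniffer output (not captured from the poster's
# device). Flow :51000 completes the handshake through the VIP, :51001 is received on port1
# but never forwarded, :51002 is forwarded but the server never answers.
SAMPLE_SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 203.0.113.10]
2.426468 port1 in 203.0.113.10.51000 -> 198.51.100.20.443: syn 1000
2.426490 port3 out 203.0.113.10.51000 -> 10.1.1.20.443: syn 1000
2.427100 port3 in 10.1.1.20.443 -> 203.0.113.10.51000: syn 2000 ack 1001
2.427120 port1 out 198.51.100.20.443 -> 203.0.113.10.51000: syn 2000 ack 1001
3.100000 port1 in 203.0.113.10.51001 -> 198.51.100.20.443: syn 3000
3.600000 port1 in 203.0.113.10.51001 -> 198.51.100.20.443: syn 3000
4.000000 port1 in 203.0.113.10.51002 -> 198.51.100.20.443: syn 4000
4.000020 port3 out 203.0.113.10.51002 -> 10.1.1.20.443: syn 4000
"""

# timestamp iface in|out src.sport -> dst.dport: flags ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


@dataclass
class Flow:
    """What the FortiGate saw for one client connection (keyed by client ip:port)."""
    syn_in: bool = False        # client SYN arrived on some interface
    syn_out: bool = False       # FortiGate forwarded that SYN (post-DNAT leg)
    synack_in: bool = False     # server SYN-ACK came back in
    synack_out: bool = False    # FortiGate sent the SYN-ACK back to the client
    in_ifaces: set = field(default_factory=set)
    out_ifaces: set = field(default_factory=set)


def parse_sniffer(text: str) -> dict:
    """Parse verbosity-4 sniffer lines into per-client-connection Flow records."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines such as interfaces=[...] and filters=[...]
        flags = m["flags"].split()
        is_synack = "syn" in flags and "ack" in flags
        is_syn = "syn" in flags and not is_synack
        if not (is_syn or is_synack):
            continue  # only the handshake matters for this check
        # SYN: client is the source; SYN-ACK: client is the destination.
        key = (m["dst"], m["dport"]) if is_synack else (m["src"], m["sport"])
        flow = flows.setdefault(key, Flow())
        inbound = m["dir"] == "in"
        if is_synack:
            if inbound:
                flow.synack_in = True
            else:
                flow.synack_out = True
        else:
            if inbound:
                flow.syn_in = True
                flow.in_ifaces.add(m["iface"])
            else:
                flow.syn_out = True
                flow.out_ifaces.add(m["iface"])
    return flows


def diagnose(flow: Flow) -> str:
    """Map what was captured to the next place to look."""
    if not flow.syn_in:
        return "no inbound SYN captured: request never reached this FortiGate"
    if not flow.syn_out:
        return "SYN seen inbound but not forwarded: dropped by the FortiGate (policy, VIP or route)"
    if not flow.synack_in:
        return "SYN forwarded but no SYN-ACK from the server: server or return path"
    if not flow.synack_out:
        return "server SYN-ACK arrived but was not sent back out: reverse path or session mismatch"
    return "handshake passed through the FortiGate in both directions"


def triage(text: str) -> dict:
    """Return {client ip:port -> diagnosis} for every handshake in the capture."""
    return {f"{ip}:{port}": diagnose(f) for (ip, port), f in parse_sniffer(text).items()}


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_SNIFFER_OUTPUT).items():
        print(f"{client:22} {verdict}")
```

A flow that shows up only as a repeated inbound SYN with no matching "out" line is the pattern to look for in this thread: the packet did reach the new 200F, so the L2 switch is not the problem, and the next step is the firewall's own policy/VIP lookup for that VDOM.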

peterk2020

Thanks for your reply. I'll do the packet capture when I have the next maintenance scheduled.

gfleming
Staff

Can you post the VDOM B interface configs (WAN and LAN) from the 200F, VIP config for the two websites, and the Firewall Policy(ies) allowing the traffic?

Cheers,
Graham
peterk2020
New Contributor

In case anyone needs to know what happened, the issue was resolved after issuing the failover status set command to force a changeover. I'm not sure of the reason why. I'm afraid to change back to the other unit.

alif

Interesting. Maybe there was an existing session on the former Fortigate; only debug/sniffer can provide more information.

Regards,
SFA