Support Forum
Matie
New Contributor

What is missing - Routing, NAT or Policy

Hello, I am a beginner with FortiGate and I would like to know what I should do to get this working. I have port 1 configured as a management port. It is on DHCP and its address is 192.168.76.130. The client is configured as a DHCP client and its address is in that network, 192.168.76.0/24 (before .129, now actually .135). On the FortiGate I have configured a DHCP server on port 8. Its current IP address is 192.168.21.1/24, and the DHCP client has 192.168.21.100/24. Please check the pictures. What should I configure if I want to ping from one side to the other? From 192.168.76.135 to 192.168.21.100. I don't know whether I have to set a default route, NAT it, or configure some kind of policy. Can you help? Take the management port as the internet and the DHCP client as a private network. I hope it's clear. Thank you.

Attachments: Connection.jpg, Ping from DHCP Client.jpg, Ping.jpg, Ports Configuration.jpg

zhiqiang
New Contributor II

Can you share the policy for the FortiGate?

Matie
New Contributor

Hi, I didn't create a policy. I tried to create one, but it didn't work, so I deleted it and now there is only the implicit deny. I am waiting for someone to suggest how the policy should look. Everything is blank. There is no route, no NAT and no policy. How should I configure the policy? Thanks

Zhuo
New Contributor III

Hi Matie.
Please check the firewall policy.

The problem should be in the FortiGate's IPv4 policy.

Best regards.

Zhuo
New Contributor III

Hi Matie.
The FortiGate needs two IPv4 policy rules:

Rule 1: port8 to port1
Rule 2: port1 to port8

This allows the two sides to communicate with each other.

Zhuo
New Contributor III

No need to enable NAT.

Matie
New Contributor

Hi Zhuo

I actually tried that. I was able to reach and ping from 192.168.21.100 to 192.168.76.135 (port 8 to port 1 worked) but not vice versa. I set source and destination to ALL and also the service to ALL. I am at work now. Once I am at home I will share pictures of the policies and the results of these policies.

Zhuo
New Contributor III

Good, Matie.
Note: you need to open two IPv4 policies:
Rule 1: port8 to port1
Rule 2: port1 to port8

Matie
New Contributor

Hi Zhuo. I have set the policies as you told me. However, I cannot ping from Net to Private. Please check the pictures. Notice that the address range has changed because of DHCP on the Net side. I can ping from Private, that is from 192.168.21.100 to Net 192.168.76.129, but I cannot ping vice versa although the policies are in place. It looks like all traffic is denied by the implicit deny. I don't know why. NAT is enabled, but that is not the problem; I have tried it without NAT as well.
Attachments: Firewall Policies.jpg, Permit all from Net.jpg, Permit all from Private.jpg, Ping from Net.jpg, Ping from private.jpg
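The two-policy setup Zhuo describes (port8 to port1 and port1 to port8), written out as FortiOS CLI, followed by the check to run when a ping from the Net side still appears to hit the implicit deny. This is an added example, not configuration posted in the thread. The interface names port1 and port8 and the subnets 192.168.76.0/24 and 192.168.21.0/24 come from the posts; the address-object names, policy names and policy IDs are assumptions. The policies are scoped to the two subnets and to the built-in PING service rather than all/all with service ALL, since port1 is being treated as the internet side and an all/all accept from it into the private network is wider than a ping test needs.

```fortios
# Added example (not from the thread). Interface and subnet values are
# taken from the posts; object names and policy IDs are assumed.

# Address objects for the two sides.
config firewall address
    edit "NET_192.168.76.0"
        set subnet 192.168.76.0 255.255.255.0
    next
    edit "PRIV_192.168.21.0"
        set subnet 192.168.21.0 255.255.255.0
    next
end

# Rule 1: Private (port8) to Net (port1).
# Rule 2: Net (port1) to Private (port8).
# NAT is disabled on both, as Zhuo says it is not required for this test.
config firewall policy
    edit 1
        set name "Private-to-Net-PING"
        set srcintf "port8"
        set dstintf "port1"
        set srcaddr "PRIV_192.168.21.0"
        set dstaddr "NET_192.168.76.0"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
    edit 2
        set name "Net-to-Private-PING"
        set srcintf "port1"
        set dstintf "port8"
        set srcaddr "NET_192.168.76.0"
        set dstaddr "PRIV_192.168.21.0"
        set action accept
        set schedule "always"
        set service "PING"
        set nat disable
        set logtraffic all
    next
end

# Check: trace ICMP (proto 1) to/from the private client while pinging
# from the Net side. The output names the ingress interface, the route
# lookup and the policy ID that matched (or "iprope_in_check" / policy 0
# for the implicit deny), which is what the screenshots cannot show.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.21.100
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# ... run: ping 192.168.21.100 from the 192.168.76.x host ...
diagnose debug disable
diagnose debug reset
```

One thing to verify before blaming the policy: port1 is itself a DHCP client on 192.168.76.0/24, so the FortiGate is not that network's default gateway. An echo request from 192.168.76.x to 192.168.21.100 is sent to the host's own gateway, not to port1, unless the host has a route for the private subnet via the FortiGate, for example `ip route add 192.168.21.0/24 via 192.168.76.130` on a Linux host (assumed OS; the posts do not say). In that case no packet reaches port1 at all, and the debug flow output will show nothing for the test. This would also account for the asymmetry reported in the thread: with NAT enabled on the port8-to-port1 policy, the Net host only ever talks to 192.168.76.130 and needs no such route, so Private-to-Net works while Net-to-Private does not. If the trace does show the packet arriving on port1 and being dropped, the line naming the matched policy ID tells you which of the two rules (or the implicit deny) is the one to fix.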
