Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

Created on ‎05-12-2025 08:52 AM Edited on ‎05-12-2025 08:53 AM

What is wrong with my policy?

Hello everybody, 

I'm working on a Fortigate 70G v7.2.11

I defined an interface: 

 

Screenshot 2025-05-12 alle 17.41.59.png

and a policy to allow the traffic:

 

Screenshot 2025-05-12 alle 17.43.18.png

 With this policy, I want to say: wherever I call you, you have to allow the traffic.

If I connect to any 70G interface (wifi, wired lan etc.), it works. I can ping 10.0.0.2.

There is only one interface for which this policy does not work:

Screenshot 2025-05-12 alle 17.46.25.png

It's the admin_tunnel (or the ipsec interface), an ipsec interface. I've already tested this ipsec tunnel for other scopes and it works fine. In fact, I already defined one policy:

 

Screenshot 2025-05-12 alle 17.47.50.png

Screenshot 2025-05-12 alle 17.51.10.png

The problem is that if I'm connected to this tunnel I can't ping 10.0.0.2 anymore.

Why is that? 

shouldn't the traffic I send out the tunnel just fall under any -> 70Gto60F (port5) the policy?

 

 

 

RDP
RDP
Labels:
440
0 Kudos
1 Solution
raffaeledp
Contributor

Created on ‎05-13-2025 06:59 AM

Hello,

thanks everybody for the answers.

The solution was a lot easier than I thought.

During the sniffing process, I couldn't see any packet on that interface.

The problem was simply that the accesibile network segment defined for the ipsec tunnels didn't contain the 10.0.0.2 address.

 

RDP

View solution in original post

RDP
355
3 REPLIES 3
AEK
SuperUser
SuperUser

Created on ‎05-12-2025 11:39 AM

Hi Rafael

In traffic log, do you see any related traffic that is denied? (you need to enable logs for the implicit deny).

You may also try with this command and share the output.

diag sniffer packet any "icmp and host 10.0.0.2" 4
AEK
AEK
412
dingjerry_FTNT
Staff
Staff

Created on ‎05-12-2025 01:10 PM

Hi @raffaeledp ,

 

You need to run debug flow commands to see why the traffic was not working as expected.

 

Also, it's better to provide your FGT config and/or the routing table info as well.

 

BTW, why do you configure the IP on port5 as 10.0.0.2/30?  This is not normal for an internal interface.

Regards,

Jerry
404
raffaeledp
Contributor

Created on ‎05-13-2025 06:59 AM

Hello,

thanks everybody for the answers.

The solution was a lot easier than I thought.

During the sniffing process, I couldn't see any packet on that interface.

The problem was simply that the accesibile network segment defined for the ipsec tunnels didn't contain the 10.0.0.2 address.

 

RDP
RDP
356
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.