I have deployed Fortigate-VM and I am able to access the GUI.
The firewall can access the internet, but as a user I can reach the firewall but have no internet connection.
I would like some help if there is any configuration needed on the ESXi or the switch where it's connected.
1 port connected for LAN and another port connected for WAN.
the output
Now we really need to run some debug.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing...
diagnose debug reset
diagnose debug flow filter saddr 10.10.100.1
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
Can you ping 192.168.100.1 from the user PC and collect the debug with additional information?
diagnose debug reset
diagnose debug flow filter saddr 10.10.100.1
diagnose debug flow filter daddr 192.168.100.1
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 10
diagnose debug enable
Hello,
As per the sniffer logs, we can see the "in" traffic on Port1 from source 10.10.100.1 but no "out" traffic, and as per the flow filter, a route lookup is happening and for every packet from 192.168.100.1 a new session is being allocated, so it seems the traffic is getting denied for some reason. To verify it we will need to collect the flow filter with iprope.
Please take the below debug and share the output.
diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr 8.8.8.8
diag debug flow filter proto 1
diag debug flow show iprop en
diag debug flow show fun en
diag debug flow trace start 1000
diag debug enable
Here x.x.x.x is the source machine IP. Once the flow filter is in place, initiate the ping from the machine to 8.8.8.8, collect the output and share.
Have you configured any DDoS policy on the FortiGate? Because it's not doing any policy lookup after the route check.
Please verify the Anomaly logs in Logs & Report -> Security Event.
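As an added example (not from this thread and not Fortinet's own tooling), a small Python script that groups constructed `diagnose debug flow` lines by `trace_id` and reports, per packet, whether a route was found and whether a policy allowed or denied it, so the pattern described above (route hit, new session per packet, but no policy verdict) stands out. The line layout (`trace_id=`, `func=`, `msg="..."`) and the sample messages are assumptions modelled on typical FortiOS flow-trace output.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the usual FortiOS flow-trace shape.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.100.254 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.100.254 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=749 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1d"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.100.254 via port2"
"""

# Assumed layout of one flow-trace line: key=value fields with a quoted msg at the end.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="([^"]*)"')
ROUTE_RE = re.compile(r"find a route: .* via (\S+)")

def parse_flow(text):
    """Group the msg strings of each packet trace by trace_id."""
    traces = defaultdict(list)
    for m in LINE_RE.finditer(text):
        traces[int(m.group(1))].append(m.group(3))
    return dict(traces)

def triage(traces):
    """Per trace_id, say how far the packet got: no route, denied, allowed,
    or a route hit with no policy verdict at all (the symptom in this thread)."""
    verdicts = {}
    for tid, msgs in sorted(traces.items()):
        route = next((ROUTE_RE.search(m) for m in msgs if m.startswith("find a route")), None)
        deny = next((m for m in msgs if m.startswith("Denied by")), None)
        allow = next((m for m in msgs if m.startswith("Allowed by")), None)
        if route is None:
            verdicts[tid] = "no route"
        elif deny:
            verdicts[tid] = f"denied via {route.group(1)}: {deny}"
        elif allow:
            verdicts[tid] = f"allowed via {route.group(1)}: {allow}"
        else:
            verdicts[tid] = f"route via {route.group(1)} but no policy verdict"
    return verdicts

if __name__ == "__main__":
    for tid, verdict in triage(parse_flow(SAMPLE)).items():
        print(f"trace {tid}: {verdict}")
```

A trace that ends like trace 3 (route found, session allocated, nothing from the forward policy handler) is the case where the iprope lookup and DoS/anomaly logs requested above are the next thing to check.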
I haven't configured anything besides a route and a policy for internet access; everything else is default.
This is getting interesting.
diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53524 1 port1
diagnose firewall iprope list 00100004
Can you share these 2 outputs?
Copyright 2024 Fortinet, Inc. All Rights Reserved.