afarouk
New Contributor

Can't access internet using FortiGate VM

I have deployed Fortigate-VM and I am able to access the GUI.

The firewall can access the internet, but as a user I can reach the firewall but have no internet connection.

I would like some help if there is any configuration needed on the ESXi host or the switch where it's connected.

1 port connected for LAN and another port connected for WAN.

[Attached screenshots: 1.jpg through 7.jpg]

afarouk

The output:

[Attached screenshots: 13.jpg, 14.jpg]

srajeswaran

Now we really need to run some debug.
Ref: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-filters-to-review-traffic-traversing...

diagnose debug reset
diagnose debug flow filter saddr 10.10.100.1
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
afarouk

[Attached screenshot: 15.jpg]

srajeswaran

Can you ping 192.168.100.1 from the user PC and collect the debug with additional information?

diagnose debug reset
diagnose debug flow filter saddr 10.10.100.1
diagnose debug flow filter daddr 192.168.100.1
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 10
diagnose debug enable

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
vsahu

Hello,

As per the sniffer logs, we can see the "in" traffic on port1 from source 10.10.100.1 but no "out" traffic. As per the flow filter, the route lookup is happening, and for every packet from 192.168.100.1 a new session is being allocated, so it seems the traffic is getting denied for some reason. To verify it we will need to collect the flow filter with iprope.

Please take the below debug and share the output:

diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr x.x.x.x
diag debug flow filter daddr 8.8.8.8
diag debug flow filter proto 1
diag debug flow show iprop en
diag debug flow show fun en
diag debug flow trace start 1000
diag debug enable

Here x.x.x.x is the source machine IP. Once the flow filter is in place, initiate the ping from the machine to 8.8.8.8, collect the output and share it.

Regards,
Vishal
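The diagnosis above rests on reading the `diagnose debug flow` output trace by trace: a healthy packet should show "received a packet", "allocate a new session", "find a route" and then an "Allowed by Policy-N" or "Denied by ..." line, and a trace that stops right after the route lookup is the symptom Vishal points at. The following Python script is an added example, not code from this thread or from Fortinet, that groups captured flow lines by trace_id and reports the last stage each packet reached. The sample lines, the 192.0.2.1 gateway and the session ids are constructed for the example; only the message strings follow the usual FortiOS debug-flow wording, so treat the matching rules as assumptions to adjust against your own capture.

```python
import re

# Constructed sample of "diagnose debug flow" output (not the poster's capture).
# Trace 1 reaches a policy, trace 2 stops after the route lookup with no policy
# check at all, and trace 3 is explicitly denied by the implicit-deny policy 0.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=786 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=3 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.10.100.1:1->8.8.8.8:2048) from port1. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=init_ip_session_common line=5762 msg="allocate a new session-00000a1d"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=3 func=fw_forward_handler line=786 msg="Denied by forward policy check (policy 0)"
"""

# One debug-flow line; search() so a leading console timestamp does not matter.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')


def parse_flow(text):
    """Group debug-flow lines by trace_id, keeping (func, msg) pairs in order."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompts, blank lines and other console noise
        tid = int(m.group(1))
        traces.setdefault(tid, []).append((m.group(2), m.group(3)))
    return traces


def verdict(steps):
    """Classify one trace by the last processing stage it reached."""
    saw_session = saw_route = False
    for _func, msg in steps:
        if "allocate a new session" in msg:
            saw_session = True
        elif msg.startswith("find a route"):
            saw_route = True
        elif msg.startswith("Allowed by Policy-"):
            return "allowed: " + msg
        elif msg.startswith("Denied by"):
            return "denied: " + msg
        elif "drop" in msg:  # e.g. reverse path check fail, iprope check failed
            return "dropped: " + msg
    if saw_route:
        # Route found but neither allow nor deny logged: the case in this thread.
        return "no policy lookup after route check"
    if saw_session:
        return "no route found"
    return "packet not processed"


def summarize_flow(text):
    """Map trace_id -> verdict string for a whole capture."""
    return {tid: verdict(steps) for tid, steps in parse_flow(text).items()}


if __name__ == "__main__":
    for tid, result in sorted(summarize_flow(SAMPLE_FLOW).items()):
        print(f"trace {tid}: {result}")
```

Paste a real capture into the script (or read it from a file) and look for traces reported as "no policy lookup after route check" or "dropped: ..."; those are the ones to take into the iprope lookup that the later replies ask for.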
afarouk
New Contributor

[Attached screenshot: 16.jpg]

afarouk

[Attached screenshot: 17.jpg]

vsahu

Have you configured any DDoS policy on the FortiGate? Because it's not doing any policy lookup after the route check.

Please verify the Anomaly logs in Logs & Report -> Security Event.

Regards,
Vishal
afarouk
New Contributor

I haven't configured anything besides a route and a policy for the internet access; everything else is default.

[Attached screenshot: 18.jpg]

srajeswaran

This is getting interesting.

diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53524 1 port1
diagnose firewall iprope list 00100004

Can you share these 2 outputs?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.