Support Forum
afarouk
New Contributor

Can't access internet using FortiGate VM

I have deployed FortiGate-VM and I am able to access the GUI.

The firewall can access the internet, but as a user I can reach the firewall but have no internet connection.

I would like some help if there is any configuration needed on the ESXi or the switch where it's connected.

1 port connected for LAN and another port connected for WAN.

[Attached screenshots: 1.jpg through 7.jpg]
afarouk

Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53524 1 port1
Command fail. Return code -16

Forti-VM #
Forti-VM # diagnose firewall iprope list 00100004

policy index=2 uuid_idx=311 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 12 -> zone(1): 10
source(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

policy index=1 uuid_idx=312 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

policy index=0 uuid_idx=1 action=drop
flag (8010800): d_rm master pol_stats
flag2 (4000): resolve_sso
flag3 (100): last-deny
schedule()
cos_fwd=0 cos_rev=0
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
service(1):
[0:0x0:0/(0,0)->(0,0)] flags:0 helper:auto

srajeswaran

Looks like the command is not working for ICMP. Can you run the same for DNS:

diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1

Also run "show firewall policy".

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
afarouk

Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1

Forti-VM # show firewall policy
config firewall policy
edit 1
set name "Internet"
set uuid 25faa5e8-ea6d-51ed-ff7a-43add162c322
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

srajeswaran

This output shows there is only one policy (policy ID 1), but as per "diagnose firewall iprope list 00100004" there is an additional policy (policy ID 2); not sure if this is causing the issue.

Can you restart the device (simple step), run "diagnose firewall iprope list 00100004" and test the behavior again?

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
afarouk

I did restart the VM and retested.

Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1

Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1

Forti-VM # show firewall policy
config firewall policy
edit 1
set name "Internet"
set uuid 25faa5e8-ea6d-51ed-ff7a-43add162c322
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end

afarouk

[Attached screenshot: 19.jpg]

vbandha
Staff

Did you set up the LAN subnet as a VLAN?

On the second screenshot, I see the LAN having VLAN ID 100, but on the FortiGate you don't have the VLAN configured on the LAN interface.

Can you also run these commands on the FortiGate:
exec ping-options source 10.10.100.254
exec ping 8.8.8.8

afarouk

The WAN port has a VLAN ID as well; it's for the VM to tag it on the switch to communicate with the modem, which has the same VLAN ID.

I am not getting a reply with the interface as the source.

[Attached screenshot: 12.jpg]

vbandha

Can you run the sniffer in a different CLI window and then do the ping commands again? So run this command:
diagnose sniffer packet any 'host 10.10.100.254 and icmp' 4 0 a

and after that run these in a new CLI window:
exec ping-options source 10.10.100.254
exec ping 8.8.8.8

afarouk

Forti-VM # diagnose sniffer packet any 'host 10.10.100.254 and icmp' 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.100.254 and icmp]
2023-05-04 11:38:38.857417 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:39.857481 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:40.857618 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:41.857766 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:42.857837 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request


Forti-VM # exec ping-options source 10.10.100.254

Forti-VM # exec ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Forti-VM #
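As an added illustration (not part of this thread), the following Python script parses sniffer lines in the verbosity-4 format shown above, pairs each echo request with the reply that mirrors its addresses, and lists flows that sent requests but never saw a reply. The sample input embeds the five requests from the post plus a constructed healthy exchange for a hypothetical host 10.10.100.10 so both outcomes are classified.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `diagnose sniffer packet any '<filter>' 4 0 a`
# (verbosity 4: timestamp, interface, direction, one-line decode). The first five
# lines mirror the symptom in this thread: requests leave port2, nothing returns.
# The last two are a constructed healthy exchange for hypothetical host 10.10.100.10.
SAMPLE = """\
2023-05-04 11:38:38.857417 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:39.857481 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:40.857618 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:41.857766 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:42.857837 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:40:01.000000 port2 out 10.10.100.10 -> 1.1.1.1: icmp: echo request
2023-05-04 11:40:01.012345 port2 in 1.1.1.1 -> 10.10.100.10: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dev>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)


def parse_icmp(text):
    """Return one dict per ICMP echo line; header and unrelated lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def unanswered_echo(text):
    """Map (dev, src, dst) -> (requests, replies) for every request flow seen.

    A reply is credited to the flow whose src/dst it mirrors, so a flow with
    replies == 0 is the one-way pattern from this thread."""
    counts = defaultdict(lambda: [0, 0])
    for p in parse_icmp(text):
        if p["kind"] == "request":
            counts[(p["dev"], p["src"], p["dst"])][0] += 1
        else:  # reply: swap src/dst to find the originating request flow
            counts[(p["dev"], p["dst"], p["src"])][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def one_way_flows(text):
    """Flows that sent requests but never saw a reply, sorted for stable output."""
    return sorted(k for k, (req, rep) in unanswered_echo(text).items() if req and not rep)


if __name__ == "__main__":
    for dev, src, dst in one_way_flows(SAMPLE):
        print(f"{src} -> {dst} via {dev}: requests sent, no echo reply seen")
```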
