I have deployed Fortigate-VM and I am able to access the GUI.
The firewall can access the internet but as a users I can reach the firewall but no internet connection.
I would like some help if there is any configuration needed on the ESXI or the switch where its connected.
1 port connected for LAN and another port connected for WAN.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53524 1 port1
Command fail. Return code -16
Forti-VM #
Forti-VM # diagnose firewall iprope list 00100004
policy index=2 uuid_idx=311 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 12 -> zone(1): 10
source(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
policy index=1 uuid_idx=312 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 4 -> zone(1): 5
source(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=294,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
policy index=0 uuid_idx=1 action=drop
flag (8010800): d_rm master pol_stats
flag2 (4000): resolve_sso
flag3 (100): last-deny
schedule()
cos_fwd=0 cos_rev=0
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
service(1):
[0:0x0:0/(0,0)->(0,0)] flags:0 helper:auto
Looks like the command is not working for ICMP, can you run the same for DNS
diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
also "show firewall policy"
Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1
Forti-VM # show firewall policy
config firewall policy
edit 1
set name "Internet"
set uuid 25faa5e8-ea6d-51ed-ff7a-43add162c322
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end
This output shows there is only one policy (policy ID 1), but as per " diagnose firewall iprope list 00100004", there is an additional policy "polic id 2", not sure if this is causing the issue.
can you restart the device (simple step) and run "diagnose firewall iprope list 00100004" and test the behavior again?
Created on 05-04-2023 05:33 AM Edited on 05-04-2023 05:41 AM
i did restart the VM and retested
Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1
Forti-VM # diagnose firewall iprope lookup 10.10.100.1 59618 8.8.8.8 53 17 port1
<src [10.10.100.1-59618] dst [8.8.8.8-53] proto 17 dev port1> matches policy id: 1
Forti-VM # show firewall policy
config firewall policy
edit 1
set name "Internet"
set uuid 25faa5e8-ea6d-51ed-ff7a-43add162c322
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
end
Did you set up the LAN subnet as a VLAN?
On the second screenshot, I see LAN having VLAN ID of 100, but on fortigate you don't have the vlan configured on the LAN interface.
Can you also run these commands on fortigate:
exec ping-options source 10.10.100.254
exec ping 8.8.8.8
Created on 05-03-2023 06:21 AM Edited on 05-03-2023 06:24 AM
WAN ports has VLAN ID as well, its for the VM to tag it on the switch to communicate with the modem which has the same VLAN ID
am not getting reply with the interface as a source
Can you run the sniffer in a different CLI window and then do the ping commands again. So run this command:
diagnose sniffer packet any 'host 10.10.100.254 and icmp' 4 0 a
and after that run these in a new cli window:
exec ping-options source 10.10.100.254
exec ping 8.8.8.8
Forti-VM # diagnose sniffer packet any 'host 10.10.100.254 and icmp' 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.100.254 and icmp]
2023-05-04 11:38:38.857417 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:39.857481 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:40.857618 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:41.857766 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
2023-05-04 11:38:42.857837 port2 out 10.10.100.254 -> 8.8.8.8: icmp: echo request
Forti-VM # exec ping-options source 10.10.100.254
Forti-VM # exec ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Forti-VM #
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.