Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sean3
New Contributor

connection error if passing through fortigate for Microsoft Autopilot enrollment

Hi team,

Really a big headache here.

We are delivering desktops to users using Microsoft SCCM + Autopilot. During the Autopilot task sequences, it is very likely to give the error "Oops, you've lost internet connection", though I can open CMD and ping the Internet, and the ping works.

To eliminate our LAN infrastructure, I created a VLAN type interface on the FortiGate firewall and trunked the VLAN to our core switch, then trunked it to the access switch. Also, I set up a DHCP server under that VLAN type interface so it can assign IP addresses to the desktops during the enrollment. So the topology is like:

ISP <-> Fortigate <-> Coreswitch <-> ACCESS switch.

The VLAN type interface on FW is the gateway of the VLAN for Autopilot enrollment.

Also, to get rid of the firewall policy's impact on the traffic, I created a policy accepting all traffic from that VLAN subnet, applied no security profile to it, and I do see the traffic from that VLAN hit the policy as expected.

[screenshot: policy.PNG]

The VLAN interface configuration in the GUI is basically as below. One thing I am not sure about is the NTP and timezone: if I leave it blank, will it follow the FW's date and time? If I manually change it, will the change impact something?

[screenshots: interface conf1.PNG, interface conf2.PNG, interface conf3.PNG]

And here is the FW basic information:

[screenshot: status.PNG]

To compare, we tried using physical port 1 directly from the FW, connecting the laptop to the physical port, and the Autopilot task sequence runs very well; and I actually put the physical port and the VLAN type interface in the same firewall policy.

Can anyone give any suggestions?

hbac
Staff

Hi @sean3,

Please check the logs on FortiGate to see if the traffic is being dropped.

Regards,

mle2802
Staff

Hi @sean3,
So if you connect directly from the physical interface with a policy without any security profiles, it is working, but with the VLAN and switch it is not working, even without a security profile?

sean3
New Contributor

Exactly. But the traffic from the switch hits the same policy as the traffic directly from the physical port on the FW, and there is no drop, as I checked the traffic logs from FortiAnalyzer.
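As an added example (not code from any poster in this thread), here is the log check hbac suggests and sean3 describes, run over constructed FortiGate traffic-log lines in the key=value syslog format: it parses each line and flags sessions from the Autopilot VLAN subnet that were denied (including the implicit deny, policyid=0) or torn down before any bytes came back from the server, which a "policy hit" view alone does not reveal. The interface name, subnet and policy IDs are assumptions, and the log lines are constructed samples.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample FortiGate traffic log lines (key=value syslog format).
# The interface name "vlan50-autopilot", the subnet and policyid values are assumptions.
SAMPLE_LOGS = """\
date=2024-05-02 time=09:12:01 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=51002 srcintf="vlan50-autopilot" dstip=203.0.113.10 dstport=443 proto=6 action="accept" policyid=12 sentbyte=5120 rcvdbyte=81234
date=2024-05-02 time=09:12:03 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=51003 srcintf="vlan50-autopilot" dstip=203.0.113.11 dstport=443 proto=6 action="deny" policyid=0 sentbyte=0 rcvdbyte=0
date=2024-05-02 time=09:12:05 type="traffic" subtype="forward" srcip=10.50.1.23 srcport=51004 srcintf="vlan50-autopilot" dstip=203.0.113.12 dstport=443 proto=6 action="server-rst" policyid=12 sentbyte=1450 rcvdbyte=0
date=2024-05-02 time=09:12:07 type="traffic" subtype="forward" srcip=192.168.9.4 srcport=40000 srcintf="port1" dstip=203.0.113.12 dstport=443 proto=6 action="accept" policyid=12 sentbyte=900 rcvdbyte=2000
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one FortiGate key=value log line into a dict with quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def suspicious_sessions(log_text, subnet):
    """Return (srcip, dstip, dstport, reason) for sessions from `subnet` that were
    denied (explicit or implicit deny, policyid=0) or ended with no bytes received."""
    net = ip_network(subnet)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic" or "srcip" not in rec:
            continue  # skip event/UTM logs and malformed lines
        if ip_address(rec["srcip"]) not in net:
            continue  # only the enrollment VLAN is of interest
        action = rec.get("action", "")
        reason = None
        if action == "deny" or rec.get("policyid") == "0":
            reason = "denied (policyid=%s)" % rec.get("policyid")
        elif action in ("server-rst", "client-rst", "timeout") and rec.get("rcvdbyte") == "0":
            # session matched an accept policy but nothing ever came back
            reason = "%s with no bytes received" % action
        if reason:
            findings.append((rec["srcip"], rec["dstip"], rec["dstport"], reason))
    return findings


if __name__ == "__main__":
    for f in suspicious_sessions(SAMPLE_LOGS, "10.50.1.0/24"):
        print("%s -> %s:%s  %s" % f)
```

A session that was accepted by the policy but closed by server-rst or timeout with rcvdbyte=0 looks like "no drop" in a policy-hit view, yet it is exactly the symptom the enrollment client reports as lost connectivity.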
