nithishkumar
New Contributor II

Firewall not forwarding the traffic to other interface, policy not looked up

 

Hi Team,

The customer is experiencing communication issues between the BAN LAN and CHE LAN. After reviewing the policy and routing for both firewalls, it appears that the BAN FW is not forwarding traffic to the Chennai FW.

Issue Summary:

Source: port 10
Destination: port 7
Source IP: 10.80.151.185
Destination IP: 10.44.6.31

Findings:

Debug Logs:
Traffic is incoming on port 10 (LAN).
No outgoing traffic on port 7 (MPLS).

Sniffer Logs:
Requests are captured on port 10.
No output seen on port 7.

Session Traffic:
No traffic is seen in the session.

Attached are the debug logs, sniffer logs, session information, routing information, kernel logs, and configuration files for your reference.




 

Team, kindly share any ideas about this issue.

 

@nithish.k@snsin.com

 

FortiGate 

Nithishkumar S
amrit
Staff

I do not see any traffic logs. Please provide the following output 

1. get router info routing-table details 10.80.151.185

2. get router info routing-table details 10.44.6.31

3. di de flow filter addr 10.44.6.31

di de flow show function-name en

di de flow trace start 100

di de flow filter prot 1

di de en 

and ping the destination IP from the source 

Amritpal Singh
nithishkumar
New Contributor II

SSP-600E-FORTIGATE # config vdom

SSP-600E-FORTIGATE (vdom) # edit MPLS
current vf=MPLS:1

SSP-600E-FORTIGATE (MPLS) # config firewall policy

SSP-600E-FORTIGATE (policy) # edit 24

SSP-600E-FORTIGATE (24) # show
config firewall policy
edit 24
set name "Test_"
set uuid 3d97c1e8-4103-51ef-9abf-99950fe90b01
set srcintf "port10"
set dstintf "MPLS-WAN"
set action accept
set srcaddr "10.80.151.185"
set dstaddr "10.44.6.31"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

SSP-600E-FORTIGATE (24) # set auto-asic-offload disable

SSP-600E-FORTIGATE (24) # end

SSP-600E-FORTIGATE (MPLS) # diag de en

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:12:07 id=65308 trace_id=827 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19063."
2024-07-13 16:12:07 id=65308 trace_id=827 func=init_ip_session_common line=6009 msg="allocate a new session-7db6d6d8, tun_id=0.0.0.0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:07 id=65308 trace_id=827 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:07 id=65308 trace_id=827 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:12:12 id=65308 trace_id=828 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19069."
2024-07-13 16:12:12 id=65308 trace_id=828 func=init_ip_session_common line=6009 msg="allocate a new session-7db6dd33, tun_id=0.0.0.0"
2024-07-13 16:12:12 id=65308 trace_id=828 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:12 id=65308 trace_id=828 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:12 id=65308 trace_id=828 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:12 id=65308 trace_id=828 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:12 id=65308 trace_id=828 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:12:17 id=65308 trace_id=829 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19075."
2024-07-13 16:12:17 id=65308 trace_id=829 func=init_ip_session_common line=6009 msg="allocate a new session-7db6e2f9, tun_id=0.0.0.0"
2024-07-13 16:12:17 id=65308 trace_id=829 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:17 id=65308 trace_id=829 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:17 id=65308 trace_id=829 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:17 id=65308 trace_id=829 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:17 id=65308 trace_id=829 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:12:22 id=65308 trace_id=830 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19081."
2024-07-13 16:12:22 id=65308 trace_id=830 func=init_ip_session_common line=6009 msg="allocate a new session-7db6e94c, tun_id=0.0.0.0"
2024-07-13 16:12:22 id=65308 trace_id=830 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:22 id=65308 trace_id=830 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:22 id=65308 trace_id=830 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:22 id=65308 trace_id=830 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:22 id=65308 trace_id=830 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
di de did

command parse error before 'did'
Command fail. Return code -61

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:12:27 id=65308 trace_id=831 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19087."
2024-07-13 16:12:27 id=65308 trace_id=831 func=init_ip_session_common line=6009 msg="allocate a new session-7db6ef16, tun_id=0.0.0.0"
2024-07-13 16:12:27 id=65308 trace_id=831 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:27 id=65308 trace_id=831 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:27 id=65308 trace_id=831 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:27 id=65308 trace_id=831 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:27 id=65308 trace_id=831 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
di de di

SSP-600E-FORTIGATE (MPLS) # diag de en

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:15:37 id=65308 trace_id=869 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19312."
2024-07-13 16:15:37 id=65308 trace_id=869 func=init_ip_session_common line=6009 msg="allocate a new session-7db7c93c, tun_id=0.0.0.0"
2024-07-13 16:15:37 id=65308 trace_id=869 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:15:37 id=65308 trace_id=869 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:15:37 id=65308 trace_id=869 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:15:37 id=65308 trace_id=869 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:15:37 id=65308 trace_id=869 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:15:42 id=65308 trace_id=870 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19318."
2024-07-13 16:15:42 id=65308 trace_id=870 func=init_ip_session_common line=6009 msg="allocate a new session-7db7cf1b, tun_id=0.0.0.0"
2024-07-13 16:15:42 id=65308 trace_id=870 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:15:42 id=65308 trace_id=870 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:15:42 id=65308 trace_id=870 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:15:42 id=65308 trace_id=870 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:15:42 id=65308 trace_id=870 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:15:47 id=65308 trace_id=871 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19324."
2024-07-13 16:15:47 id=65308 trace_id=871 func=init_ip_session_common line=6009 msg="allocate a new session-7db7d455, tun_id=0.0.0.0"
2024-07-13 16:15:47 id=65308 trace_id=871 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:15:47 id=65308 trace_id=871 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:15:47 id=65308 trace_id=871 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:15:47 id=65308 trace_id=871 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:15:47 id=65308 trace_id=871 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # di de di

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # diag sys session filter src 10.80.151.185

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # diag sys session clear

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # diag sys session clear

SSP-600E-FORTIGATE (MPLS) # di de en

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:16:42 id=65308 trace_id=882 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19389."
2024-07-13 16:16:42 id=65308 trace_id=882 func=init_ip_session_common line=6009 msg="allocate a new session-7db8138a, tun_id=0.0.0.0"
2024-07-13 16:16:42 id=65308 trace_id=882 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:16:42 id=65308 trace_id=882 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:16:42 id=65308 trace_id=882 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:16:42 id=65308 trace_id=882 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:16:42 id=65308 trace_id=882 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:16:47 id=65308 trace_id=883 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19395."
2024-07-13 16:16:47 id=65308 trace_id=883 func=init_ip_session_common line=6009 msg="allocate a new session-7db819a8, tun_id=0.0.0.0"
2024-07-13 16:16:47 id=65308 trace_id=883 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:16:47 id=65308 trace_id=883 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:16:47 id=65308 trace_id=883 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:16:47 id=65308 trace_id=883 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:16:47 id=65308 trace_id=883 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # id de di
Unknown action 0

SSP-600E-FORTIGATE (MPLS) # di de 2024-07-13 16:16:52 id=65308 trace_id=884 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19401."
2024-07-13 16:16:52 id=65308 trace_id=884 func=init_ip_session_common line=6009 msg="allocate a new session-7db81fb7, tun_id=0.0.0.0"
2024-07-13 16:16:52 id=65308 trace_id=884 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:16:52 id=65308 trace_id=884 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:16:52 id=65308 trace_id=884 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:16:52 id=65308 trace_id=884 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:16:52 id=65308 trace_id=884 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
di

SSP-600E-FORTIGATE (MPLS) # di de en

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:18:46 id=65308 trace_id=906 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19535."
2024-07-13 16:18:46 id=65308 trace_id=906 func=init_ip_session_common line=6009 msg="allocate a new session-7db8a487, tun_id=0.0.0.0"
2024-07-13 16:18:46 id=65308 trace_id=906 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:18:46 id=65308 trace_id=906 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:18:46 id=65308 trace_id=906 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:18:46 id=65308 trace_id=906 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:18:46 id=65308 trace_id=906 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:18:51 id=65308 trace_id=907 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19541."
2024-07-13 16:18:51 id=65308 trace_id=907 func=init_ip_session_common line=6009 msg="allocate a new session-7db8aa1a, tun_id=0.0.0.0"
2024-07-13 16:18:51 id=65308 trace_id=907 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:18:51 id=65308 trace_id=907 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:18:51 id=65308 trace_id=907 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:18:51 id=65308 trace_id=907 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:18:51 id=65308 trace_id=907 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
2024-07-13 16:18:56 id=65308 trace_id=908 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19546."
2024-07-13 16:18:56 id=65308 trace_id=908 func=init_ip_session_common line=6009 msg="allocate a new session-7db8afb8, tun_id=0.0.0.0"
2024-07-13 16:18:56 id=65308 trace_id=908 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:18:56 id=65308 trace_id=908 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:18:56 id=65308 trace_id=908 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:18:56 id=65308 trace_id=908 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:18:56 id=65308 trace_id=908 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"

SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) #
SSP-600E-FORTIGATE (MPLS) # di de di

SSP-600E-FORTIGATE (MPLS) #

 

 

 

 

Nithishkumar S
ede_pfau
SuperUser

OK, in order to forward traffic, the FGT needs to have a route AND needs to have a policy allowing it.

You do not mention that this traffic is forwarded by a policy route. A policy route (PR) alone will not forward traffic. It sends packets to interfaces based on values other than the destination address - regular routes only look at the destination address to select the outbound interface.

In other words, for every PR you additionally need a regular route, so that if a packet arrives at the designated interface, the FGT knows how to forward it.

Same on the receiving end. As the FGT is a firewall in addition to being a router, it needs to know a route to the source network for each and every packet it receives. If it doesn't have such a route, it will discard the packet silently. This is called the Reverse Path Check.

 

From the logs you supplied, I can see that a policy route is hit. I cannot see the routes which are in place, nor the policies allowing such traffic.

Please check these points and, if necessary, amend the information as mentioned.

Ede Kernel panic: Aiee, killing interrupt handler!
amrit
Staff

From the below logs 

SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:12:07 id=65308 trace_id=827 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19063."
2024-07-13 16:12:07 id=65308 trace_id=827 func=init_ip_session_common line=6009 msg="allocate a new session-7db6d6d8, tun_id=0.0.0.0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:07 id=65308 trace_id=827 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:07 id=65308 trace_id=827 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"

 

The policy routing ID is higher than 65536, so I assume you are using SD-WAN for this traffic. SD-WAN is nothing but a policy route and it doesn't have precedence over the normal policy routes. As per these logs, the traffic is being forwarded to port7 gateway IP 10.206.244.161 by the SD-WAN rule.

Additionally, check which interface is associated with this ifindex-15

di netlink interface list | grep index=15

You can also check the session information

di sys session filter src 10.80.151.185

di sys session filter dst  10.44.6.31

di sys session list 

You should be able to see this traffic by running a sniffer on port7. Make sure you don't have any DoS policy restricting the ICMP traffic.

Amritpal Singh
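
The reading of the flow trace given in the reply above can be automated. The following is an added example, not part of any post in this thread: the helper names `unwrap` and `summarize` are hypothetical, and the sample input is trace 827 from the thread, embedded with its CLI prompt prefix and a wrapped line so the rejoin logic is exercised.

```python
import re

# Sample input: trace 827 from the thread, with the CLI prompt prefix on the
# first entry and a terminal line wrap inside its msg field.
SAMPLE = '''SSP-600E-FORTIGATE (MPLS) # 2024-07-13 16:12:07 id=65308 trace_id=827 func=print_pkt_detail line=5824 msg="vd-MPLS:0 received a packet(proto=1, 10.80.151.185:1->10.44.
6.31:2048) tun_id=0.0.0.0 from port10. type=8, code=0, id=1, seq=19063."
2024-07-13 16:12:07 id=65308 trace_id=827 func=init_ip_session_common line=6009 msg="allocate a new session-7db6d6d8, tun_id=0.0.0.0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5276 msg="in-[port10], out-[]"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-07-13 16:12:07 id=65308 trace_id=827 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-07-13 16:12:07 id=65308 trace_id=827 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2138832907: to 10.44.6.31 via ifindex-15"
2024-07-13 16:12:07 id=65308 trace_id=827 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-10.206.244.161 via port7"
'''

STAMP = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} id=\d+ trace_id=')
ENTRY = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"')
FIELDS = {  # func name -> (regex over msg, names given to the captured groups)
    "print_pkt_detail": (r'([\d.]+):\d+->([\d.]+):\d+\).* from (\w+)\.', ("src", "dst", "in_if")),
    "rpdb_srv_match_input": (r'policy routing id=(\d+): to \S+ via ifindex-(\d+)', ("pr_id", "ifindex")),
    "vf_ip_route_input_common": (r'gw-([\d.]+) via (\w+)', ("gw", "out_if")),
}

def unwrap(text):
    """Strip prompt prefixes and rejoin entries split by terminal line wrap."""
    entries = []
    for raw in text.splitlines():
        m = STAMP.search(raw)
        if m:
            entries.append(raw[m.start():])
        elif entries and raw.strip() and not entries[-1].endswith('"'):
            entries[-1] += raw  # continuation of an entry whose msg is still open
    return entries

def summarize(text):
    """Return {trace_id: routing facts} for a 'diag debug flow' capture."""
    traces = {}
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        trace = traces.setdefault(int(m.group(1)), {"funcs": []})
        trace["funcs"].append(m.group(2))
        if m.group(2) in FIELDS:
            pattern, names = FIELDS[m.group(2)]
            hit = re.search(pattern, m.group(3))
            if hit:
                trace.update(zip(names, hit.groups()))
    for trace in traces.values():
        # Threshold taken from the reply above: an ID above 65536 suggests SD-WAN.
        trace["sdwan_id_range"] = int(trace.get("pr_id", 0)) > 65536
        # True when the route lookup is the last function logged for the trace,
        # i.e. no later policy or forwarding line appears, as in every trace posted.
        trace["stops_at_route_lookup"] = trace["funcs"][-1] == "vf_ip_route_input_common"
    return traces

if __name__ == "__main__":
    for tid, facts in summarize(SAMPLE).items():
        print(tid, facts)
```

Run over the full capture, every trace that reports `stops_at_route_lookup` as true with `out_if` set is one where the route lookup chose an egress interface but nothing further was logged for that packet.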
nithishkumar
New Contributor II

I will check the above commands and let you know.

Nithishkumar S
nithishkumar

 

@ede_pfau ,


I am writing to seek assistance with an issue we are currently experiencing with our firewall configuration. Despite configuring static routes and policies, we have observed that the firewall is not applying these configurations as expected. Based on our debug logs, it appears that the static route and policy are not being processed by the firewall.

The main points of concern are as follows:

Our firewall does not have any policy routes configured.
We have set up static routes and policies according to standard procedures.
Debug logs indicate that the firewall policy route.

Given this situation, we are looking for guidance on how to resolve this issue. Any insights, recommendations, or troubleshooting steps you could provide would be greatly appreciated.

Thank you in advance for your support and assistance.

 

Nithishkumar S