hello there,
need help please.
we use Fortigate FG-30E.
we have 2 subnet in different port.
subnet 192.168.0.0 /24 in port 1
subnet 192.168.100.0/24 in port 2
there is 1 host in port 2 with IP 192.168.100.1 as web server.
We want for all user in port 1 , enter web address 192.168.100.1, it will redirect to host 192.168.100.1 in port 2.
we have configured:
1. add IP Policy from port 1 to port 2:
- SOURCE: SUBNET 192.168.0.0/24
- DESTINATION:SUBNET 192.168.100.0/24
- NAT ON
- SERVICE ALL, time always.
- accept
2. add IP Policy from port 2 to port 1:
- SOURCE: SUBNET 192.168.0.0/24
- DESTINATION:SUBNET 192.168.100.0/24
- NAT ON
- SERVICE ALL, time always.
- accept
3. set Policy route
- incoming : port 1
- destination: subnet 192.168.100.0/24 , address: 192.168.100.1
- action: forward traffic
- outgoing interface: port 2 ; gateway: 192.168.100.1
result failed.
please advice. what we've missed here. thanks in advance
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
The configuration part looks fine, It's better to understand the traffic flow on Fortigate before considering any changes.
But, the gateway IP address configured in policy route "192.168.100.1" is a server itself hosted behind Port2 or an IP address configured on the Interface Port2? (I believe the Policy route isn't required in this case)
Run the below-mentioned commands on Fortigate simultaneously on two different SSH sessions and then initiate the traffic.
SSH1:
get sys status
di ip address list
get router info routing-table all
diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter addr 192.168.100.1
diagnose debug flow trace start 1000
diagnose debug enable
After connection failed, disable the logs by executing
diagnose debug disable
SSH2:
# diagnose sniffer packet any "host 192.168.100.1" 4 0 a
hi.
gateway in policy route is a server itself.
thanks.
Hello,
Then you may remove the policy route that doesn't appear to be necessary at this moment and gather the debug and sniffer logs.
- Need to change SRC & DEST for policy 2
- Not sure why NAT is required
- Pls share below details
get system arp
get router info routing-table details
show firewall policy
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.