Hi,
Can someone help me with this? My server reaches the GW, but the traceroute result is not showing any hops. The policy is open to all.
Note: the server (10.3.131.150) is directly connected to the FW, whose interface IP is 10.3.131.1.
PS C:\Users\Administrator> ping 10.2.203.10
Pinging 10.2.203.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.2.203.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PS C:\Users\Administrator> tracert 10.2.203.10
Tracing route to 10.2.203.10 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
----firewall---
fwmalaz # execute ping-options source 10.3.131.1
fwmalaz # execute ping 10.2.203.10
PING 10.2.203.10 (10.2.203.10): 56 data bytes
64 bytes from 10.2.203.10: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.2.203.10: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=4 ttl=255 time=0.1 ms
--- 10.2.203.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
Hello,
So if the source and destination are:
Source IP: 10.3.131.150
Destination IP: 10.2.203.10
On the FG, the next hop for the destination is wan1 according to the provided output:
fwmalaz # get router info routing-table details 10.2.203.10
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 3, metric 0
*******, via port3
Routing entry for 0.0.0.0/0
Known via "static", distance 4, metric 0
********, via wan2
Routing entry for 0.0.0.0/0
Known via "static", distance 2, metric 0, best <---- lower distance, thus preferred over wan2 or port3
* ******, via wan1
But there is also another output:
fwmalaz # get router info routing-table details 10.2.203.10
Routing table for VRF=0
Routing entry for 10.2.203.10/32
Known via "static", distance 1, metric 0, best
* 10.50.1.1, via port1 <------
So which of the provided outputs is correct?
If the route with exit interface port1 is used, then the policy should be like this:
source interface : port4
source : 10.3.131.150
destination interface: port1
destination :10.2.203.10/32
If the latest policy you have is:
edit 26
set name "dmz_ser"
set uuid f809eafa-77ce-51ee-dab6-501fdc9dfb27
set srcintf "port4"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
Then run the sniffer and debug flow again, plus the output for the routing table:
##### Debug flow ######
# diagnose debug reset
# diagnose debug flow filter saddr 10.3.131.150
# diagnose debug flow filter daddr 10.2.203.10
# diag debug flow show function-name enable
# diag debug flow show iprope enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 9999
# diagnose debug enable
###### routing table ####
# get router info routing-table details 10.3.131.150
# get router info routing-table details 10.2.203.10
Best regards,
Fortinet
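The route selection and policy interface check the reply above walks through (most specific prefix first, then lowest administrative distance; the policy's srcintf/dstintf must match the interfaces those routes pick), as an added example that is not part of the thread and not Fortinet code. It rebuilds the routes from the quoted routing-table output; the gateways for the three default routes were masked in the post, so the 192.0.2.1 / 198.51.100.1 / 203.0.113.1 addresses are placeholders. It models plain destination routing and a forwarding policy only, not policy routes, SD-WAN rules, NAT or local-in policies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination prefix, e.g. "10.2.203.10/32"
    distance: int                  # administrative distance; lower wins at equal prefix length
    metric: int
    interface: str                 # exit interface on the FortiGate
    gateway: Optional[str] = None  # None for connected routes


# Routes from the `get router info routing-table details` output quoted in the
# thread. Default-route gateways were masked in the post: placeholders below.
ROUTES = [
    Route("0.0.0.0/0", 3, 0, "port3", "192.0.2.1"),
    Route("0.0.0.0/0", 4, 0, "wan2", "198.51.100.1"),
    Route("0.0.0.0/0", 2, 0, "wan1", "203.0.113.1"),
    Route("10.2.203.10/32", 1, 0, "port1", "10.50.1.1"),
    Route("10.3.131.0/24", 0, 0, "port4"),
]

# Policy 26 as posted; the "all" address object matches any address.
POLICY_26 = {"id": 26, "srcintf": "port4", "dstintf": "port1",
             "srcaddr": "all", "dstaddr": "all", "service": "ALL", "action": "accept"}


def best_route(dest: str, routes=ROUTES) -> Optional[Route]:
    """Longest prefix match; ties broken by lowest distance, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.metric))


def expected_interfaces(src: str, dst: str, routes=ROUTES) -> Optional[dict]:
    """Ingress interface is the route back to the source; egress is the route to the destination."""
    s, d = best_route(src, routes), best_route(dst, routes)
    if s is None or d is None:
        return None
    return {"srcintf": s.interface, "dstintf": d.interface}


def _addr_matches(obj: str, addr: str) -> bool:
    # Address objects are either the literal "all" or a CIDR prefix in this model.
    return obj == "all" or ipaddress.ip_address(addr) in ipaddress.ip_network(obj, strict=False)


def policy_matches(policy: dict, src: str, dst: str, routes=ROUTES) -> bool:
    """True if a forwarded src->dst flow would hit this policy: interfaces first, then addresses."""
    intfs = expected_interfaces(src, dst, routes)
    if intfs is None:
        return False
    return (policy["srcintf"] in ("any", intfs["srcintf"])
            and policy["dstintf"] in ("any", intfs["dstintf"])
            and _addr_matches(policy["srcaddr"], src)
            and _addr_matches(policy["dstaddr"], dst))


if __name__ == "__main__":
    print(best_route("10.2.203.10"))
    print(expected_interfaces("10.3.131.150", "10.2.203.10"))
    print(policy_matches(POLICY_26, "10.3.131.150", "10.2.203.10"))
```

With the /32 present, 10.2.203.10 leaves via port1 regardless of the default routes' distances; only a destination with no more specific route (8.8.8.8, say) falls through to wan1, and policy 26 would not match such a flow because its dstintf is port1.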
Hi,
4753 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check line=2272 msg="g num-10000f, check-3f028b24"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2243 msg="policy-4294967295 is matched, act-drop"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check line=2291 msg="g num-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=iprope_policy_group_check line= 4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
17.828898 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
--------------------------------------
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4
fwmalaz # get router info routing-table details 10.2.203.10
Routing table for VRF=0
Routing entry for 10.2.203.10/32
Known via "static", distance 1, metric 0, best
* 10.50.1.1, via port1
The issue is still not resolved. Please note that this was working before and suddenly stopped working. No idea if this is a bug or something. Any help would be much appreciated.
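Reading a `diagnose debug flow` trace like the one above by hand is error-prone, since the same policy id appears on several lines with different actions. As an added example, not part of the thread and not Fortinet tooling, the parser below groups records by trace_id and reports the last matched policy, its action and the function that made the final decision. The embedded sample copies the lines of trace 10003 from the post; trace 10004 is constructed to show what an accepted flow looks like and its "Allowed by Policy-26:" line is assumed, not taken from the thread. The id 4294967295 (0xFFFFFFFF) on the matched line is how the checker labels the implicit catch-all policy, which the final verdict line reports as policy 0.

```python
import re

TRACE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=\s*(?P<line>\d+) msg="(?P<msg>.*)"$'
)
POLICY_RE = re.compile(r'\bpolicy-(?P<policy>\d+)')
MATCHED_RE = re.compile(r'ret-matched|is matched')
ACT_RE = re.compile(r'\bact-(?P<act>accept|drop)\b')
ALLOWED_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')

# 0xFFFFFFFF: how the iprope checker labels the implicit catch-all policy;
# the final verdict line reports the same policy as "policy 0".
IMPLICIT_POLICY = 4294967295

# Trace 10003 is copied from the thread; trace 10004 is constructed to show an
# accepted flow. The trailing sniffer line is in a different format and is skipped.
SAMPLE = """\
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check line=2272 msg="g num-10000f, check-3f028b24"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check_one_policy line= 2243 msg="policy-4294967295 is matched, act-drop"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=__iprope_check line=2291 msg="g num-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=iprope_policy_group_check line= 4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-11-01 13:04:30 id=20085 trace_id=10003 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
2023-11-01 13:04:30 id=20085 trace_id=10004 func=__iprope_check_one_policy line= 2027 msg="checked gnum-100004 policy-26, ret-matched, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10004 func=__iprope_check_one_policy line= 2243 msg="policy-26 is matched, act-accept"
2023-11-01 13:04:30 id=20085 trace_id=10004 func=fw_forward_handler line=800 msg="Allowed by Policy-26:"
17.828898 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
"""


def parse_trace(text):
    """Group debug-flow records by trace_id; lines in other formats are skipped."""
    traces = {}
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            traces.setdefault(rec["trace"], []).append(rec)
    return traces


def verdict(records):
    """Final decision for one trace: last matched policy, its action, and the deciding function."""
    v = {"policy": None, "action": None, "decided_by": None, "implicit": False}
    for rec in records:
        msg = rec["msg"]
        allowed = ALLOWED_RE.search(msg)
        pol = POLICY_RE.search(msg)
        act = ACT_RE.search(msg)
        if allowed:
            v.update(policy=int(allowed.group("policy")), action="accept",
                     decided_by=rec["func"], implicit=False)
        elif pol and act and MATCHED_RE.search(msg):
            pid = int(pol.group("policy"))
            # A later "is matched, act-drop" line overrides an earlier "ret-matched, act-accept".
            v.update(policy=pid, action=act.group("act"), decided_by=rec["func"],
                     implicit=(pid == IMPLICIT_POLICY))
        elif "check failed" in msg and msg.rstrip().endswith("drop"):
            v.update(action="drop", decided_by=rec["func"])
    return v


def summarize(text):
    """Map trace_id -> verdict for every trace in a debug-flow capture."""
    return {tid: verdict(recs) for tid, recs in parse_trace(text).items()}


if __name__ == "__main__":
    for tid, v in summarize(SAMPLE).items():
        print(tid, v)
```

The deciding function is worth reading alongside the policy id: for trace 10003 it is fw_local_in_handler, i.e. the packet was dropped by the local-in check rather than in the forwarding path, which is a different place to look than the forwarding policy that looks correct on paper.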
Hello,
Please open a ticket to TAC and do not forget to mention the link for this forum post.
Best regards,
Fortinet
Copyright 2024 Fortinet, Inc. All Rights Reserved.