Hi,
As you can see from the attached image, I've two different servers connected to my FortiGate 100D on two different internal ports. So I've 192.168.3.0/24 on port 3, and on port 4 I've defined many VLANs, and there is a VLAN called VLAN 70 that has the 172.16.70.0/24 subnet. Now they have to communicate using their private IPs; is it possible? I've tried to add a policy like that:
config firewall policy
    edit 114
        set name "lan port3 to VLAN 70"
        set uuid 6a55395a-b017-51e8-f2b8-e066fb5ec046
        set srcintf "port3"
        set dstintf "VLAN70"
        set srcaddr "192.168.3.190/32"
        set dstaddr "172.16.70.100/32"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
But that policy isn't matched. I've also tried to debug the connection, but I have no trace. Is it possible to do that? Thanks
I think that looks right. You're just trying to ping the host on VLAN70 from the host on port3 and it fails?
Is it possible you're hitting another security policy before this one and the ping is getting handled/blocked by that?
What do the logs say for which policy handled this ping?
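The question above is whether an earlier policy catches the ping before policy 114 does. FortiGate evaluates IPv4 policies top-down and the first full match wins, so a broader policy placed above 114 "shadows" it. The following is an added example, not code from the thread or from Fortinet: a small Python model of that first-match evaluation, with a constructed policy table in which a hypothetical policy 90 sits above the poster's policy 114. The data model, the "any"/"all"/"ALL" conventions and the policy 90 entry are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of a FortiGate IPv4 policy table (added example, not Fortinet code).
# Policies are evaluated in table order; the first one whose interfaces, addresses
# and service all match the flow decides the action. Nothing matching = implicit deny.

@dataclass
class Policy:
    policy_id: int
    name: str
    srcintf: set      # interface names, "any" matches everything (assumption)
    dstintf: set
    srcaddr: list     # list of IPv4Network objects
    dstaddr: list
    service: set      # service names; "ALL" covers every service (assumption)
    action: str       # "accept" or "deny"

def net(addr: str) -> ipaddress.IPv4Network:
    """Turn 'all' or a CIDR/host string into an IPv4 network."""
    if addr == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(addr, strict=False)

def addr_matches(nets, ip: str) -> bool:
    return any(ipaddress.IPv4Address(ip) in n for n in nets)

def intf_matches(policy_intfs, intf: str) -> bool:
    return "any" in policy_intfs or intf in policy_intfs

def service_matches(policy_services, service: str) -> bool:
    return "ALL" in policy_services or service in policy_services

def first_match(policies, srcintf, dstintf, saddr, daddr, service):
    """Return the first policy in table order that matches the flow, or None."""
    for p in policies:
        if (intf_matches(p.srcintf, srcintf)
                and intf_matches(p.dstintf, dstintf)
                and addr_matches(p.srcaddr, saddr)
                and addr_matches(p.dstaddr, daddr)
                and service_matches(p.service, service)):
            return p
    return None

# Constructed table: a hypothetical broad deny (policy 90) placed above the
# thread's policy 114. Policy 114 is copied from the poster's config.
POLICIES = [
    Policy(90, "block-lan-to-vlans", {"port3"}, {"any"},
           [net("192.168.3.0/24")], [net("172.16.0.0/16")], {"ALL"}, "deny"),
    Policy(114, "lan port3 to VLAN 70", {"port3"}, {"VLAN70"},
           [net("192.168.3.190/32")], [net("172.16.70.100/32")], {"ALL_ICMP"}, "accept"),
]

def which_policy_handles_ping(policies=POLICIES):
    """Evaluate the ping from the thread and report (policy id, action)."""
    p = first_match(policies, "port3", "VLAN70",
                    "192.168.3.190", "172.16.70.100", "ALL_ICMP")
    return (p.policy_id, p.action) if p else (None, "implicit deny")

if __name__ == "__main__":
    print("as ordered:", which_policy_handles_ping())          # (90, 'deny')
    print("114 moved up:", which_policy_handles_ping(POLICIES[::-1]))  # (114, 'accept')
```

With the constructed ordering the ping is decided by policy 90 and never reaches 114, which is exactly the situation the log's "policy ID" field would reveal; moving 114 above the broader policy makes it the match.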
tanr wrote:
I think that looks right. You're just trying to ping the host on VLAN70 from the host on port3 and it fails?
Is it possible you're hitting another security policy before this one and the ping is getting handled/blocked by that?
What do the logs say for which policy handled this ping?

I don't see anything from debug flow, that's strange.
For debug I do these commands on the console:
diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug flow show console enable
diag debug flow filter saddr 192.168.3.190
diag debug flow filter daddr 172.16.70.100
diag debug flow trace start 100
but I don't see anything when I ping from 192.168.3.190 to 172.16.70.100
If you enable ping on the port3 LAN interface itself, can you ping the interface from the host?
In any situation like this, I would always start my debugging with:
config firewall policy
    edit 114
        set auto-asic-offload disable
    next
end
then,
diag sniffer packet any 'host 192.168.3.190' 4
to see if the ping packets are arriving at port3. This would also show you which interface the same packets are going out of. But I assume they aren't going out and are dropped. At that point, I start running the debug flow.
The ASIC offload might be hiding them from your flow debug if they're arriving.
Toshi
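Toshi's sniffer step answers two questions at once: do the echo requests arrive on port3, and do they leave on any interface. The following is an added example, not code from the thread or from Fortinet: a Python parser for the one-line-per-packet form that `diag sniffer packet any '<filter>' 4` prints (verbose level 4 includes the interface name and in/out direction), which then classifies the flow as not arriving, dropped after ingress, or forwarded. The two sample captures are constructed for the illustration, and the exact line layout is assumed from the usual sniffer format rather than taken from the thread.

```python
import re

# Matches one packet line of `diag sniffer packet any '<filter>' 4` output:
#   <elapsed seconds> <interface> <in|out> <src> -> <dst>: <protocol details>
# Layout assumed from typical FortiGate sniffer output (added example).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+(?P<info>.*)$"
)

# Constructed capture: pings arrive on port3 but nothing ever leaves.
SAMPLE_DROPPED = """\
interfaces=[any]
filters=[host 192.168.3.190]
2.124862 port3 in 192.168.3.190 -> 172.16.70.100: icmp: echo request
3.126101 port3 in 192.168.3.190 -> 172.16.70.100: icmp: echo request
4.127455 port3 in 192.168.3.190 -> 172.16.70.100: icmp: echo request
"""

# Constructed capture: the same pings forwarded out of VLAN70 with replies coming back.
SAMPLE_FORWARDED = """\
interfaces=[any]
filters=[host 192.168.3.190]
2.124862 port3 in 192.168.3.190 -> 172.16.70.100: icmp: echo request
2.124901 VLAN70 out 192.168.3.190 -> 172.16.70.100: icmp: echo request
2.125330 VLAN70 in 172.16.70.100 -> 192.168.3.190: icmp: echo reply
2.125360 port3 out 172.16.70.100 -> 192.168.3.190: icmp: echo reply
"""

def parse(output: str):
    """Return a list of dicts, one per packet line; header lines are skipped."""
    packets = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets

def interface_summary(packets):
    """Count packets per (interface, direction), e.g. {('port3', 'in'): 3}."""
    counts = {}
    for p in packets:
        key = (p["iface"], p["dir"])
        counts[key] = counts.get(key, 0) + 1
    return counts

def diagnose(packets, src: str, dst: str) -> str:
    """Classify the src->dst flow the way Toshi's procedure reads the capture."""
    flow = [p for p in packets if p["src"] == src and p["dst"] == dst]
    ingress = [p for p in flow if p["dir"] == "in"]
    egress = [p for p in flow if p["dir"] == "out"]
    if not ingress:
        # Nothing reached the FortiGate: look at the host side first.
        return "not arriving"
    if not egress:
        # Seen on the ingress interface, never sent on: policy, route or
        # offload question, which is where the flow debug comes in.
        return "dropped after ingress on " + ", ".join(sorted({p["iface"] for p in ingress}))
    return "forwarded via " + ", ".join(sorted({p["iface"] for p in egress}))

if __name__ == "__main__":
    for name, capture in (("dropped", SAMPLE_DROPPED), ("forwarded", SAMPLE_FORWARDED)):
        pk = parse(capture)
        print(name, interface_summary(pk),
              diagnose(pk, "192.168.3.190", "172.16.70.100"))
```

Paste a real capture in place of the constructed samples; the "dropped after ingress" verdict is the case Toshi describes, where the packets do reach port3 and the next step is the flow debug with offload disabled.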
Copyright 2024 Fortinet, Inc. All Rights Reserved.