I have a 100E with policy-based routing enabled for the servers network.
I configured static NAT for a server using a virtual IP.
The server is going out with the mapped external IP I provided, but when I try to establish any kind of connection to that server using the external IP, it doesn't work (RDP, SSH, etc.).
The PBR seems to be configured for internal-to-external traffic. That does not ensure that traffic initiated from outside will be allowed: the FortiGate first performs an RPF (Reverse Path Forwarding) check, and if it does not find a route to the source associated with the incoming interface, it drops the packets from that source.
To see whether the FortiGate is blocking the connection because of the RPF check, run the commands below:
diag debug flow filter addr <source IP>
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug flow trace start 1000
diag debug enable
Then initiate the traffic and check whether any "rpf check failed" messages appear. The output will also show how the FortiGate is processing the packets.
You can also take a packet capture first, to see whether the traffic is arriving on the FortiGate at all:
diag sniffer packet any "host <source ip>" 4 0 l
If the RPF check is failing, you can disable it on the incoming interface:
config system interface
edit <interface>
set src-check disable
end
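The debug flow trace produced by the commands above is verbose and interleaves several sessions. As an added example (not part of the original post or of any Fortinet tooling), the script below parses that output, groups lines by trace_id, flags the sessions dropped by the reverse path check, and prints the src-check remediation for the interface the packet arrived on. The sample lines are constructed; the message text "reverse path check fail, drop" and the "received a packet(...) from <iface>." summary follow what FortiOS prints, but treat the exact wording as an assumption and adjust the regexes to what your unit shows.

```python
"""Flag FortiGate debug-flow sessions dropped by the RPF (reverse path) check.

Added example, not code from the original post. Input format assumptions:
  - every line carries trace_id=<n> func=<name> line=<n> msg="<text>"
  - the first line of a session (func=print_pkt_detail) contains
    'received a packet(proto=P, SRC:SPORT->DST:DPORT) from IFACE.'
  - an RPF drop is reported as msg="reverse path check fail, drop"
"""
import re

# Constructed sample: trace 1 is an inbound RDP attempt to the VIP that fails
# RPF on wan1; trace 2 is an outbound session from the server that is allowed.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5737 msg="vd-root:0 received a packet(proto=6, 198.51.100.20:51234->203.0.113.10:3389) from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5909 msg="allocate a new session-00012345"
id=20085 trace_id=1 func=ip_route_input_slow line=2214 msg="reverse path check fail, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5737 msg="vd-root:0 received a packet(proto=6, 10.10.10.5:40000->198.51.100.20:443) from port2. flag [S], seq 2, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5909 msg="allocate a new session-00012346"
id=20085 trace_id=2 func=fw_forward_handler line=967 msg="Allowed by Policy-3: SNAT"
"""

LINE_RE = re.compile(
    r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"'
)
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+),\s*"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)"
    r"\s+from\s+(?P<iface>[\w-]+)\."
)
RPF_DROP_MSG = "reverse path check fail, drop"  # assumed FortiOS wording


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and extract the packet 5-tuple.

    Returns {trace_id: {"src", "dst", "dport", "proto", "iface",
                        "rpf_drop", "msgs"}}; unparsable lines are skipped.
    """
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        s = sessions.setdefault(
            m["tid"],
            {"src": None, "dst": None, "dport": None, "proto": None,
             "iface": None, "rpf_drop": False, "msgs": []},
        )
        s["msgs"].append((m["func"], m["msg"]))
        pkt = PKT_RE.search(m["msg"])
        if pkt:  # first line of the session: record where it came from
            s.update(src=pkt["src"], dst=pkt["dst"], dport=int(pkt["dport"]),
                     proto=int(pkt["proto"]), iface=pkt["iface"])
        if m["msg"].startswith(RPF_DROP_MSG):
            s["rpf_drop"] = True
    return sessions


def rpf_drops(text):
    """Return the sessions the FortiGate dropped at the RPF check."""
    return [dict(tid=tid, **s) for tid, s in parse_debug_flow(text).items()
            if s["rpf_drop"]]


def remediation_cli(iface):
    """FortiOS CLI that turns the RPF check off on one interface.

    This removes anti-spoofing on that interface; use it to confirm the
    diagnosis, and prefer fixing the return route (or the PBR policy) so the
    source is reachable via the interface the packet arrived on.
    """
    return (f"config system interface\n    edit {iface}\n"
            f"        set src-check disable\n    next\nend")


if __name__ == "__main__":
    for d in rpf_drops(SAMPLE_TRACE):
        print(f"trace {d['tid']}: {d['src']} -> {d['dst']}:{d['dport']} "
              f"in via {d['iface']} dropped by RPF check")
        print(remediation_cli(d["iface"]))
```

Paste the output of `diag debug flow trace` into a file and feed it to `rpf_drops()`; a session that is not listed there but still fails usually means the packet never reached the unit (check the sniffer output) or was denied by policy, which shows up under `fw_forward_handler` in the same trace.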
Copyright 2024 Fortinet, Inc. All Rights Reserved.