I have a FortiGate 200D
On interface 2 I have 10.1.0.0/16 and on interface 3 I have the 10.8.0.0/16 subnet.
There is a rule that allows TFTP from Interface 2 to Interface 3
Also there is a tftp session helper
But while traffic to the TFTP server 10.1.1.8 arrives, the answer is blocked by the firewall.
What can I check?
The TFTP server is definitely fine in the 10.1.0.0/16 subnet.
On all other Subnets the return traffic is blocked.
Whenever you have what appears to be weird behavior, check the flow in the CLI:
diagnose debug flow filter clear
diagnose debug flow filter daddr <YOURDST>
diagnose debug flow filter dport 69
diagnose debug flow show function-name enable --> if in 5.6, otherwise a tad different
diagnose debug flow show iprope enable --> if in 5.6, otherwise a tad different
diagnose debug flow trace start 50
Then issue a test; you'll surely find your answer. Maybe your session helper is not set up correctly, so the return packet is dropped by the firewall.
Another simple thing to test: does your TFTP server have a gateway set up? Does your TFTP server allow connections from other sources?
Hope it helps
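Why the session helper matters here: a TFTP client sends its read/write request to UDP/69, but the server answers from a fresh ephemeral source port to the client's port. That reply does not match the original 69 session, so unless the tftp helper has registered an expectation for it, the firewall treats it as a new, unsolicited flow in the reverse direction and drops it. The following CLI sequence is an added example (not part of the post above) that walks through the checks in order. The server address 10.1.1.8 comes from the question; the client address 10.8.0.10, the service object name "TFTP" and the helper ID 3 are assumptions. Lines beginning with # are annotations, not CLI input. Note that the flow filter uses addr rather than daddr and no dport filter, so that the server's reply direction is captured in the trace as well as the request.

```text
# 1. Confirm the TFTP session helper is defined (default entry: UDP port 69).
config system session-helper
    show
end
# Expected among the output (ID may differ):
#   edit 3
#       set name tftp
#       set protocol 17
#       set port 69
#   next

# 2. Make sure the service object used by the policy does not disable the helper.
config firewall service custom
    edit "TFTP"
        set protocol TCP/UDP/SCTP
        set udp-portrange 69
        set helper auto
    next
end
# "set helper disable" on the service would switch the helper off for that policy.

# 3. Trace both directions of one transfer.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.1.1.8
diagnose debug flow filter proto 17
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable
# ... now fetch a small file from the client, e.g. "tftp 10.1.1.8 -c get test.txt" on 10.8.0.10 ...
diagnose debug flow trace stop
diagnose debug disable

# 4. Inspect the session table for the request session and its helper state.
diagnose sys session filter clear
diagnose sys session filter dst 10.1.1.8
diagnose sys session filter dport 69
diagnose sys session list
```

Reading the result: with the helper active, the trace shows the request allocating a session that is accepted by the TFTP policy, and the server's data packet from its ephemeral port is matched to that session rather than being policy-checked again. If instead the reply packet is shown being evaluated as a new session and finishes with a line such as "iprope_in_check() check failed on policy 0, drop" or "Denied by forward policy check (policy 0)", the helper is not being applied (missing helper entry, helper disabled on the service object, or the packet arriving on an unexpected interface). If the request itself never appears in the trace, or the reply is routed out the wrong interface, check the routing table with get router info routing-table details 10.8.0.10 and the server's default gateway, as the answer suggests.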