> Any router policy configured?

No Policy Routes are defined on the FG.
In short, this policy route fixes the problem. My question now is, why does the policy route work when a static route did not!?

From what I can tell I don't think there is anything wrong; you have enabled ECMP Weighted Load Balance, so the fgt should route traffic out port 13, 14 and 15. Assuming you have all three port interfaces merged into a Zone, you could test to see if the fortigate routes traffic out port 15 by either disabling or unplugging port 13 and 14. (I wouldn't do this during work/office hours though.)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I am restricting traffic to port 15 with firewall policies that limit 1 subnet to communicating over port 15. I have also tried moving the connection from port 15 to another port (11) and reconfiguring 11. Same issues.

I have opened a support ticket on this issue, and will post the results to this forum for everyone's edification. Tier 1 support couldn't see anything wrong with the configuration either, and has upgraded the ticket's priority and forwarded it to tier 2. During the support call I learned a series of new commands, including the ping trace and sniffer commands that EMNOC was talking about. We also took a look at the routing tables and the routing table database.

The trace and sniffer show that my testing laptop on the Intranet was successfully able to communicate with the Internet as long as the policy route was in place. Take the policy route away and the traffic from the testing laptop goes nowhere. We checked the routing tables and there is no default gateway listed for port 15 (so no wonder it doesn't know how to get out). We checked the database and there is a static entry showing that there should be a default gateway, but it is not listed in the tables or in the kernel's routing information. One interesting note about the kernel's routing information though is that it shows the IPs of the network and broadcast addresses for port 15 in addition to the static IP of the port itself and the network address for that port. All entries are missing the default gateway configuration. See below:
IASLC-FW01 # get router info kernel
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->207.225.112.6/32 pref=63.231.68.142 gwy=0.0.0.0 dev=57(ppp1)
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 216.160.163.168/255.255.255.255/0->4.2.2.2/32 pref=0.0.0.0 gwy=207.225.112.2 dev=56(ppp2)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->207.225.112.2/32 pref=216.160.163.168 gwy=0.0.0.0 dev=56(ppp2)
tab=254 vf=0 scope=0 type=1 proto=14 prio=0 63.231.68.142/255.255.255.255/0->4.2.2.1/32 pref=0.0.0.0 gwy=207.225.112.6 dev=57(ppp1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.112/29 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.20.0/24 pref=192.168.20.1 gwy=0.0.0.0 dev=25(IASLC-WIFI)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->10.254.254.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=12(ssl.root)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.1 gwy=0.0.0.0 dev=9(port16)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.30.0/24 pref=192.168.30.1 gwy=0.0.0.0 dev=24(IASLC-WIFIguest)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.11.0/24 pref=192.168.11.1 gwy=0.0.0.0 dev=9(port16)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.10.0/24 pref=192.168.10.1 gwy=0.0.0.0 dev=9(port16)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=207.225.112.2 flag=04 hops=0 oif=56(ppp2) gwy=207.225.112.6 flag=04 hops=0 oif=57(ppp1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.1/32 pref=192.168.1.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/32 pref=192.168.1.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.114/32 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=11(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.11.1/32 pref=192.168.11.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.11.0/32 pref=192.168.11.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.112/32 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.10.255/32 pref=192.168.10.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.119/32 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.231.68.142/32 pref=63.231.68.142 gwy=0.0.0.0 dev=57(ppp1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.20.255/32 pref=192.168.20.1 gwy=0.0.0.0 dev=25(IASLC-WIFI)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.30.255/32 pref=192.168.30.1 gwy=0.0.0.0 dev=24(IASLC-WIFIguest)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->216.160.163.168/32 pref=216.160.163.168 gwy=0.0.0.0 dev=56(ppp2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.255/32 pref=192.168.1.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.10.1/32 pref=192.168.10.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.10.0/32 pref=192.168.10.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.11.255/32 pref=192.168.11.1 gwy=0.0.0.0 dev=9(port16)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.20.0/32 pref=192.168.20.1 gwy=0.0.0.0 dev=25(IASLC-WIFI)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.20.1/32 pref=192.168.20.1 gwy=0.0.0.0 dev=25(IASLC-WIFI)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=11(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.30.0/32 pref=192.168.30.1 gwy=0.0.0.0 dev=24(IASLC-WIFIguest)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=11(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.30.1/32 pref=192.168.30.1 gwy=0.0.0.0 dev=24(IASLC-WIFIguest)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=11(root)

S* 0.0.0.0/0 [5/0] via 207.225.112.2, ppp2
             [5/0] via 207.225.112.6, ppp1
S  10.254.254.0/24 [10/0] is directly connected, ssl.root
C  63.231.68.142/32 is directly connected, ppp1
C  63.232.194.112/29 is directly connected, port15
C  192.168.1.0/24 is directly connected, port16
C  192.168.10.0/24 is directly connected, port16
C  192.168.11.0/24 is directly connected, port16
C  192.168.20.0/24 is directly connected, IASLC-WIFI
C  192.168.30.0/24 is directly connected, IASLC-WIFIguest
C  207.225.112.2/32 is directly connected, ppp2
C  207.225.112.6/32 is directly connected, ppp1
C  216.160.163.168/32 is directly connected, ppp2

IASLC-FW01 # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [5/0] via 207.225.112.2, ppp2
  *> [5/0] via 207.225.112.6, ppp1
S    0.0.0.0/0 [10/0] is directly connected, port13 inactive, [5/0]
     [10/0] is directly connected, port14, [5/0]
     [10/0] via 63.232.194.113, port15, [5/0]
S *> 10.254.254.0/24 [10/0] is directly connected, ssl.root
C *> 63.231.68.142/32 is directly connected, ppp1
C *> 63.232.194.112/29 is directly connected, port15
C *> 192.168.1.0/24 is directly connected, port16
C *> 192.168.10.0/24 is directly connected, port16
C *> 192.168.11.0/24 is directly connected, port16
C *> 192.168.20.0/24 is directly connected, IASLC-WIFI
C *> 192.168.30.0/24 is directly connected, IASLC-WIFIguest
C *> 207.225.112.2/32 is directly connected, ppp2
C *> 207.225.112.6/32 is directly connected, ppp1
C *> 216.160.163.168/32 is directly connected, ppp2
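The comparison made by hand above (a static default route that appears in the routing database but has no entry in the kernel table) can be scripted so it is repeatable after each config change. The following Python is an example added to this thread, not code from Fortinet or from anyone in the discussion. It parses the two output formats quoted above, using sample records transcribed from the thread, and reports every configured default next hop whose interface has no 0.0.0.0/0 route in the kernel's main table (table 254). The function names (`parse_kernel`, `database_next_hops`, `missing_from_kernel`) are the example's own.

```python
"""Cross-check a FortiGate's kernel forwarding table against its routing
database and report configured next hops that never reached the kernel.

Added example for this thread; it is not Fortinet code. It only understands
the two text formats shown in the thread: records from
`get router info kernel` and the prefix/next-hop lines from
`get router info routing-table database`.
"""
import re

# Kernel records transcribed from the thread's output, one record per line
# (the CLI prints them back to back; split_kernel_records() handles that too).
KERNEL_OUTPUT = """\
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.112/29 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.1.0/24 pref=192.168.1.1 gwy=0.0.0.0 dev=9(port16)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=207.225.112.2 flag=04 hops=0 oif=56(ppp2) gwy=207.225.112.6 flag=04 hops=0 oif=57(ppp1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->63.232.194.114/32 pref=63.232.194.114 gwy=0.0.0.0 dev=8(port15)
"""

# Default-route block transcribed from the thread's routing-table database.
DATABASE_OUTPUT = """\
S *> 0.0.0.0/0 [5/0] via 207.225.112.2, ppp2
*> [5/0] via 207.225.112.6, ppp1
S 0.0.0.0/0 [10/0] is directly connected, port13 inactive, [5/0]
[10/0] is directly connected, port14, [5/0]
[10/0] via 63.232.194.113, port15, [5/0]
"""

_IFACE = re.compile(r"^(?:dev|oif)=\d+\((?P<name>[^)]+)\)$")
_PREFIX = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")
_DB_HOP = re.compile(r"(?:via (?P<gw>[\d.]+), |directly connected, )(?P<dev>[\w.-]+)")


def split_kernel_records(raw):
    """Turn run-together CLI output into one 'tab=...' record per element."""
    return [r.strip() for r in re.split(r"(?=\btab=)", raw) if r.strip()]


def parse_kernel(text):
    """Parse kernel records into dicts: table, dst, nexthops [(gateway, iface)]."""
    routes = []
    for rec in split_kernel_records(text):
        fields, dst, gws, ifs = {}, None, [], []
        for tok in rec.split():
            m = _IFACE.match(tok)
            if m:
                ifs.append(m.group("name"))
            elif "->" in tok:                 # 'src/mask/tos->dst/len'
                dst = tok.split("->", 1)[1]
            elif tok.startswith("gwy="):      # one per next hop on multipath routes
                gws.append(tok[4:])
            elif "=" in tok:
                k, v = tok.split("=", 1)
                fields[k] = v
        routes.append({"table": int(fields.get("tab", 0)), "dst": dst,
                       "nexthops": list(zip(gws, ifs))})
    return routes


def kernel_default_interfaces(text, table=254):
    """Interfaces that carry a 0.0.0.0/0 route in the kernel's main table (254)."""
    return {iface for r in parse_kernel(text)
            if r["table"] == table and r["dst"] == "0.0.0.0/0"
            for _gw, iface in r["nexthops"]}


def database_next_hops(text, prefix="0.0.0.0/0"):
    """Next hops the routing database lists under `prefix`.

    Continuation lines carry no prefix, so the last prefix seen applies.
    'fib' records whether the CLI flagged the hop with '*' (installed in FIB).
    """
    hops, current = [], None
    for line in text.splitlines():
        pm = _PREFIX.search(line)
        if pm:
            current = pm.group(0)
        hm = _DB_HOP.search(line)
        if current == prefix and hm:
            hops.append({"dev": hm.group("dev"), "gw": hm.group("gw"),
                         "fib": "*" in line, "inactive": "inactive" in line})
    return hops


def missing_from_kernel(kernel_text, database_text):
    """Configured default next hops whose interface has no kernel default route."""
    live = kernel_default_interfaces(kernel_text)
    return [h for h in database_next_hops(database_text) if h["dev"] not in live]


if __name__ == "__main__":
    print("kernel default via:", sorted(kernel_default_interfaces(KERNEL_OUTPUT)))
    for hop in missing_from_kernel(KERNEL_OUTPUT, DATABASE_OUTPUT):
        print(f"static default on {hop['dev']} (gw {hop['gw']}) is not in the kernel")
```

On the thread's own data this flags port13, port14 and port15: the database lists a static default for each of them, but only the two ppp interfaces appear as next hops of the kernel's 0.0.0.0/0 entry, which matches what the poster found with the policy route removed. The `fib` flag mirrors the `*` marker the CLI prints, so a hop with `fib` false and no kernel default is a configured route the device has chosen not to install, which is the condition to chase rather than the firewall policy itself.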