Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Communication between subnets
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Communication between subnets
Been working on this for awhile and no luck. I have two subnets that I need to allow communication between, 10.1.2.0 and 192.168.1.0. This seems simple but I am missing something somewhere.
- FortiOS 7.2.5 on FortiGate 60F.
- Each subnet a physical hardware port on the FortiGate
- I do have Firewall Policy allowing communication between the two with no NAT.
Do I need to add a static route?
Thanks for any help.
KH
KH
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to add static route.
Check forward traffic logs to see if the traffic is reaching the firewall and if it is being blocked.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Being blocked by the local-in-policy. How do I go about allowing this through.
KH
KH
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The local-in-policy wouldn't block traffic between interfaces. It can block only traffic destined to the FGT itself, like admin access, incoming VPNs, FortiGuard traffic, etc.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure you are configuring the right gateways on your hosts. Then please share port configuration and policy configuration.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the policy:
edit 27
set status enable
set name "Internal_Communitcation"
set uuid 352dc698-72ec-51ec-2074-a13ec13cf71b
set srcintf "internal" "Wireless-user"
set dstintf "Wireless-user" "internal"
set action accept
set nat64 disable
set nat46 disable
set ztna-status disable
set srcaddr "all"
set dstaddr "all"
set internet-service disable
set internet-service-src disable
unset reputation-minimum
set internet-service6 disable
set internet-service6-src disable
unset reputation-minimum6
set rtp-nat disable
set schedule "always"
set schedule-timeout disable
set policy-expiry disable
set service "ALL"
set tos-mask 0x00
set anti-replay enable
set dynamic-shaping disable
set passive-wan-health-measurement disable
set utm-status disable
set inspection-mode flow
set profile-protocol-options "default"
set ssl-ssh-profile "no-inspection"
set logtraffic all
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set np-acceleration enable
set nat disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set fec disable
set wccp disable
set disclaimer disable
set email-collect disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set srcaddr6-negate disable
set dstaddr-negate disable
set dstaddr6-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
next
end
KH
KH
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is what I am seeing in the log. I am able to ping the Gateway.
Action
Action deny
Policy ID0
Application
Application PING
Application Category unscanned
Protocol1
Service PING
Data
Duration 0
Received Packets0
Sent Packets 0
0.0 KB/0.0 KB
Type
Sub Type local
Type traffic
Others
Date2023-06-26
Date/Time15:11:52
Device Time2023-06-26 15:11:41
Event Time1687806702194263105
Identifier 1
Policy Type local-in-policy
Time15:11:41
Time Zone-0400
logflag3
logver702051517
KH
KH
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Additional information. I am not seeing the denies in the Forward Traffic logs but I am seeing them in the Local Traffic logs.
KH
KH
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That means the FGT is not blocking. If you sniff ping packets on "Wireless-user" interface while you're pinging from "internal" inteface side, you would see them going out. That policy should be allowing them. But my guess is ping replies are not coming back from the AP side.
Toshi
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then you are somehow pinging FGT, not your hosts.
Check if the IP you are pinging is on the FGT as well. Can you also share interface configuration?
AEK
AEK
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiGuard updates using a proxy server 270 Views
- How to query BGP Community information... 155 Views
- Issues with FortiClient EMS on macOS 254 Views
- ZTNA Rules interfere while on VPN 130 Views
- certificate for FGFM protocol - Error... 382 Views
Labels
-
FortiGate
8,407 -
FortiClient
1,700 -
5.2
801 -
FortiManager
708 -
5.4
639 -
FortiAnalyzer
540 -
FortiSwitch
456 -
FortiAP
452 -
6.0
416 -
FortiClient EMS
403 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
FortiWeb
197 -
5.0
196 -
IPsec
183 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiSIEM
100 -
FortiGateCloud
100 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
83 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
53 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
SSO
30 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCarrier
6 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1641 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.