- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FG100F LAN interface traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FG100F LAN interface traffic
i have one new FG100F running on FortiOS 7.2.5.
i noticed that there is some issues using the firewall LAN IP, 172.32.xx.1.
i can ping the LAN IP from same subnets or other subnets but i cannot ping from the LAN IP of the firewall to other IP address.
i also tried adding this firewall to my log Analyzer for syslog logging but no traffic from the firewall to the syslog server.
all the polices are already created to and from the firewall LAN IP.
Labels:
- Labels:
-
FortiGate
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @yeowkm99
Based on the update, I understand that from Firewall Lan IP as a source your not able to ping other network.
Also when you mentioned that from Lan to Lan reachability is fine, Was this validated from both direction? Is Nat enabled on these firewall policy ?
The other subnet is connected network or remote subnet ?
Regards,
Patterson
Regards,
Patterson
Patterson
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
both direction is working. only firewall LAN IP cannot ping to others.
port 3 is my firewall LAN connection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run a diag sniffer from CLI while you initiate a ping towards the syslog server?
diagnose sniffer packet any "host 172.32.xx.1" 4 100
This will help us to confirm if the packet is leaving or not, also if it is taking the right source address or not
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
interfaces=[any]
filters=[host 172.32.0.1]
0.066329 lan in arp who-has 172.32.0.1 tell 172.32.0.5
0.066356 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
0.077448 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914144
1.059736 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914144 ack 3578922795
1.059820 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914256 ack 3578922795
1.074030 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914448
2.069649 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914448 ack 3578922795
2.145546 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914752
3.079601 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914752 ack 3578922795
3.149677 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831914976
3.369339 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708298 ack 4118253871
3.369384 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708383
3.377076 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118253871 ack 697708383
3.380025 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118254459 ack 697708383
3.405730 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708383 ack 4118254459
3.439436 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708418
3.456619 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: ack 4118254490
4.089792 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831914976 ack 3578922795
4.158045 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831915776
5.099699 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831915776 ack 3578922795
5.157274 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916000
6.119631 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916000 ack 3578922795
6.140275 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: psh 3578922795 ack 831916224
6.140416 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916224 ack 3578922955
6.195527 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916272
6.286312 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.57
6.286335 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
7.129690 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916272 ack 3578922955
7.194823 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831916800
8.139669 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831916800 ack 3578922955
8.206527 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917024
8.529382 lan out arp who-has 172.32.0.30 tell 172.32.0.1
8.529502 lan in arp reply 172.32.0.30 is-at 4c:d9:8f:91:7d:4a
9.129226 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.30
9.129248 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
9.129522 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917024 ack 3578922955
9.129599 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917296 ack 3578922955
9.142283 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917424
9.366546 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708418 ack 4118254490
9.366583 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708503
9.374221 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118254490 ack 697708503
9.374989 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: psh 4118255078 ack 697708503
9.387284 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: ack 4118255109
9.392013 To_TMC in 172.20.0.124.60573 -> 172.32.0.1.443: psh 697708503 ack 4118255109
9.429381 To_TMC out 172.32.0.1.443 -> 172.20.0.124.60573: ack 697708538
10.139593 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917424 ack 3578922955
10.139679 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917616 ack 3578922955
10.139737 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831917856 ack 3578922955
10.139794 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831918320 ack 3578922955
10.139845 To_TMC out 172.32.0.1.22 -> 172.20.0.124.60372: psh 831918544 ack 3578922955
10.150096 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831917856
10.150135 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831918544
10.189253 To_TMC in 172.20.0.124.60372 -> 172.32.0.1.22: ack 831918672
^C
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see ARP request/reply,were you pinging 172.32.0.30? do you have any local-in policies in place?
8.529382 lan out arp who-has 172.32.0.30 tell 172.32.0.1
8.529502 lan in arp reply 172.32.0.30 is-at 4c:d9:8f:91:7d:4a
9.129226 lan in arp who-has 172.32.0.1 (84:39:8f:a7:60:2f) tell 172.32.0.30
9.129248 lan out arp reply 172.32.0.1 is-at 84:39:8f:a7:60:2f
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
172.32.0.30 is one of the servers in the subnet.
how do i check for local-in policies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
show firewall local-in-policy
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nothing configured here.
show firewall local-in-policy
config firewall local-in-policy
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yeowkm99,
Could you cross check if there is a IP duplicacy, you may verify the ARP entry on the user/lan machine for the firewall ip, are you seeing the firewall MAC address?
You can get the mac address of the firewall using below command:
di hardware deviceinfo nic <port>
Thank you!
Related Posts
- L2 Traffic Forwarding 62 Views
- how fortigate SD-WAN ensure both sites... 183 Views
- Persistent One Way Audio Issues, no... 50 Views
- NAT after server migration 137 Views
- FortiGate FGT200F MTU 7.v7.4.3 build2573 (Feature) 104 Views
Labels
-
FortiGate
6,652 -
FortiClient
1,326 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
341 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
Logging
12 -
LDAP
11 -
VDOM
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
fortilink
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.