Hi,
I am facing a very strange issue. We are using a Fortigate to protect a few servers. The topology is very simple, as shown below:
Servers <--->Fortigate<---> Users
All servers are in the same VLAN. On the firewall I have one policy which allows everything from Users to Servers, without NAT. Now Users can access all servers except one (named Server A), though the same server can be accessed if I replace the Fortigate with a router.
For further testing I created another rule from "Users" to "Server A", but this time I enabled NAT with the interface IP. Now the server is accessible. It looks like somehow the Fortigate is not allowing me to access that one particular server from another VLAN or subnet. Everything else is working fine.
Can anyone please push me in the right direction to troubleshoot this issue?
Regards,
Provide details about the source and destination. You can use an arbitrary IP address scheme just to demonstrate/replicate the scenario.
Check the routes on server A. If it doesn't have a (valid) default route it can only communicate with a host within the same subnet/broadcast domain. The traffic probably is reaching the server but the server's reply traffic isn't making it out.
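To make the return-route explanation concrete, here is an added example that is not part of the thread: a small longest-prefix-match route lookup run over two constructed server routing tables (one with only the connected subnet, one with a default route via the firewall). All addresses are constructed for illustration. It shows why a no-NAT policy fails when the server lacks a default route, while the same policy with interface-IP NAT succeeds: with NAT the server sees a source address inside its own subnet and needs no route at all.

```python
import ipaddress

# Constructed addresses (not from the thread) mirroring the topology
#   Users 10.20.0.0/24  <-->  Fortigate  <-->  Servers 10.10.0.0/24
USER_CLIENT = "10.20.0.15"        # a user workstation behind the firewall
FW_SERVER_SIDE_IP = "10.10.0.1"   # Fortigate interface facing the servers
SERVER_SUBNET = "10.10.0.0/24"


def lookup_route(routes, dst):
    """Longest-prefix-match lookup.

    routes: list of (prefix, next_hop) where next_hop is None for a
    directly connected network. Returns the best (prefix, next_hop)
    or None when no entry covers dst.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop), net.prefixlen
    return best


def reply_reachable(server_routes, packet_src):
    """Can the server route a reply back to the packet's source address?"""
    return lookup_route(server_routes, packet_src) is not None


# Server A as suspected in the thread: connected subnet only, no default route
SERVER_A_ROUTES = [(SERVER_SUBNET, None)]
# A healthy server: connected subnet plus a default route via the firewall
SERVER_B_ROUTES = [(SERVER_SUBNET, None), ("0.0.0.0/0", FW_SERVER_SIDE_IP)]


def scenario(nat_enabled, server_routes):
    """Return (source IP the server sees, whether it can send a reply).

    Without NAT the server sees the real client IP from the Users subnet;
    with interface-IP NAT it sees the firewall's server-side address.
    """
    src_seen = FW_SERVER_SIDE_IP if nat_enabled else USER_CLIENT
    return src_seen, reply_reachable(server_routes, src_seen)


if __name__ == "__main__":
    for label, routes in (("Server A", SERVER_A_ROUTES), ("Server B", SERVER_B_ROUTES)):
        for nat in (False, True):
            src, ok = scenario(nat, routes)
            print(f"{label}, NAT={'on' if nat else 'off'}: "
                  f"server sees src {src}, reply routable: {ok}")
```

The combination the original poster describes (no-NAT policy fails only for Server A, NAT policy works) lines up with the "Server A, NAT=off" row: the forward packet arrives, but the reply has nowhere to go. Checking the server's routing table is therefore the first thing to verify before suspecting the firewall policy.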
debug is your friend...
On the Fortigate issue the following:
di de en
di de flow filter saddr <client IP>
di de flow filter daddr <server IP>
di de flow show console enable
di de flow show function-name enable
di de flow trace start 40
Then you will see what happens with the packets. If you don't get any output you should check whether the packets really are hitting the Fortigate:
di sniffer packet any 'host <client IP>' 4 0 l
^c to stop
-- Bjørn Tore
Copyright 2024 Fortinet, Inc. All Rights Reserved.