Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MarcusI
New Contributor

Change Fortigate 80C to Fortigate 80E and now we can't go out to internet

Hi all, I need help with this issue:

 

We have a Fortigate 80C and we acquired a Fortigate 80E, and we loaded all the configuration onto the latter. When we moved our ISP connection to WAN1 on the Fortigate 80E, the Fortigate itself can access the Internet, but no computer on our network can. We reset the Fortigate 80E again to erase all configuration and set up only the basics needed to access the Internet, but even with this we can't access the Internet. This is what we have set on the 80E:

    config system interface
        edit "wan1"
            set vdom "root"
            set ip xxx.xxx.xxx.xxx 255.255.255.252
            set allowaccess ping https http fgfm
            set type physical
            set role wan
            set snmp-index 1
        next
    end

By default the Fortigate's DNS servers are:

    config system dns
        set primary 208.91.112.53
        set secondary 208.91.112.52
    end

    config firewall policy
        edit 1
            set name "INTERNET"
            set uuid 61394098-8487-51e8-f1de-1075f1a12a3a
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set nat enable
        next
    end

    config router static
        edit 1
            set gateway xxx.xxx.xxx.xxx
            set device "wan1"
        next
    end

    config router policy
        edit 1
            set input-device "lan"
            set src "192.168.X.X/255.255.255.0"
            set output-device "wan1"
        next
    end

With these settings, if we set Google's DNS servers on a PC, that PC can access the Internet. The problem should be DNS, but with the Fortigate 80C it works fine.

 

Thanks in advance.

 

ede_pfau
Esteemed Contributor III

The config for testing is not that complicated, it looks OK.

Except for the policy route - why do you think you would need it? Leave it out while testing.

For system DNS, you can use 9.9.9.9 and 9.9.9.10. They work independent of any licence status.

 

If you get tired of guessing you could just look at the traffic: diag debug flow is your friend.

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Toshi_Esumi
Esteemed Contributor III

I would suggest removing the policy route "config router policy", then check DHCP server config for "lan" interface and what DNS server IPs each device has/gets.

emnoc
Esteemed Contributor III

You need to do more diagnostics.

(CLI command tips)

diag arp list

diag debug flow
  { set the filter options }

diag sniffer packet wan1 "any" might also help, to see what's going out to the WAN.

But I have to agree with the observation: your config is not complex by any means and you don't need the PBR.

 

Ken

PCNSE 

NSE 

StrongSwan  

MarcusI
New Contributor

Hi, thanks all for your answers. We're going to apply your advice and will let you know the results. Thanks again.

MarcusI

Updating...

 

Sorry for the delay. After many tries at setting up the Fortigate 80E we reformatted the OS (S.O.), because at one point it was impossible to connect to it. After this we configured what was mentioned before and tested with two different ISPs and one PC/laptop connected directly to the Fortigate, and all worked fine. The PC/laptop used the Fortigate's DNS, and the ISP's DNS when we changed that setting. When we took the Fortigate and connected it to our network, it failed. When I looked at the settings on a PC, it had taken them correctly: the IP given by our DHCP server, the Fortigate as gateway, our domain server as primary DNS and the Fortigate as secondary DNS. Could this issue be something to do with the firmware? The firmware on the Fortigate 80E is 5.6.4. I mention this because we have a Fortigate 80C on 5.2.11 and, with the same basic configuration, many IPv4 rules and other stuff, it is working fine.

If you need any other information please let me know. We're going to keep trying. Thanks in advance again.

Toshi_Esumi
Esteemed Contributor III

Still not enough information. Did you mean "failed" because the users couldn't browse the internet, or what?

First thing I would test is:

- if a device can send/receive IP packet to/from the internet (ex. ping 8.8.8.8)

- if DNS is resolving URLs to IPs (ex. ping www.google.com)

- if routing table has a default route(s) toward the internet (get router info routing-t all)

if these are normal, I would run "diag sniffer packet any 'host [DEVICE_IP]' 4" and/then the flow debug [http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-toubleshooting-54/troubleshooting_too...]. All other troubleshooting tools are listed in the same doc.
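The flow-debug step that emnoc's and Toshi_Esumi's posts point at, as an added example that is not part of this thread and not Fortinet's tooling: a small Python script that takes the text a `diagnose debug flow` session prints and reduces it to one verdict per flow, so a DNS packet that was forwarded can be told apart from one that hit the implicit deny or had no route. The sample trace is constructed here in the shape of FortiOS 5.x output using documentation addresses (assumed format, not captured from the poster's 80E); the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of FortiOS 5.x "diagnose debug flow" output
# (assumed format; not captured from the poster's 80E). Three DNS packets from
# one LAN host: trace 1 is forwarded by policy 1 with SNAT, trace 2 hits the
# implicit deny (policy 0), trace 3 has no route. Addresses are documentation ranges.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 192.168.10.25:51234->208.91.112.53:53) from lan. "
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-000004d2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw=203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2640 msg="SNAT 192.168.10.25->203.0.113.2:51234"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 192.168.10.25:51235->9.9.9.9:53) from lan. "
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-000004d3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw=203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=744 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 192.168.10.25:51236->10.9.9.9:53) from lan. "
id=20085 trace_id=3 func=init_ip_session_common line=5519 msg="allocate a new session-000004d4"
id=20085 trace_id=3 func=ip_route_input_slow line=1989 msg="no route to 10.9.9.9, drop"
"""

# One regex per message type we care about; everything else is ignored.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), '
                    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
                    r' from (?P<iface>\w+)')
ROUTE_RE = re.compile(r'find a route: flag=[0-9a-fA-F]+ gw=(?P<gw>[\d.]+) via (?P<oif>\w+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')


def _new_trace():
    return {"packet": None, "route": None, "verdict": "unknown",
            "policy": None, "snat": False, "drop_reason": None}


def parse_flow_trace(text):
    """Group debug-flow lines by trace_id and pull out packet, route and verdict."""
    traces = defaultdict(_new_trace)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t, msg = traces[int(m["tid"])], m["msg"]
        pm = PKT_RE.search(msg)
        if pm:
            t["packet"] = {k: (int(v) if k in ("proto", "sport", "dport") else v)
                           for k, v in pm.groupdict().items()}
            continue
        rm = ROUTE_RE.search(msg)
        if rm:
            t["route"] = (rm["gw"], rm["oif"])
            continue
        am = ALLOW_RE.search(msg)
        if am:
            t["verdict"], t["policy"] = "allowed", int(am["policy"])
            continue
        dm = DENY_RE.search(msg)
        if dm:
            # policy 0 is the implicit deny: no IPv4 policy matched the flow
            t["verdict"], t["policy"] = "denied", int(dm["policy"])
            continue
        if msg.startswith("SNAT "):
            t["snat"] = True
        elif "drop" in msg:
            t["verdict"], t["drop_reason"] = "dropped", msg.strip()
    return dict(traces)


def summarize(traces, dport=None):
    """One line per trace; pass dport=53 to look at DNS only."""
    out = []
    for tid, t in sorted(traces.items()):
        p = t["packet"]
        if p is None or (dport is not None and p["dport"] != dport):
            continue
        flow = f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} proto {p['proto']} in {p['iface']}"
        route = f"via {t['route'][1]} gw {t['route'][0]}" if t["route"] else "no route found"
        verdict = t["verdict"]
        if t["policy"] is not None:
            verdict += f" (policy {t['policy']})"
        if t["snat"]:
            verdict += " +SNAT"
        if t["drop_reason"]:
            verdict += f": {t['drop_reason']}"
        out.append(f"trace {tid}: {flow}; {route}; {verdict}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_flow_trace(SAMPLE_TRACE), dport=53):
        print(line)
```

To produce real input for it on a 5.x unit, filter before tracing so the output stays readable: `diagnose debug flow filter addr <LAN host>`, `diagnose debug flow filter port 53`, `diagnose debug flow show function-name enable`, `diagnose debug enable`, then `diagnose debug flow trace start 100` while the PC does a lookup, and `diagnose debug disable` plus `diagnose debug reset` afterwards. Read the result against the checklist above: a `denied (policy 0)` line for port 53 while `ping 8.8.8.8` passes means the DNS query never matched the INTERNET policy, which points at the policy route or policy, not at the resolver; `no route found` points at the static default route.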

 

MarcusI

Hi Toshi Esumi, thanks for answer.

 

Yes, when I said "failed" it was because the users couldn't browse the internet; sorry if I can't explain it better.

- Ping to 8.8.8.8: yes, it works.

- Ping to www.google.com and other URLs: yes, it works.

"if routing table has a default route(s) toward the internet (get router info routing-t all) if these are normal, I would run "diag sniffer packet any 'host [DEVICE_IP]' 4" and/then the flow debug [http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-toubleshooting-54/troubleshooting_too...]. All other troubleshooting tools are listed in the same doc." I'm going to check this and let you know.

My apologies for the lack of information; I'm not an expert on this subject.

 

Thanks.

 

Regards.

 
