Support Forum
Bob_Shaw
New Contributor

FortiAP 421E Blocked by local-in-policy

I'm trying to set up a couple of APs. I got the AP set up in the FortiGate unit, but it's being blocked by the local-in-policy. Am I even looking at the correct local-in-policy? I even tried setting the deny to accept on the 2nd and 4th policies. Only wan1 is active; wan2 is disabled. These are configured for SD-WAN. We stopped using the 2nd WAN some time ago; I just haven't reconfigured the FortiGate unit. Any advice on getting the AP connected would be greatly appreciated.


Devices:

FortiAP 421E - v6.0.5 - 192.168.1.178

FortiGate 200D - v6.0.5 - 192.168.1.100

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "usa"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
    edit 3
        set intf "wan2"
        set srcaddr "usa2"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
    next
    edit 4
        set intf "wan2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

Local Traffic log entry looks like this:

General
    Date 2019/06/11
    Time 09:17:18
    Duration 0s
    Session ID 1121662
    Virtual Domain root

Source
    IP 192.168.1.178
    Port 35246
    Country/Region Reserved
    Primary MAC 70:4c:a5:52:98:40
    Source Interface lan
    Host Name FP421E3X17006836
    Device Type Fortinet Device
    OS Name FortiAP

Destination
    IP 192.168.1.100
    Port 5246
    Country/Region Reserved
    Destination Interface root

Application
    Application Name Local Wireless Controller
    Category unscanned
    Protocol udp
    Service udp/5246

Data
    Received Bytes 0 B
    Sent Bytes 0 B
    Sent Packets 0

Action
    Action deny
    Threat 262144
    Policy 0
    Policy Type local-in-policy

Security Level
    Threat Level low
    Threat Score 5

Other
    Device Category Fortinet Device
    Source Interface Role lan
    Log ID 14
    byod_name FP421E3X17006836
    Protocol Number 17
    roll 63521
    byod_device fortinet-device
    Log event original timestamp 1560259037
    Destination Interface Role undefined
    Source Server 0
    Sub Type local

Dave_Hall
Honored Contributor

Have you checked CAPWAP on the internal interface?  Has the AP been authorized?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Bob_Shaw

I did not have the CAPWAP enabled on the FortiGate internal interface. Enabled it and a minute or two later the unit status is now showing Online. Thank you very much!

 

Now to cancel the ticket. I tried Support Chat first and they forwarded it to support.
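As an added example (not part of any post in this thread), here are the FortiOS CLI steps that correspond to the fix described above. The interface name "lan" is taken from the log entry (Source Interface lan); any other allowaccess values already on that interface are assumed, which is why the example uses append rather than set. Note that the four local-in policies in the question match only wan1 and wan2, so they never see traffic arriving on lan; the logged Policy 0 means no configured local-in policy matched and the packet fell through to the implicit deny.

```text
# Added example, not from the thread. "lan" comes from the log entry
# (Source Interface lan); the existing allowaccess list is an assumption.

# 1. Inspect what the interface currently accepts. If "capwap" is absent,
#    CAPWAP control (udp/5246) and data (udp/5247) from the AP are dropped
#    by the implicit local-in deny, logged as Policy 0 / local-in-policy.
show system interface lan

# 2. Add capwap without clobbering the other allowaccess values
#    ("set allowaccess ..." would replace the whole list).
config system interface
    edit "lan"
        append allowaccess capwap
    next
end

# 3. Confirm the AP is now reaching the controller. If it shows as
#    discovered rather than connected, authorize it under
#    WiFi & Switch Controller > Managed FortiAPs.
diagnose wireless-controller wlac -c wtp
```

The log entry is the quickest check for this class of problem: a local-in deny with Policy 0 against udp/5246 from a FortiAP on an internal interface points at a missing capwap entry in allowaccess rather than at the wan-facing local-in policies.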
