R1chou
2020/11/17 02:42:05 (permalink)
0

Allowing ping

Hello,
 
I have an internal IIS server with one site configured with the following address (for example): https://toto.test.fr
The server IP is, for example: 10.0.10.1
The public IP address is, for example: 1.1.1.1
 
I created the following virtual IP
name : test
external ip : 1.1.1.1
internal ip : 10.0.10.1
Port forwarding TCP : 443 to 443
 
Then I created my policy enabling all from external to access test on service HTTPS.
 
It's working, but I would like to know how to enable ping to toto.test.fr because currently it's not working.
I tried to add a new virtual IP by selecting port forwarding ICMP and added ICMP+Ping to my policy, but it doesn't work.
 
Regards,
#1
ede_pfau
Re: Allowing ping 2020/11/17 05:47:37 (permalink) Best Answer by R1chou 2020/11/19 06:56:19
0
Hi,
 
and welcome to the forums.
 
As ICMP / ping does not use ports, a port-forwarding VIP will not forward it. Make the VIP non-portforwarding, and limit the incoming services in the policy.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#2
R1chou
Re: Allowing ping 2020/11/17 06:05:23 (permalink)
0
Hi,
 
Thank you. The public IP address used in my VIP "test" is already used by another VIP forwarding port 88 to another server.
I suppose that I can't use your solution, correct?
 
Regards,
#3
Markus
Re: Allowing ping 2020/11/17 07:48:39 (permalink)
0
Do you have only one IP?
If so, you can allow ping on your WAN interface...
#4
rwpatterson
Re: Allowing ping 2020/11/17 08:12:23 (permalink)
0
That is correct. Unfortunately it is one or the other (port forwarding multiples or only non-port forwarding).

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


-5.0.14-b0323
FWF81CM (1)
 
-4.3.19-b0694
FWF80CM (2)
FWF81CM (2)
 
#5
ede_pfau
Re: Allowing ping 2020/11/19 06:49:05 (permalink) Helpful by R1chou 2020/11/19 06:55:54
0
Yep, either use multiple port-forwarding VIPs on the same public address, or several public addresses for multiple non-portforwarding VIPs to different internal servers. You cannot combine one pf-VIP with one non-pf-VIP on the same public address.
 
Pinging the interface will tell you about the state of the firewall or WAN line, not about the internal server.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#6
R1chou
Re: Allowing ping 2020/11/19 06:57:02 (permalink)
0
Thanks everyone!
 
 
#7