- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- WAN to WAN Connection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
WAN to WAN Connection
Hello,
We share the same public subnet with 2 other entities. All 3 entities use the same gateway.
For example (please assume that the IPs belong to a public block):
A: 10.1.1.11/24
B: 10.1.1.12/24
C: Has the rest of the subnet IPs except the ISP IP
ISP: 10.1.1.1
I created a VIP and a firewall policy and made sure that those are working (did tests from home, made a successful connection). My issue is: I cannot make the same connection when I try to connect from any other entities' private subnets (Let's say, the packet originates from entity B's WAN IP (10.1.1.12) and arrives to my firewall's WAN 10.1.1.11). On my firewall (FortiGate 100F, v7.0.1) I see that the packet arrives but it is not directed anywhere (simply dropped, checked it using cli "diagnose sniffer packet any..."). I tried to add a WAN to WAN any any accept rule for test and that did not work either. The other interesting thing is, I did not see a log for this blocking activity. Though I should say that I might have configured the logging settings wrong.
I am currently replacing our old Palo Alto firewall with the FortiGate. I had the same rules/NATs on that Palo Alto firewall and I never had any issues (I am just trying to say that there is no other entity firewall rule that is blocking this kind of connection).
Can you please help me with this problem of mine? I believe I am missing something simple. Thank you in advance.
Regards,
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you apply SNAT on the B Firewall, for this traffic? Also 7.0.1 is the first patch of the new 7.0 stream, my experience, tells me to not run this in production yet. I always wait until the 4th patch.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you apply SNAT on the B Firewall, for this traffic?
I have no access to Firewall B configuration but I can tell that they have that in place. I took my laptop and get into their network (got a private IP in a subnet behind Firewall B) and tried to access my firewall (Firewall A). I was able to see the public IP of Firewall B on Firewall A sniffer.
Also 7.0.1 is the first patch of the new 7.0 stream, my experience, tells me to not run this in production yet. I always wait until the 4th patch.
Well, I agree to that to some extent and I am ready to deal with some minor problems that will show up in these versions but this does not seem to be a minor issue to me (that is why I really think it is my fault or I am missing something along the way).
I also tried this with version 7.0.0 and it did not work either.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"was able to see the public IP of Firewall B on Firewall A sniffer. "
Ok, that’s checked. You tested it from a different public Source IP and it worked? In that case, VIP and Firewall rule is correct. Only thing different seems to be the Firewall A and B are in the same Public subnet. The ISP is not blocking, because it worked on you Palo. Very change problem then. Logs, don’t show any drop reason? You could test with 6.4.6. Or log a case with Fortinet support.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You tested it from a different public Source IP and it worked?
True
Only thing different seems to be the Firewall A and B are in the same Public subnet.
True
Very change problem then. Logs, don’t show any drop reason?
I will check this again. I will go through my log settings and double check everything. After that I will update this post.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...OK
I had a synchronization issue in Firewall A cluster. I got a synchronization error (or some similar message) and that stayed about 30 minutes. I restarted the cluster and then the NAT simply worked. I sometimes get this sync error messages but those only stay for a minute and then disappear. This time it did not.
The other thing is. I tried restarting this firewall cluster before and the NAT problem was still there. There is something going on here that I cannot explain at this very moment and I will be looking into this in more depth. Maybe I should factory reset the firewalls again and start from scratch...
Related Posts
- connect fortigate to 2 sophos at... 25 Views
- ZTNA not working. Help please. 45 Views
- Forward traffic from Fortigate not showing... 90 Views
- User Getting The server you want... 123 Views
- FortiClient IPSec VPN keeps connecting to... 75 Views
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.