Stelios_FTNT
Staff
Article Id 196184
Description
When trusted hosts are configured for all firewall administrators, the FortiGate does not reply to ping if the source IP of the ICMP request is not included in the trusted hosts.

This article describes how to troubleshoot this issue.

Solution
When trusted hosts are configured for ALL administrators in a FortiGate, the PING feature on the interfaces will only respond if the source address of the PING is included in the configured Trusted Hosts.

For example: if a Load-Balancer uses the IP addresses 10.253.200.4 - 10.253.200.5, the PING from the Load-Balancer will not be replied to unless these IPs are included in the Trusted Hosts configured in the administrator settings.

In FortiOS, "ping" is one of the admin accesses subject to the "trusthost[1-10]" settings (up to FOS 5.6, see below). So if trusted hosts are added on all administrators, the FortiGate's IP is pingable only from those trusted hosts. Trying to ping the FortiGate's IP from any other IP address will fail.

There are two workarounds if Trusted Hosts need to be configured under all existing Administrators of the firewall.

Scenario 1:
- Create an Admin Access Profile with no rights (none) on the firewall:
# config system accprofile
    edit "none"
    next
end
- Create an administrator using the above accprofile:
# config system admin
    edit "bulk_admin"
        set accprofile "none"
        set vdom "root"
        set password ****
    next
end
- If all other administrators have Trusted Hosts configured, having a "Bulk Administrator" with no rights on the firewall and with no Trusted Hosts will allow PING to work on the FortiGate's interfaces.

Scenario 2:

Configure the subnets of the equipment pinging the FortiGate's IP into the Trusted Hosts of one admin:

For example:
# config system admin
    edit "admin"
        set trusthost1 192.168.0.0 255.255.0.0
        set trusthost2 10.253.200.0 255.255.255.248 <== subnet of the unit pinging the FortiGate's IP address
        set accprofile "super_admin"
        set vdom "root"
    next
end
This will allow the Load-Balancer to PING the system interfaces, since the IP addresses of the Load-Balancer are now included in the trusted hosts of one administrator.

Starting from FortiOS 6.0, Ping works from any source IP address if the service is enabled on the interface, regardless of whether any trusted hosts are set in the administrator settings. Other services will still be limited by the trusted host settings.
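As an added example (not from this article or from Fortinet), a small Python helper that parses a constructed sample of "show system admin" output and reports whether the FortiGate would answer a ping from a given source IP under the trusted-host rule described above. It assumes "ping" is already enabled under allowaccess on the interface; the sample configuration, the admin names and the FortiOS major-version parameter are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `show system admin` output (not taken from a real unit):
# "admin" is restricted to two subnets, "bulk_admin" (profile "none") has no trusted hosts.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 192.168.0.0 255.255.0.0
        set trusthost2 10.253.200.0 255.255.255.248
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "bulk_admin"
        set accprofile "none"
        set vdom "root"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"')
TRUSTHOST_RE = re.compile(r'^\s*set\s+trusthost\d+\s+(\S+)\s+(\S+)')


def parse_admins(text):
    """Return {admin_name: [IPv4Network, ...]} from `config system admin` text."""
    admins, current = {}, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = []
            continue
        m = TRUSTHOST_RE.match(line)
        if m and current is not None:
            # FortiOS writes "address netmask"; strict=False tolerates host bits in the address
            admins[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return admins


def ping_allowed(admins, src_ip, fos_major=5):
    """Pre-6.0 rule: ping is answered only if some admin has no trusted hosts or
    some admin's trusted host covers src_ip. From 6.0 ping ignores trusted hosts."""
    if fos_major >= 6:
        return True, "FortiOS 6.0+: ping is not subject to trusted hosts"
    src = ipaddress.ip_address(src_ip)
    for name, nets in admins.items():
        if not nets:
            return True, f"{name} has no trusted hosts configured"
        for net in nets:
            if src in net:
                return True, f"{name} trusthost {net} covers {src}"
    return False, "no administrator trusts this source address"
```

Run it against the real output of "show system admin" to see which account, if any, is the reason a given source is (or is not) answered.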
