FortiKoala
Staff
Article Id 197105
Description
This article describes how to troubleshoot internal FortiGate connectivity issues when FortiGates have the VDOM feature enabled, e.g. FortiGuard, Syslog, SNMP, etc.

VDOMs change how the FortiGate system settings are structured and how the FortiGate (and individual VDOMs) communicate with other Fortinet devices and services.

Solution
There are two categories of FortiGate communications:

- Global communications: FortiGuard updates, FortiManager, globally configured FortiAnalyzer, FortiCloud, Syslog, FortiGate clustering, system traffic (NTP, system DNS)
- VDOM communications: per-VDOM logging, user-initiated traffic inside a VDOM (ping, traceroute, telnet, etc.)

For global communications, FortiGate uses the management VDOM and the interfaces in the management VDOM:

- The management VDOM is root by default, but can be changed manually
- Connectivity issues to other Fortinet devices and services often need to be troubleshot from the management VDOM
- If a source-ip is set for any global communication (e.g. system DNS or FortiAnalyzer logging), it must be the IP of an interface in the management VDOM
- Always ensure there is a default route (route to 0.0.0.0/0) in the management VDOM
- The management VDOM must be able to reach the Internet, or a FortiManager used for FortiGuard updates

If the management VDOM has no interface configured and cannot be assigned one, the following needs to be configured:

- Create an inter-VDOM link to another VDOM on the FortiGate
- That other (transit) VDOM must be able to reach every Fortinet device or service the FortiGate connects to
- Configure routes and policies in the transit VDOM so that traffic arriving from the inter-VDOM link (i.e. from the management VDOM) can reach the required resources

For VDOM communications, FortiGate will only use interfaces within that VDOM:

- Per-VDOM logging (fortianalyzer/syslogd override-setting in the CLI) uses an interface in the specific VDOM, selected from that VDOM's routing table
- Source IPs can only be set to IPs of interfaces in that VDOM
- Ensure the VDOM itself can reach the required resources

How to test connectivity with a specific source IP:

1. Connect to the FortiGate via SSH.

2. Enter the specific VDOM (the management VDOM for global communications, or the relevant VDOM for VDOM-specific traffic):

    config vdom
    edit <vdom-name>

3. Try a ping to the desired destination (the source IP must belong to an interface in this VDOM):

    execute ping-options source <specific IP, must be in vdom>
    execute ping <destination IP>

4. To reset the ping source to the default selection based on the routing table, use this command:

    execute ping-options source auto
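As an added example (not part of the original article), the inter-VDOM link scenario described above written out in FortiOS CLI, followed by the source-specific ping test run from the management VDOM. The link name mgmt-link, the transit VDOM name transit, the WAN interface wan1 and the 10.255.255.0/30 link addressing are assumptions; adjust them to the actual device.

```text
config global
    config system vdom-link
        edit "mgmt-link"            # creates interfaces mgmt-link0 and mgmt-link1
        next
    end
    config system interface
        edit "mgmt-link0"           # management (root) VDOM end of the link
            set vdom "root"
            set ip 10.255.255.1 255.255.255.252
        next
        edit "mgmt-link1"           # transit VDOM end of the link (VDOM "transit" assumed to exist)
            set vdom "transit"
            set ip 10.255.255.2 255.255.255.252
        next
    end
end
config vdom
    edit root
        config router static        # default route for global traffic points across the link
            edit 0
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.255.2
                set device "mgmt-link0"
            next
        end
    next
    edit transit
        config firewall policy      # let management VDOM traffic out via the transit VDOM's WAN (wan1 assumed)
            edit 0
                set name "mgmt-vdom-out"
                set srcintf "mgmt-link1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
# Verify from the management VDOM, using the link IP (an interface in root) as the source
config vdom
    edit root
        execute ping-options source 10.255.255.1
        execute ping <destination IP of the FortiGuard/FortiManager/FortiAnalyzer host>
        execute ping-options source auto
    next
end
```

If the ping fails with the link IP as source but the transit VDOM itself can reach the destination, check the transit VDOM's policy and NAT first, since that is where the management VDOM's traffic is forwarded.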