FortiGate
nsubramanian
Staff
Article Id 197132

Description

This article explains how to resolve the problem that it is not possible to ping an interface IP / the FortiGate IP from local subnets.

Scope

FortiGate.

Solution

Step 1: Check whether the PING option is enabled under Administrative Access for the interface in the Network > Interfaces section of the GUI.

Configuration CLI:

config system interface
    edit "port2"
        set vdom "root"
        set ip 172.168.2.1 255.255.255.0
        set allowaccess ping https    <----- 'ping' allowed.
        set type physical
        set alias "FAZ"
        set device-identification enable
        set snmp-index 2
    next
end

Configuration GUI:

[Screenshot: Network-Interfaces.png]


Step 2: Check whether 'Trusted Hosts' is configured for the admin user. Check this in the GUI by navigating to System > Admin / Administrators > 'Restrict login to Trusted hosts'.

When this option is enabled, a list of IP addresses, IP ranges or subnets is configured there.

If it is enabled, check whether the IP address used to ping is in the list. If it is not, add it either as a single IP (/32) or allow the complete range (/24).

Configure the same for IPv4 as well as IPv6.

Configuration CLI:


config system admin
    edit "xxxxx"    <----- Desired admin name.
        set remote-auth disable
        set peer-auth disable
        set trusthost1 0.0.0.0 0.0.0.0
        set trusthost2 0.0.0.0 0.0.0.0
        set trusthost3 0.0.0.0 0.0.0.0
        set trusthost4 0.0.0.0 0.0.0.0
        set trusthost5 0.0.0.0 0.0.0.0
        set trusthost6 0.0.0.0 0.0.0.0
        set trusthost7 0.0.0.0 0.0.0.0
        set trusthost8 0.0.0.0 0.0.0.0
        set trusthost9 0.0.0.0 0.0.0.0
        set trusthost10 0.0.0.0 0.0.0.0
        set ip6-trusthost1 ::/0
        set ip6-trusthost2 ::/0
        set ip6-trusthost3 ::/0
        set ip6-trusthost4 ::/0
        set ip6-trusthost5 ::/0
        set ip6-trusthost6 ::/0
        set ip6-trusthost7 ::/0
        set ip6-trusthost8 ::/0
        set ip6-trusthost9 ::/0
        set ip6-trusthost10 ::/0
        set accprofile "super_admin"
        set comments ''
        set vdom "root"
        unset ssh-public-key1
        unset ssh-public-key2
        unset ssh-public-key3
        set ssh-certificate ''
        set schedule ''
        set two-factor disable
        set email-to ''
        set sms-server fortiguard
        set sms-phone ''
        set guest-auth disable
        set password ENC SH27OrKehKne+v+QY/N7np1BXbm/o4llqeqZagoIS3YUDj11Boj0NttcQNHaZg=
        set allow-remove-admin-session enable
    next
end
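
The two checks above (Step 1 and Step 2), as an added example that is not part of the article or of Fortinet's code: a small Python script that parses `config system interface` / `config system admin` output in the form shown and reports whether a ping from a given source IP would be answered. It assumes the FortiGate only answers pings from a source that is a trusted host of at least one administrator, which is the behaviour Step 2 describes; the sample configuration is constructed for the example.

```python
import ipaddress, re

# Constructed sample in the CLI format this article shows (not taken from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port2"
        set allowaccess ping https
    next
    edit "port3"
        set allowaccess https
    next
end
config system admin
    edit "admin"
        set trusthost1 172.168.2.10 255.255.255.255
        set trusthost2 10.0.0.0 255.0.0.0
        set ip6-trusthost1 2001:db8::/32
    next
end
"""

def parse_fortios(text):
    """Return ({interface: allowaccess list}, {admin: [trusted networks]})."""
    interfaces, admins, section, name = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config system "):
            section = line.split()[2]            # 'interface' or 'admin'
        elif line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
            (interfaces if section == "interface" else admins).setdefault(name, [])
        elif section == "interface" and line.startswith("set allowaccess "):
            interfaces[name] = line.split()[2:]
        elif section == "admin":
            m = re.match(r"set (ip6-)?trusthost\d+ (\S+)(?: (\S+))?$", line)
            if m:  # IPv4 entries are 'ip mask'; IPv6 entries are 'prefix/len'
                net = m.group(2) if m.group(1) else f"{m.group(2)}/{m.group(3)}"
                admins[name].append(ipaddress.ip_network(net, strict=False))
    return interfaces, admins

def ping_allowed(config_text, src_ip, interface):
    """Apply the article's two checks to a ping from src_ip towards interface."""
    interfaces, admins = parse_fortios(config_text)
    src = ipaddress.ip_address(src_ip)
    if "ping" not in interfaces.get(interface, []):            # Step 1
        return False, f"ping is not in allowaccess of {interface}"
    # Step 2: the source must be a trusted host of at least one admin. Assumption:
    # an admin with no trusthost lines keeps the default 0.0.0.0 0.0.0.0 / ::/0
    # (hidden by 'show') and is unrestricted; 0.0.0.0/0 parses as all hosts.
    for name, nets in admins.items():
        if not nets or any(src in n for n in nets):
            return True, f"{src_ip} is a trusted host of admin {name}"
    return False, f"{src_ip} is not in any admin's trusted hosts"
```

Feed it the output of `show system interface` and `show system admin` from the unit and the source address of the host that cannot ping; the returned reason tells you which step to fix.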

Step 3: Run the diagnostics below to check the issue at the packet and debug level.

Sniffer capture:

diag sniffer packet any 'host <interface IP> and icmp' 4 0 l

Flow debugs:

diag debug disable
diag debug reset
diag debug flow filter clear
diag debug flow filter addr <interface IP>
diag debug flow filter proto 1
diag debug flow show iprope enable
diag debug console timestamp enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable