fearangel
New Contributor

Authorize access by other IP ranges on interface 16

Hello everybody. I have a FortiGate 101E.

 

My interface 16 carries traffic to the VPN. On my 10.68.88.0 network everything works correctly. I have other networks, but I can't get port 16 to accept requests; I cannot even ping. How do I authorize port 16 to accept requests from other networks?

 

The routes are working well, because I can communicate between the various networks. Port 16 on the FortiGate is denying my requests from the other networks.

 

Thanks

[Attachment: IPS.png]

 

abarushka
Staff

Hello,

 

I would recommend to collect traffic sniffer and debug flow while pinging.

fearangel

[Attachment: pacotes.png]

Any ideas?

Debbie_FTNT

Hey fearangel,

The ping request comes from IP 10.68.82.67, which is not in the same /24 subnet as 10.68.88.254.
Does the FortiGate have a route to the 10.68.82.0/24 subnet via that port16 interface? If not, the ping would be dropped due to a reverse path check failure: the reply path is NOT the same as the original request, and the FGT will drop any traffic where the reply does not take the same path as the original request if asymmetric routing is disabled (and it is by default).

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
abarushka
Staff

Hello,

 

There is one-way communication. I would recommend to sniff traffic and collect debug flow on the FortiGate side:

 

Sniffer:

 

diagnose sniffer packet any 'host 10.68.88.254' 4 0 a

 

Debug flow (start the trace, then reproduce the issue while it is running):

diagnose debug flow filter daddr 10.68.88.254
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

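The debug flow trace above answers the thread's question directly: for every packet it prints a trace_id, the 5-tuple and ingress interface, and one line that decides the packet's fate. Reading that by hand across many traces is error-prone, so here is an added example, not from the thread or from Fortinet, that groups a trace by trace_id and reports the source, destination, ingress interface and verdict. The sample text is constructed in the shape of FortiOS debug flow output: the msg wordings ("reverse path check fail, drop", "iprope_in_check() check failed on policy 0, drop", "Denied by forward policy check", "Allowed by Policy-") are the usual FortiOS ones, while the line numbers, session ids and the second IP addresses are arbitrary.

```python
"""Summarise FortiOS 'diagnose debug flow' output per trace_id: who sent what, from where, and why it was dropped."""
import re
from typing import Dict

# Constructed sample in the shape of FortiOS debug flow output (not a real capture from the thread).
# The msg strings are the usual FortiOS wordings; line numbers and session ids are arbitrary.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.68.82.67:1->10.68.88.254:2048) tun_id=0.0.0.0 from port16. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=ip_route_input_slow line=2262 msg="reverse path check fail, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.68.88.10:1->10.68.88.254:2048) tun_id=0.0.0.0 from port16. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=20085 trace_id=2 func=fw_local_in_handler line=0484 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.68.88.10:51000->10.68.82.20:443) tun_id=0.0.0.0 from port16. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=init_ip_session_common line=6073 msg="allocate a new session-00001a2d"
id=20085 trace_id=3 func=fw_forward_handler line=0776 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.68.88.10:51001->10.68.82.20:443) tun_id=0.0.0.0 from port16. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=4 func=fw_forward_handler line=0786 msg="Allowed by Policy-5:"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PKT_RE = re.compile(r'\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).* from (\S+)\.')

# Substrings of msg that decide the fate of the packet, and the label reported for each.
VERDICTS = [
    ("reverse path check fail", "dropped (rpf)"),
    ("iprope_in_check() check failed", "dropped (local-in policy)"),
    ("Denied by forward policy check", "dropped (forward policy)"),
    ("Allowed by Policy-", "allowed (forward policy)"),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key="quoted value"' line into a dict.

    The quoted msg is consumed as a single token, so key=value fragments inside it
    (tun_id=..., id=..., seq=...) do not leak into the top-level fields.
    """
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(text: str) -> Dict[str, Dict[str, str]]:
    """Group lines by trace_id; record the packet header and the last decisive msg."""
    traces: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        f = parse_line(raw)
        if "trace_id" not in f:
            continue
        t = traces.setdefault(f["trace_id"], {"verdict": "no verdict recorded"})
        msg = f.get("msg", "")
        pkt = PKT_RE.search(msg)
        if pkt:
            t.update(proto=pkt.group(1), src=pkt.group(2), dst=pkt.group(3), ingress=pkt.group(4))
        for needle, label in VERDICTS:
            if needle in msg:
                t["verdict"] = label
    return traces


if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(f"trace {tid}: proto={t.get('proto')} {t.get('src')} -> {t.get('dst')} "
              f"in {t.get('ingress')}: {t['verdict']}")
```

Trace 1 is the case in this thread: a ping from 10.68.82.67 entering port16 and dying at the reverse path check before any policy is consulted, which is why adding firewall policies alone would not help. Trace 2 shows the other cause of a failed ping to the interface address, a local-in denial (ping not enabled in the interface's allowaccess), and traces 3 and 4 show a forwarded packet denied and allowed by policy, so the reader can tell the three failure modes apart by their msg wording.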
ede_pfau
SuperUser

If the other networks are defined on other local ports of the same FortiGate, then routes are in place automatically. If not, you need to set up static routes.

Apart from that, if you want to reach one network from one other, you need a policy to allow this. I guess there are no policies in place between the interfaces you mention.


Ede


"Kernel panic: Aiee, killing interrupt handler!"
gossi123
New Contributor II

Hello! It sounds like you're having some issues with your FortiGate 101E and port 16. It's great that you're looking to authorize port 16 to accept requests from other networks. To do this, you'll need to configure the firewall rules on your FortiGate to allow incoming traffic on port 16 from the other networks.

One way to do this is by creating a new firewall policy that allows incoming traffic on port 16 from the IP addresses of the other networks. You can do this by navigating to the Firewall > Policy section of the FortiOS web interface, clicking on the "Create New Policy" button, selecting "IPv4" as the protocol, setting the source address to the IP addresses of the other networks, setting the destination port to 16, and enabling the policy.

Another option is to create a custom service definition for port 16 that allows incoming traffic from the other networks. You can do this by navigating to the Firewall > Service Definition section of the FortiOS web interface, clicking on the "Create New Service Definition" button, selecting "Custom" as the type, entering a name for the service definition (e.g., "Port 16"), setting the protocol to TCP, setting the source port to 16, setting the destination port to 16, and enabling the service definition.

Once you've created either the firewall policy or custom service definition, you should be able to access port 16 from the other networks. It's important to note that you may also need to configure additional firewall rules or service definitions to ensure that only authorized traffic is allowed through port 16.

I hope this helps! Let me know if you have any questions or need further assistance. And remember, when it comes to networking, it's always a good idea to double-check your configurations and use a rangefinder to ensure that everything is set up properly. Good luck!

mle2802
Staff

Hi there,

The source IP of the ping is outside the range of the interface IP. Can you please verify the routing by using the command "get router info routing-table details 10.68.82.67"? If there is no route to this network via port16, the FGT will drop the traffic due to RPF. Please refer to this document for more information: "https://community.fortinet.com/t5/FortiGate/Technical-Note-Details-about-FortiOS-RPF-Reverse-Path-Fo...

Regards,
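Debbie_FTNT's and mle2802's replies both come down to the same check: a packet from 10.68.82.67 arriving on port16 is only accepted if the routing table has a route back to 10.68.82.0/24 that points out of port16. The following is an added example, not from the thread or from Fortinet, that models that reverse path forwarding check in Python and runs it against the thread's addresses. The routing table is assumed: port16 is 10.68.88.254/24 (connected), everything else initially leaves via a default route on an interface I have named wan1, and port1 in the last case is likewise made up. The three modes follow FortiOS terminology as I understand it: `asymroute` (skip the check entirely), loose (some route to the source exists via the ingress interface) and strict (the best route to the source is via the ingress interface).

```python
"""Toy model of the reverse path forwarding (RPF) check applied to the thread's scenario."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    distance: int = 10  # administrative distance; lower wins between equal prefixes


def route(prefix: str, interface: str, distance: int = 10) -> Route:
    return Route(ipaddress.ip_network(prefix), interface, distance)


def matching_routes(table: List[Route], ip: str) -> List[Route]:
    """All routes covering ip, best first (longest prefix, then lowest distance)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in table if addr in r.prefix]
    return sorted(hits, key=lambda r: (-r.prefix.prefixlen, r.distance))


def rpf_allows(table: List[Route], src_ip: str, ingress: str,
               mode: str = "loose", asymroute: bool = False) -> bool:
    """Return True if a packet from src_ip arriving on `ingress` survives the RPF check.

    asymroute=True models asymmetric routing being enabled (RPF skipped entirely).
    mode="loose": some route to the source must point out of the ingress interface.
    mode="strict": the *best* route to the source must point out of the ingress interface.
    """
    if asymroute:
        return True
    hits = matching_routes(table, src_ip)
    if not hits:
        return False
    if mode == "strict":
        return hits[0].interface == ingress
    if mode != "loose":
        raise ValueError(f"unknown RPF mode {mode!r}")
    return any(r.interface == ingress for r in hits)


# Assumed routing table: port16 is 10.68.88.254/24 (connected); everything else goes
# out a default route on an interface named wan1 (interface names other than port16 are made up).
BASE_TABLE = [
    route("10.68.88.0/24", "port16", 0),
    route("0.0.0.0/0", "wan1", 10),
]


def thread_scenario() -> Dict[str, bool]:
    """Ping from 10.68.82.67 arriving on port16, under several routing configurations."""
    src, ingress = "10.68.82.67", "port16"
    with_static = BASE_TABLE + [route("10.68.82.0/24", "port16")]
    # A more specific route to part of the source network via another interface:
    # loose and strict RPF disagree on this one.
    split = with_static + [route("10.68.82.0/25", "port1")]
    return {
        "no_route_via_port16": rpf_allows(BASE_TABLE, src, ingress),
        "static_route_added": rpf_allows(with_static, src, ingress),
        "asymroute_enabled": rpf_allows(BASE_TABLE, src, ingress, asymroute=True),
        "loose_more_specific_elsewhere": rpf_allows(split, src, ingress, "loose"),
        "strict_more_specific_elsewhere": rpf_allows(split, src, ingress, "strict"),
    }


if __name__ == "__main__":
    for name, ok in thread_scenario().items():
        print(f"{name:32s} {'pass' if ok else 'DROP (reverse path check fail)'}")
```

The first case is the thread as posted: with no route to 10.68.82.0/24 via port16, the ping is dropped before any firewall policy is evaluated, which is why adding policies alone does not fix it. Adding the static route (the fix both staff replies point at) makes it pass; enabling asymmetric routing also makes it pass, but it switches the check off for every interface, so it hides spoofed-source traffic and should not be the first resort. The last pair shows why the mode matters once the topology has overlapping prefixes: loose RPF accepts the packet as long as some route points back out of port16, strict RPF insists on the best one.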
