Skip to main content

Fortigate guide for Beginner - 5

By
It is not the end after only you can do installation , setup and configure the Fortigate unit as you wish.
Troubleshooting is also essential task you will need to perform one day.
So, let's assume you was configured Fortigate unit as NAT/Route mode to operate for your network.
But the the Internet access was unable to connect from your network and need to find out what is it caused.
How to troubleshoot???

Use the following steps to find and fix the problem.1) Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISP’s
equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network
interfaces (System > Dashboard > Status).



2) Check the ISP-supplied equipment such as Modem/Router to make sure it is operating correctly.
3) Verify that you can connect to the internal IP address of the FortiGate unit. (For exampe: ping test to Fortigate)
4) Check the configuration of the FortiGate interface connected to the Internal network.
5) Check the configuration of the FortiGate interface that connects to the Internet to make sure it includes the proper addressing mode such as Static IP Address mode or DHCP IP Address mode.
    And also check each Address mode was configured proper IP address or netmask.
6) To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name
    on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.

Connected

FW_TEST # execute ping google.com

PING google.com (173.194.38.160): 56 data bytes

64 bytes from 173.194.38.160: icmp_seq=0 ttl=54 time=2.8 ms

64 bytes from 173.194.38.160: icmp_seq=1 ttl=54 time=2.7 ms

64 bytes from 173.194.38.160: icmp_seq=2 ttl=54 time=2.7 ms

64 bytes from 173.194.38.160: icmp_seq=3 ttl=54 time=2.6 ms

64 bytes from 173.194.38.160: icmp_seq=4 ttl=54 time=2.6 ms


--- google.com ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 2.6/2.6/2.8 ms

Connected

FW_TEST # execute traceroute google.com

traceroute to google.com (173.194.38.160), 32 hops max, 72 byte packets

 1  58.185.137.217  0 ms  0 ms  0 ms

 2  58.185.243.245  0 ms  0 ms  0 ms

 3  165.21.255.37  1 ms  1 ms  1 ms

 4  165.21.12.68  1 ms  1 ms  1 ms

 5  203.208.192.105  1 ms  1 ms  1 ms

 6  72.14.215.214  1 ms  5 ms  1 ms

 7  66.249.95.122  2 ms  2 ms  2 ms

 8  72.14.233.105  3 ms  2 ms  2 ms

 9  173.194.38.160   2 ms  2 ms  2 ms

7) Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the
    name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example:
 
    ping www.google.com
    ping: cannot resolve www.google.com: Unknown host

8) Verify the security policy configuration.
    Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic.
    Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address is selected:



9) Verify the static routing configuration.
    Go to Router > Static > Static Route and verify that the default route is correct. Go to Router > Monitor > Router Monitor and take a look at the routing monitor and verify that
    the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface.
  
10) Disable web filtering.
      If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. This can happen for a number of reasons.
      A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced
      Filter and enable the Allow Websites When a Rating Error Occurs option.
    

That's all. I hope you will be able to troubleshoot your Fortigate unit with above steps.

May you all happy.
(Be knowledgeable, pass it on then)
Labels:

Comments

Post a Comment

Popular posts from this blog

Fortigate guide for Begineer - 6

By
I would like to explaine how to troubleshoot the Fortigate Unit configured by Transparent Mode in step by step this time. Let's assume, you have one Fortigate Unit that configured as Transparent Mode. But devices from Internal/Private Network unable to access Internet/Public Network through your Fortigate Unit. OK. Let's troubleshoot with following steps, 1) Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. 2) Check the router and ISP-supplied equipment to make sure it is operating correctly. 3) Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on a
Post a Comment
Read more

Why do we need network virtualization?

By
We need to think about Server Virtualization first if we want to talk about Network Virtualization. In the era of cloud computing, servers are virtualized and used in Data Centers. We are facing a lot of problem when we virtualized our Servers, 1) Routing and Switching Problem Routing become the issue when we create Virtual Switch and VLANs according to production requirement. Network Team might need some time to change on their end to meet with Server Virtualization Team changes on their end. ၂) Firewall Services Physical Firewall are difficult to manage due to the large number of rules needed to satisfy business requirements. New applications, new projects, and new networks all come with potential security requirements, which impact centralized firewall management. ၃) Load Balancing Let's say your company deploys a new physical load balancer for each tenant, resulting in increased capital expenditures. Once a tenant reaches their maximum capacity, it ca
146 comments
Read more

Solving "WSUS administration console was unable to connect to the WSUS Server via the remote API" error

By
Today, I've got below when I try to connect my WSUS Server via WSUS Console. Below logs are display in Event Logs too. The WSUS administration console was unable to connect to the WSUS Server via the remote API.  Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service. The WSUS administration console was unable to connect to the WSUS Server via the remote API. Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service. System.Net.Sockets.SocketException -- No connection could be made because the target machine actively refused it 172.16.99.98:80 Source System Stack Trace:    at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)    at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, S
7 comments
Read more