Skip to main content

Fortigate guide for Beginner - 5

It is not the end after only you can do installation , setup and configure the Fortigate unit as you wish.
Troubleshooting is also essential task you will need to perform one day.
So, let's assume you was configured Fortigate unit as NAT/Route mode to operate for your network.
But the the Internet access was unable to connect from your network and need to find out what is it caused.
How to troubleshoot???

Use the following steps to find and fix the problem.1) Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISP’s
equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network
interfaces (System > Dashboard > Status).



2) Check the ISP-supplied equipment such as Modem/Router to make sure it is operating correctly.
3) Verify that you can connect to the internal IP address of the FortiGate unit. (For exampe: ping test to Fortigate)
4) Check the configuration of the FortiGate interface connected to the Internal network.
5) Check the configuration of the FortiGate interface that connects to the Internet to make sure it includes the proper addressing mode such as Static IP Address mode or DHCP IP Address mode.
    And also check each Address mode was configured proper IP address or netmask.
6) To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name
    on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet.

Connected

FW_TEST # execute ping google.com

PING google.com (173.194.38.160): 56 data bytes

64 bytes from 173.194.38.160: icmp_seq=0 ttl=54 time=2.8 ms

64 bytes from 173.194.38.160: icmp_seq=1 ttl=54 time=2.7 ms

64 bytes from 173.194.38.160: icmp_seq=2 ttl=54 time=2.7 ms

64 bytes from 173.194.38.160: icmp_seq=3 ttl=54 time=2.6 ms

64 bytes from 173.194.38.160: icmp_seq=4 ttl=54 time=2.6 ms


--- google.com ping statistics ---

5 packets transmitted, 5 packets received, 0% packet loss

round-trip min/avg/max = 2.6/2.6/2.8 ms

Connected

FW_TEST # execute traceroute google.com

traceroute to google.com (173.194.38.160), 32 hops max, 72 byte packets

 1  58.185.137.217  0 ms  0 ms  0 ms

 2  58.185.243.245  0 ms  0 ms  0 ms

 3  165.21.255.37  1 ms  1 ms  1 ms

 4  165.21.12.68  1 ms  1 ms  1 ms

 5  203.208.192.105  1 ms  1 ms  1 ms

 6  72.14.215.214  1 ms  5 ms  1 ms

 7  66.249.95.122  2 ms  2 ms  2 ms

 8  72.14.233.105  3 ms  2 ms  2 ms

 9  173.194.38.160   2 ms  2 ms  2 ms

7) Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the
    name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example:
 
    ping www.google.com
    ping: cannot resolve www.google.com: Unknown host

8) Verify the security policy configuration.
    Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic.
    Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address is selected:



9) Verify the static routing configuration.
    Go to Router > Static > Static Route and verify that the default route is correct. Go to Router > Monitor > Router Monitor and take a look at the routing monitor and verify that
    the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface.
  
10) Disable web filtering.
      If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. This can happen for a number of reasons.
      A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced
      Filter and enable the Allow Websites When a Rating Error Occurs option.
    

That's all. I hope you will be able to troubleshoot your Fortigate unit with above steps.

May you all happy.
(Be knowledgeable, pass it on then)

Comments

Popular posts from this blog

Fortigate guide for Begineer - 6

I would like to explaine how to troubleshoot the Fortigate Unit configured by Transparent Mode in step by step this time. Let's assume, you have one Fortigate Unit that configured as Transparent Mode. But devices from Internal/Private Network unable to access Internet/Public Network through your Fortigate Unit. OK. Let's troubleshoot with following steps, 1) Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. 2) Check the router and ISP-supplied equipment to make sure it is operating correctly. 3) Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on a...

Why do we need network virtualization?

We need to think about Server Virtualization first if we want to talk about Network Virtualization. In the era of cloud computing, servers are virtualized and used in Data Centers. We are facing a lot of problem when we virtualized our Servers, 1) Routing and Switching Problem Routing become the issue when we create Virtual Switch and VLANs according to production requirement. Network Team might need some time to change on their end to meet with Server Virtualization Team changes on their end. ၂) Firewall Services Physical Firewall are difficult to manage due to the large number of rules needed to satisfy business requirements. New applications, new projects, and new networks all come with potential security requirements, which impact centralized firewall management. ၃) Load Balancing Let's say your company deploys a new physical load balancer for each tenant, resulting in increased capital expenditures. Once a tenant reaches their maximum capacity, it ca...

Link Aggregating with Synology NAS and Cisco Switch

I’d like to share how to setup Link Aggregating between Synology NAS and Cisco Switch. I’ve got one Synology NAS with 4 Network Ports and I’m going to use 2 of them. Both Network Port to be as one Logical Link, Fault Tolerance and Load Balancing. To do that, I need to configure Link Aggregating on Synology NAS and EtherChannel with LACP on Cisco Switch. Below is brief steps to do to meet with my requirements. - Get connected Synology NAS and Cisco Switch as shown in picture. - Bonding two Network Ports of Synology NAS and assign IP Address - Configure EtherChannel with LACP in Cisco Switch and add two physical ports as Member. OK. Let’s begin from Synology NAS. - Login to the Synology and go to Control Panel>Network>Create>Create Bond - Select IEEE 802.3ad to get Fault Tolerance and Load Balancing Featureyou’re your switch not support 802.3ad you can only select Fault Tolerance only feature). After that click “Next”. - Choose the network port f...