Troubleshooting your installation – FortiOS 6.2

Troubleshooting your installation

If your FortiGate does not function as desired after installation, try the following troubleshooting tips:

  1. Check for equipment issues

Verify that all network equipment is powered on and operating as expected. Refer to the QuickStart Guide for information about connecting your FortiGate to the network; it also describes the FortiGate LED indicators in detail. The FortiGate has multiple LEDs on the faceplate; check whether any of them indicates a problem. For information on what the LEDs mean, see the LED specifications on page 43.

  2. Check the physical network connections

Check the cables used for all physical connections to ensure that they are fully seated and show no damage, and make sure that each cable connects to the correct device and to the correct Ethernet port on that device.

  3. Verify that you can connect to the internal IP address of the FortiGate

Connect to the GUI from the FortiGate's internal interface by browsing to its IP address. From the PC, try to ping the internal interface IP address; for example, ping 192.168.1.99. If you cannot reach the internal interface, verify the IP configuration of the PC. If you can ping the interface but cannot connect to the GUI, check the settings for administrative access on that interface. Alternatively, use SSH to connect to the CLI and confirm that HTTPS is enabled under Administrative Access for the interface.

  4. Check the FortiGate interface configurations

Check the configuration of the FortiGate interface connected to the internal network (under Network > Interfaces) and confirm that Addressing mode is set to the correct mode.

  5. Verify the security policy configuration

Go to Policy & Objects > IPv4 Policy and verify that the policy from the internal interface to the Internet-facing interface has been added and is located near the top of the policy list; policies are evaluated top-down and the first match wins, so a broader policy above it can shadow it. Check the Active Sessions column to ensure that traffic is being processed (if this column is not shown, right-click the table header and select Active Sessions). If you are using NAT mode, check the policy to make sure that NAT is enabled and that Use Outgoing Interface Address is selected.
  6. Verify the static routing configuration

Go to Network > Static Routes and verify that the default route is correct. Go to Monitor > Routing Monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see two routes shown as Connected, one for each connected FortiGate interface.

  7. Verify that you can connect to the Internet-facing interface's IP address

From a PC on the internal network, ping the IP address of the Internet-facing interface of your FortiGate. If you cannot reach the interface, the FortiGate is not allowing sessions from the internal interface to the Internet-facing interface. Verify that PING has been enabled for Administrative Access on the interface.
  8. Verify that you can connect to the gateway provided by your ISP

Ping the default gateway IP address from a PC on the internal network. If you cannot reach the gateway, contact your ISP to verify that you are using the correct gateway.

  9. Verify that you can communicate from the FortiGate to the Internet

Access the FortiGate CLI and use the command execute ping 8.8.8.8. You can also use the execute traceroute 8.8.8.8 command to troubleshoot connectivity to the Internet.

  10. Verify the DNS configurations of the FortiGate and the PCs

Check for DNS errors by pinging or using traceroute to connect to a domain name; for example: ping www.fortinet.com.

If the name cannot be resolved, the FortiGate or the PC cannot reach a DNS server. Confirm that the DNS server IP addresses are present and correct on both: on the FortiGate under Network > DNS, and in the PC's network settings.

  11. Confirm that the FortiGate can connect to the FortiGuard network

Once the FortiGate is on your network, confirm that it can reach the FortiGuard network. First, check the License Information widget to make sure that the status of all FortiGuard services matches the services that you have purchased. Then go to System > FortiGuard, scroll down to Filtering Services Availability and select Check Again. After a minute, the GUI should indicate a successful connection. Verify that your FortiGate can resolve and reach FortiGuard at service.fortiguard.net by pinging the domain name. If you can reach this host, verify the connection to the FortiGuard servers by running the command diagnose debug rating. This displays the list of FortiGuard rating servers the FortiGate can use, together with the following information for each:

  • Weight: based on the difference in time zone between the FortiGate and this server
  • RTT: round-trip time
  • Flags: D (IP returned from DNS), I (contract server contacted), T (being timed), F (failed)
  • TZ: server time zone
  • Curr Lost: current number of consecutive lost packets
  • Total Lost: total number of lost packets
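The server list printed by diagnose debug rating is easier to act on when reduced to a single verdict. The following Python script is an added example, not part of the original guide or of FortiOS: it parses the server list, treats a server as usable only when it carries the D flag, lacks the F flag and has no consecutive lost packets, and picks the lowest-weight, then lowest-RTT, usable server (an assumption about how the FortiGate ranks them). The sample output is constructed to follow the column layout of the command; the Packets and Updated Time columns and the exact spacing are assumptions about real output.

```python
"""Parse the server list of the FortiOS command ``diagnose debug rating``
and decide whether a FortiGuard rating server is reachable.
Added example; the sample below is constructed, not a real capture."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample. The columns follow the fields the guide lists
# (Weight, RTT, Flags, TZ, Curr Lost, Total Lost); Packets and Updated Time
# are assumed extra columns.
SAMPLE_OUTPUT = """\
Locale       : english

Service      : Web-filter
Status       : Enable
License      : Contract

Num outgoing requests : 0

-=- Server List (Mon Jun 24 17:21:44 2019) -=-

IP                Weight    RTT Flags    TZ    Packets  Curr Lost  Total Lost  Updated Time
192.0.2.10            0     36  DI       -8      12      0          0           Mon Jun 24 17:21:41 2019
192.0.2.11            0     41  D        -8      12      0          1           Mon Jun 24 17:21:41 2019
198.51.100.5         20    140  DF       -3      12      5          5           Mon Jun 24 17:21:41 2019
"""

# One table row; the Flags column may be empty, so it is [A-Z]* not [A-Z]+.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<weight>\d+)\s+(?P<rtt>\d+)"
    r"\s+(?P<flags>[A-Z]*)\s+(?P<tz>-?\d+)\s+(?P<packets>\d+)"
    r"\s+(?P<curr_lost>\d+)\s+(?P<total_lost>\d+)\s*(?P<updated>.*)$"
)


@dataclass
class RatingServer:
    ip: str
    weight: int
    rtt: int
    flags: str
    tz: int
    packets: int
    curr_lost: int
    total_lost: int
    updated: str

    @property
    def usable(self) -> bool:
        # D: address came back from DNS; F: marked failed; a run of
        # consecutive lost packets means probes are not being answered now.
        return "D" in self.flags and "F" not in self.flags and self.curr_lost == 0


def parse_rating_servers(text: str) -> list[RatingServer]:
    """Return the rows that follow the 'IP  Weight ...' header line."""
    servers: list[RatingServer] = []
    in_list = False
    for line in text.splitlines():
        if line.startswith("IP ") and "Weight" in line:
            in_list = True
            continue
        if not in_list:
            continue
        m = ROW_RE.match(line.strip())
        if m:
            servers.append(RatingServer(
                ip=m["ip"], weight=int(m["weight"]), rtt=int(m["rtt"]),
                flags=m["flags"], tz=int(m["tz"]), packets=int(m["packets"]),
                curr_lost=int(m["curr_lost"]), total_lost=int(m["total_lost"]),
                updated=m["updated"].strip(),
            ))
    return servers


def best_server(servers: list[RatingServer]) -> RatingServer | None:
    """Lowest weight, then lowest RTT, among usable servers (assumed ranking)."""
    usable = [s for s in servers if s.usable]
    return min(usable, key=lambda s: (s.weight, s.rtt), default=None)


def fortiguard_summary(text: str) -> dict:
    servers = parse_rating_servers(text)
    best = best_server(servers)
    return {
        "servers": len(servers),
        "usable": sum(s.usable for s in servers),
        "failed": [s.ip for s in servers if "F" in s.flags],
        "best": best.ip if best else None,
    }


if __name__ == "__main__":
    print(fortiguard_summary(SAMPLE_OUTPUT))
```

Paste the real command output in place of SAMPLE_OUTPUT; a summary with usable equal to 0 means the FortiGate resolved the server addresses but none answered its probes, which points at outbound filtering rather than DNS.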
  12. Consider changing the MAC address of your external interface

Some ISPs do not accept a change in the MAC address of the device attached to their network cable. If you have added a FortiGate to such a network, you may have to set the MAC address of the Internet-facing interface (typically to the address of the device it replaced) using the following CLI commands:

    config system interface
        edit <interface>
            set macaddr <xx:xx:xx:xx:xx:xx>
        next
    end

The factory address stays visible as Permanent_HWaddr in the output of get system interface physical, so it can be restored later.

  13. Check the FortiGate bridge table (transparent mode)

When a FortiGate is in transparent mode, the unit acts as a Layer 2 bridge between its interfaces, forwarding frames according to the MAC addresses it has learned on each interface. Each bridge listed is a link between interfaces, and where traffic is flowing between interfaces you expect to find the bridge and its learned addresses listed. If you are having connectivity issues and no bridges or no learned addresses are listed, that is a likely cause. Check for the MAC address of the interface or device in question; entries marked Local Static are the FortiGate's own interface addresses, all other entries were learned from traffic. To display the forwarding table of the root.b bridge (the bridge instance of the root VDOM), use the following CLI command:

    diagnose netlink brctl name host root.b
    show bridge control interface root.b host.
    fdb: size=2048, used=25, num=25, depth=1
    Bridge root.b host table
    port no  device  devname   mac addr           ttl  attributes
    3        4       wan1      00:09:0f:cb:c2:77  88
    3        4       wan1      00:26:2d:24:b7:d3  0
    3        4       wan1      00:13:72:38:72:21  98
    4        3       internal  00:1a:a0:2f:bc:c6  6
    1        6       dmz       00:09:0f:dc:90:69  0    Local Static
    3        4       wan1      c4:2c:03:0d:3a:38  81
    3        4       wan1      00:09:0f:15:05:46  89
    3        4       wan1      c4:2c:03:1d:1b:10  0
    2        5       wan2      00:09:0f:dc:90:68  0    Local Static
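Reading the table by eye is fine for nine entries but not for a busy bridge. The following Python script is an added example, not part of the original guide or of FortiOS: it parses the table above, separates the FortiGate's own Local Static addresses from learned ones, reports which interfaces are actually learning, and looks up a MAC address written in any common notation. The embedded sample reuses the table's values; lines before the column header are skipped, so output pasted together with the command line is accepted.

```python
"""Parse the bridge forwarding table printed by the FortiOS command
``diagnose netlink brctl name host root.b`` in transparent mode.
Added example; the sample reproduces the guide's table values."""
from __future__ import annotations
import re

# Sample output laid out as in the guide: port no, device, devname,
# mac addr, ttl, attributes.
SAMPLE_OUTPUT = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no device devname mac addr ttl attributes
3 4 wan1 00:09:0f:cb:c2:77 88
3 4 wan1 00:26:2d:24:b7:d3 0
3 4 wan1 00:13:72:38:72:21 98
4 3 internal 00:1a:a0:2f:bc:c6 6
1 6 dmz 00:09:0f:dc:90:69 0 Local Static
3 4 wan1 c4:2c:03:0d:3a:38 81
3 4 wan1 00:09:0f:15:05:46 89
3 4 wan1 c4:2c:03:1d:1b:10 0
2 5 wan2 00:09:0f:dc:90:68 0 Local Static
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept 00-09-0F-CB-C2-77, 0009.0fcb.c277 or 00:09:0f:cb:c2:77."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bridge_table(text: str) -> list[dict]:
    """Return one dict per row after the 'port no ...' header line."""
    entries: list[dict] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("port no"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 5 or not MAC_RE.match(fields[3].lower()):
            continue  # not a table row (e.g. a trailing prompt)
        entries.append({
            "port": int(fields[0]),
            "device": int(fields[1]),
            "devname": fields[2],
            "mac": fields[3].lower(),
            "ttl": int(fields[4]),
            "attributes": fields[5:],
            # 'Local Static' marks the FortiGate's own interface addresses;
            # every other entry was learned from forwarded traffic.
            "local": "Local" in fields[5:],
        })
    return entries


def learned_entries(entries: list[dict]) -> list[dict]:
    return [e for e in entries if not e["local"]]


def interfaces_seen(entries: list[dict]) -> list[str]:
    """Interfaces on which at least one address has been learned."""
    return sorted({e["devname"] for e in learned_entries(entries)})


def find_mac(entries: list[dict], mac: str) -> dict | None:
    wanted = normalize_mac(mac)
    return next((e for e in entries if e["mac"] == wanted), None)


def diagnose(text: str) -> dict:
    entries = parse_bridge_table(text)
    learned = learned_entries(entries)
    return {
        "entries": len(entries),
        "learned": len(learned),
        "interfaces_learning": interfaces_seen(entries),
        "local_interfaces": sorted(e["devname"] for e in entries if e["local"]),
        # No learned addresses at all is the symptom the guide describes:
        # nothing is being bridged.
        "bridging": bool(learned),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT))
    print(find_mac(parse_bridge_table(SAMPLE_OUTPUT), "00-1A-A0-2F-BC-C6"))
```

A host that is present in the table but on the wrong devname is usually cabled to the wrong port; a host absent from the table has not sent a single frame through the FortiGate, so look at the host side before the policy.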

  14. Use FortiExplorer if you can't connect to the FortiGate over Ethernet

If you can't connect to the FortiGate GUI or CLI over the network, you may be able to connect using FortiExplorer. Refer to the QuickStart Guide or see the section on FortiExplorer for more details.

  15. Either reset the FortiGate to factory defaults or contact Fortinet Support for assistance

To reset the FortiGate to factory defaults, use the CLI command execute factoryreset. When prompted, type y to confirm the reset. A factory reset erases the entire configuration, so take a backup first if you may need to restore any part of it.

If you require further assistance, visit the Fortinet Support website.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
