Thursday, August 7, 2014

fortigate connectivity diagnostic steps

A doctor who looks at a patient has to perform some diagnostics and probably in a certain order.

The same applies to a FortiGate firewall. Here are a few tips on that order:

1: Validate the routing table

Yes, it sounds stupid, but a lot of people fail to do just this. You can use either of the following:

ping (not ideal, since pings could be blocked)
traceroute (better, but any hop on the path could fail to respond)

NOTE: This also validates that the interfaces and next-hop gateways are up.

2: Run a packet sniffer (diag sniffer packet)

Simply put: do you see traffic matching the two objects (SRC and DST address)? You can do this from the command line on most FortiGates and, depending on the OS version, from the WebGUI.

3: diag debug flow

You almost always want to run a simple diagnostic debug flow. This validates the firewall policy and shows which policy ID the traffic matches; reference one of my earlier posts.

The above 3 tips will save a lot of time and provide a quicker resolution, imho.
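To make the three checks above repeatable, here is an added example in Python (mine, not Fortinet's and not from this post) that parses output pasted from the FortiGate CLI: it does the longest-prefix lookup against the routing table (step 1), counts packets each way between the SRC and DST objects in sniffer output (step 2), and pulls the chosen route and the policy verdict per trace_id from debug flow output (step 3). The sample outputs, addresses, interface names and policy IDs are constructed to approximate the CLI formats; the exact wording and column layout vary by FortiOS version, so treat the regexes as a starting point to adjust against what your firmware prints.

```python
"""Added example (not FortiOS code, not from the post): parse pasted output of
the three CLI checks. Sample outputs are constructed; adjust regexes per firmware."""
import ipaddress
import re

# --- 1: 'get router info routing-table all' (constructed sample) -----------
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C       10.10.0.0/24 is directly connected, port2
S       10.20.0.0/16 [10/0] via 10.10.0.254, port2
C       192.168.1.0/24 is directly connected, port1
"""

def parse_routes(text):
    """Yield (network, gateway or None, interface) for each route line."""
    for line in text.splitlines():
        tokens = line.split()
        try:
            net = ipaddress.ip_network(tokens[1], strict=False)
        except (IndexError, ValueError):  # blank, header and legend lines
            continue
        gw = tokens[tokens.index("via") + 1].rstrip(",") if "via" in tokens else None
        yield net, gw, tokens[-1]

def lookup_route(text, dst):
    """Longest-prefix match: the same choice the firewall makes for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, intf in parse_routes(text):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, intf)
    return best  # None: no route at all, nothing further to diagnose yet

# --- 2: 'diag sniffer packet any "host 198.51.100.20" 4' (constructed) ------
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[host 198.51.100.20]
2.104611 port2 in 10.10.0.7.51000 -> 198.51.100.20.443: syn 3291185233
2.104650 wan1 out 203.0.113.2.51000 -> 198.51.100.20.443: syn 3291185233
2.131940 port2 out 198.51.100.20.443 -> 10.10.0.7.51000: syn 2098461113 ack 3291185234
2.132410 port2 in 10.10.0.7.51000 -> 198.51.100.20.443: ack 2098461114
"""
SNIFFER_RE = re.compile(
    r"^\d+\.\d+\s+(?P<intf>\S+)\s+(?:in|out)\s+(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
    r"\s+->\s+(?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")  # port suffix absent for ICMP

def sniffer_summary(text, src, dst):
    """Count packets each way between the two address objects, per interface."""
    summary = {"forward": 0, "reverse": 0, "interfaces": set()}
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        # Post-NAT copies on the egress side carry the translated source, so
        # they are intentionally not attributed to the original SRC object.
        if (m["sip"], m["dip"]) == (src, dst):
            summary["forward"] += 1
        elif (m["sip"], m["dip"]) == (dst, src):
            summary["reverse"] += 1
        else:
            continue
        summary["interfaces"].add(m["intf"])
    return summary

# --- 3: 'diag debug flow' (constructed, approximating FortiOS 5.x wording) ---
DEBUG_FLOW_OUTPUT = """\
id=20085 trace_id=7 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=6, 10.10.0.7:51000->198.51.100.20:443) from port2. flag [S], seq 3291185233, ack 0, win 64240"
id=20085 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: gw-203.0.113.1 via wan1"
id=20085 trace_id=7 func=fw_forward_handler line=660 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=8 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=6, 10.10.0.9:40100->198.51.100.20:22) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=8 func=fw_forward_handler line=660 msg="Denied by forward policy check (policy 0)"
"""
FLOW_RE = re.compile(r'trace_id=(?P<tid>\d+).*?msg="(?P<msg>[^"]*)"')
VERDICT_RE = re.compile(r"Allowed by Policy-(?P<allow>\d+)"
                        r"|Denied by forward policy check \(policy (?P<deny>\d+)\)")

def debug_flow_verdicts(text):
    """Per trace_id: the route chosen and the policy ID that allowed or denied."""
    traces = {}
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["tid"], {"route": None, "policy": None, "allowed": None})
        if m["msg"].startswith("find a route:"):
            t["route"] = m["msg"].split(":", 1)[1].strip()
        v = VERDICT_RE.search(m["msg"])
        if v:
            t["allowed"] = v["allow"] is not None
            t["policy"] = int(v["allow"] or v["deny"])
    return traces

if __name__ == "__main__":
    print(lookup_route(ROUTING_TABLE, "198.51.100.20"))
    print(sniffer_summary(SNIFFER_OUTPUT, "10.10.0.7", "198.51.100.20"))
    print(debug_flow_verdicts(DEBUG_FLOW_OUTPUT))
```

Run it as-is to see the three results on the constructed samples, or paste real CLI output into the three string constants. Reading the results the way the post orders them: no route means stop and fix routing first; forward packets with no reverse packets on the ingress interface point at the return path rather than at this box; and a debug flow verdict against policy 0 means no configured policy matched the session at all.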

 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( !   ! )=
      /  \
