Thursday, August 7, 2014

FortiGate connectivity diagnostic steps

A doctor examining a patient has to run some diagnostics, and usually in a certain order.

The same applies to a FortiGate firewall. Here are a few tips on that order:


1: Validate the routing table

Yes, it sounds stupid, but a lot of people fail to do just this. You can use any of the following:

ping (not ideal, since the echo requests could be blocked)
traceroute (better, but any hop on the path could fail to respond)

NOTE: This also validates that the interfaces and next-hop gateways are up.

2: Run the packet sniffer (diag sniffer packet)

Simply put: do you see traffic matching the two objects (SRC and DST address)? You can do this from the command line on most FortiGates and, depending on the OS version, from the web GUI.
 
3: diag debug flow

Almost always you want to run a simple diagnostic debug flow. This validates the firewall policy and shows which policy ID the traffic matched. See one of my earlier posts: http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html

The above three tips will save a lot of time and lead to a quicker resolution, imho.
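The three steps above, worked through as an added example that is not part of the original post: a Python script that parses constructed CLI output in the shape of `get router info routing-table all`, `diag sniffer packet ... 4` and `diag debug flow`, and answers the three questions in order (is there a route to DST, is traffic between SRC and DST seen in both directions, and which policy ID did the session match). The output formats are approximated from memory and all addresses, interface names, trace IDs and policy IDs are made up; real output varies by FortiOS version, so treat the regexes as a starting point.

```python
"""Added example, not from the post: parse constructed FortiGate CLI output for the
three diagnostic steps. The samples approximate the shape of `get router info
routing-table all`, `diagnose sniffer packet ... 4` and `diagnose debug flow`;
addresses, ports, interface names and policy IDs are made up for illustration."""
import ipaddress
import re
from collections import defaultdict

# Step 1: constructed routing table lines (default route plus two connected networks).
ROUTE_TABLE = """\
S*      0.0.0.0/0 [10/0] via 198.51.100.1, port1
C       10.1.1.0/24 is directly connected, port2
C       198.51.100.0/24 is directly connected, port1
"""
# Step 2: constructed sniffer lines for filter 'host 203.0.113.5' at verbosity 4.
SNIFFER = """\
interfaces=[any]
filters=[host 203.0.113.5]
1.204311 port2 in 10.1.1.10.51234 -> 203.0.113.5.443: syn 1884512
1.204402 port1 out 198.51.100.2.51234 -> 203.0.113.5.443: syn 1884512
1.221875 port1 in 203.0.113.5.443 -> 198.51.100.2.51234: syn 99 ack 1884513
1.221930 port2 out 203.0.113.5.443 -> 10.1.1.10.51234: syn 99 ack 1884513
"""
# Step 3: constructed debug flow traces, one allowed and one hitting the implicit deny (policy 0).
DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=4470 msg="vd-root received a packet(proto=6, 10.1.1.10:51234->203.0.113.5:443) from port2. flag [S], seq 1884512, ack 0, win 8192"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-198.51.100.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=4470 msg="vd-root received a packet(proto=6, 10.1.1.20:40022->203.0.113.5:22) from port2. flag [S], seq 77, ack 0, win 8192"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: gw-198.51.100.1 via port1"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=322 msg="Denied by forward policy check (policy 0)"
"""

ROUTE_RE = re.compile(r"^\S+\s+(?P<prefix>[\d.]+/\d+)\s+(?:\[[\d/]+\]\s+via\s+(?P<gw>[\d.]+)|is directly connected),\s+(?P<iface>\S+)")
SNIFF_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):")

def lookup_route(table, dst):
    """Step 1: longest-prefix match for dst; returns (prefix, gateway, interface) or None.
    A directly connected route has gateway None."""
    ip, best = ipaddress.ip_address(dst), None
    for line in table.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, m["gw"], m["iface"])
    return best and (str(best[0]), best[1], best[2])

def sniffer_verdict(capture, src, dst):
    """Step 2: do we see src->dst and dst->src? Only the un-translated pair is counted,
    so a post-NAT copy on the egress interface carrying a different source is ignored."""
    fwd = rev = 0
    seen = set()
    for line in capture.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        if (m["src"], m["dst"]) == (src, dst):
            fwd += 1
            seen.add((m["iface"], m["dir"]))
        elif (m["src"], m["dst"]) == (dst, src):
            rev += 1
            seen.add((m["iface"], m["dir"]))
    # one-way: packets leave but nothing returns (suspect the return path); none: never reaches the box
    status = "bidirectional" if fwd and rev else "one-way" if fwd else "none"
    return {"forward": fwd, "reverse": rev, "interfaces": sorted(seen), "status": status}

MSG_RE = re.compile(r'trace_id=(?P<tid>\d+).*?msg="(?P<msg>[^"]*)"')
RECV_RE = re.compile(r"received a packet\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.")
ROUTE_MSG_RE = re.compile(r"find a route: gw-(?P<gw>[\d.]+) via (?P<iface>\S+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(?P<pid>\d+)")
DENY_RE = re.compile(r"Denied by (?P<reason>.*?)(?: \(policy (?P<pid>\d+)\))?$")

def parse_debug_flow(trace):
    """Step 3: group lines by trace_id and record ingress interface, chosen route and
    policy decision. Policy 0 in a deny message is the implicit deny: nothing matched."""
    traces = defaultdict(dict)
    for line in trace.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        t, msg = traces[int(m["tid"])], m["msg"]
        if r := RECV_RE.search(msg):
            t.update(src=r["src"], dst=r["dst"], dport=int(r["dport"]), ingress=r["iface"])
        elif r := ROUTE_MSG_RE.search(msg):
            t.update(gateway=r["gw"], egress=r["iface"])
        elif r := ALLOW_RE.search(msg):
            t.update(allowed=True, policy_id=int(r["pid"]))
        elif r := DENY_RE.search(msg):
            t.update(allowed=False, reason=r["reason"], policy_id=int(r["pid"]) if r["pid"] else None)
    return dict(traces)

if __name__ == "__main__":
    print("route to 203.0.113.5:", lookup_route(ROUTE_TABLE, "203.0.113.5"))
    print("sniffer:", sniffer_verdict(SNIFFER, "10.1.1.10", "203.0.113.5"))
    for tid, t in sorted(parse_debug_flow(DEBUG_FLOW).items()):
        print(f"trace {tid}:", t)
```

Run it as-is to see the three answers for the constructed session; to use it on a real box, paste the output of each command into the corresponding string. The sniffer check deliberately counts only the un-translated address pair, which is why the two port1 lines (source NATed to 198.51.100.2) are not counted: if you only ever see the forward direction, suspect the return route on the far side before touching the policy.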


 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( !   ! )=
       o 
      /  \
