Friday, February 13, 2015

Problems with ping/ssh allowaccess secondary-ip fortigate

I was doing some investigations with a FGT110C into why allowaccess on a secondary IP is broken. The device is out of contract and runs the 4.3.18 build. Check this out:

Port2 is configured with a secondary address only:

FGT110C # show sys interface port2
config system interface
    edit "port2"
        set vdom "root"
        set type physical
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip
                    set allowaccess ping ssh

We can ping out of this interface with no problems.

But inbound pings or ssh access to that address are broken. Take a look at this diagnostic flow for icmp and ssh:

FGT110C # get sys status | grep Vers
Version: Fortigate-110C v4.0,build0689,140731 (MR3 Patch 18)
Release Version Information: MR3 Patch 18

So I tried the same setup under FortiOS 5.2.2 running on a FGT60D:

Interesting, so it seems to be a problem in 4.3.18.
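An added example, not code from the post or from Fortinet: a small Python parser for FortiOS `show system interface` output that lists every secondary IP carrying an allowaccess setting, which is exactly the configuration shown failing above. A defender auditing a 4.3.x unit can run it over a saved `show` and then verify inbound reachability for each address listed. The addresses and the extra port1 entry in the sample are constructed (RFC 5737 ranges), since the post's own output elides the IP.

```python
# Constructed FortiOS CLI sample (not the author's output): the post's port2
# configuration with a made-up address filled in, plus a port1 with primary-IP
# allowaccess so the audit has something to skip.
SAMPLE = """\
config system interface
    edit "port1"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "root"
        set type physical
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 198.51.100.10 255.255.255.0
                    set allowaccess ping ssh
                next
            end
    next
end
"""

def parse_fortios(text):
    """Turn nested 'config / edit / set / next / end' blocks into a dict tree.
    'config X' and 'edit N' open a child dict; 'set K V...' stores the value
    tokens; 'next' and 'end' close the current block."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "edit":
            stack.append(stack[-1].setdefault(tok[1].strip('"'), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def secondary_allowaccess(text):
    """Return (interface, secondary index, ip/mask, services) for each secondary
    IP whose allowaccess is non-empty: the addresses to test inbound on 4.3.x."""
    findings = []
    ifaces = parse_fortios(text).get("system interface", {})
    for name, iface in ifaces.items():
        if iface.get("secondary-IP") != ["enable"]:
            continue  # no secondary IPs on this interface
        for idx, sec in iface.get("secondaryip", {}).items():
            access = sec.get("allowaccess", [])
            if access:
                findings.append((name, idx, " ".join(sec.get("ip", [])), access))
    return findings

if __name__ == "__main__":
    for finding in secondary_allowaccess(SAMPLE):
        print("secondary IP with allowaccess:", finding)
```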

Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  $  #  )=
       /  \

