A doctor who looks at a patient has to perform some diagnostics, and probably in a certain order.
The same applies to a FortiGate firewall. Here are a few tips on that order:
1: Validate the Routing table
Yes, it sounds stupid, but a lot of people fail to do just this. You can use any of the following:
ping (not ideal, since it could be blocked)
traceroute (more ideal, but any hop along the trace could fail to respond)
NOTE: This also validates that the interfaces and next-hop gateways are up.
2: Conduct a packet sniffer ( diag sniffer packet )
Simply: do you see traffic matching the two objects (SRC & DST address)? You can do this from the command line on most FortiGates and, depending on OS version, from the WebGUI.
3: diag debug flow
Almost always you want to conduct a simple diagnostic debug flow. This will validate the fwpolicy and the traffic matching the policy ID.
Reference one of my earlier posts: http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html
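The flow output from step 3 is easier to act on once it is reduced to the few fields that matter. As an added example (not from the original post or from Fortinet), this Python script groups lines written in the style of FortiOS debug flow output by trace_id and reports the 5-tuple, ingress and egress interface, and the policy verdict with its policy ID; the sample lines and the exact message formats are constructed assumptions, not captured from a device.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of FortiOS "diag debug flow" output
# (assumed format, not captured from a real device). Two traces: one session
# allowed by policy 3, one hitting the implicit deny (policy 0).
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.0.5:51234->192.168.1.10:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.1.10 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.0.9:40000->172.16.5.7:22) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-172.16.5.1 via port3"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\w+)\.")
ROUTE_RE = re.compile(r"find a route: .* via (\w+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_debug_flow(text):
    """Group flow lines by trace_id and pull out what the troubleshooter needs:
    the 5-tuple, ingress interface, route lookup result, verdict and policy ID.
    A trace with no route line or no verdict line is reported as such."""
    traces = defaultdict(lambda: {"egress": None, "verdict": "no verdict seen", "policy_id": None})
    for line in text.splitlines():
        tm = TRACE_RE.search(line)
        if not tm:
            continue  # not a flow line (e.g. the echoed command itself)
        t = traces[int(tm.group(1))]
        if m := PKT_RE.search(line):
            t.update(proto=int(m.group(1)), src=f"{m.group(2)}:{m.group(3)}",
                     dst=f"{m.group(4)}:{m.group(5)}", ingress=m.group(6))
        elif m := ROUTE_RE.search(line):
            t["egress"] = m.group(1)  # ties back to step 1: a route was found
        elif m := ALLOW_RE.search(line):
            t["verdict"], t["policy_id"] = "allowed", int(m.group(1))
        elif m := DENY_RE.search(line):
            t["verdict"], t["policy_id"] = "denied", int(m.group(1))
    return dict(traces)


if __name__ == "__main__":
    for tid, t in parse_debug_flow(SAMPLE_FLOW).items():
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')} in {t.get('ingress')} "
              f"out {t['egress']} : {t['verdict']} (policy {t['policy_id']})")
```

Policy 0 in a deny line is the implicit deny, which usually means no configured policy matched the source/destination pair you sniffed in step 2.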
The above 3 tips will save a lot of time and provide a quicker resolution, imho.
Ken Felix
Freelance Network & Security Engineer
kfelix -a--t- socpuppets ---d--o--t--- com