Fortigate Firewall – Unable to Ping Google-AWS Fortigate Firewall – SOLVED

awsfortigatefortinet

Followed this guide:

https://cookbook.fortinet.com/create-routing-table-associate-subnets/

I have EC2 windows instance, also have EC2 FortiGate-FortiGate VM64-AWSONDEMAND
. Fortigate has 2 NIC:
192.168.10.5 (external one)
192.168.30.0 (internal)

In VPC has 2 route tables:

Public and internal

Public route table:

destination:0.0.0.0

target: internet gateway

included subnet:192.168.10.0

Behind FortiGate firewall I have windows instance in 192.168.30.0/24 subnet

Private route table:

destination:0.0.0.0

target: "internal" FortiGate firewall interface

included subnet:192.168.30.0

For all devices on "internal" network default route will be the internal interface of Fortigate FW

Source/destination check disabled on an internal FortiGate interface

I created proxy policy and proxy rule, specified FortiGate internal IP address as a proxy in the browser. I can browse the internet from windows instance, unable to ping 8.8.8.8

I created IPV4 rule to allow all traffic from LAN (192.168.30.0) to any address

enter image description here

static route:

enter image description here

Problem:

If I remove proxy policy and proxy address from the browser I can't search the internet, unable to ping 8.8.8.8

I CAN ping FortiGate internal and external interfaces

but traffic won't pass outside windows machine (192.168.30.49)

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
  0  WIN-0675NFPK57B.eu-west-1.compute.internal [192.168.30.49]
  1     *        *        *
Computing statistics for 0 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           WIN-0675NFPK57B.eu-west-1.compute.internal [192.168.30.49]


PS C:\Users\Administrator> route print
===========================================================================
Interface List
 12...06 db ec 01 23 08 ......AWS PV Network Device #0
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.30.1    192.168.30.49     10

192.168.30.1 is AWS gateway

Best Answer

It was metric !, was same for fortigate and windows (10) as you can see from picture above, just reduced default metric in fortigate for static route and all started working

Related Topic