Friday, February 13, 2015

Problems with ping/ssh allowaccess secondary-ip fortigate

I was doing some investigation on a FGT110C into why allowaccess is broken. The device is out of contract and runs the 4.3.18 build. Check this out:

Port2 is configured with a secondary address only:

FGT110C # show sys interface port2
config system interface
    edit "port2"
        set vdom "root"
        set type physical
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 1.0.0.1 255.255.255.252
                    set allowaccess ping ssh
                next
            end
    next
end
We can ping out of this interface with no problems.
But inbound ping and ssh access are broken. Take a look at this diagnostic flow for icmp and ssh:
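For readers who want to reproduce the check, here is the FortiOS CLI session I would run against this box. This is an added example, not output or commands from the original post: the interface, the 1.0.0.1/30 address and the two services come from the config above, while the diagnose syntax is the standard FortiOS 4.x/5.x form and the neighbour address 1.0.0.2 is assumed. The point of pairing the sniffer with the debug flow is to separate "the packet never reached port2" from "the firewall received it and dropped it", which is the distinction that matters when allowaccess on a secondary IP misbehaves.

```text
# Added example: FortiOS diagnostic session for the secondary IP on port2.
# Interface, address and services are from the post; command syntax is the
# generic FortiOS 4.x/5.x diagnose syntax (assumed, not taken from the post).

# 1. Confirm the secondary address is really bound in the kernel
diagnose ip address list

# 2. Packet capture: do the echo requests and SSH SYNs arrive on port2 at all?
#    Verbosity 4 prints the ingress interface with each packet.
diagnose sniffer packet port2 'host 1.0.0.1' 4

# 3. Debug flow: what the firewall does with the packets once received
diagnose debug flow filter addr 1.0.0.1
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable

#    ... now generate traffic from the assumed neighbour 1.0.0.2/30:
#        ping 1.0.0.1
#        ssh admin@1.0.0.1

# 4. Stop and clear all debugging when done
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

If the sniffer shows the packets on port2 but the flow trace shows them dropped (or no session created) rather than handed to the local stack, the problem is in the box's own handling of allowaccess on the secondary IP and not in the path to it.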
FGT110C # get sys status | grep Vers
Version: Fortigate-110C v4.0,build0689,140731 (MR3 Patch 18)
Release Version Information: MR3 Patch 18
So I tried the same setup under FortiOS 5.2.2 running on a FGT60D:
Interesting, so it seems like a problem in 4.3.18.
Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  $  #  )=
        o 
       /  \