- Products
- Learn
- Local User Groups
- Partners
-
More
-------
17/2/2020
-------
Add screen capture on the below reply for further troubleshooting.
-------
16/2/2020
-------
HI all,
I just have a Checkpoint as bridge mode and have a scanning over the Trunk link.
Both Fortigate and H3C has a Trunk link up already before. Vlan 10 is tagged with untagged VLAN 1.
All my users are in Vlan 10.
They need to have both CP and FG scanning while visiting the internet.
Then we set up port 3 and 4 as br1 on the Check point.
FortiGate connects to p3 while h3c switch uplink to p4.
Both p3 and p4 are in the Internal zone with anti-spoofing disabled.
CP Firewall policy just has the clean up one with any to any accepted.
From the debug flow on FortiGate, I can not find the traffic to the internet, let says the dst. is "1.1.1.1"
Nevertheless, both 192.168.100.1 and 172.16.10.101 can ping mutually and have the debug log result from Fortigate.
I think this proves the CP policy working well?
Interestingly, both Firewall traffic Logging reveal the traffic is accepted if to the internet.
Only no outcome from the debug log result from Fortigate if the dst. is to internet or "1.1.1.1"
I swear to god that FortiGate original settings are good.
As we use it before and everything just normal.
Please someone helps.
Below is the lab topology after the deployment.
Screen for your referencing:
No output from fw ctl zdebug drop.
And Ping result if to 9.9.9.9:
Take a quick look at it:
I try to rebuild the Br1 into Port1 and 2, downgrade to R80.10 and replace the H3C to Cisco 2960 now.
Still no luck.
Per Val's comment, please double check the NAT options/settings on the Gateway object itself.
