Fortigate: Cannot Ping an Interface?

KB ID 0001718

Problem

With other firewall vendors (e.g. Cisco) you can ping any interface you are ‘directly connected to’. With Fortigate, however, you cannot (by default). That’s not the end of the world: you can check connectivity using ARP (see below), which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time), here’s how to do it.

Solution

Fundamentally, the reason you can’t ping a Fortigate interface is that ‘ping’ isn’t listed in the ‘allowaccess’ settings for that interface.

Let’s fix that;

[box]

config system interface
edit {port-name}
# 'set' replaces the whole list, so repeat the values already enabled on the port
set allowaccess {existing settings, i.e. https http etc.} ping
next
end

[/box]

Using ARP to check connectivity

A lot of people assume that if you can’t ping something, you are not connected to it. That’s not the case at all. If you ‘think’ something is on the same layer 2 network segment as you, and you can’t ping it, then look in the ARP cache on your machine (for Windows and Linux the command is arp -a).

Below: the ARP cache shows the MAC address for that IP address, even though the ping gets no response!

However, once ping is enabled, your ICMP responses will work fine.
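The ARP check above, as an added shell example (not part of this KB article): it pings the firewall interface once, then looks the address up in the local ARP cache so that a silent ICMP policy is not mistaken for a broken link. It goes a little beyond the article by parsing both the Linux/BSD and the Windows `arp -a` layouts; the ARP text embedded below is constructed sample output, and the MAC addresses in it are made up.

```shell
#!/bin/sh
# Constructed sample of Linux 'arp -a' output (not captured from a real host).
SAMPLE_ARP_LINUX='? (192.168.1.1) at 00:09:0f:09:00:01 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0'

# Constructed sample of Windows 'arp -a' output.
SAMPLE_ARP_WINDOWS='Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-09-0f-09-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static'

# arp_mac_for ARP_OUTPUT IP
# Prints the MAC address recorded for IP, or nothing if the cache has no
# usable entry. An "<incomplete>" Linux entry means the ARP request got no
# reply, so it is treated as "not learned".
arp_mac_for() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        # Linux/BSD layout: "? (192.168.1.1) at 00:09:0f:09:00:01 [ether] on eth0"
        $2 == "(" ip ")" && $3 == "at" {
            if ($4 != "<incomplete>") print tolower($4); exit }
        # Windows layout: "  192.168.1.1   00-09-0f-09-00-01   dynamic"
        $1 == ip && ($3 == "dynamic" || $3 == "static") {
            print tolower($2); exit }'
}

# check_l2 IP
# Reports ICMP reachability and, independently, whether the host answered
# ARP. Returns 0 when a MAC was learned (layer 2 adjacency confirmed),
# 1 otherwise. ping flags assume a Linux/BSD ping.
check_l2() {
    ip="$1"
    if ping -c 1 -W 1 "$ip" >/dev/null 2>&1; then
        echo "ICMP: $ip replied"
    else
        echo "ICMP: no reply from $ip (may just be blocked by allowaccess)"
    fi
    mac=$(arp_mac_for "$(arp -a 2>/dev/null)" "$ip")
    if [ -n "$mac" ]; then
        echo "ARP: $ip is at $mac - layer 2 connectivity confirmed"
        return 0
    fi
    echo "ARP: no entry for $ip - not reachable on this segment"
    return 1
}

# Usage: sh check_l2.sh 192.168.1.1
if [ -n "${1:-}" ]; then check_l2 "$1"; fi
```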

Related Articles, References, Credits, or External Links

NA