Fortigate: Cannot Ping an Interface?

KB ID 0001718

Problem

With other firewall vendors (i.e. Cisco) you can ping any interface you are ‘directly connected to‘. With Fortigate however you cannot (by default). That’s not the end of the world you can check connectivity using ARP (see below) which is what really cool network techs do instead! But if you want to be able to ping an interface (even for a short period of time). Here’s how to do it.

Solution

Fundamentally, the reason you can’t ping a Fortigate interface, is because ‘ping’ isn’t listed in the ‘allowaccess‘ section for that interface.

Fortigate allow ping

Let’s fix that;

config system interface
edit {port-name}
set allowances {Existing settings i.e. https http etc.} ping
end

Fortigate cannot ping an interface

Using ARP to check connectivity

A lot of people assume that if you can’t ping something, you are not connected to it, that’s not the case at all.  If you ‘think’ something is on the same layer 2 network segment as you, and you can’t ping it, then look in the ARP cache on your machine, (for Windows and Linux the command is arp -a).

Below: Shows you can see the MAC address of that IP address, even if you cannot receive a ping response!

Just Because you cant ping

However once ping is enabled, your ICMP responses will work fine.

Fortigate enable ping on an interface

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *