#Troubleshooting# Troubleshoot Sangfor NSF site-to-site with Fortinet device
  

Sangfor Jojo Lv5 · Posted 2024-Sep-02 15:46

  
*Product: NSF
  
*Version: 8.0.85
  
*1. Introduction

1.1 User Scenario
  
Building a site-to-site tunnel between firewalls from different vendors can be complicated because each end supports different encryption options and parameters.
  
1.2 Requirements
  
Sangfor NSF updated to the latest version
  
*2. Troubleshoot Guide
  
In this troubleshooting guide, we’ll see what to check when configuring a site-to-site tunnel between two companies, one using Sangfor NSF and the other Fortinet.
  
2.1 Check firewall rules on both sides
  
First, you must check the rules on both companies’ firewalls to ensure that every protocol you need is allowed for the network segments defined on the tunnel.
  
Remember that ping uses a specific protocol, ICMP.
  
So, if you need to ping resources on the tunnels, I suggest creating an appropriate allow rule on both firewalls first.
  
2.2 Check Fortinet’s settings about allowed protocols
  
Now, you need to check on the Fortinet firewall whether ping is allowed on its LAN interface.
  
By default, ping has to be enabled on this LAN interface before it will answer, even to pings from the local network.
  
You can verify this by editing the Fortinet’s LAN interface and checking that ping is selected as an allowed protocol.
  
2.3 Perform precise traffic analysis on Sangfor NGAF
  
At this point, go to Sangfor NSF’s web UI, navigate to the System > Troubleshooting section, and perform a precise traffic analysis, specifying the IP of the client from which you run the ping test as the source and the Fortinet firewall’s IP as the destination.
  
Remember to select allowed traffic so that the precise traffic analysis also shows the permitted traffic.
  
2.4 Perform troubleshooting from Sangfor NGAF’s web console
  
If the issue persists, you can navigate to Sangfor NSF’s web console section and run a traceroute to the Fortinet firewall’s IP to see whether the traffic is routed correctly into the IPsec tunnel.
  
*3. Precaution
   
Please check with your ISP that no filter on their router is blocking any of the protocols involved.


This article was written by Enrico Vanzetto, a technical engineer with extensive experience in and a deep understanding of Sangfor Network Secure (NGAF), HCI, Endpoint Secure, VDI, and Cyber Command products. If you want to know more about him, you can follow him.
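
One way to read the traceroute from step 2.4, as an added example that is not part of the original article: it flags hops outside RFC 1918 space, which indicate that traffic followed the default route instead of the IPsec tunnel. It assumes both sites use private addressing and a Unix-style traceroute layout; the sample outputs, addresses, and the helper names `parse_hops` and `assess` are constructed for illustration.

```python
import ipaddress
import re

# Assumption: tunnel-protected subnets on both sites use RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample outputs in the common Unix traceroute layout; the exact
# format printed by the NSF web console is assumed to be comparable.
VIA_TUNNEL = " 1  192.168.10.1  0.4 ms\n 2  10.20.0.1  18.2 ms\n"
LEAKING = " 1  192.168.10.1  0.4 ms\n 2  203.0.113.1  5.1 ms\n 3  * * *\n"
SILENT = " 1  192.168.10.1  0.4 ms\n 2  * * *\n 3  * * *\n"


def parse_hops(text):
    """Return [(hop_number, IPv4Address or None)]; None is an unanswered hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        found = IPV4_RE.search(m.group(2))
        try:
            ip = ipaddress.ip_address(found.group()) if found else None
        except ValueError:  # dotted token that is not a valid address
            ip = None
        hops.append((int(m.group(1)), ip))
    return hops


def assess(text, remote_fw_ip):
    """Classify a traceroute towards the remote firewall's tunnel-side IP."""
    target = ipaddress.ip_address(remote_fw_ip)
    hops = parse_hops(text)
    outside = [str(ip) for _, ip in hops
               if ip is not None and not any(ip in net for net in RFC1918)]
    if outside:
        return "leak", outside   # traffic left via the default route
    if hops and hops[-1][1] == target:
        return "ok", []          # peer answered and no public hop was seen
    return "no-reply", []        # stayed private but the peer never answered


if __name__ == "__main__":
    for name, out in (("tunnel", VIA_TUNNEL), ("leak", LEAKING), ("silent", SILENT)):
        print(name, assess(out, "10.20.0.1"))
```

A `no-reply` result points back to sections 2.1 and 2.2: the ICMP rules on both firewalls and ping access on the Fortinet LAN interface.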



vesogi7900 Lv2 · Posted 2024-Sep-02 17:52
  
Thanks for sharing

Sangfor Jojo Lv5 · Posted 2024-Sep-02 15:54
  
Congratulations on getting 3000 coins.

If you want to share articles like troubleshooting cases or configuration guides, please click the link below to register for this event.
