Checking FortiOS network settings


Check the FortiOS network settings if you have problems connecting to the management interface. FortiOS network settings include interface settings, DNS settings, and DHCP settings.

Interface settings

If you can access the FortiGate with the management cable only, you can view the interface settings in the GUI.

To view the interface settings in the GUI:
  1. Go to Network > Interfaces.
  2. Select an interface and click Edit.
  3. Check the following settings to ensure they are not blocking traffic.

    | Setting | Description |
    | --- | --- |
    | Link Status | The status is Up when a valid cable is plugged in. The status is Down when an invalid cable is plugged in. The Link Status is shown physically by the connection LED for the interface. If the LED is green, the connection is good. If Link Status is Down, the interface does not work. Link status also appears in the Network > Interfaces page by default. |
    | Addressing mode | Do not use DHCP if you do not have a DHCP server. You will not be able to log into an interface in DHCP mode as it will not have an IP address. |
    | IP/Network Mask | An interface requires an IP address to connect to other devices. Ensure there is a valid IP address in this field. The one exception is when DHCP is enabled for this interface to get its IP address from an external DHCP server. |
    | IPv6 address | The same protocol must be used by both ends to complete the connection. Ensure this interface and the remote connection are both using IPv4 or both are using IPv6 addresses. |
    | Administrative access | If no protocols are selected, you will have to use the local management cable to connect to the unit. If you are using IPv6, configure the IPv6 administrative access protocols. |
    | Status | Ensure the status is set to Up or the interface will not work. |

To display the internal interface settings in the CLI:

    FGT# show system interface <interface_name>

To view the list of possible interface settings:

    config system interface
        edit <interface_name>
            get
    end
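
The checks from the settings table above can also be applied offline to saved `show system interface` output. The following is an added example, not Fortinet code: the sample text is constructed, the function names are hypothetical, and the script assumes that settings absent from the output are at their defaults (status up, static addressing).

```python
import ipaddress
import re

# Constructed sample in the layout of `show system interface` output (not from a real device).
SAMPLE = '''config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set mode dhcp
    next
    edit "port3"
        set ip 10.0.0.1 255.255.255.0
        set status down
    next
end
'''

def parse_interfaces(text):
    # Returns {interface_name: {setting: value}}; nested tables are skipped.
    interfaces, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue
        elif m := re.match(r'edit "?([^"]+)"?$', line):
            current = interfaces.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2)
    return interfaces

def check_interface(cfg):
    # Assumption: unset keys are at their defaults (status up, mode static).
    mode = cfg.get("mode", "static")
    ip = cfg.get("ip", "0.0.0.0 0.0.0.0").split()[0]
    checks = [
        (cfg.get("status", "up") != "up", "status is not up"),
        (mode == "dhcp", "DHCP mode: needs a reachable DHCP server"),
        (mode == "static" and ipaddress.ip_address(ip).is_unspecified, "no IP address configured"),
        ("allowaccess" not in cfg, "no administrative access protocols"),
    ]
    return [msg for failed, msg in checks if failed]

def audit(text):
    return {name: check_interface(cfg) for name, cfg in parse_interfaces(text).items()}
```

Calling `audit(SAMPLE)` returns an empty list for `port1` and the failed checks for `port2` and `port3`.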

DNS settings

To view DNS settings in the GUI:

Go to Network > DNS.

You can trace many networking problems back to DNS issues. Check the following items:

  1. Are there values for both the Primary DNS server and Secondary DNS server fields?
  2. Is the Local Domain Name correct?
  3. Are you using IPv6 addressing? If so, are the IPv6 DNS settings correct?
  4. Are you using Dynamic DNS (DDNS)? If so, is it using the correct server, credentials, and interface?
  5. Can you contact both DNS servers to verify the servers are operational?
  6. If an interface addressing mode is set to DHCP and is set to override the internal DNS, is that interface receiving a valid DNS entry from the DHCP server? Is it a reasonable address and can it be contacted to verify it is operational?
  7. Are there any DENY security policies that need to allow DNS?
  8. Can any internal device perform a successful traceroute to a location using the FQDN?

DHCP server settings

DHCP servers are common on internal and wireless networks. The DHCP server will cause problems if it is not configured correctly.

To view DHCP server settings in the GUI:
  1. Go to Network > Interfaces.
  2. Select an interface, and click Edit.
Check the following items:
  1. Is the DHCP server enabled?
  2. Is the DHCP server entry set to Relay? If so, verify there is another DHCP server to which requests can be relayed. Otherwise, set it to Server.
  3. Does the DHCP server use a valid IP address range? Are other devices using the addresses? If one or more devices are using IP addresses in this range, you can use the IP reservation feature to ensure the DHCP server does not use these addresses. See DHCP server.
  4. Is there a gateway entry? If not, add a gateway entry to ensure that the server's clients have a default route.
  5. Is the system DNS setting being used? A best practice is to avoid confusion by using the system DNS whenever possible. However, you can specify up to three custom DNS servers, and you should use all three entries for redundancy.


There are some situations, such as a new wireless interface, or during the initial FortiGate configuration, where interfaces override the system DNS entries. When this happens, it often shows up as intermittent Internet connectivity.

To fix the problem, go to Network > DNS, and enable Use FortiGuard Servers.
