   

Fortinet GURU About Me Where Fortinet Is Messing Up Fortinet GURU Forums Consulting Services FortinetGURU @ YouTube

How to run ping and traceroute Search … 

How to run ping and traceroute

Ping and traceroute are useful tools in network troubleshooting. Alone, either one can determine network
connectivity between two points. However, ping can be used to generate simple network tra c to view with
diagnose commands on the FortiGate unit. This combination can be very powerful when locating network LATEST VIDEOS
problems.

In addition to their normal uses, ping and traceroute can tell you if your computer or network device has
access to a domain name server (DNS). While both tools can use IP addresses alone, they can also use
domain names for devices. This is an added troubleshooting feature that can be useful in determining why
particular services, such as email or web browsing, may not be working properly.

If ping does not work, you likely have it disabled on at least one of the interface set- tings, and security
policies for that interface.
FortiOS 7 Features I am Excited About
Both ping and traceroute require particular ports to be open on rewalls, or else they cannot function. Since
you typically use these tools to troubleshoot, you can allow them in the security policies and on interfaces
only when you need them, and otherwise keep the ports disabled for added security.


Ping

The ping command sends a very small packet to the destination, and waits for a response. The response has
a timer that may expire, indicating the destination is unreachable. The behavior of ping is very much like a
sonar ping from a submarine, where the command gets its name.
FortiOS 7 Features I am Excited About
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control Message Protocol (ICMP)
“echo request” packets to the destination, and listens for “echo response” packets in reply. However, many
public networks block ICMP packets because ping can be used in a denial of service (DoS) attack (such as
Ping of Death or a smurf attack), or by an attacker to nd active locations on the network. By default,
FortiGate units have ping enabled while broadcast-forward is disabled on the external interface.

What ping can tell you

Beyond the basic connectivity information, ping can tell you the amount of packet loss (if any), how long it One Way VOIP Audio Quick Fix
takes the packet to make the round trip, and the variation in that time from packet to packet.

If there is some packet loss detected, you should investigate the following:

Possible ECMP, split horizon, or network loops.

Cabling to ensure no loose connections.
Verify which security policy was used (use the packet count column on the Policy & Objects > Policy
page). If there is total packet loss, you should investigate the following:
Hardware — ensure cabling is correct, and all equipment between the two locations is accounted for.
Addresses and routes — ensure all IP addresses and routing information along the route is SD-WAN and Use Cases
con gured as expected.
Firewalls — ensure all rewalls, including FortiGate unit security policies allow PING to pass through.

How to use ping

Ping syntax is the same for nearly every type of system on a network.

To ping from a FortiGate unit Importing Policy to FortiManager

1. Connect to the CLI either through telnet or through the CLI widget on the web-based manager dashboard.

2. Enter exec ping 11.101.101 to send 5 ping packets to the destination IP address. There are no options for
this command.

Sample output:

Head_O ce_620b # exec ping 10.11.101.101

Importing Policy to FortiManager
PING 10.11.101.101 (10.11.101.101): 56 data bytes

64 bytes from 10.11.101.101: icmp_seq=0 ttl=255 time=0.3 ms

64 bytes from 10.11.101.101: icmp_seq=1 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=2 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=3 ttl=255 time=0.2 ms

64 bytes from 10.11.101.101: icmp_seq=4 ttl=255 time=0.2 ms

Importing Policy to FortiManager
— 10.11.101.101 ping statistics —

5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 0.2/0.2/0.3 ms

To ping from an MS Windows PC

1. Open a command window.

In Windows XP, select Start > Run, enter cmd, and select OK.
In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list. Don't Use FortiOS 6.2.4

2. Enter ping 11.101.100 to ping the default internal interface of the FortiGate unit with four packets.

Other options include:

-t to send packets until you press “Control-C”

-a to resolve addresses to domain names where possible
-n X to send X ping packets and stop

Sample output:
FortiGate Application Control
C:\>ping 10.11.101.101

Pinging 10.11.101.101 with 32 bytes of data:

Reply from 10.11.101.101: bytes=32 time=10ms TTL=255

Reply from 10.11.101.101: bytes=32 time<1ms TTL=255

Reply from 10.11.101.101: bytes=32 time=1ms TTL=255

Reply from 10.11.101.101: bytes=32 time=1ms TTL=255

Free Fortinet Training!
Ping statistics for 10.11.101.101:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 10ms, Average = 3ms

  STRAIGHT FROM THE GURU

To ping from a Linux PC Before and Afters

Businesss Suggestions
1. Go to a shell prompt.
Buy Fortinet Hardware
2. Enter “ping 11.101.101”. Consulting Stories
Fortinet GURU
  FortinetGURU Videos
How To
Traceroute
Network Photos
Where ping will only tell you if it reached its destination and came back successfully, traceroute will show Personal Network
each step of its journey to its destination and how long each step takes. If ping nds an outage between two Questions
points, traceroute can be used to locate exactly where the problem is. Tips and Tricks

What is traceroute

Traceroute works by sending ICMP packets to test each hop along the route. It will send out three packets, FORTINET DOCUMENTATION
and then increase the time to live (TTL) setting by one each time. This e ectively allows the packets to go one
hop farther along the route. This is the reason why most traceroute commands display their maximum hop Administration Guides
count before they start tracing the route — that is the maximum number of steps it will take before declaring FortiAnalyzer
the destination unreachable. Also, the TTL setting may result in steps along the route timing out due to slow FortiAP
responses. There are many possible reasons for this to occur. FortiAuthenticator
FortiBalancer
By default, traceroute uses UDP datagrams with destination ports numbered from 33434 to 33534. The FortiBridge
traceroute utility usually has an option to specify use of ICMP echo request (type 8) instead, as used by the FortiCache
Windows tracert utility. If you have a rewall and if you want traceroute to work from both machines (Unix- FortiCamera
like systems and Windows) you will need to allow both protocols inbound through your FortiGate security FortiCarrier
policies (UDP with ports from 33434 to 33534 and ICMP type 8). FortiClient
FortiCloud
You can also use the packet count column of the Policy & Objects > Policy page to track traceroute packets.
FortiConverter
This allows you to verify the connection, but also con rm which security policy the traceroute packets are
FortiCore
using.
FortiExplorer
  FortiExtender
FortiGate
What traceroute can tell you FortiGuard
FortiGuard News
Ping and traceroute have similar functions—to verify connectivity between two points. The big di erence is
FortiHypervisor
that traceroute shows you each step of the way, where ping does not. Also, ping and traceroute use di erent
FortiMail
protocols and ports, so one may succeed where the other fails.
FortiManager
You can verify your DNS connection using traceroute. If you enter an FQDN instead of an IP address for the Fortinet
traceroute, DNS will try to resolve that domain name. If the name does not get resolved, you know you have Fortinet Datasheets
DNS issues. Fortinet Videos
FortiOS
 
FortiOS 5.2 Best Practices
How to use traceroute FortiOS 5.4 Best Practices
FortiOS 5.4 Handbook
The traceroute command varies slightly between operating systems. Note that in MS Windows the command FortiOS 5.6
name is shortened to “tracert”. Also, your output will list di erent domain names and IP addresses along FortiPlanner
your route. FortiPresence
FortiRecorder
 
FortiSandbox
To use traceroute on an MS Windows PC FortiSIEM
FortiSwitch
1. Open a command window. FortiToken
FortiView
In Windows XP, select Start > Run, enter cmd, and select OK.
Fortivoice
In Windows 7, select the Start icon, enter cmd in the search box, and select cmd.exe from the list.
FortiWAN
2. Enter “tracert com” to trace the route from the PC to the Fortinet web site. FortiWeb
Product Info
Sample output:
Release Notes
C:\>tracert fortinet.com Third Party Reports
Vulnerabilities
Tracing route to fortinet.com [208.70.202.225]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 172.20.120.2

IMPORTANT LINKS
2 66 ms 24 ms 31 ms 209-87-254-xxx.storm.ca [209.87.254.221]
FortinetGuru @ Youtube
3 52 ms 22 ms 18 ms core-2-g0-0-1104.storm.ca [209.87.239.129]
Buy Fortinet Hardware
4 43 ms 36 ms 27 ms core-3-g0-0-1185.storm.ca [209.87.239.222] Fortinet GURU Forums
Fortinet Cookbook
5 46 ms 21 ms 16 ms te3-x.1156.mpd01.cogentco.com [38.104.158.69] O ce of The CISO

6 25 ms 45 ms 53 ms te8-7.mpd01.cogentco.com [154.54.27.249]

7 89 ms 70 ms 36 ms te3-x.mpd01.cogentco.com [154.54.6.206]

8 55 ms 77 ms 58 ms sl-st30-chi-.sprintlink.net [144.232.9.69]
RECENT POSTS
9 53 ms 58 ms 46 ms sl-0-3-3-x.sprintlink.net [144.232.19.181]
What Features Do You Want In FortiOS?

10 82 ms 90 ms 75 ms sl-x-12-0-1.sprintlink.net [144.232.20.61]
FortiOS 7 Features I am Excited About
11 122 ms 123 ms 132 ms sl-0-x-0-3.sprintlink.net [144.232.18.150]
FortiOS 6.6 Brings LTS and Mike Got Fat!
12 129 ms 119 ms 139 ms 144.232.20.7
Collectors and Analyzers – FortiAnalyzer –
FortiOS 6.2.3
13 172 ms 164 ms 243 ms sl-321313-0.sprintlink.net [144.223.243.58]
High Availability – FortiAnalyzer – FortiOS 6.2.3
14 99 ms 94 ms 93 ms 203.78.181.18
Two-factor authentication – FortiAnalyzer –
15 108 ms 102 ms 89 ms 203.78.176.2 FortiOS 6.2.3

16 98 ms 95 ms 97 ms 208.70.202.225
Global Admin – GUI Language – Idle Timeout –
FortiAnalyzer – FortiOS 6.2.3
Trace complete.
Global Admin – Password Policy – FortiAnalyzer
  – FortiOS 6.2.3

The rst, or the left column, is the hop count, which cannot go over 30 hops. When that number is reached, Global administration settings – FortiAnalyzer –
the traceroute ends. FortiOS 6.2.3

The second, third, and fourth columns display how much time each of the three packets takes to reach this SAML admin authentication – FortiAnalyzer –
stage of the route. These values are in milliseconds and normally vary quite a bit. Typically a value of <1ms FortiOS 6.2.3
indicates a local connection.

The fth, or the column farthest to the right, is the domain name of that device and its IP address or possibly
just the IP address.

To perform a traceroute on a Linux PC

1. Go to a command line prompt.

2. Enter “traceroute com”.

The Linux traceroute output is very similar to the MS Windows tracert output.

To perform a traceroute from the FortiGate

1. Connect to the CLI either through telnet or through the CLI widget on the web-based manager dashboard.

2. Enter exec traceroute fortinet.com to trace the route to the destination IP address. There are no options
for this command.

Output appears as follows:

# execute traceroute www.fortinet.com

traceroute to www.fortinet.com (66.171.121.34), 32 hops max, 84 byte packets

1 172.20.120.2 0.637 ms 0.653 ms 0.279 ms

2 209.87.254.221 <static-209-87-254-221.storm.ca> 2.448 ms 2.519 ms 2.458 ms

3 209.87.239.129 <core-2-g0-2.storm.ca> 2.917 ms 2.828 ms 9.324 ms

4 209.87.239.199 <core-3-bdi1739.storm.ca> 13.248 ms 12.401 ms 13.009 ms

5 216.66.41.113 <v502.core1.tor1.he.net> 17.181 ms 12.422 ms 12.268 ms

6 184.105.80.9 <100ge1-2.core1.nyc4.he.net> 21.355 ms 21.518 ms 21.597 ms

7 198.32.118.41 <ny-paix-gni.twgate.net> 83.297 ms 84.416 ms 83.782 ms

8 203.160.228.217 <217-228-160-203.TWGATE-IP.twgate.net> 82.579 ms 82.187 ms 82.066 ms

9 203.160.228.229 <229-228-160-203.TWGATE-IP.twgate.net> 82.055 ms 82.455 ms 81.808 ms

10 203.78.181.2 82.262 ms 81.572 ms 82.015 ms

11 203.78.186.70 83.283 ms 83.243 ms 83.293 ms

12 66.171.127.177 84.030 ms 84.229 ms 83.550 ms

13 66.171.121.34 <www.fortinet.com> 84.023 ms 83.903 ms 84.032 ms

14 66.171.121.34 <www.fortinet.com> 83.874 ms 84.084 ms 83.810 ms

Share this:

    
Having trouble con guring your Fortinet hardware or have some questions you need answered?
Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some
consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question /
Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

 January 5, 2017  FortiOS , FortiOS 5.4 Handbook , How To  No Comments

 fortigate How to run ping and traceroute , fortinet How to run ping and traceroute

Mike (2844 Posts)

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of
vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or
con guration being deployed is a major pet peeve of Michael's. This site was started in an e ort to spread
information while providing the option of quality consulting services at a much lower price than Fortinet
Professional Services.

View all author’s posts 

 How to check modem status How to check the logs 

LEAVE A REPLY

Your comment *

Your Name *

Your Email *

Your Website

Save my name, email, and website in this browser for the next time I comment.

Notify me of follow-up comments by email.

Notify me of new posts by email.

POST COMMENT

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Fortinet GURU is not owned by or a liated with Fortinet. | IT Services are provided by Plaric IT, LLC | Subscribe To The YouTube Channel!.
If you are in Montgomery Alabama there is always someone to talk to in relation to Montgomery Psychiatry.