07-04-2024 04:54 AM
07-05-2024 08:17 AM
Hi @f.niam, why do you have NAT configured in both directions? Do you want it to be available from the Internet also?
During the issue, did you check the traffic logs to understand what's happening? Is it matching the NAT statement when the issue is present?
07-05-2024 11:57 AM
Hello,
Disable the policy NAT 85 in your picture, as it is not required. Also, I hope this external IP is used only for the FortiMail; if yes, set Bi-Directional to yes.
Regards,
07-05-2024 01:25 PM
Yes, I need the FortiMail to get Internet access, because during the issue my FortiMail can't send email outbound, and when I trace from the FortiMail the packets stop at the Palo Alto. When I disable and re-enable NAT policy no. 86, my FortiMail is back to normal and can send email outbound, while my Palo Alto traffic log shows application incomplete.
07-05-2024 01:27 PM
Unfortunately, my external public IP is used by two IP addresses. Here is my issue in detail: my FortiMail can't send email outbound, and when I trace from the FortiMail the packets stop at the Palo Alto. When I disable and re-enable NAT policy no. 86, my FortiMail is back to normal and can send email outbound.
07-06-2024 06:39 AM - edited 07-06-2024 06:41 AM
Your policy names are confusingly reversed (regarding what is in/out) but that's not relevant here. I don't see anything specifically wrong here and as you're saying - it is an intermittent/runtime issue, it works and then it does not work - meaning as if the configuration is fine, just that something happens in the data plane.
This tells me that some in-depth debugging of the sessions and packets is required. You can take packet captures, trace down and investigate sessions, etc., but it may also be a basis for a support case. If you get lucky, they may find something in the tech support file or it may be a known issue.
I understand you can't initiate this situation to reproduce it, but once it happens, you can keep it for some time so that it can be investigated. E-mail servers usually try to re-send an e-mail for 4 to 8 hours, so if you keep it broken for a few hours, there should only be a delay but no actual data loss for the users.