LAN to LAN Policy not working, not able to ping from port 3 to port4 and ViceVersa.

Hi Subhash Basishtha,

1. Move your LAN2LAN rule to the top of the Firewall rules (Drag & Drop)

2. Ensure that you didnt specify a specific network in the Source LAN or Destination LAN.  Otherwise the ping is possible only one way, and you will require a second LAN2LAN stipulating that the same ping attempt initiated from the other LAN will have access to do so as well.

In the above image, i have LAN2LAN in a Firewall Group called "LAN2LAN" as well, just keeps rules organized, but try setting it as you see here.

Hi Subhash Basishtha,

1. Move your LAN2LAN rule to the top of the Firewall rules (Drag & Drop)

2. Ensure that you didnt specify a specific network in the Source LAN or Destination LAN.  Otherwise the ping is possible only one way, and you will require a second LAN2LAN stipulating that the same ping attempt initiated from the other LAN will have access to do so as well.

In the above image, i have LAN2LAN in a Firewall Group called "LAN2LAN" as well, just keeps rules organized, but try setting it as you see here.

As per your suggestion I have created both LAn 2 LAn group and firewall rule, but still able to get ping from one port to another. Screenshot attached.

Hey Subhash, thanks for the screenshot. Could you post a snapshot of your Interfaces as well, just block out any WAN information from view.

Also, if you go to Administration > Device Access, is "Ping/Ping6" checked off in LAN zone?

Please find the attachments. Ping/Ping6 is also enabled in LAN Zone.

Subhash, did you ping from machines that received DHCP addresses, or were they statically assigned, and were the correct gateways received?  The /16 subnet on Port4, is the same mask on the client your are pinging from?

Are Port 3 and 4 separated by two separate switches, or same switch with two separate Untagged VLANs in Access mode?

I have tested pinging from both machine with DHCP assigned IP and Static Assigned IP.  Gateway 192.168.0.1 is accessible form both port 3 and port 4. Yes client is also having the same subnet 255.255.0.0 as it provides by DHCP.

Port 4 is connected to L2 Switch (Cisco) and then distributed to all the users.

Port 3 is connected to L3 Switch (Cisco) and then connected to Server through Gigabit PoE Switch.

We tried Using Fortinet firewall with the same setup and able to ping form Port 3 to Port 4 and vice versa

What do your tracerts show from the clients? And are there any static route entries? Is your L3 switch running any static routes as well? Perhaps one that was in use when you had a Fortinet in place.  I was trying to recreate this issue on an XG, XGS and Virtual Sophos Firewall, none of which display this symptom.  Would usually happen if there are incorrect routes, subnets or gateways involved on either a client, L3 switch route entry, or worst case scenario, try rebooting the XG firewall and see if it conitnues to do the same or ensure you are running the latest firmwares.

What firmware are you running as well?

The Latest Firmware 18.5.1 MR-1-Build326

How to check the static routes , please guide.

On your Cisco switch, dont know the model, but SSH into the Switch on both LANs and verify:

switch> enable
switch> show ip route brief
**Paste result here**

If it is GUI access, you can login and go to IP Configuration > IPv4 Routes and check if anything exists there that might be throwing it off.

On the XG itself, you click on Routing > Static Routing 
**Snapshot anything there**

When was this firewall installed, and when did you first notice this issue?

Thanks!