Technical Tip: Disable link-down-access on FortiGate interfaces
| Description | This article describes how FortiGate allows access (by default) to an interface IP address even if the interface link is DOWN, as long as requests are permitted by policy. |
| Scope | FortiGate v6.4, FortiGate v7.0. |
| Solution | FortiGate allows access (by default) to an interface IP address even if the interface link is DOWN, as long as requests are permitted by policy. The example and the setting that disables this behaviour are shown below. |

For example, port1 has an IP address and administrative access configured:

```
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https fgfm
        set type physical
        set snmp-index 3
    next
end
```

The hardware device information shows that the port1 link is DOWN (Admin is up, netdev status is down):

```
diagnose hardware deviceinfo nic port1
Description      :FortiASIC NP6 Adapter
Driver Name      :FortiASIC Unified NPU Driver
Name             :np6_0
PCI Slot         :0000:01:00.0
irq              :16
Board            :FGT400d
SN               :FGT4HD3915800380
Major ID         :6
Minor ID         :0
lif id           :14
lif oid          :144
netdev oid       :144
netdev flags     :1003
Current_HWaddr   90:6c:ac:0a:7f:1c
Permanent_HWaddr 90:6c:ac:0a:7f:1c
phy name         :port1
bank_id          :1
phy_addr         :0x1a
lane             :14
flags            :220
sw_port          :0
sw_np_port       :0
vid_phy[6]       :[ 16, 0, 0, 0, 0, 0]
eid_phy[6]       :[ 0, 0, 0, 0, 0, 0]
========== Link Status ==========
Admin            :up
netdev status    :down
link_autonego    :1
link_setting     :1
link_speed       :1000
link_duplex      :0
link_fec         :0
Speed            :N/A
Duplex           :N/A
link_status      :Down
```

Pings to 10.1.1.1 still work, even though the port1 link is DOWN:

```
# id=20085 trace_id=131 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.5.25.22:1792->10.1.1.1:2048) from mgmt1. type=8, code=0, id=1792, seq=0."   >> Request received on mgmt1 for port1 interface IP
# id=20085 trace_id=131 func=init_ip_session_common line=5913 msg="allocate a new session-002008c8"
id=20085 trace_id=131 func=vf_ip_route_input_common line=2621 msg="find a route: flag=84000000 gw-10.1.1.1 via root"
# id=20085 trace_id=132 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.1.1.1:1792->10.5.25.22:0) from local. type=0, code=0, id=1792, seq=0."   >> Reply sent though port1 is link down
# id=20085 trace_id=132 func=resolve_ip_tuple_fast line=5823 msg="Find an existing session, id-002008c8, reply direction"
# id=20085 trace_id=132 func=ipd_post_route_handler line=490 msg="out mgmt1 vwl_zone_id 0, state2 0x0, quality 0.
```

This behaviour can be disabled with the following setting:

```
config system settings
    set link-down-access disable    <-- By default, enabled.
end
```

With link-down-access disabled, pings to 10.1.1.1 no longer work while the interface link is DOWN, as the following debug output shows (the packet is dropped by the local-in handler):

```
# id=20085 trace_id=141 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.5.25.22:2048->10.1.1.1:2048) from mgmt1. type=8, code=0, id=2048, seq=0."
# id=20085 trace_id=141 func=init_ip_session_common line=5913 msg="allocate a new session-00200998"
# id=20085 trace_id=141 func=vf_ip_route_input_common line=2621 msg="find a route: flag=84000000 gw-10.1.1.1 via root"
# id=20085 trace_id=141 func=fw_local_in_handler line=402 msg="'port1' is link down, drop"
```
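As an added example (not part of this Fortinet article), the following Python audit ties the three pieces of CLI output above together: it parses `config system interface` for interface IPs that have allowaccess services, the `link_status` line of `diagnose hardware deviceinfo nic`, and `link-down-access` from `config system settings`, and lists interface IPs that still answer administrative traffic on a down link. The sample text is constructed from the article's output, and the function names are my own.

```python
import re

# Constructed samples modelled on the article's CLI output ('show system interface',
# the link section of 'diagnose hardware deviceinfo nic <port>', 'show system settings').
INTERFACE_CONFIG = """
config system interface
    edit "port1"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https fgfm
    next
    edit "port2"
        set ip 10.2.2.1 255.255.255.0
    next
end
"""
NIC_STATUS = {"port1": "Admin :up\nnetdev status :down\nlink_status :Down\n",
              "port2": "Admin :up\nnetdev status :down\nlink_status :Down\n"}
SYSTEM_SETTINGS = "config system settings\n    set link-down-access enable\nend\n"

def parse_interfaces(text):
    """Map interface name -> {'ip', 'allowaccess'} from 'config system interface' text."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            result[current] = {"ip": None, "allowaccess": []}
        elif current and line.startswith("set ip "):
            result[current]["ip"] = line.split()[2]       # address, mask follows
        elif current and line.startswith("set allowaccess "):
            result[current]["allowaccess"] = line.split()[2:]
        elif line == "next":
            current = None
    return result

def link_is_down(nic_text):
    m = re.search(r"link_status\s*:\s*(\w+)", nic_text)
    return bool(m) and m.group(1).lower() == "down"

def link_down_access_enabled(settings_text):
    # Absent from 'show' output means the default, which is enabled.
    m = re.search(r"set link-down-access (\w+)", settings_text)
    return m is None or m.group(1) == "enable"

def exposed_down_interfaces(interface_cfg, nic_status, settings_text):
    """Interfaces whose IP still accepts admin services although the link is down."""
    if not link_down_access_enabled(settings_text):
        return []  # nothing answers on a down link once the setting is disabled
    return [(name, i["ip"], i["allowaccess"]) for name, i in parse_interfaces(interface_cfg).items()
            if i["ip"] and i["allowaccess"] and link_is_down(nic_status.get(name, ""))]
```

port2 has no allowaccess services, so only port1 is reported; rerunning with `set link-down-access disable` in the settings text returns an empty list.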
