Skip to main content
akileshc
Staff
akileshc
Staff
October 24, 2025

Technical Tip: ICMP Responses do not follow the incoming interface for Traffic directed to FortiGate when Virtual-patch is enabled

  • October 24, 2025
  • 0 replies
  • 549 views
Description This article describes the behavior when virtual-patch is enabled in a local-in policy, ICMP response packets may egress through a different interface than the one they were received on.
Scope FortiGate running FortiOS version 7.2.9, 7.2.10, or earlier versions.
Solution

Observed Behavior:

In a setup with two WAN connections and two default routes, enabling 'virtual-patch' on a local-in policy causes ICMP responses to exit through a different interface.

 

Configuration Example:

 

config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
        set virtual-patch enable
    next
end

 

After applying the above configuration, ICMP echo requests sent to the 'wan1' interface IP of the FortiGate may generate echo replies that egress from 'wan2'.


Packet Capture Output:

 

2025-11-10 09:15:01 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:01 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply
2025-11-10 09:15:02 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:02 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply

 

Session Information:

 

session info: proto=1 proto_state=00 duration=43 expire=17 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty ndr route_preserve
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 2/0 rx speed(Bps/kbps): 2/0
orgin->sink: org pre->in, reply out->post dev=3->15/15->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.50.25:1->10.10.10.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.10.1:1->172.16.50.25:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=547 auth_info=0 chk_client_info=0 vd=0
serial=001f652d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local redir-to-ips

 

Workaround:

Disable the 'virtual-patch' option in the local-in policy configuration.

 

Example:

 

config firewall local-in-policy
    edit 1
        unset virtual-patch
    next
end

 

After disabling this option, ICMP response packets will follow the expected path through the same interface they were received on.


It has been resolved in FortiOS v7.2.11, v7.4.8, v7.6.3, or above.


Additional Information: This behavior occurs only when 'virtual-patch' is enabled in local-in policies. The feature affects how the IPS engine handles locally destined traffic only in the affected firmware listed above, which can alter routing decisions for response packets.

 

For more details about virtual patching on the local-in management interface, refer to the article below:

Virtual patching on the local-in management interface 7.2.4
    Terms & ConditionsAccessibility statement