Skip to main content
jfelix09
Staff
jfelix09
Staff
May 21, 2025

Technical Tip: In Fabric Overlay Orchestrator setup traffic is denied when shared interfaces are member of a zone

  • May 21, 2025
  • 0 replies
  • 464 views
Description This article describes the behavior of the Fabric Overlay Orchestrator (FOO) when internal interfaces are part of a zone.
Scope FortiGate v7.4+ and v7.6.0-2.
Solution

In this article, the Fabric Overlay Orchestrator (FOO) (Using the Fabric Overlay Orchestrator) is deployed with a Hub FortiGate configured with the 'Automatic' method for policy creation. When 'shared interfaces' on the spokes are members of a zone, the automatic method will create firewall policies using system interfaces and not the system zone.

 

config system interface
    edit "22"
        set vdom "root"
        set ip 192.168.22.1 255.255.255.255
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 18
        set ip-managed-by-fortiipam disable
        set interface "port2"
        set vlanid 22
    next
end

 

config system zone
    edit "22-zone"
        set interface "22"
    next
end

 

config firewall policy
    edit 2
        set name "fabric_vpn_0_in"
        set srcintf "fabric_vpn_sdwan"
        set dstintf "22"
        set action accept
        set srcaddr "all"
        set dstaddr "fabric_vpn_192.168.22.1_255.255.255.255_1"
        set schedule "always"
        set service "ALL"
        set comments "Fabric VPN automatic policy."
    next
end

 

This behavior will lead to a policy failure until a policy is created using the zone instead of the system interface.

 

id=65308 trace_id=39 func=print_pkt_detail line=5932 msg="vd-root:0 received a packet(proto=1, 10.1.1.1:69->192.168.22.1:2048) tun_id=10.191.19.23 from fabric_vpn_1. type=8, code=0, id=69, seq=0."
id=65308 trace_id=39 func=ipsec_spoofed4 line=243 msg="src ip 10.1.1.1 match selector 0 range 0.0.0.0-255.255.255.255"
id=65308 trace_id=39 func=init_ip_session_common line=6124 msg="allocate a new session-000001f9"
id=65308 trace_id=39 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=39 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=4"
id=65308 trace_id=39 func=fw_local_in_handler line=620 msg="iprope_in_check() check failed on policy 0, drop"

 

This behavior has been changed in FortiOS v7.6.3+, and when an interface is a member of a zone and the interface is selected as 'shared interface', the firewall policies will be created with the zone (known issue ID=1128032 Resolved issues).

 

config firewall policy
    edit 2
        set name "fabric_vpn_0_in"
        set srcintf "fabric_vpn_sdwan"
        set dstintf "22-zone"
        set action accept
        set srcaddr "all"
        set dstaddr "fabric_vpn_192.168.22.1_255.255.255.255_1"
        set schedule "always"
        set service "ALL"
        set comments "Fabric VPN automatic policy."
    next
end

 

To troubleshoot the automatic configuration creation on a FortiGate device, execute the following CLI commands:


diagnose debug cli 8

diagnose debug enable

 

Enable FOO, then stop the debug:

 

diagnose debug reset

 

Related documents:

Using the Fabric Overlay Orchestrator
Resolved issues
    Terms & ConditionsAccessibility statement