Technical Tip: Response traffic of a Virtual IP Session Egresses through a Different Interface than the Original Incoming interface

After upgrading FortiGate to v7.4.2, and v7.4.3, Virtual IPs do not work when UTM is enabled in the firewall policy with proxy-based Inspection mode. The problem can be verified by examining the logs as outlined below.

Packet sniffers will show that the FortiGate responds to the client-initiated traffic, but it is routed via a different interface than the original incoming interface. Thus, the reply traffic does not arrive on the client machine.

Sniffer output from non-working scenario:

diagnose sniffer packet any "port 443 and host 94.X.X.X" 4 0 l
interfaces=[any]
filters=[port 443 and host 94.X.X.X]
2024-01-17 10:36:14.787881 wan2 in 94.X.X.X.20293 -> 83.X.X.X.443: syn 1673605026 <-----SYN on wan2
2024-01-17 10:36:14.788181 wan1 out 83.X.X.X.443 -> 94.X.X.X.20293: syn 2273180168 ack 1673605027 <---- SYN+ACK on wan1

Sniffer output from the working scenario when UTM is disabled in the firewall policy or when the firewall policy is in flow-based Inspection mode:

2024-01-17 10:44:19.068794 wan2 in 94.X.X.X.20082 -> 83.X.X.X.443: syn 3957980771
2024-01-17 10:44:19.069248 wan2 out 83.X.X.X.443 -> 94.X.X.X.20082: syn 1675486524 ack 3957980772

This issue has been resolved in v7.4.4

Workaround:

• Switch to a flow-based inspection profile.

OR.

• Disable UTM/security profiles in the firewall policy.