smxko
Visitor III
October 31, 2024
Question

Fortigate uses VIP of down Interface (Bug?)

  • October 31, 2024
  • 1 reply
  • 1645 views

Some weird behavior I saw today. I'm doing NAT for two VLANs on a branch FGT with two VPN tunnels, so four VIPs in total: two VIPs for the primary tunnel and two for the backup tunnel. I noticed that only the VIPs that reference the backup tunnel (which has always been down so far) have a hit count. I attached a screenshot of that:

[Attached screenshot: Unbenannt-1.png, VIP hit counts]

Only when I reference the backup VIP in a policy does ping to the VIP work, even though it clearly uses a tunnel that isn't even up! How can that be? When I use the primary VIP in the policy, ping doesn't work because of the implicit deny.

I grouped both IPsec interfaces shown here into a zone; maybe that has something to do with it?

1 reply

pminarik
Staff
October 31, 2024

A packet to a local IP doesn't have to come in through its own interface. So likely there was a packet coming in over <another interface> with dst-ip = <VIP[...]backup>, and it was processed like that.

smxko (Author)
Visitor III
October 31, 2024

Ok, so basically I don't need backup VIPs, even when ingress traffic for that VIP can originate from a different interface?

pminarik
Staff
October 31, 2024

Not necessary, yup.
As a matter of fact, you can just bind the VIPs to "any" interface, and control the access by deciding in which firewall policies you use the VIPs (=> controlling the permitted srcintf). The source tunnel/interface will not matter then, as long as the direction of flow is allowed by a firewall policy.
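The approach described in this reply, written out as an added FortiOS CLI example (not configuration from the thread or from Fortinet): the VIP is bound to "any" interface, so it no longer matters whether a packet arrives over the primary or the backup tunnel, and the firewall policy's srcintf is what restricts permitted ingress. All object names, addresses and the zone name are placeholders; the `#` lines are explanatory comments and should be dropped before pasting into a live CLI session.

```fortios
# Added example, not from the thread. Placeholder names and addresses throughout.
# One VIP instead of a primary/backup pair: extintf "any" means the VIP matches
# on dst-ip regardless of which tunnel (or zone member) the packet came in on.
config firewall vip
    edit "VIP_SERVER_A"
        set extip 10.99.1.10
        set mappedip "192.168.10.10"
        set extintf "any"
    next
end

# Ingress control lives in the policy: srcintf is the zone holding both IPsec
# interfaces, so traffic from either tunnel is accepted, and nothing else is.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "VPN_to_SERVER_A"
        set srcintf "VPN_ZONE"
        set dstintf "internal"
        set srcaddr "HQ_NETWORKS"
        set dstaddr "VIP_SERVER_A"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end
```

With this layout the hit counter on a single VIP reflects all matching traffic, and whichever tunnel is up at the time carries it; a packet arriving on an interface outside "VPN_ZONE" still falls through to the implicit deny because no policy references the VIP from that srcintf. Setting `logtraffic all` on the policy makes it easy to confirm in the traffic log which tunnel the sessions actually used.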