Skip to main content
amorales
amorales
New Member
November 12, 2020
Question

Intra-Interface routing behavior

  • November 12, 2020
  • 1 reply
  • 11046 views

Hello, I am curious about the Fortigate behavior when the traffic handled by firewall for packet which ingress and egress same interface. I have found this information:

 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36468

 

According to what I have seen in a physical FortiGate, what is described in the Fortinet document is true and the traffic is allowed when the incoming traffic goes out thorugh the same interdace, without any policy check.

 

On the other hand, I also have an Azure firewall where I have multiple subnets connected in the Port2, and the traffic between these subnets is checked and blocked by firewall policies. Do you know what I am missing here and why this behavior is different to the one described in the above Fortinet documentation? Thank you very much for the help.

 

Best regards.

    1 reply

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    November 12, 2020

    I'm not so famiiar with VM enviroment like Azure, AWS, etc. But are you sure those subnets are NOT separated by VLANs on the FGT side, where are the different/separate "interfaces"? They happen to be on the same physical interface, port2.

    amorales
    amoralesAuthor
    New Member
    November 12, 2020

    No, I have just one physical port with an IP Address. To reach these subnets, I have a static route pointing to the same Azure network device (but there is not internal communication between subnets inside the Azure network device, and traffic pass through FortiGate). 

     

    For example, I have these subnets:

     

    Subnet A: 192.168.1.0/24

    Subnet B: 192.168.2.0/24

     

    In the port2, I have the IP 10.1.1.1/24. To reach subnet Aand B, I have static routes pointing to the IP 10.1.1.2/24 through port2 (the Azure device with IP 10.1.1.2 is not able to perform inter-subnet routing as mentioned before, and the traffic is sent to inter-subnet routing is performed by the FortiGate. When I check the session, it looks in this way:

     

    post dev=5->5/5->5 gwy=10.1.1.2/10.1.1.2   As you can see, the incoming and outgoing interfaces are the same, and same happens for the gateways.

     

    Is possible that the Fortinet documentation is related to traffic inside the same subnet or something else? Thanks

     

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    November 12, 2020

    If that's the case, then yes, your assumption is probably right. Since the source and destination subnets are different, routing/L3 is involved then policy might be necessary.

    Terms & ConditionsAccessibility statement