OSPF distribute-list-in default route only
Hi,
I'm running an HA cluster of 2x FGT-300D. The cluster is talking OSPF towards 2 Nexus 5000 devices.
Once I apply an access-list/prefix-list via distribute-list-in to only install the default route on the cluster, all remote communication is impossible... Through debugging I still see traffic (ICMP/HTTPS) entering the FortiGate cluster.
Once I remove the distribute-list-in statement, traffic is restored (as more routes enter the routing table). All other (more specific) routes point towards the same 2 Nexus 5000 devices. The default routes also point to these 2 Nexus devices.
I was checking the RPF documentation, which states that anti-spoofing kicks in once there is no locally attached subnet or any other route. But having only a default route shouldn't trigger anti-spoofing, right?
Any clue?
Regards,
Jeroen
Cluster is 2x 300D active/passive
5.2.4 build 688