Sending RST to LB / VIP clients?

Forum|Forum|6 years ago
January 21, 2020
1 reply
5143 views

Good day,

Regular firewall policies has an option to send TCP RST packets to clients, when policy's action is set to "deny": [style="background-color: #888888;"]# set send-deny-packet enable[/style]

But as far as I see, if the policy's destination is a VIP or virtual-server (load balancer), this option doesn't work. I configure "set action deny", "set send-deny-packet enable" - but still clients get nothing, their connection attempts are just silently discarded.

Is there any option to make FortiGate to return RST in these cases as well? Or maybe it's possible to make an LB to return RST in case action is set to "allow", but none of its realservers pass health checks?

Thanks, Vladimir.

Best answer by tanr

I'm not sure whether send-deny-packet works for VIPs, but just want to confirm that you have the policy's "match-vip" set to "enable"?

tanrAnswer

New Member

I'm not sure whether send-deny-packet works for VIPs, but just want to confirm that you have the policy's "match-vip" set to "enable"?

Vladimir_OstrovskyAuthor

New Member

Honestly, I didn't know about this option - thanks, tanr!

But now I've set it, and it still didn't help - the clients' SYN packets are just discarded:

config firewall policy edit 0 set name "World_to_webserver" set srcintf "Internet_zone" set dstintf "Webserver_zone" set srcaddr "all" set dstaddr "webserver" set schedule "always" set service "HTTPS" set logtraffic disable set fsso disable set action deny set send-deny-packet enable set match-vip enable next end

Maybe I'm missing something?

tanr

New Member

Have you turned on logging for the policy to make sure it's actually getting hit? Beyond that, sounds like time to call TAC and have them step through it.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded