metz_FTNT
Staff
Article Id 345095
Description: This article describes how local-out traffic is handled when policy-based IPsec is configured.
Scope: FortiGate.
Solution

The FortiOS documentation states that self-originating traffic from the firewall (license validation, FortiGuard connections, etc.) is normally not checked against regular firewall policies.
This is generally true, except for traffic subject to policy-based IPsec. In that case, local-out traffic can also match a firewall policy with action 'ipsec', and the flow is as follows:


  • A FIB lookup is done to find the egress interface; for this example, assume port1 is selected based on the default route in the routing table.
  • A policy lookup for the destination into port1 is executed to check whether the traffic should be encrypted inside a policy-based IPsec tunnel.
  • If an 'ipsec' policy is matched, the traffic is sent inside the tunnel.
  • The traffic is then checked against the corresponding tunnel's phase2 selectors. If they do not match, the traffic is dropped.
  • If no 'ipsec' policy is matched, the traffic is forwarded via port1 without IPsec encryption.


Note:

Because of this, extra care should be taken when configuring policies for policy-based IPsec. Avoid using 'all' in the destination address and destination interface fields, or, if that is necessary, consider the possibility that local-out traffic might match the IPsec policy and be dropped because of a phase2 selector mismatch.
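The decision flow above, modelled as an added Python example (not code from the article or from FortiOS): a FIB lookup, a policy lookup into the egress interface, and a phase2 selector check, run once with a policy whose destination is 'all' and once with a narrowed destination. All addresses, policies and selectors are constructed values.

```python
import ipaddress

# Constructed routing table (prefix, egress interface); longest prefix wins.
FIB = [("0.0.0.0/0", "port1"), ("10.0.0.0/8", "port2")]

# Constructed phase2 selectors per tunnel: list of (local, remote) prefixes.
PHASE2 = {"to-branch": [("0.0.0.0/0", "192.168.50.0/24")]}

# Constructed policies, checked top-down; only 'ipsec' policies matter here.
# dstaddr "all" stands in for the FortiOS 'all' address object (0.0.0.0/0).
WEAK_POLICIES = [
    {"dstintf": "port1", "dstaddr": ["all"], "action": "ipsec", "vpntunnel": "to-branch"},
]
FIXED_POLICIES = [
    {"dstintf": "port1", "dstaddr": ["192.168.50.0/24"], "action": "ipsec", "vpntunnel": "to-branch"},
]

def _in(addr, prefix):
    if prefix == "all":
        prefix = "0.0.0.0/0"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def fib_lookup(dst):
    """Step 1: pick the egress interface by longest-prefix match."""
    best = max((r for r in FIB if _in(dst, r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1]

def local_out(src, dst, policies):
    """Steps 2-4: policy lookup into the egress interface, then phase2 selector check.
    Returns 'ipsec' (sent in tunnel), 'drop' (selector mismatch) or 'clear'."""
    egress = fib_lookup(dst)
    for pol in policies:
        if pol["action"] != "ipsec" or pol["dstintf"] != egress:
            continue
        if not any(_in(dst, p) for p in pol["dstaddr"]):
            continue
        # Matched an 'ipsec' policy: the flow must also fit a phase2 selector.
        for local, remote in PHASE2[pol["vpntunnel"]]:
            if _in(src, local) and _in(dst, remote):
                return "ipsec"
        return "drop"
    return "clear"

if __name__ == "__main__":
    fw = "198.51.100.2"      # constructed firewall port1 address
    fguard = "203.0.113.10"  # constructed stand-in for a FortiGuard server
    print(local_out(fw, fguard, WEAK_POLICIES))   # drop: 'all' matched, selector did not
    print(local_out(fw, fguard, FIXED_POLICIES))  # clear: no ipsec policy matched
    print(local_out(fw, "192.168.50.5", FIXED_POLICIES))  # ipsec: branch traffic
```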
