dchan
Staff
Article Id 192046
Description
The related KB article "Asymmetrical packet forwarding in Transparent mode" explains that a FortiGate unit in Transparent mode forwards asymmetrical packets as long as there is a session match. However, it can happen that the session is not created even though packets can be seen being forwarded from vlanXX_inside to vlanXX_outside.

Diagram
PC1 = 1.1.1.10/24
|
DMZ = 1.1.1.1/24
|
FGT1 (NAT mode)
|
WAN2
vlanXX = 2.2.2.1/24
vlanYY = 3.3.3.1/24
|
TRUNK
|
|
DMZ (VLAN interfaces: vlanXX_inside, vlanYY_inside)
|
FGT2 (TP mode)
|
WAN2 (VLAN interfaces: vlanXX_outside, vlanYY_outside)
|
Trunk
|
|
Cisco (L3 switch)
vlanXX = 2.2.2.2/24
vlanYY = 3.3.3.3/24
Debug flow
-----------> NEW SESSION CREATED.
id=20085 trace_id=120 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 1.1.1.10:512->2.2.2.2:8) from vlanXX_inside."
id=20085 trace_id=120 func=resolve_ip_tuple line=2931 msg="allocate a new session-006bbf7a"

-----------> PACKET FORWARDED
id=20085 trace_id=120 func=__if_queue_push_xmit line=208 msg="send out via dev-vlanXX_outside, dst-mac-00:1e:f7:42:1d:80"

-----------> PACKET RETURNS ON vlanYY
id=20085 trace_id=121 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 2.2.2.2:512->1.1.1.10:0) from vlanYY_outside."

-----------> PACKET DROPPED.
When this happens, the bridging table only shows the source MAC address bound to the "vlanXX_inside" interface; the destination MAC address is not bound to the "vlanXX_outside" interface.
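As an added example (not part of the original article), the following Python script reads "diagnose debug flow" output and flags the symptom described above: a reply that arrives on an interface other than the one the forward direction was sent out of. The sample lines are constructed from the trace shown in this article, and the regular expressions assume the message format seen in those lines.

```python
import re

# Constructed sample modelled on the debug flow lines in this article
# (addresses and interface names follow the article's lab diagram).
SAMPLE_FLOW = """\
id=20085 trace_id=120 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 1.1.1.10:512->2.2.2.2:8) from vlanXX_inside."
id=20085 trace_id=120 func=resolve_ip_tuple line=2931 msg="allocate a new session-006bbf7a"
id=20085 trace_id=120 func=__if_queue_push_xmit line=208 msg="send out via dev-vlanXX_outside, dst-mac-00:1e:f7:42:1d:80"
id=20085 trace_id=121 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 2.2.2.2:512->1.1.1.10:0) from vlanYY_outside."
"""

# Assumed message layout, taken from the lines above: ports are ignored because
# ICMP uses the port fields for id/type, so the reply does not mirror them.
RECV_RE = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
XMIT_RE = re.compile(r'trace_id=(\d+) .*send out via dev-([^,\s]+)')


def find_asymmetric_replies(flow_text):
    """Return one (forward_in, forward_out, reply_in) tuple for every reply that
    arrived on an interface other than the one its forward direction left on."""
    by_trace = {}    # trace_id -> (proto, src, dst, ingress interface)
    forwarded = {}   # (proto, src, dst) -> (ingress, egress)
    findings = []
    for line in flow_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            tid, proto, src, dst, in_if = m.groups()
            by_trace[tid] = (proto, src, dst, in_if)
            # Is this the reverse direction of a flow we already sent out?
            seen = forwarded.get((proto, dst, src))
            if seen and seen[1] != in_if:
                findings.append((seen[0], seen[1], in_if))
            continue
        m = XMIT_RE.search(line)
        if m and m.group(1) in by_trace:
            proto, src, dst, in_if = by_trace[m.group(1)]
            forwarded[(proto, src, dst)] = (in_if, m.group(2))
    return findings


if __name__ == "__main__":
    for fwd_in, fwd_out, reply_in in find_asymmetric_replies(SAMPLE_FLOW):
        print(f"flow {fwd_in} -> {fwd_out} was answered on {reply_in}")
```

Run it against a saved "diagnose debug flow" capture to confirm whether dropped return traffic is the asymmetric case this article describes before changing the interface configuration.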

Scope

FortiGate in Transparent mode.

Solution
Use the interface setting "set peer-interface" on both VLAN interfaces.

For example:
config system interface
    edit vlanXX_inside
        set peer-interface vlanXX_outside
    next
    edit vlanXX_outside
        set peer-interface vlanXX_inside
    next
end
This setting allows the FortiGate unit to select the interface to use when it cannot find the destination MAC address in the local bridge table. A fuller explanation of this command is given in the CLI guide.

The session problem should be resolved once this command has been entered to bind both vlanXX_inside and vlanXX_outside interfaces.

Related Articles

Technical Note : Asymmetrical packet forwarding in Transparent Mode
