FortiGate
Subha_FTNT
Staff
Description
This article explains traceroute behaviour through NP2/NP4 ASIC-based FortiGate devices, in particular why the FortiGate appears as a hop in one traceroute and then times out in the next.

Scope
FortiOS with NP2/NP4.

Solution
When several traceroutes are run back to back from the same source to the same destination, the FortiGate shows up as the first hop in the first traceroute, but that hop times out in the traceroutes that follow.

This is expected when the traceroute is run from a Windows computer, because tracert uses ICMP echo requests as its probes. In the first run the FortiGate IP is listed as a hop; in the later runs it is not. The reason is that once the session has been offloaded to the NP2/NP4 ASIC, the probes with TTL 1 are handled by the ASIC instead of the kernel, and the ASIC is not built to generate the ICMP Time Exceeded message back to the source, so the client reports a timeout for that hop. This is expected behaviour, not a fault.

If the existing session is cleared, or left to expire (the default ICMP session timeout is 1 minute), the next traceroute again shows the FortiGate as a hop; the traceroutes after that will not show the FortiGate as a hop for as long as the offloaded session is present.

A traceroute run from Linux/Unix uses UDP probes (destination ports from 33434 upward, 33434-33464 for a typical run), and every run shows the FortiGate as a hop. The reason is that each probe uses a different source/destination port pair, so no probe matches an existing offloaded session, and the kernel has to process every packet with TTL 1 and reply with ICMP Time Exceeded.

The behaviour can be confirmed by disabling offload on the firewall policy the traffic matches ('set auto-asic-offload disable' in the policy): all traceroute attempts then show the FortiGate as a hop, because every probe is handled by the kernel. Re-enable offload afterwards, since CPU-handled traffic reduces throughput on these platforms.
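The following walk-through is an added example, not part of the original article or Fortinet's own documentation. It reproduces the behaviour from the client, confirms on the FortiGate that the ICMP session is offloaded, and shows the two ways to get the FortiGate back as a hop. The addresses (client 10.0.1.50, target 8.8.8.8) and the policy ID (5) are assumptions; substitute your own.

```text
# Added example (not from the original article). Assumed addressing:
#   client 10.0.1.50, target 8.8.8.8, firewall policy id 5 permitting the traffic.

# --- Client side: reproduce the behaviour ---
# Windows: ICMP echo probes. Hop 1 is the FortiGate on the first run and
# "Request timed out" on an immediate second run while the session is offloaded.
C:\> tracert -d 8.8.8.8
C:\> tracert -d 8.8.8.8

# Linux: default UDP probes (destination ports from 33434 upward). Each probe
# is a new session, so hop 1 shows the FortiGate on every run ...
$ traceroute -n 8.8.8.8
# ... whereas forcing ICMP echo probes (-I) reproduces the Windows behaviour.
$ traceroute -n -I 8.8.8.8
$ traceroute -n -I 8.8.8.8

# --- FortiGate side: confirm the ICMP session is offloaded to the NP ---
FGT # diagnose sys session filter clear
FGT # diagnose sys session filter proto 1
FGT # diagnose sys session filter src 10.0.1.50
FGT # diagnose sys session filter dst 8.8.8.8
FGT # diagnose sys session list
# In the listing, an offloaded session carries "npu" in its state= line and an
# "npu info:" block; expire= counts down from the 60 s ICMP session timeout.

# Option 1: clear that one session and rerun tracert; the FortiGate is hop 1
# again. The filter set above limits the scope; never run
# "diagnose sys session clear" without a filter on a production unit.
FGT # diagnose sys session clear

# Option 2: keep this policy's traffic in the kernel so every probe is answered.
FGT # config firewall policy
FGT (policy) # edit 5
FGT (5) # set auto-asic-offload disable
FGT (5) # next
FGT (policy) # end
# Re-enable offload afterwards ("set auto-asic-offload enable"); CPU-handled
# traffic costs throughput on NP2/NP4 platforms.
```

Use option 1 when a one-off check is enough; option 2 changes the forwarding path for all traffic on that policy, so apply it only to a narrowly scoped test policy and revert it once the check is done.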
