FortiGate
smenendez
Staff
Article Id 189411

Description

The aim of this article is to provide a practical workaround for the case where an IPPool overlaps with a VIP (that is, the IPPool is configured with the same IP address as the defined VIP). In that case the VIP becomes tied to the interface from which the originating request arrived.

The issue is only observed when internal users attempt to connect to the external IP address of the defined VIP.


Scope

FortiOS v5.2 and v5.0.12.


Solution

Workaround solutions

This workaround is valid only up to v5.2.4, meaning from 5.0.12 to 5.2.4. The issue has been patched in version 5.2.5 but not in 5.0.x.

1) If IPPool is not used, remove it.

2) Specify the ARP reply interface (arp-intf) on the IPPool, so that ARP replies for the pool address are sent only on the external interface.

Example:
config firewall ippool
edit "10.108.16.252"
set startip 10.108.16.252
set endip 10.108.16.252
set arp-intf "wan1" <-------
next
end
3) Disable arp-reply on the IPPool.

Example:
config firewall ippool
edit "10.108.16.252"
set startip 10.108.16.252
set endip 10.108.16.252
set arp-reply disable <--------
next
end
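As an added example, not part of the original article, the following shows the two colliding objects side by side (a VIP and an IPPool using the same external address) together with the arp-intf workaround from step 2. The VIP name, interface names and the mapped internal address are constructed for illustration; the pool address matches the one used in the article.

```text
# Constructed example: the VIP and the IPPool both use 10.108.16.252 on wan1.
# The VIP publishes the external address and maps it to an internal host.
config firewall vip
    edit "vip-web"
        set extip 10.108.16.252
        set extintf "wan1"
        set mappedip 10.10.10.5
    next
end

# The IPPool reuses the same external address for source NAT.
# Pinning arp-intf to wan1 keeps ARP replies for this address on the
# external interface instead of the interface the request arrived on.
config firewall ippool
    edit "10.108.16.252"
        set startip 10.108.16.252
        set endip 10.108.16.252
        set arp-intf "wan1"
    next
end
```

After applying the change, `show firewall ippool` and `show firewall vip` display both objects so the overlapping address and the arp-intf setting can be confirmed before testing a connection from an internal host to the external VIP address.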