Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
smenendez
Staff
Staff

Created on ‎09-14-2015 06:03 AM Edited on ‎04-07-2022 01:08 PM By Anonymous

Article Id 189411

Technical Note: VIP/IPPool behavior change from 5.0.12 & 5.2

Description

The aim of this article is to provide a practical workaround when IPPool is overlapping with the VIP (Meaning, the IPPool configured has the same IP address as the define VIP) the VIP will be tied to the interface where the originated request come from.

The issue is only observed when the internal users are attempting to connect to the external IP address of the define VIP.


Scope

FortiOS v5.2 and v5.0.12.


Solution

Workaround solutions

This workaround is valid only until v 5.2.4, meaning from 5.0.12 to 5.2.4.   This issue has been patched in version 5.2.5 but not in 5.0.x.

1) If IPPool is not used, remove it.

2) Specify arp-reply on IPPool.

Example:
config firewall ippool
edit "10.108.16.252"
set startip 10.108.16.252
set endip 10.108.16.252
set arp-intf "wan1" <-------
next
end
3) Disable arp-reply on IPPool.
config firewall ippool
edit "10.108.16.252"
set startip 10.108.16.252
set endip 10.108.16.252
set arp-reply disable <--------
next
end



 

 

5323
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.