| Description | This article describes the behavior of the FortiGate when traffic is permitted by the policy, which is configured to log all sessions, as well as in instances when there is no route to the destination, and explains why no logs are generated for such traffic. One of the common scenarios that may occur is when the default route is injected via BGP from the ISP and that route is removed, or the BGP neighbor relationship goes down. |
| Scope | FortiGate. |
| Solution |
Topology:
When running flow debug for the destination IP for which the firewall does not have a route, the following output will be displayed:
FW-01 (root) #
2025-03-13 21:51:00 id=65308 trace_id=14 func=print_pkt_detail line=5811 msg="vd-root:0 received a packet(proto=6, 10.1.1.11:45922->34.223.124.45:80) tun_id=0.0.0.0 from internal. flag [S], seq 1051492295, ack 0, win 64240"
2025-03-13 21:51:00 id=65308 trace_id=14 func=init_ip_session_common line=5995 msg="allocate a new session-001a72d0"
2025-03-13 21:51:00 id=65308 trace_id=14 func=iprope_dnat_check line=5276 msg="in-[internal], out-[]"
2025-03-13 21:51:00 id=65308 trace_id=14 func=iprope_dnat_tree_check line=834 msg="len=0"
2025-03-13 21:51:00 id=65308 trace_id=14 func=iprope_dnat_check line=5288 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2025-03-13 21:51:00 id=65308 trace_id=14 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-34.223.124.45 via root"
According to the flow debug the firewall has allocated a new session and is attempting to find a route to the destination. As there is no route the debug flow will cease to produce any further output and the SYN packet will be silently dropped.
No allow or deny log will be generated as FortiGate never performed a policy lookup for an SYN packet since it could not pass route validation. This is the expected behavior. Packet flow ingress and egress: FortiGates without network processor offloading |
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Behavior of the FortiGate when ther...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.