syao
Staff & Editor
Article Id 315132
Description

This article describes how a firewall policy takes effect when FortiGate is in One-Arm mode (ingress and egress on the same interface), and how this behaviour differs between firmware versions.

Scope

FortiGate v6.4.X, v7.0.X, v7.2.X, v7.4.X.
Solution

In the following diagram, PC1 is trying to ping PC2. Both PCs are using the FortiGate as their gateway.

FortiGate Port3 has a primary IP address and a secondary IP address.

[Diagram: secondary address routing]
For v6.4.15 and below, v7.0.13 and below, and v7.2.4 and below, a firewall policy is required for both PCs to communicate.


config firewall policy
    edit 1
        set name "INTRALAN"
        set srcintf "port3"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end


For firmware v7.0.14 and above, v7.2.5 and above, and v7.4.0 and above, a firewall policy is no longer required for the PCs to communicate with each other. If a firewall policy should still restrict this same-interface traffic, 'icmp-send-redirect' must be disabled on port3; otherwise the policy has no effect on it.


config system interface
    edit port3
        set icmp-send-redirect disable
    next
end
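A configuration audit that checks for this condition across a whole FortiOS configuration backup, added here as an example (not Fortinet code): it lists every firewall policy whose srcintf equals its dstintf while that interface still has 'icmp-send-redirect' enabled. It assumes the backup omits default values and that the default for 'icmp-send-redirect' is 'enable'; the parser handles only the subset of the CLI backup format shown in the constructed sample.

```python
import re
def parse_blocks(text, section):
    """{entry: {key: value}} for one top-level 'config <section>' block (nested sub-blocks skipped)."""
    entries, current, inside, depth = {}, None, False, 0
    for s in map(str.strip, text.splitlines()):
        if not inside:
            inside = s == f"config {section}"
        elif s.startswith("config "):
            depth += 1                                  # nested block, e.g. 'config ipv6'
        elif s == "end":
            if not depth:
                break                                   # top-level block finished
            depth -= 1
        elif not depth and (m := re.match(r'edit\s+"?([^"]*)"?$', s)):
            entries[(current := m.group(1))] = {}
        elif not depth and s.startswith("set ") and current is not None:
            key, _, val = s[4:].partition(" ")
            entries[current][key] = val.strip('"')
    return entries

def one_arm_policies_with_redirects(config_text):
    """Return [(policy_id, interface)] for srcintf == dstintf policies whose interface still sends redirects."""
    interfaces = parse_blocks(config_text, "system interface")
    # Assumption: a backup omits defaults, and icmp-send-redirect defaults to 'enable'.
    return [(pid, p["srcintf"]) for pid, p in parse_blocks(config_text, "firewall policy").items()
            if p.get("srcintf") and p["srcintf"] == p.get("dstintf")
            and interfaces.get(p["srcintf"], {}).get("icmp-send-redirect", "enable") != "disable"]

# Constructed sample backup: port3 keeps the default, port4 has redirects disabled.
SAMPLE_CONFIG = """\
config system interface
    edit "port3"
        config ipv6
            set ip6-mode static
        end
    next
    edit "port4"
        set icmp-send-redirect disable
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port3"
    next
    edit 2
        set srcintf "port4"
        set dstintf "port4"
    next
end
"""
```

Running `one_arm_policies_with_redirects(SAMPLE_CONFIG)` flags policy 1 on port3 only, since port4 already has the setting disabled.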

 

Related article:

Technical Tip: Traffic handled by FortiGate for packets with ingress & egress as same interface