FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 252235

This article describes that when a traffic flow passes a TP VDOM many times, the firewall creates multiple sessions: one main session and one or many reflect sessions.

By default, the firewall only validates the first path of the traffic against the firewall policy.

With 'fw-session-hairpin' enabled, the firewall can check every path against policies.


FortiGate v6.4, v7.2 and v7.4.








FortiGate is in Transparent mode. VLAN 10 and vlan20 interfaces are configured on port4 which connects to the Router. Shown below is the interface configuration of FortiGate:



Default Behavior:

The user in vlan20 tries to access the Server in Vlan10. The new session will be created when the traffic is received on port3 and 'FGT' will check the Mac table and knows that this traffic should be sent out via interface vl20 to the Router(RTR). SVI for vlan10 and vlan20 is configured on the router and it is responsible to route the traffic between these VLANs.

Show below is the traffic flow when the User tries to access the Server: 
Traffic received on port3 and sent to router via interface vl20.



Traffic(Hairpin) was received from the router on interface vl10 and sent to the server via port2.



Hairpin Traffic from the Router is matched to the original session [000007a6] and since the same packet is received for the second time but on a different interface, a new session called auxiliary session/reflect session will be created. 

This auxiliary session/reflect session is attached to the original session [000007a6].


The default behavior is the hairpin traffic will not be checked against the firewall policy.

This can be changed by enabling 'fw-session-hairpin' command in the system settings as shown below:



When 'fw-session-hairpin' command is enabled, hairpin traffic will be checked against the firewall policy and will be allowed only if the firewall policy permits this traffic flow.



Now the hairpin traffic from the router is checked against firewall policy and in this example, the traffic is matching policy-2 which is allowing the traffic to be sent out via interface port2.