hrahuman_FTNT
Article Id 339766
Description This article discusses FortiGate-VM probe traffic behavior when VIP is enabled.
Scope FortiGate-VM.
Solution

In Azure or AWS, when a load balancer health probe is enabled for the FortiGate-VM, the load balancer periodically sends a probe to a TCP/UDP port on the FortiGate-VM to verify that the VM is up and running.

If a VIP that uses the same external IP is configured on the probe interface, the probe traffic matches the VIP and is sent to the mapped server instead of being answered by the FortiGate. It is then denied if no firewall policy allows it, or it receives no response from the mapped server, so the load balancer marks the FortiGate-VM as unhealthy.

 

To avoid this, restrict the VIP object to specific services or port forwards, as shown below. For example, consider port1 with probe traffic enabled and the following VIP, which has no service or port restriction and therefore claims every port on the external IP (including the probe port):

config firewall vip
    edit "VIP-TEST"
        set extip 192.168.0.28
        set mappedip "172.30.1.80"
        set extintf "port1"
    next
end

 

To allow the probe traffic, enable the service or port forwards as below:

config firewall vip
    edit "VIP-TEST"
        set service "HTTP" "HTTPS"
        set extip 192.168.0.28
        set mappedip "172.30.1.40"
        set extintf "port1"
    next
end

Or:

config firewall vip
    edit "VIP-TEST"
        set extip 192.168.0.28
        set mappedip "172.30.1.80"
        set extintf "port1"
        set portforward enable
        set extport 443 <----- Only this external port is claimed by the VIP; other ports (including the probe port) are handled by the FortiGate itself.
        set mappedport 443 <----- Port on the mapped server that the traffic is translated to.
    next
end
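The following is an added illustration, not FortiOS code or part of the original article: a simplified Python model of how a VIP claims traffic arriving on its external IP, used to show why a VIP with no service or port restriction swallows the load balancer probe while a restricted VIP leaves the probe port to the FortiGate. The service table, the probe port (8008/tcp) and the matching rules are constructed assumptions that approximate the behaviour described above; the VIP values are the article's.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed service table (name -> (protocol, port)); only the two services
# used in the article, not the full FortiOS service list.
SERVICES = {"HTTP": ("tcp", 80), "HTTPS": ("tcp", 443)}

# Constructed probe port; real Azure/AWS probe ports are whatever the load
# balancer health probe is configured with.
PROBE_PORT = 8008


@dataclass
class Vip:
    """Minimal model of a 'config firewall vip' entry (assumption, not FortiOS)."""
    name: str
    extip: str
    mappedip: str
    extintf: str
    service: Tuple[str, ...] = ()      # empty tuple = no service restriction
    portforward: bool = False
    extport: Optional[int] = None
    mappedport: Optional[int] = None

    def claims(self, intf: str, dst_ip: str, proto: str, dst_port: int) -> bool:
        """True if a packet to (dst_ip, dst_port) on intf would be DNAT'd by this VIP."""
        if intf != self.extintf or dst_ip != self.extip:
            return False
        if self.service:
            # Service-restricted VIP: only the listed protocol/port pairs match.
            return any(SERVICES[s] == (proto, dst_port) for s in self.service)
        if self.portforward:
            # Port-forwarding VIP: only the configured external port matches
            # (protocol assumed TCP here for simplicity).
            return proto == "tcp" and dst_port == self.extport
        # No service and no port forward: the VIP takes every port on extip.
        return True


def handle_packet(vips, intf, dst_ip, proto, dst_port):
    """Return ('dnat', mapped_ip, mapped_port) if a VIP claims the packet,
    otherwise ('local', dst_ip, dst_port) meaning the FortiGate answers itself."""
    for vip in vips:
        if vip.claims(intf, dst_ip, proto, dst_port):
            return ("dnat", vip.mappedip, vip.mappedport or dst_port)
    return ("local", dst_ip, dst_port)


# The three VIP variants from the article.
WIDE_OPEN = Vip("VIP-TEST", "192.168.0.28", "172.30.1.80", "port1")
BY_SERVICE = Vip("VIP-TEST", "192.168.0.28", "172.30.1.40", "port1",
                 service=("HTTP", "HTTPS"))
BY_PORT = Vip("VIP-TEST", "192.168.0.28", "172.30.1.80", "port1",
              portforward=True, extport=443, mappedport=443)


def probe_outcome(vip: Vip) -> str:
    """Where a load balancer probe to port1/192.168.0.28:PROBE_PORT ends up."""
    return handle_packet([vip], "port1", "192.168.0.28", "tcp", PROBE_PORT)[0]


if __name__ == "__main__":
    for vip in (WIDE_OPEN, BY_SERVICE, BY_PORT):
        print(vip.service or ("portforward" if vip.portforward else "no restriction"),
              "->", probe_outcome(vip))
```

With the wide-open VIP the probe is DNAT'd to 172.30.1.80, which is exactly the failure the article describes; with either restricted form the probe stays local and the HTTPS traffic is still forwarded to the mapped server.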