Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Matt_B
Staff & Editor
Staff & Editor

Created on ‎06-10-2025 10:12 PM Edited on ‎06-11-2025 06:54 AM By Moderator

Article Id 395793

Technical Tip: FortiOS responds to VRF 0 local traffic using a different VRF

 

Description This article describes the expected FortiOS behavior when management traffic is received on VRF 0.
Scope FortiGate v7.4.1 and later.
Solution

After upgrading to v7.4.1 or later, FortiOS may respond to management traffic received on VRF 0 using a different VRF and different interface, if a more specific route exists in a different VRF. This can cause the firewall to not be accessible using HTTPS and SSH after the upgrade.

 

VRF 0 is a special VRF that includes routes from multiple VRFs. See this document: Virtual routing and forwarding.

 

After the upgrade, the most specific route is used to forward replies for management traffic received in VRF 0 if the most specific route is in a different VRF.

 

Example configuration:

 

config system interface

    edit "port1"

        set vdom "root"

        set vrf 0 <-- Default configuration.

        set ip 10.255.4.31 255.255.252.0

        set allowaccess ping https ssh

    next

end

 

Routing Table:

 

get router info routing-table all

 

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.255.7.254, port1, [1/0]
C 10.255.4.0/22 is directly connected, port1

 

Routing table for VRF=2
S* 0.0.0.0/0 [10/0] via 10.255.11.254, port1.0003, [1/0]
S 10.0.0.0/8 [10/0] via 10.255.11.254, port1.0003, [1/0]
C 10.255.8.0/22 is directly connected, port1.0003

 

Packet sniffer showing different interfaces used to forward replies:


FortiGate-A # diagnose sniffer packet any 'port 22' 4 1000 l
interfaces=[any]
filters=[port 22]
2025-05-26 12:33:15.822250 port1 in 10.254.200.200.50937 -> 10.255.4.31.22: syn 4106311737
2025-05-26 12:33:15.822283 port1.0003 out 10.255.4.31.22 -> 10.254.200.200.50937: syn 1240260999 ack 4106311738

 

Because the most specific route to the IP address 10.254.200.200 is over port1.0003, this interface is used to forward the reply for management traffic, causing asymmetric routing and possible packet loss.

 

Resolution:

A related issue, 952543, that affects single VRF deployments was resolved in v7.4.2, see FortiOS v7.4.2 Resolved Issues.

 

The multiple VRF case is expected behavior with several available workarounds and is not anticipated to be fixed.

 

Workarounds:

  • Change the interface VRF to a non-zero value during a maintenance window following this document: Implementing VRF. It is strongly recommended to review the change beforehand to ensure that other traffic will not be affected.
  • Identify which route in the other VRF is unexpectedly matching the traffic, and create a static route with the same prefix length and the intended exit VRF 0 interface. The route could be any administrative distance and priority.

config router static

    edit <index>

        set dst 10.0.0.0 255.0.0.0

        set gateway 10.255.7.254
        set device port1

    next

end

 

  • Use a dedicated VDOM for management, see VDOM overview. Each VDOM maintains an independent routing table.
  • If an HA reserved management interface is configured, the reserved management interface has a dedicated hidden VDOM and is not affected. See this article: Technical Tip: HA Reserved Management Interface.

 

411
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.