FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 277430
Description This article describes the required configuration for GRE egress traffic on chassis-based FortiGate.
Scope FortiGate 6k and 7k.

Step 1:

For the chassis itself to terminate the GRE tunnel (act as the GRE endpoint), GRE traffic (IP protocol 47) must not be load-balanced across the FPCs but steered to the FPC master. Add a flow rule for it:


config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    next
end

('edit 0' creates a new entry and lets the system assign the next free rule ID.)



  • Refer to this documentation: FortiGate-6000 v6.4.14 special features and limitations


Step 2:

Consider this traffic flow:

  • subnetA -> 6k -> tunnel -> GRE-Endpoint -> subnetB.

The ingress traffic from subnetA (TCP or UDP) is load-balanced by the DP processors according to 'config load-balance setting', so a given session can be distributed to any FPC. GRE traffic, however, is handled only by the FPC master (that is what the flow rule in Step 1 enforces), so the encapsulation into the tunnel can only happen there.

This causes a problem whenever a session destined for subnetB is not forwarded to the FPC master initially: it is processed on an FPC that does not terminate the tunnel, and the traffic does not reach subnetB.

To fix that, a second flow rule is needed which says: traffic that wants to reach subnetB goes to the FPC master. Both the plaintext sessions and the GRE packets that carry them are then handled on the same FPC.


  • It will look like this:

config load-balance flow-rule
    edit 21
        set status enable
        set ether-type ipv4
        set src-addr-ipv4 <source address> <netmask>
        set dst-addr-ipv4 <subnetB address> <subnetB netmask>
        set protocol any
        set action forward
        set forward-slot master
        set comment "subnetB"
    next
end

'set protocol any' is what makes the rule catch both the TCP and the UDP sessions headed for subnetB. 'set src-addr-ipv4' can be left at its default (any source) when every session to subnetB must use the tunnel, or restricted to subnetA when only that traffic is encapsulated.


The following network diagram could be one of the use cases of egress GRE traffic (diagram is an image in the original article and is not reproduced here).

Here is a table comparing the traffic with and without the flow rule (table is an image in the original article and is not reproduced here).

Depending on the use case, the match criteria of the flow rule (destination subnet, source subnet, protocol, VLAN) should be selected carefully: the rule must catch every session that will be encapsulated into the tunnel, but everything it matches is pinned to the FPC master and no longer load-balanced, so keep it as narrow as the tunnel traffic allows.
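The steering behaviour that Steps 1 and 2 rely on, shown as an added model written for this article; it is not Fortinet code and not the page's own configuration. The DP processors' real hash and rule engine are not public, so the hash below is a stand-in, and "lower priority number is evaluated first" is a modelling assumption. The chassis layout (four FPCs, master in slot 1), the subnets 10.1.0.0/24 (subnetA) and 10.2.0.0/24 (subnetB), the tunnel endpoints 192.0.2.1 and 198.51.100.1 and the sample flows are all constructed. What the model reproduces is the point of the article: with only the GRE rule, the inner sessions still hash to arbitrary FPCs while the GRE packets are pinned to the master, and only the subnetB rule brings both onto the same FPC.

```python
"""Model of flow-rule steering versus hash load balancing on a
FortiGate-6000/7000 chassis. Added illustration, not Fortinet code:
hash_slot is a stand-in for the DP processor's undocumented hash, and
all addresses, slots and flows are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

FPC_SLOTS = [1, 2, 3, 4]      # constructed chassis with four FPCs
MASTER_SLOT = 1               # slot 1 assumed to be the FPC master

PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47}

# Constructed addressing for the article's flow: subnetA -> 6k -> tunnel -> subnetB
SUBNET_A = "10.1.0.0/24"
SUBNET_B = "10.2.0.0/24"
CHASSIS_TUNNEL_IP = "192.0.2.1"       # local GRE endpoint on the chassis
REMOTE_GRE_ENDPOINT = "198.51.100.1"  # peer GRE endpoint


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class FlowRule:
    """Subset of the 'config load-balance flow-rule' attributes."""
    rule_id: int
    protocol: str = "any"            # any | tcp | udp | gre
    src_net: Optional[str] = None    # src-addr-ipv4, None = any source
    dst_net: Optional[str] = None    # dst-addr-ipv4, None = any destination
    forward_slot: str = "master"
    priority: int = 5                # modelling assumption: lower = checked first
    status: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.status:
            return False
        if self.protocol != "any" and PROTO_NUM[self.protocol] != pkt.protocol:
            return False
        for net, addr in ((self.src_net, pkt.src), (self.dst_net, pkt.dst)):
            if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
                return False
        return True


def hash_slot(pkt: Packet) -> int:
    """Stand-in for dp-load-distribution-method src-dst-ip-sport-dport: any
    deterministic function of the 4-tuple will do; not Fortinet's algorithm."""
    octets = [int(o) for o in pkt.src.split(".")] + [int(o) for o in pkt.dst.split(".")]
    key = sum(octets) + pkt.sport + pkt.dport
    return FPC_SLOTS[key % len(FPC_SLOTS)]


def steer(pkt: Packet, rules: List[FlowRule]) -> int:
    """First matching flow rule (by priority) decides the slot; otherwise the hash."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return MASTER_SLOT if rule.forward_slot == "master" else int(rule.forward_slot)
    return hash_slot(pkt)


# Step 1 of the article: pin GRE itself to the FPC master.
GRE_RULE = FlowRule(rule_id=1, protocol="gre", priority=3)
# Step 2 of the article: pin everything destined to subnetB to the FPC master too.
SUBNET_B_RULE = FlowRule(rule_id=21, protocol="any", dst_net=SUBNET_B)

# Constructed sample flows: three TCP sessions from subnetA hosts to a subnetB
# host, plus the encapsulated GRE packet between the two tunnel endpoints.
INNER_FLOWS = [
    Packet("10.1.0.10", "10.2.0.20", PROTO_NUM["tcp"], 40000, 443),
    Packet("10.1.0.10", "10.2.0.20", PROTO_NUM["tcp"], 40001, 443),
    Packet("10.1.0.11", "10.2.0.20", PROTO_NUM["tcp"], 40002, 443),
]
GRE_PACKET = Packet(CHASSIS_TUNNEL_IP, REMOTE_GRE_ENDPOINT, PROTO_NUM["gre"])


def inner_flow_slots(rules: List[FlowRule]) -> List[int]:
    """Slot chosen for each sample inner flow under the given rule set."""
    return [steer(p, rules) for p in INNER_FLOWS]


def tunnel_is_consistent(rules: List[FlowRule]) -> bool:
    """True only if every inner flow lands on the FPC that owns the GRE tunnel."""
    gre_slot = steer(GRE_PACKET, rules)
    return all(slot == gre_slot for slot in inner_flow_slots(rules))


if __name__ == "__main__":
    for label, rules in (("no flow rules", []),
                         ("GRE rule only (Step 1)", [GRE_RULE]),
                         ("GRE + subnetB rules (Steps 1 and 2)", [GRE_RULE, SUBNET_B_RULE])):
        print(f"{label:38s} GRE->slot {steer(GRE_PACKET, rules)}  "
              f"inner->slots {inner_flow_slots(rules)}  ok={tunnel_is_consistent(rules)}")
```

Running it shows the GRE packet moving from a hashed slot to the master once the Step 1 rule exists, while the three inner sessions stay spread over slots 1, 2 and 4 until the Step 2 rule pins them to the master as well; only then does tunnel_is_consistent report True. The same function is a quick way to check a candidate match criterion before committing it: feed it the flows you expect to encapsulate and confirm none of them escapes the rule.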