ezhupa, Staff
Article Id 419286
Description: This article describes how to fix issues with GRE passthrough traffic matching the implicit deny rule for return traffic on 90G devices.
Scope: FortiGate.
Solution: After upgrading from the v7.2 branch to v7.4.8, there might be issues with GRE passthrough traffic between Aruba APs and the Aruba WLC.

Traffic that worked before the upgrade now fails: the return traffic from the WLC towards the Aruba APs is seen matching the implicit deny rule on the FortiGate, so the APs cannot register and authenticate correctly.

The denies can be seen either in the Forward Traffic logs of the FortiGate or in the output of the following debug flow:

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr <Aruba_WLC_IP>
diagnose debug flow filter
diagnose debug flow show iprope enable
diagnose debug flow show function enable
diagnose debug console timestamp enable
diagnose debug flow trace start 500
execute time
diagnose debug enable


This is being investigated internally and is expected to be resolved in future versions. Currently, there is no timeline for the fix.

In the meantime, the workaround below can be used to resolve the issue:
Create a firewall policy for the return traffic with service set to 'GRE':

config firewall policy
    edit <id>
        set name "ALLOW_GRE"
        set uuid 8f26d19c-7c2c-51f0-e0cd-b5d7df6e7f1a
        set srcintf "<incoming_port>"
        set dstintf "<outgoing_port>"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "GRE"
        set logtraffic all
        set auto-asic-offload disable
    next
end


The source can be narrowed further by using only the WLC IPs as the source address; this example sets source and destination to 'all' for simplicity.
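As an added example (not Fortinet's code), the following Python script parses constructed FortiGate forward-traffic log lines for GRE (protocol 47) sessions that matched the implicit deny (policyid 0) and renders the workaround policy above narrowed to the offending WLC source addresses. The field names follow the FortiGate key=value forward log format; the sample addresses and interface names are invented, and firewall address objects named after each WLC IP are assumed to exist already.

```python
import re
from collections import defaultdict

# Constructed sample FortiGate forward-traffic log lines (syslog key=value style).
# Addresses are invented; proto=47 is GRE, policyid=0 marks the implicit deny.
SAMPLE_LOGS = """\
date=2025-01-15 time=10:01:02 type="traffic" subtype="forward" srcintf="port2" dstintf="port1" srcip=10.20.0.5 dstip=10.10.1.21 proto=47 action="deny" policyid=0
date=2025-01-15 time=10:01:03 type="traffic" subtype="forward" srcintf="port2" dstintf="port1" srcip=10.20.0.5 dstip=10.10.1.22 proto=47 action="deny" policyid=0
date=2025-01-15 time=10:01:04 type="traffic" subtype="forward" srcintf="port1" dstintf="port2" srcip=10.10.1.21 dstip=10.20.0.5 proto=47 action="accept" policyid=12
date=2025-01-15 time=10:01:05 type="traffic" subtype="forward" srcintf="port2" dstintf="port1" srcip=198.51.100.9 dstip=10.10.1.30 proto=6 action="deny" policyid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def gre_implicit_denies(log_text):
    """Map (srcintf, dstintf) -> sorted source IPs whose GRE (proto 47)
    packets were dropped by the implicit deny (policyid 0)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("proto") == "47" and rec.get("action") == "deny" and rec.get("policyid") == "0":
            hits[(rec["srcintf"], rec["dstintf"])].add(rec["srcip"])
    return {pair: sorted(ips) for pair, ips in hits.items()}

def suggest_policy(srcintf, dstintf, wlc_ips):
    """Render the article's workaround policy, narrowed to the WLC source IPs.
    Assumes firewall address objects named after each IP already exist."""
    srcaddr = " ".join(f'"{ip}"' for ip in wlc_ips)
    return "\n".join([
        "config firewall policy",
        "    edit <id>",  # replace with a free policy ID, as in the article
        '        set name "ALLOW_GRE_RETURN"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        "        set action accept",
        f"        set srcaddr {srcaddr}",
        '        set dstaddr "all"',
        '        set schedule "always"',
        '        set service "GRE"',
        "        set logtraffic all",
        "        set auto-asic-offload disable",
        "    next",
        "end",
    ])
```

Feed the output of `gre_implicit_denies` into `suggest_policy` per interface pair to get one policy per direction that actually showed denies.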

Note:
The issue seems to affect the G-series 90G/120G models and does not seem to occur on F-series devices.