Article Id 285775
Description: This article describes the effect of pinging a VIP from the FortiGate CLI after upgrading between FortiOS firmware versions, from case 2 to case 3 as per the referenced article.
Scope: FortiGate models with FortiOS firmware versions 6.4.15 and later, 7.0.13 and later, 7.2.6 and later, 7.4.1 and later.
Solution

Introduction:

Some customers experience hidden issues with virtual IPs (VIPs) after performing a firmware upgrade. This article focuses on pinging a VIP from the FortiGate CLI after a firmware upgrade from FortiOS 7.0.12 to FortiOS 7.0.13.

Since VIPs in FortiOS 7.0.12 are not considered local addresses, FortiGate relies on the routing table to forward the relevant traffic. For those objects to function properly, they must therefore be used in firewall policies, i.e. they must be referenced. Since VIPs in FortiOS 7.0.13 are considered local addresses, FortiGate does not rely on the routing table unless those objects are referenced in firewall policies. However, if they are not referenced, FortiGate still replies to ARP requests for them, which is likely to cause connectivity or reachability issues.

Ping Scenarios from FortiGate CLI and Effects on Upgrade from FortiOS 7.0.12 to FortiOS 7.0.13:

Note that the following scenarios assume the default setting is in place on the VIPs:

    set arp-reply enable

FortiOS 7.0.12 case:

Ping a non-referenced VIP (i.e. not attached to a firewall policy):

  • When the mapped IP address is a local FortiGate IP address, ping does not work.
  • When the mapped IP address is a device connected to a FortiGate local interface, ping does not work.

Ping a referenced VIP (i.e. attached to a firewall policy):

  • When the mapped IP address is a local FortiGate IP address, ping does work.
  • When the mapped IP address is a device connected to a FortiGate local interface, ping does work.

FortiOS 7.0.13 case:

Ping a non-referenced VIP (i.e. not attached to a firewall policy):

  • When the mapped IP address is a local FortiGate IP address, ping does work.
  • When the mapped IP address is a device connected to a FortiGate local interface, ping does work.

Ping a referenced VIP (i.e. attached to a firewall policy):

  • When the mapped IP address is a local FortiGate IP address, ping does work.
  • When the mapped IP address is a device connected to a FortiGate local interface, ping does not work.

In conclusion, pinging a VIP from the FortiGate CLI in FortiOS 7.0.12 only works when the VIP is used in a firewall policy. In FortiOS 7.0.13, this is not the case: the ping works without any reference. The only case where pinging does not work in FortiOS 7.0.13 is when the VIP is referenced in a firewall policy and the mapped IP address is a device reachable from a FortiGate local interface. In that case, for the ping to work, it has to be initiated from the external source, NOT from the FortiGate CLI.

Note that the above applies to all FortiGate firmware versions after upgrading from case 2 to case 3 as per the article referenced in the description.
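As an added example that is not part of this article and not Fortinet tooling, the following Python script reads a FortiOS configuration backup and lists the VIPs that still answer ARP (arp-reply not explicitly disabled, since enable is the default shown above) but are referenced in no firewall policy's dstaddr, which is the unreferenced-VIP case from FortiOS 7.0.13 onward. The configuration excerpt is constructed; the parser assumes the usual config/edit/set/next/end layout of a FortiOS backup and only reads the top level of each section.

```python
import shlex

# Constructed FortiOS-style configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set mappedip "10.0.0.10"
    next
    edit "orphan-vip"
        set mappedip "10.0.0.11"
    next
    edit "quiet-vip"
        set mappedip "10.0.0.12"
        set arp-reply disable
    next
end
config firewall policy
    edit 1
        set dstaddr "web-vip" "lan-hosts"
        set action accept
    next
end
"""

def parse_sections(text):
    # Returns {section: {edit_name: {key: [values]}}}; nested config blocks
    # inside an edit (e.g. realservers) are skipped via the depth stack.
    sections, stack, section, entry = {}, [], None, None
    for tokens in filter(None, map(shlex.split, text.splitlines())):
        if tokens[0] == "config":
            stack.append(" ".join(tokens[1:]))
            if len(stack) == 1:
                section, entry = sections.setdefault(stack[0], {}), None
        elif tokens[0] == "end":
            stack.pop()
        elif len(stack) == 1 and tokens[0] == "edit":
            entry = section.setdefault(tokens[1], {})
        elif len(stack) == 1 and tokens[0] == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]
    return sections

def unreferenced_arp_vips(config_text):
    # VIPs that still answer ARP (only an explicit 'set arp-reply disable' turns
    # it off) but appear in no policy's dstaddr: the post-7.0.13 reachability risk.
    sections = parse_sections(config_text)
    referenced = set()
    for policy in sections.get("firewall policy", {}).values():
        referenced.update(policy.get("dstaddr", []))
    return sorted(name for name, attrs in sections.get("firewall vip", {}).items()
                  if attrs.get("arp-reply", ["enable"]) != ["disable"]
                  and name not in referenced)
```

Run against a full backup, the returned names are the VIPs to either attach to a policy or set to `arp-reply disable` before the upgrade.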
