FortiGate
akileshc
Staff
Article Id 416387
Description: This article describes a behavior in which, when virtual-patch is enabled in a local-in policy, ICMP response packets may egress through a different interface than the one on which they were received.
Scope: FortiGate running FortiOS version 7.2.9, 7.2.10, or earlier versions.
Solution

Observed Behavior:

In a setup with two WAN connections and two default routes, enabling 'virtual-patch' on a local-in policy causes ICMP responses to exit through a different interface than the one on which the request was received.


Configuration Example:


config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
        set schedule "always"
        set virtual-patch enable
    next
end


After applying the above configuration, ICMP echo requests sent to the 'wan1' interface IP of the FortiGate may generate echo replies that egress from 'wan2'.


Packet Capture Output:


2025-11-10 09:15:01 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:01 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply
2025-11-10 09:15:02 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:02 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply
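As an added check (not part of the original article), the following Python script parses sniffer output in the format shown above and flags echo replies that leave on a different interface than the matching request arrived on. The sample lines are constructed: they reproduce the asymmetric case above plus one symmetric request/reply pair for contrast.

```python
import re

# Constructed sample in the format of the sniffer output shown above:
# two asymmetric echo exchanges (in wan1, out wan2) and one symmetric one.
SNIFFER_OUTPUT = """\
2025-11-10 09:15:01 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:01 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply
2025-11-10 09:15:02 wan1 in 172.16.50.25 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:02 wan2 out 10.10.10.1 -> 172.16.50.25: icmp: echo reply
2025-11-10 09:15:03 wan1 in 192.0.2.7 -> 10.10.10.1: icmp: echo request
2025-11-10 09:15:03 wan1 out 10.10.10.1 -> 192.0.2.7: icmp: echo reply
"""

# "<date> <time> <interface> <in|out> <src> -> <dst>: icmp: echo <request|reply>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)

def parse_sniffer(text):
    """Parse sniffer lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_asymmetric_replies(records):
    """Return unique (peer, local_ip, in_intf, out_intf) tuples for echo replies
    that egressed on a different interface than the request ingressed on."""
    ingress = {}   # (peer, local_ip) -> interface the latest request arrived on
    findings = []
    for r in records:
        if r["kind"] == "request" and r["dir"] == "in":
            ingress[(r["src"], r["dst"])] = r["intf"]
        elif r["kind"] == "reply" and r["dir"] == "out":
            key = (r["dst"], r["src"])          # reply is addressed back to the peer
            in_intf = ingress.get(key)
            if in_intf is not None and in_intf != r["intf"]:
                finding = (key[0], key[1], in_intf, r["intf"])
                if finding not in findings:
                    findings.append(finding)
    return findings

if __name__ == "__main__":
    for peer, local, i, o in find_asymmetric_replies(parse_sniffer(SNIFFER_OUTPUT)):
        print(f"reply to {peer} (local IP {local}) arrived on {i} but left on {o}")
```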


Session Information:


session info: proto=1 proto_state=00 duration=43 expire=17 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty ndr route_preserve
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 2/0 rx speed(Bps/kbps): 2/0
orgin->sink: org pre->in, reply out->post dev=3->15/15->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.50.25:1->10.10.10.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.10.10.1:1->172.16.50.25:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=547 auth_info=0 chk_client_info=0 vd=0
serial=001f652d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=00000000
no_ofld_reason: local redir-to-ips


Workaround:

Disable the 'virtual-patch' option in the local-in policy configuration.


Example:


config firewall local-in-policy
    edit 1
        unset virtual-patch
    next
end


After disabling this option, ICMP response packets will follow the expected path through the same interface they were received on.


This issue is resolved in FortiOS v7.2.11, v7.4.8, v7.6.3, or later.


Additional Information: This behavior occurs only when 'virtual-patch' is enabled in local-in policies. On the affected firmware listed above, the feature changes how the IPS engine handles locally destined traffic (the session is redirected to the IPS engine, as the 'redir-to-ips' entry in the session output above shows), which can alter the routing decision for the response packets.


For more details about virtual patching on the local-in management interface, refer to the article below:

Virtual patching on the local-in management interface 7.2.4