Article Id 297349


Description: This article describes the capabilities of VRF 0.
Scope: FortiGate v6.x and v7.x.
Solution:

VRF 0 is a special VRF in FortiOS whose routing table includes a copy of the routes from all other VRFs. Because of this, traffic entering on a VRF 0 interface may be routed to an interface that belongs to another VRF; VRF 0 is not isolated from the other VRFs.


Example:

FortiGate has been configured with one physical interface 'port3', which belongs to the default VRF, and one loopback named 'loopback_Test' on VRF 1.


'get router info routing-table all' shows the firewall's active routing table.


Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.110.80.1, port10 [1/0]
C 10.0.0.0/8 is directly connected, port3

Routing table for VRF=1
C 172.16.10.0/24 is directly connected, loopback_Test


Test 1: A device connected to FortiGate port3 is generating ICMP packets to 8.8.8.8. A packet sniffer on the firewall shows the packets entering port3 and exiting port10. This is expected since a default route exists over port10 in VRF 0.


diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 10 l

2023-12-12 14:23:06.771674 port3 in 10.0.1.63 -> 8.8.8.8: icmp: echo request
2023-12-12 14:23:06.771834 port10 out 10.0.1.63 -> 8.8.8.8: icmp: echo request


Test 2: The device generates ICMP packets to the IP address 172.16.10.1. This matches the IP address of the loopback interface configured on VRF 1; if VRF 0 were isolated, the traffic would still match the VRF 0 default route and be forwarded out port10.

This is not the case: the connected route for loopback_Test in VRF 1 is matched instead. The firewall does not forward the echo request out port10 but answers it itself, provided a firewall policy from port3 to loopback_Test exists and ping is enabled on the loopback_Test interface.


diagnose sniffer packet any 'host 172.16.10.1 and icmp' 4 10 l

2023-12-12 14:28:22.069203 port3 in 10.0.1.63 -> 172.16.10.1: icmp: echo request
2023-12-12 14:28:22.069291 port3 out 172.16.10.1 -> 10.0.1.63: icmp: echo reply


To isolate this traffic, the existing VRF 0 interfaces can be moved to an unused VRF by updating the system interface configuration. This is a significant routing change and should only be done during a change window with local access to the device.


config system interface
    edit port3
        set vrf 2
    next
    edit port10
        set vrf 2
    next
end
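The following is an added example (not Fortinet code) that models the behaviour shown in Test 1, Test 2 and the remediation above: it parses the 'get router info routing-table all' output, performs a longest-prefix lookup in which VRF 0 sees every VRF's routes while any other VRF sees only its own, and then models moving port3 and port10 to VRF 2. The function names, the parsing regexes and the assumption that a route follows its egress interface's VRF are mine, not FortiOS internals.

```python
import ipaddress
import re

# Constructed sample: the 'get router info routing-table all' output shown in this article.
ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.110.80.1, port10 [1/0]
C 10.0.0.0/8 is directly connected, port3

Routing table for VRF=1
C 172.16.10.0/24 is directly connected, loopback_Test
"""
VRF_HDR = re.compile(r"^Routing table for VRF=(\d+)")
# Captures the prefix and the egress interface (the word after the last comma).
ROUTE = re.compile(r"^\S+\s+(\S+/\d+)\s.*,\s*(\S+?)(?:\s+\[\S+\])?$")

def parse_routing_table(text):
    """Return {vrf: [(network, interface), ...]} from the routing-table output."""
    tables, vrf = {}, None
    for line in text.splitlines():
        hdr = VRF_HDR.match(line)
        if hdr:
            vrf = int(hdr.group(1))
            tables.setdefault(vrf, [])
            continue
        rt = ROUTE.match(line)
        if rt and vrf is not None:
            tables[vrf].append((ipaddress.ip_network(rt.group(1)), rt.group(2)))
    return tables

def lookup(tables, ingress_vrf, dst):
    """Longest-prefix match; VRF 0 sees every VRF's routes, other VRFs only their own.
    Returns (egress_interface, owning_vrf), or None when no route matches."""
    dst = ipaddress.ip_address(dst)
    if ingress_vrf == 0:
        cands = [(n, i, v) for v, rts in tables.items() for n, i in rts]
    else:
        cands = [(n, i, ingress_vrf) for n, i in tables.get(ingress_vrf, [])]
    best = max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])

def move_interfaces(tables, interfaces, new_vrf):
    """Model 'set vrf N' on the named interfaces: their routes are re-homed to new_vrf
    (assumption: FortiOS derives a route's VRF from its egress interface)."""
    moved = {}
    for v, rts in tables.items():
        for n, i in rts:
            moved.setdefault(new_vrf if i in interfaces else v, []).append((n, i))
    return moved
```

With the article's table, a VRF 0 ingress lookup for 172.16.10.1 returns loopback_Test in VRF 1 (Test 2), while after moving port3 and port10 to VRF 2 the same destination follows the default route out port10.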

