FortiGate
ssanga
Staff
Article Id 358794
Description This article describes an issue where the reply traffic for a Virtual IP (VIP) egresses from a different interface than the one the request arrived on when a security profile (UTM) is enabled in the VIP firewall policy and that policy uses proxy-based inspection mode.
Scope FortiGate v7.4.2, v7.4.3.
Solution

After upgrading FortiGate to v7.4.2 or v7.4.3, Virtual IPs stop working when UTM is enabled in a firewall policy that uses proxy-based inspection mode. The problem can be confirmed with the sniffer output shown below.

A packet capture shows that the FortiGate does answer the client-initiated traffic, but the reply is routed out through a different interface than the one on which the request came in. As a result, the reply never reaches the client and the connection does not complete.

Sniffer output from non-working scenario:


diagnose sniffer packet any "port 443 and host 94.X.X.X" 4 0 l
interfaces=[any]
filters=[port 443 and host 94.X.X.X]
2024-01-17 10:36:14.787881 wan2 in 94.X.X.X.20293 -> 83.X.X.X.443: syn 1673605026 <----- SYN arrives on wan2
2024-01-17 10:36:14.788181 wan1 out 83.X.X.X.443 -> 94.X.X.X.20293: syn 2273180168 ack 1673605027 <----- SYN+ACK leaves on wan1

Sniffer output from the working scenario, with UTM disabled in the firewall policy or with the policy in flow-based inspection mode (the SYN+ACK leaves through wan2, the same interface the SYN arrived on):


2024-01-17 10:44:19.068794 wan2 in 94.X.X.X.20082 -> 83.X.X.X.443: syn 3957980771
2024-01-17 10:44:19.069248 wan2 out 83.X.X.X.443 -> 94.X.X.X.20082: syn 1675486524 ack 3957980772
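The asymmetry in the two captures above can be checked mechanically rather than by eye. The Python script below is an added example, not code from the article or from Fortinet: it parses `diagnose sniffer packet ... 4` output lines and flags every reply (`out`) packet whose egress interface differs from the interface on which the matching request (`in`) arrived. The embedded capture text is constructed to mirror the two captures in the article, with the masked 94.X.X.X / 83.X.X.X addresses replaced by the documentation addresses 198.51.100.20 and 203.0.113.5.

```python
import re

# Constructed sample (not a real capture): the banner lines of
# `diagnose sniffer packet any "port 443 and host 198.51.100.20" 4 0 l`
# followed by the non-working flow (SYN in on wan2, SYN+ACK out on wan1)
# and the working flow (both packets on wan2).
SNIFFER_OUTPUT = """\
interfaces=[any]
filters=[port 443 and host 198.51.100.20]
2024-01-17 10:36:14.787881 wan2 in 198.51.100.20.20293 -> 203.0.113.5.443: syn 1673605026
2024-01-17 10:36:14.788181 wan1 out 203.0.113.5.443 -> 198.51.100.20.20293: syn 2273180168 ack 1673605027
2024-01-17 10:44:19.068794 wan2 in 198.51.100.20.20082 -> 203.0.113.5.443: syn 3957980771
2024-01-17 10:44:19.069248 wan2 out 203.0.113.5.443 -> 198.51.100.20.20082: syn 1675486524 ack 3957980772
"""

# One verbosity-4 sniffer line: "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>"
# The port is appended to the address with a dot, so the address group backtracks to the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+)\.(?P<sport>\d+) -> (?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse_sniffer(text):
    """Parse sniffer output into a list of packet dicts; banner and blank lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 'interfaces=' / 'filters=' banner or other non-packet text
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        packets.append(p)
    return packets


def find_asymmetric_replies(packets):
    """Return (request_tuple, ingress_iface, egress_iface) for every reply that left
    on a different interface than the request it answers arrived on."""
    ingress = {}  # (src, sport, dst, dport) of an 'in' packet -> interface it arrived on
    findings = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["dir"] == "in":
            ingress.setdefault(key, p["iface"])  # remember the first ingress interface
            continue
        # An 'out' packet answers the flow with the reversed 4-tuple.
        request_key = (p["dst"], p["dport"], p["src"], p["sport"])
        in_iface = ingress.get(request_key)
        if in_iface is not None and in_iface != p["iface"]:
            findings.append((request_key, in_iface, p["iface"]))
    return findings


def check_capture(text):
    """Convenience wrapper: parse the text and return the list of asymmetric replies."""
    return find_asymmetric_replies(parse_sniffer(text))


if __name__ == "__main__":
    for request, in_iface, out_iface in check_capture(SNIFFER_OUTPUT):
        src, sport, dst, dport = request
        print(f"ASYMMETRIC: {src}:{sport} -> {dst}:{dport} entered on {in_iface}, "
              f"reply left on {out_iface}")
```

Pipe a real capture into `check_capture()` (for example, read it from a file saved from the CLI session) and an empty result means every reply left on the interface its request arrived on; any finding is the symptom described in this article.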

This issue has been resolved in v7.4.4; upgrading to v7.4.4 or later is the permanent fix.

Workaround (until the upgrade is possible), either:

  • Switch the firewall policy to flow-based inspection mode and use flow-based security profiles, or
  • Disable the UTM/security profiles in the firewall policy.

Before switching to flow-based inspection, check that none of the security profiles on the policy rely on proxy-only features, since those will no longer apply in flow mode.