FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Somashekara_Hanumant
Article Id 349731
Description This article describes why the destination address of a static route can be missing after a firmware upgrade. It explains how the destination address of a wizard-created static route is assigned after the firmware upgrade.
Scope FortiGate 7.2.x.
Solution

Configuration:

Configure IPSec VPN using Wizard:

 

ipsec_1.JPG

 

From CLI:

 

config vpn ipsec phase1-interface
    edit "ABC-TUNNEL-XYZ"
        set interface "port3"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.5.20.106
        set psksecret ENC ehpZslaquEarMvK
    next
end

 

config vpn ipsec phase2-interface
    edit "ABC-TUNNEL-XYZ"
        set phase1name "ABC-TUNNEL-XYZ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "ABC-TUNNEL-XYZ_local"
        set dst-name "ABC-TUNNEL-XYZ_remote"
    next
end

 

The destination address is added automatically to the static route as below:

 

config router static
    edit 2
        set device "ABC-TUNNEL-XYZ"
        set comment "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
        set dstaddr "ABC-TUNNEL-XYZ_remote"
    next
end

 

config firewall address
    edit "ABC-TUNNEL-XYZ_remote_subnet_1"
        set uuid 9f593496-8ae8-51ef-b219-f8824328139f
        set allow-routing enable
        set subnet 10.109.0.0 255.255.240.0
    next
end

Note that 'allow-routing' is enabled on the address object created by the wizard.

 

address_3.JPG

 

config firewall addrgrp
    edit "ABC-TUNNEL-XYZ_remote"
        set uuid 9f5b7134-8ae8-51ef-263f-1cb2b5a6a08f
        set member "ABC-TUNNEL-XYZ_remote_subnet_1"
        set comment "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
        set allow-routing enable
    next
end

Note that 'allow-routing' is also enabled on the address group created by the wizard.

 

addresgr.JPG

 

Add multiple address objects to the same VPN remote group 'ABC-TUNNEL-XYZ_remote' and make sure the 'allow-routing' option is enabled on every one of them, as below. On the remote address member and group created by the wizard, 'allow-routing' is enabled by default.

 

config firewall address
    edit "member_1"
        set uuid ce240328-8ae8-51ef-a787-b2ac37e32e17
        set allow-routing enable
        set subnet 10.110.0.0 255.255.240.0
    next
    edit "member_2"
    ...
    edit "member_11"
end

 

Include all of the above address objects as members of the 'ABC-TUNNEL-XYZ_remote' group.

 

Similarly, create another set of address objects, with 'allow-routing' enabled on all of the address objects and on the group object itself, and add them to the VPN remote group as a nested group:

 

config firewall addrgrp
    edit "nested_group"
        set uuid 515aabb0-8aea-51ef-d7b8-b20dcf9b044c
        set member "second_member_1" "second_member_2" "second_member_3" "second_member_4" "second_member_5" "second_member_6" "second_member_7" "second_member_8" "second_member_9"
        set allow-routing enable
    next
    edit "ABC-TUNNEL-XYZ_remote"
        set uuid 9f5b7134-8ae8-51ef-263f-1cb2b5a6a08f
        set member "ABC-TUNNEL-XYZ_remote_subnet_1" "member_1" "member_10" "member_11" "member_2" "member_3" "member_4" "member_5" "member_6" "member_7" "member_8" "member_9" "nested_group"
        set comment "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
        set allow-routing enable
    next
end

 

However, 'second_member_9' does not have the 'allow-routing' option enabled, as in the config below:

 

config firewall address
    edit "second_member_9"
        set uuid a1ad73f0-8ae9-51ef-be87-2a3c20da00c5
        set subnet 10.129.0.0 255.255.240.0
    next
end

 

address_3.JPG

 

With these settings, if the FortiGate firmware is upgraded, the following errors can be seen on the console port after the upgrade:

 

diag debug config-error-log read

>>> "set" "dstaddr" "ABC-TUNNEL-XYZ_remote" @ root.router.static.2:value parse error (error -3)
>>> "set" "dstaddr" "ABC-TUNNEL-XYZ_remote" @ root.router.static.3:value parse error (error -3)

 

Because of the 'second_member_9' address object, the destination address is not applied to the static route after the upgrade, as shown below. The static route is then left without a destination and becomes a default route through the tunnel, which may affect the traffic flow.

 

static_route.JPG

 

config router static
    edit 2
        set device "ABC-TUNNEL-XYZ"
        set comment "VPN: ABC-TUNNEL-XYZ (Created by VPN wizard)"
    next
end

 

Conclusion:

If any address objects are added to the address group created by the VPN wizard, including members of nested groups, make sure the 'allow-routing' option is enabled on each of them before upgrading.
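A pre-upgrade check for this condition, added here as an example and not part of the article or any Fortinet tool: it parses a saved FortiOS configuration backup (the constructed sample below mirrors the objects above), follows each static route's 'dstaddr' through nested address groups and reports every object that lacks 'allow-routing enable'. The parser assumes flat config blocks and does not handle nested 'config' sub-tables inside an entry.

```python
import shlex
# Constructed sample in the article's layout: 'second_member_9' lacks 'allow-routing'.
SAMPLE_CONFIG = """config firewall address
    edit "second_member_9"
        set subnet 10.129.0.0 255.255.240.0
    next
end
config firewall addrgrp
    edit "nested_group"
        set member "second_member_9"
        set allow-routing enable
    next
    edit "ABC-TUNNEL-XYZ_remote"
        set member "nested_group"
        set allow-routing enable
    next
end
config router static
    edit 2
        set dstaddr "ABC-TUNNEL-XYZ_remote"
    next
end"""
def parse_sections(text):
    """{section: {entry: {key: [values]}}} for flat config blocks (nested 'config' not handled)."""
    out, sec, ent = {}, None, None
    for tok in filter(None, (shlex.split(line) for line in text.splitlines())):
        if tok[0] == "config":
            sec = " ".join(tok[1:]); out.setdefault(sec, {})
        elif tok[0] == "edit":
            ent = tok[1]; out[sec].setdefault(ent, {})
        elif tok[0] == "set" and ent:
            out[sec][ent][tok[1]] = tok[2:]
        elif tok[0] == "next":
            ent = None
        elif tok[0] == "end":
            sec = ent = None
    return out
def unroutable_members(name, addrs, groups, seen=()):
    """Recursively list objects under `name` (address or group) missing 'allow-routing enable'."""
    obj = groups.get(name) or addrs.get(name, {})  # unknown names come back as {} and get flagged
    bad = [] if obj.get("allow-routing") == ["enable"] else [name]
    for member in groups.get(name, {}).get("member", []):
        if member not in seen:  # guard against group cycles
            bad += unroutable_members(member, addrs, groups, seen + (name,))
    return bad
def audit_static_routes(config_text):
    """Map each static route seq that sets 'dstaddr' to the objects that would break it."""
    s = parse_sections(config_text)
    addrs, groups = s.get("firewall address", {}), s.get("firewall addrgrp", {})
    return {seq: unroutable_members(r["dstaddr"][0], addrs, groups)
            for seq, r in s.get("router static", {}).items() if "dstaddr" in r}
```

Run `audit_static_routes` over the text of a full backup; an empty list for every route means no member will trip the 'value parse error' above.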