FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes that the GUI access on the SD-WAN or ECMP interface is lost after upgrading to v7.4.1, v7.4.2 or v7.4.3.
The issue involves loss of GUI access due to mismatched egress interfaces and the originating traffic (http/https/REST API) on FortiGate devices running firmware version 7.4.1.
The issue can be confirmed by running a packet capture on GUI traffic. The response from FortiGate is routed out of an incorrect interface, creating asymmetric flow:
diagnose sniffer packet any "host a.b.c.d" 4 0 l
interfaces=[any]
filters=[host a.b.c.d]
wan1 in a.b.c.d -> x.y.z.v: syn
wan2 out x.y.z.v -> a.b.c.d: syn ack
a.b.c.d is the IP of the source from outside, and x.y.z.v is the wan1 IP.
Scope
FortiGate devices running firmware version v7.4.1, v7.4.2, and v7.4.3.
Solution
The issue has been reported with a known issue ID 961796 and fixed in version 7.4.4 (build 2596)
Workaround:
The user can access the GUI via another internal interface that is not part of an SD-WAN link.
