FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
chaithrar
Staff
Staff
Article Id 196651

Description

 
This article describes the default behavior of how packets are treated by FortiGate once a packet should ingress and egress the same logical interface.
 
Scope
 
FortiGate.


Solution

 

By design and by default, if during the routing decision is determined that the packet which ingresses over port1, for example, should egress as well over port1 (with no VLAN tag change, no DNAT, or no IPSEC encapsulation/decapsulation) packet is sent back over port1.

 

This behavior is by default enabled, but it can be modified under system global settings.

 

config system global
    set allow-traffic-redirect enable*|disable <- Default value.
end

 

The combination of the enable/disable status of 'allow-traffic-redirect' and the source IP of the packet can lead to the following scenarios:

  1. If the source IP address is on the same network with the firewall's interface that will do the traffic redirection and 'set allow-traffic-redirect' is enabled then the traffic will be redirected without the need for a policy, solely based on the routing decision.
  2. If the source IP address is on the same network with the firewall's interface that will do the traffic redirection and 'set allow-traffic-redirect' is disabled then the traffic will have to be matched by an IPv4 policy before being forwarded over the same interface that entered on. If no IPv4 policy will match the traffic then it will match the implicit deny policy and it will be dropped.
  3. If the source IP address is on a different network than the firewall's interface that will do the traffic redirection, the traffic will have to be matched against an IPv4 policy no matter the status enabled or disabled of 'set allow-traffic-redirect'. But after 7.0.16, 7.2.11, and 7.4.4, the behavior was changed and no policy or existing session will be required for this scenario if allow-traffic-redirect is enabled. If allow-traffic-redirect is disabled, FortiGate will do policy match.

 

When an IPv4 policy is needed to forward the traffic over the same interface that it came from then anti-replay would need to be disabled for TCP traffic so that the traffic will not be dropped as replayed traffic.

 

config firewall policy
    edit <policy ID>
        set anti-replay enable*|disable <- Default value.
end

 

For the public Cloud VMs, the status of 'allow-traffic-redirect' is always set to disable due to one-arm traffic.