Description
This article describes how FortiGate treats, by default, a packet that must ingress and egress the same logical interface, i.e. intra-interface or intra-VLAN traffic scenarios.
Scope
FortiGate.
Solution
By design and by default, if the routing decision determines that a packet that ingressed on port1, for example, must also egress on port1 (with no VLAN tag change, no DNAT, and no IPsec encapsulation/decapsulation), the packet is sent back out over port1.
This behavior is enabled by default, but it can be modified under the system global settings.
config system global
set allow-traffic-redirect enable*|disable <- Default value is enable.
end
allow-traffic-redirect <--Disable to prevent traffic with the same local ingress and egress interface from being forwarded without a policy check.
The combination of the enable/disable status of 'allow-traffic-redirect' and the source IP of the packet can lead to the following scenarios:
- If the source IP address is on the same network as the firewall's interface that will do the traffic redirection and 'set allow-traffic-redirect' is enabled, then the traffic will be redirected without the need for a policy, solely based on the routing decision.
- If the source IP address is on the same network as the firewall's interface that will do the traffic redirection and 'set allow-traffic-redirect' is disabled, then the traffic will have to be matched by an IPv4 policy before being forwarded over the same interface that it entered on. If no IPv4 policy matches the traffic, then it will match the implicit deny policy, and it will be dropped.
- If the source IP address is on a different network than the firewall's interface that will do the traffic redirection, the traffic has to be matched against an IPv4 policy regardless of whether 'set allow-traffic-redirect' is enabled or disabled. Starting with 7.0.16, 7.2.11, and 7.4.4, this behavior was changed: no policy or existing session is required for this scenario if allow-traffic-redirect is enabled, while FortiGate still performs a policy match if allow-traffic-redirect is disabled. Be particularly aware of this change in cloud environments, where a lot of traffic has the same incoming and outgoing interface on FortiGate. If a firewall policy is configured to inspect such traffic with the same incoming and outgoing interface, this option should be disabled after upgrading to these versions, otherwise that traffic bypasses the policy.
When an IPv4 policy is needed to forward the traffic out of the same interface it came in on, anti-replay must be disabled in that policy for TCP traffic; otherwise the traffic will be dropped as replayed traffic.
config firewall policy
edit <policy ID>
set anti-replay enable*|disable <- Default value is enable.
next
end
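As an added worked example (this is not configuration from the original article), the following CLI puts the two settings above together for the cloud/one-arm case the article recommends: traffic redirection is disabled globally, so intra-interface traffic must hit an explicit policy, and that policy has anti-replay disabled so TCP traffic returning through the same interface is not discarded. The interface name port1 is taken from the article; the policy name, the use of 'edit 0' (FortiOS assigns the next free ID), the 'all' address objects and the logging setting are assumptions chosen for illustration.

```fortios
# Assumed example, not from the article: force a policy check for traffic
# that ingresses and egresses the same interface.
config system global
    set allow-traffic-redirect disable
end

# Explicit policy for intra-port1 traffic. srcintf and dstintf are the same
# interface, so without the policy the traffic would hit the implicit deny.
config firewall policy
    edit 0
        set name "intra-port1-redirect"    # assumed name
        set srcintf "port1"
        set dstintf "port1"
        set srcaddr "all"                  # assumed: narrow to real address objects in production
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set anti-replay disable            # required, otherwise TCP is dropped as replayed
        set logtraffic all                 # assumed: keep visibility of hairpinned flows
    next
end
```

After applying this, a session for the hairpinned flow should appear in 'diagnose sys session list' with both interfaces set to port1 and the policy ID of the new policy; if the flow instead stops after the first packet, check the anti-replay setting of the matching policy first.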
Note:
- Under certain conditions, a route flap or routing peer connectivity issues could cause traffic to loop between FortiGate and the hop the traffic originated from until the TTL of each packet expires. If a considerable amount of traffic loops, this can cause high CPU on the FortiGate and on the next-hop device. Either a blackhole route or 'set allow-traffic-redirect disable' can be used in such scenarios to avoid the L3 traffic loops.
- For the public Cloud VMs, it is always recommended to set the status of 'allow-traffic-redirect' to 'disable' due to one-arm traffic (the default value is 'enable').
- This also affects the logging. The behavior is demonstrated in Troubleshooting Tip: Missing Traffic logs on VM when the Ingress and Egress interface are same for t....
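As an added example (not from the original article) of the blackhole route mentioned in the first note above: a static blackhole route for the affected prefix with a high administrative distance only becomes active when the dynamic or more specific route is withdrawn during a flap, so packets for that destination are discarded locally instead of being sent back out the ingress interface and looping until TTL expiry. The prefix 10.20.0.0/16 and the distance value 254 are assumptions constructed for illustration.

```fortios
# Assumed example, not from the article: catch-all blackhole for a prefix
# normally learned dynamically, so a route flap cannot cause a hairpin loop.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0   # constructed prefix
        set blackhole enable
        set distance 254                # assumed: higher than the normal route, so it only wins when that route is gone
        set comment "loop guard during route flap"
    next
end
```

While the regular route is present, 'get router info routing-table all' shows that route and the blackhole stays inactive; during a flap the blackhole takes over and the looping traffic disappears from 'diagnose sniffer packet' on the ingress interface.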
Related article: