FortiGate
Dongfang_Li_FTNT
Article Id 331943
Description

This article describes how the virtual IP affects outbound traffic.

 

A virtual IP (VIP) is configured to allow incoming traffic to an internal server. If it is not configured properly, it can also break that server's outbound traffic, because FortiGate applies the VIP in reverse: when the mapped host initiates a connection through a policy with NAT enabled, its source address is translated to the VIP's external IP.

If port1 is the primary external interface and a VIP whose external IP belongs to port2's subnet sits above the port1 VIP in the VIP list (both with external interface 'any' and both mapping to the same internal host), the outbound connection will fail.

 

Consider the below scenario:

 

There are two external interfaces:

 

port1: 10.9.10.188/20

port2: 10.0.0.1/24

 

Two VIPs are configured:

 

config firewall vip

    edit "VIP-Port2"

        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b

        set extip 10.0.0.3                     <-  Port2 subnet.

        set mappedip "192.168.86.3"

        set extintf "any"

    next

    edit "VIP-port1"

        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1

        set extip 10.9.10.189                <-  port1 subnet

        set mappedip "192.168.86.3"

        set extintf "any"

    next

end

 

The port1 is the primary external interface:

 

FGVM01TM23000541 # get router info routing-table all

Routing table for VRF=0

S*      0.0.0.0/0 [10/0] via 10.9.15.254, port1, [1/0]

                  [10/0] via 10.0.0.2, port2, [10/0]

 

The LAN is behind port3. The test PC's IP is 192.168.86.3.

 

The outbound traffic from the test PC is source-NATed to the port2 VIP address (10.0.0.3) but sent out through port1, so the connection fails:

 

FGVM01TM23000541 # di sniffer packet any 'host 9.9.9.9 and icmp' 4

Using Original Sniffing Mode

interfaces=[any]

filters=[host 9.9.9.9 and icmp]

12.895468 port3 in 192.168.86.3 -> 9.9.9.9: icmp: echo request

12.895565 port1 out 10.0.0.3 -> 9.9.9.9: icmp: echo request

 

Flow trace of the same ping:

 

FGVM01TM23000541 # id=65308 trace_id=25 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 192.168.86.3:1->9.9.9.9:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=45."

id=65308 trace_id=25 func=init_ip_session_common line=6080 msg="allocate a new session-05a2b478, tun_id=0.0.0.0"

id=65308 trace_id=25 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-10.9.15.254 via port1"

id=65308 trace_id=25 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=43, len=2"

id=65308 trace_id=25 func=get_new_addr line=1213 msg="find SNAT: IP-10.9.10.188(from IPPOOL), port-60418"

id=65308 trace_id=25 func=get_new_addr line=1213 msg="find DNAT: IP-10.0.0.3, port-0(fixed port)"

id=65308 trace_id=25 func=fw_forward_handler line=989 msg="Allowed by Policy-1: SNAT"

 

Policy-1 allows traffic from port3 to port1. Its source NAT setting is 'Use Outgoing Interface Address', which is 10.9.10.188, and the trace first shows that address being selected ('find SNAT'). The 'find DNAT' line that follows shows the VIP lookup overriding it with 10.0.0.3.

 

FortiGate searches the VIP list from top to bottom and uses the first VIP that maps to the server 192.168.86.3 and whose external interface is 'any' or the egress interface. In this scenario it matches VIP-Port2 first, overrides the source NAT with that VIP's external IP 10.0.0.3, and sends the packet out through port1. Because 10.0.0.3 is not an address on port1's network, the ISP on port1 drops the traffic.

Scope

FortiOS v7.2 and above.
Solution

There are two solutions for this scenario:

 

  1. Change the external interface of the VIP on port2 from 'any' to port2. Keep the VIP on port1 as it is, or change its external interface to port1. Setting both VIPs to their specific interface is the safer choice, because it makes the result independent of the order of the VIP list.

 

config firewall vip

    edit "VIP-Port2"

        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b

        set extip 10.0.0.3                  

        set mappedip "192.168.86.3"

        set extintf "port2"

    next

    edit "VIP-port1"

        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1

        set extip 10.9.10.189             

        set mappedip "192.168.86.3"

        set extintf "any"             

    next

end

 

  2. Move the VIP on port1 above the VIP on port2 while port1 is the primary external interface. This only works as long as port1 stays the preferred default route: if traffic starts leaving through port2 (the second default route in the routing table above), VIP-port1 with external interface 'any' is matched first for that traffic as well, and the same failure occurs in the other direction. Solution 1 does not have this dependency.

 

config firewall vip

    edit "VIP-port1"

        set uuid 98c2d612-55f2-51ef-08ef-a52a641f52e1

        set extip 10.9.10.189

        set mappedip "192.168.86.3"

        set extintf "any"

    next

    edit "VIP-Port2"

        set uuid 72b1a3ea-55f2-51ef-01d3-240d9bfdfb4b

        set extip 10.0.0.3

        set mappedip "192.168.86.3"

        set extintf "any"

    next

end
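The following script is an added example, not FortiOS code or part of this article: it models the top-to-bottom VIP lookup described above (first VIP whose mapped IP is the internal host and whose external interface is 'any' or the egress interface wins, otherwise the policy's outgoing interface address is used) and runs the original VIP table and both solutions against traffic leaving port1 and port2. The interface subnets, the "ISP accepts only sources from the link subnet" rule, and the function names are assumptions made for the model; the addresses and VIP names are the ones used in the article.

```python
"""Model of the reverse-SNAT VIP selection described in the article.

Constructed example: it reproduces the first-match rule the article
describes, not the FortiOS implementation. Assumptions are marked inline.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str
    mappedip: str
    extintf: str          # "any" or an interface name, as in 'set extintf'


@dataclass(frozen=True)
class Interface:
    name: str
    address: str          # FortiGate's own address on the link
    network: IPv4Network  # link subnet (assumed from the article's /20 and /24)


HOST = "192.168.86.3"     # LAN test PC from the article
PORT1 = Interface("port1", "10.9.10.188", ip_network("10.9.10.188/20", strict=False))
PORT2 = Interface("port2", "10.0.0.1", ip_network("10.0.0.1/24", strict=False))

# VIP tables, in list order, exactly as the article shows them.
ORIGINAL = [
    Vip("VIP-Port2", "10.0.0.3", HOST, "any"),
    Vip("VIP-port1", "10.9.10.189", HOST, "any"),
]
FIX_INTERFACE = [                      # solution 1 as shown
    Vip("VIP-Port2", "10.0.0.3", HOST, "port2"),
    Vip("VIP-port1", "10.9.10.189", HOST, "any"),
]
FIX_BOTH = [                           # solution 1, both VIPs pinned
    Vip("VIP-Port2", "10.0.0.3", HOST, "port2"),
    Vip("VIP-port1", "10.9.10.189", HOST, "port1"),
]
FIX_ORDER = [                          # solution 2: reorder, keep 'any'
    Vip("VIP-port1", "10.9.10.189", HOST, "any"),
    Vip("VIP-Port2", "10.0.0.3", HOST, "any"),
]


def pick_snat(vips: List[Vip], egress: Interface, host: str) -> Tuple[Optional[str], str]:
    """Return (matched VIP name or None, source address after NAT).

    First-match walk of the VIP list; a VIP is eligible when it maps the
    host and its extintf is 'any' or the egress interface. With no match,
    the policy's 'Use Outgoing Interface Address' applies.
    """
    for vip in vips:
        if vip.mappedip == host and vip.extintf in ("any", egress.name):
            return vip.name, vip.extip
    return None, egress.address


def link_accepts(egress: Interface, src: str) -> bool:
    """Assumption: the upstream on a link drops packets whose source
    address is outside that link's subnet (the article's ISP drop)."""
    return ip_address(src) in egress.network


def evaluate(vips: List[Vip], egress: Interface, host: str = HOST) -> Dict[str, object]:
    """Which VIP wins, what source the packet carries, and whether the
    ISP on the egress link would accept it."""
    vip, src = pick_snat(vips, egress, host)
    return {"vip": vip, "snat": src, "accepted": link_accepts(egress, src)}


if __name__ == "__main__":
    tables = [("original", ORIGINAL), ("fix: extintf port2", FIX_INTERFACE),
              ("fix: both pinned", FIX_BOTH), ("fix: reorder only", FIX_ORDER)]
    for label, table in tables:
        for egress in (PORT1, PORT2):
            r = evaluate(table, egress)
            print(f"{label:20s} egress={egress.name} vip={r['vip']} "
                  f"src={r['snat']} accepted={r['accepted']}")
```

Running it shows the article's failure (original table, egress port1: VIP-Port2, source 10.0.0.3, dropped), that solution 1 works for either egress interface, and that solution 2 fails again once traffic leaves through port2, which is why pinning each VIP to its own interface is preferable.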