darisandy
Staff
Article Id 350363
Description This article describes the steps to find out why a subnet is missing from the OSPF routing table.
Scope FortiGate.
Solution

Topology:

[Topology diagram: OSPF.drawio (1).png]

Traffic is sent from subnet 172.16.10.0/24 to 10.122.0.0/20.

The debug flow shows that the RPF (reverse path forwarding) check failed:

FGT-B # id=65308 trace_id=727 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=1, 172.16.10.1:3->10.122.3.180:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=0."
id=65308 trace_id=727 func=init_ip_session_common line=6110 msg="allocate a new session-000025c5"
id=65308 trace_id=727 func=iprope_dnat_check line=5480 msg="in-[port2], out-[]"
id=65308 trace_id=727 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=727 func=iprope_dnat_check line=5505 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=727 func=ip_route_input_slow line=1695 msg="reverse path check fail, drop"

This means that FGT-B is receiving the packet from the wrong interface.

172.16.20.0/24 should come from port2, but the routing table does not have any entry for it.

FGT-B # get router info routing-table details 172.16.10.1

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 10.47.15.254, via port1

FGT-B was supposed to learn this subnet from OSPF.
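To make the reverse path check concrete, here is an added Python example (not FortiOS code and not part of the original article). It parses the print_pkt_detail line from the debug flow above, looks the source address up in a constructed copy of FGT-B's routing table before and after the fix, and reports whether a packet arriving on port2 would pass. The strict/loose distinction follows the usual description of FortiGate's RPF modes (strict: the best route to the source must point out the ingress interface; loose: any route to the source via the ingress interface is enough) and is an assumption of this illustration; the routing tables and their format are constructed from the outputs shown in this article.

```python
import ipaddress
import re

# Constructed routing tables for FGT-B, modelled on the outputs in the article.
# Each entry: (destination prefix, egress interface).
FGTB_BEFORE = [
    ("0.0.0.0/0", "port1"),          # static default route via port1
]
FGTB_AFTER = FGTB_BEFORE + [
    ("172.16.10.0/24", "port2"),     # OSPF route learned after the prefix-list fix
]

# Debug flow line copied from the article; only the print_pkt_detail line is
# needed, because it carries the source address and the ingress interface.
PKT_DETAIL = ('id=65308 trace_id=727 func=print_pkt_detail line=5920 msg="vd-root:0 '
              'received a packet(proto=1, 172.16.10.1:3->10.122.3.180:2048) '
              'tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=0."')

_PKT_RE = re.compile(
    r"\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\).*? from (?P<port>\w+)\."
)


def parse_pkt_detail(line):
    """Extract source IP, destination IP and ingress interface from a
    print_pkt_detail debug-flow line. Returns None if the line does not match."""
    m = _PKT_RE.search(line)
    if not m:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "ingress": m.group("port")}


def matching_routes(table, address):
    """All routes covering `address`, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(address)
    hits = [(ipaddress.ip_network(p), iface) for p, iface in table]
    hits = [(n, i) for n, i in hits if addr in n]
    hits.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return hits


def rpf_check(table, src, ingress, strict=False):
    """Return True if a packet from `src` arriving on `ingress` passes the
    reverse path check against `table`.

    strict=True : the best (longest) route to the source must point out `ingress`.
    strict=False: any route covering the source via `ingress` is enough (loose).
    Assumption: this mirrors the strict/loose modes described for FortiGate
    (strict-src-check); it is an illustration, not FortiOS code.
    """
    routes = matching_routes(table, src)
    if not routes:
        return False                      # no route to the source at all
    if strict:
        return routes[0][1] == ingress
    return any(iface == ingress for _, iface in routes)


def verdict(table, line, strict=False):
    """Combine the parser and the check into the message the debug flow would print."""
    pkt = parse_pkt_detail(line)
    if pkt is None:
        return "unparsed"
    ok = rpf_check(table, pkt["src"], pkt["ingress"], strict)
    return "accept" if ok else "reverse path check fail, drop"


if __name__ == "__main__":
    print("before:", verdict(FGTB_BEFORE, PKT_DETAIL))   # only a default route via port1
    print("after: ", verdict(FGTB_AFTER, PKT_DETAIL))    # OSPF route via port2 present
```

Before the fix the only route covering 172.16.10.1 is the default route via port1, so a packet arriving on port2 fails in both modes; after the OSPF route is learned, the best route points out port2 and the check passes.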

FGT-A already redistributes both static and connected routes into OSPF.

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.121.0.0 255.255.240.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
        set status enable
        set routemap "RM-RD-STA"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end

Checking the routing table on FGT-A, subnet 172.16.10.0/24 comes from a static route.

FGT-A # get router info routing-table details 172.16.10.0

Routing table for VRF=0
Routing entry for 172.16.10.0/24
Known via "static", distance 10, metric 0, best
* directly connected, port2

Static routes are redistributed into OSPF with a route map configured as the filter.

config redistribute "static"
    set status enable
    set routemap "RM-RD-STA"
end

The route map has a prefix list as the matching statement.

config router route-map
    edit "RM-RD-STA"
        config rule
            edit 1
                set match-ip-address "PL-STATIC"
            next
        end
    next
end

config router prefix-list
    edit "PL-STATIC"
        config rule
            edit 1
                set prefix 192.168.1.0 255.255.255.0
                unset ge
                unset le
            next
            edit 2
                set prefix 192.168.2.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

Subnet 172.16.10.0 is not on the list, which is why it is not being redistributed. The fix is to add it as a new rule:

config router prefix-list
    edit "PL-STATIC"
        config rule
            edit 3
                set prefix 172.16.10.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end
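The prefix-list evaluation that the route map performs can be reproduced to see exactly why 172.16.10.0/24 is filtered out until rule 3 exists. The following Python is an added example, not FortiOS code and not part of the original article: it models the rules of PL-STATIC before and after the change, applies first-match evaluation with an implicit deny at the end, and treats unset ge/le as an exact-length match and ge/le as a length range (these ge/le semantics are an assumption modelled on common prefix-list behaviour). The list of FGT-A static routes is constructed; only 172.16.10.0/24, 192.168.1.0/24 and 192.168.2.0/24 appear in the article.

```python
import ipaddress

# Constructed representation of the FortiGate prefix-list rules shown in the
# article. ge/le of None correspond to "unset ge" / "unset le".
PL_STATIC_BEFORE = [
    {"id": 1, "prefix": "192.168.1.0/24", "ge": None, "le": None, "action": "permit"},
    {"id": 2, "prefix": "192.168.2.0/24", "ge": None, "le": None, "action": "permit"},
]
PL_STATIC_AFTER = PL_STATIC_BEFORE + [
    {"id": 3, "prefix": "172.16.10.0/24", "ge": None, "le": None, "action": "permit"},
]

# Static routes present on FGT-A (constructed; 10.0.0.0/8 is added here only to
# show a route that is not on the list in either version).
FGTA_STATIC_ROUTES = ["172.16.10.0/24", "192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/8"]


def rule_matches(rule, route):
    """Prefix-list semantics used here (assumption, modelled on common ge/le
    behaviour): the route must fall inside the rule prefix; with ge and le unset
    the route's length must equal the rule prefix length (exact match); otherwise
    the length must lie within [ge, le], with ge defaulting to the rule prefix
    length and le defaulting to the address size when only one of them is set."""
    rule_net = ipaddress.ip_network(rule["prefix"])
    route_net = ipaddress.ip_network(route)
    if not route_net.subnet_of(rule_net):
        return False
    ge, le = rule["ge"], rule["le"]
    if ge is None and le is None:
        return route_net.prefixlen == rule_net.prefixlen
    lo = ge if ge is not None else rule_net.prefixlen
    hi = le if le is not None else route_net.max_prefixlen
    return lo <= route_net.prefixlen <= hi


def prefix_list_action(rules, route):
    """First matching rule (in rule-id order) decides; no match falls through to
    the implicit deny. Returns (action, rule id or None)."""
    for rule in sorted(rules, key=lambda r: r["id"]):
        if rule_matches(rule, route):
            return rule["action"], rule["id"]
    return "deny", None


def redistributed(rules, routes):
    """Routes that the route map matching this prefix list would let into OSPF."""
    return [r for r in routes if prefix_list_action(rules, r)[0] == "permit"]


if __name__ == "__main__":
    print("before:", redistributed(PL_STATIC_BEFORE, FGTA_STATIC_ROUTES))
    print("after: ", redistributed(PL_STATIC_AFTER, FGTA_STATIC_ROUTES))
    print("172.16.10.0/24 before:", prefix_list_action(PL_STATIC_BEFORE, "172.16.10.0/24"))
    print("172.16.10.0/24 after: ", prefix_list_action(PL_STATIC_AFTER, "172.16.10.0/24"))
```

Because the rules use unset ge/le, only the exact /24 matches rule 3; a more specific static route such as 172.16.10.128/25 would still be denied unless the rule set le (or ge) to cover a range of lengths, which is worth remembering when a prefix list is meant to cover several subnets under one aggregate.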

 

After adding subnet 172.16.10.0/24 to the prefix list, the route shows up on FGT-B.

FGT-B # get router info routing-table details 172.16.10.0

Routing table for VRF=0
Routing entry for 172.16.10.0/24
Known via "ospf", distance 110, metric 10, best
Last update 01:37:01 ago
* vrf 0 10.121.2.141, via port2

The debug flow now shows that the traffic is accepted by the firewall policy:

FGT-B # id=65308 trace_id=746 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=1, 172.16.10.1:7->10.122.3.180:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=7, seq=0."
id=65308 trace_id=746 func=init_ip_session_common line=6110 msg="allocate a new session-00003c2a"
id=65308 trace_id=746 func=iprope_dnat_check line=5480 msg="in-[port2], out-[]"
id=65308 trace_id=746 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=746 func=__iprope_fwd_check line=810 msg="in-[port2], out-[port3], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=746 func=fw_forward_handler line=998 msg="Allowed by Policy-1:"

The routes FGT-A advertises into OSPF can also be checked with the following command, before and after the prefix-list change.

Before:

FGT-A # get router info ospf database adv-router 1.1.1.1

OSPF Router with ID (1.1.1.1) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#      CkSum  Flag  Link count
1.1.1.1          1.1.1.1          965   8000000a  1901   0031  1

Net Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#      CkSum  Flag
10.121.2.141     1.1.1.1          975   80000007  c07f   0031

AS External Link States

Link ID          ADV Router       Age   Seq#      CkSum  Flag  Route              Tag
192.168.1.0      1.1.1.1          1675  80000006  62f2   0031  E2 192.168.1.0/24  0
192.168.2.0      1.1.1.1          1505  80000006  57fc   0031  E2 192.168.2.0/24  0

After:

FGT-A # get router info ospf database adv-router 1.1.1.1

OSPF Router with ID (1.1.1.1) (Process ID 0, VRF 0)

Router Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#      CkSum  Flag  Link count
1.1.1.1          1.1.1.1          1004  8000000a  1901   0031  1

Net Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#      CkSum  Flag
10.121.2.141     1.1.1.1          1014  80000007  c07f   0031

AS External Link States

Link ID          ADV Router       Age   Seq#      CkSum  Flag  Route              Tag
172.16.10.0      1.1.1.1          6     80000001  35c8   0021  E2 172.16.10.0/24  0
192.168.1.0      1.1.1.1          1714  80000006  62f2   0031  E2 192.168.1.0/24  0
192.168.2.0      1.1.1.1          1544  80000006  57fc   0031  E2 192.168.2.0/24  0