Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rishab444
Staff
Staff

Created on ‎03-30-2025 10:36 PM Edited on ‎12-11-2025 10:04 PM By Community Manager

Article Id 385350

Troubleshooting Tip: Missing Traffic logs on VM when the Ingress and Egress interface are same for the traffic

Description This article describes the event that occurs when no logs are displayed on the FortiGate when traffic Ingresses and Egresses from the same interface. 
Scope FortiGate-VM.
Solution

This is a common scenario in Cloud or VM environments when the traffic is expected to Ingress and Egress from the same interface, making FortiGate act as a one-arm sniffer or SNAT purposes.

2025-03-19 10:54:49.603554 port2 in 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603585 port2 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603588 sriovslv1 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.855776 port2 in 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855806 port2 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855809 sriovslv1 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995

This is an expected behavior when 'allow-traffic-redirect' is enabled under system settings. The traffic is redirected instead of flowing through the policy set.

This behavior is enabled by default, but it can be modified under system global settings. 

config system global
    set allow-traffic-redirect enable*|disable <----- Default value.
end

 

Starting from FortiOS v7.6.5, 'set allow-traffic-redirect' is now disabled by default; hairpin traffic as described above will now be required to match a policy instead of being forwarded. For the change behavior, see: Policy check required for hairpin traffic.


After disabling this, the log is generated when the traffic flows through the firewall policy configured from port 2 to port 2.

 

Note: Starting from versions v7.0.16, v7.2.11, v7.4.4, and v7.6.0, FortiGate introduced a change in traffic handling where enabling allow-traffic-redirect bypasses the need for a firewall policy or existing session, allowing traffic to be redirected seamlessly, whereas disabling allow-traffic-redirect causes FortiGate to check for a firewall policy matching the traffic.

 

The command is not supported on FortiProxy.

Related articles:
Technical Tip: Traffic handled by FortiGate for packet which ingress and egress same interface 

Technical Tip: How to allow traffic when using the same logical interface for ingress and egress wit...
1271
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.