Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Duplicating traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 10-19-2009 02:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Duplicating traffic
Hi everyone!
I' m new on this forum as well as with managing FortiGate (310b in my case).
The problem that i' m experiencing is as following:
First few words about my net topology.
We have 2 core router/switches in a cluster mode (VRRP).
From both, there is a physical connection to the FG ports 1 and 2, which are in redundant mode and defined in a group called LAN.
That means, from one core sw to FG port1, from the other (backup) core sw to FG port2.
From the FG ports 3 and 4 (also redundant ports - group External) there is a physical connection to 2 layer 2 switches, each port of the FG to one L2 switch.
Each L2 sw is connected to a Nokia FW. Hence, there are 2 Nokia' s in a cluster.
One thing more, the L2 sw are also connected directly to each other.
The problem is as following:
When we try to ping from internal LAN (host connected to core sw, for example) to DMZ (which is connected on the FW on a separate physical interface), we get a duplicated reply packet.
On the FG there is a firewall policy that allows all traffic from internal addresses to DMZ addresses, and aplying no Protection Profile on this traffic.
This is also happening for other traffic, besides icmp.
We tested many things, and came to the conclusion that the problem is (probably) related to ARP and STP on the switches.
We have tried to forward stp on all 4 ports on the FG but with no luck.
Please, any suggestion is more than welcome.
This is a rather big issue in our case.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can you post a diagram?
Stupid Q: Did you config the VLAN correctly?
Are that Cisco switches?
The FG310B is in Nat/Route mode?
Regards, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Not applicable
Created on 10-19-2009 09:44 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eric,
thanks for your answer.
I' m sending you the diagram.
The VLAN' s are configured correctly :).
The switches are Alcatel, both the core, as well the L2 switches.
The FG is working in Transparent mode.
The thing is that the traffic, when it arrives at the L2 switch (back from DMZ) is broadcasted throughout that VLAN (because of the mac-address entry in the L2 switch) and therefore the FG receives the same packet on both " External" ports (Port3 and Port4, which is normal in Redundant mode, but receives both packets thru LAN port (Port1) which is also normal behavior when 2 ports are in redundant mode.
Port2 (also LAN port) is not transmitting any traffic, also normal behavior.
We also enabled stpforward and l2forward, in order to pass STP thru FG, but id didn' t solved our problem.
In that case, we had 2 root bridges on the same segment!!! Not good :)
So, you have some more info now to chew on :))
Regards,
Alex
Not applicable
Created on 10-19-2009 09:49 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eric,
for the case you didn' t received the diagram, i am embedding it in the post...
Not applicable
Created on 10-19-2009 09:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is rather a big picture :))
Regards,
Alex
Not applicable
Created on 10-19-2009 10:06 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I changed the image size (again :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) are the Nokia firewalls in an active/active or active/passive config?
2) if you hang a PC off of the L2 switch before you hit your core do you get duplicated pings? How about if you hang the PC off of the other switch?
I just checked a router that we have on the far side of a transparent proxy, and I' m not seeing any of the ARP resolutions as (ff:ff:ff:ff:ff:ff) - what device is making the decisions to start broadcasting the traffic? My guess would be the Nokia boxes?
Not applicable
Created on 10-19-2009 11:39 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The both Nokia' s are in a cluster and working in active/passive mode.
when we tried a ping from the primary Nokia (on the left side of the picture) towards some internal host (connected on the Main Core switch) we also got duplicated ICMP reply packets, wich means that the traffic is going thru the FG external port (Port3), and then the traffic is sent thru both FG internal ports (Port1 and Port2).
We excluded the Nokia as the source of the duplicating, because, when we ping some other addresses wich are also behind the Nokia (on an another Nokia physical interface), or addresses on the Internet, there aren' t any duplicated replies.
Just to mention, in the FortiGate firewall policy is a rule that allows the traffic from internal LAN towards DMZ without any protection profile applied.
The primary Nokia receives the ICMP request packet and sends a reply, the secondary Nokia sees the reply packet on the DMZ interface (but not sending any traffic).
I think that the problems lies somewhere in the L2 - FortiGate connection.
Does anybody has some experience with stpforward option of the FG?
Both, the core and the L2 switches uses RSTP.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven' t read thru the hole tread but based on your diagram, I think you forgot to create broadcasting domains. As the FG is in TP mode it' s also a L2 switch and ARP' s will be replicated on every port regardless of the VLAN. Broadcasting domains prevents this.
Cheers, Eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Not applicable
Created on 10-20-2009 12:49 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Eric,
how should i configure the broadcast domain(s) on the FG?
thx + regards
Alex
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Traffic between VLANs: Fortigate 40f &... 141 Views
- I Have Issue on Netflow FortiGate 107 Views
- Help to create a handler with... 135 Views
- Routing with two wan int 186 Views
- Issues with TCP Syslog Logs on... 123 Views
Labels
-
FortiGate
8,081 -
FortiClient
1,624 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
366 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
179 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.