Hi all,

Scenario:

• Two site, each with a fortigate
• Site A and Site B connected via BGP
• Site B gets main internet access through a default route advertised by Site A
• Sibte B also as a Fortiextender (4G) for backup WAN with a Public IP (static route with higher Administrative Distance than BGP)
• Mail goal is remote host's to do VPN directly for Site B Fortigate, even when dafult route is being imported from the BGP
• Site B Fortigate 61F FortiOS 7.2.11

Setup is proven to be working as when I do a specific static route to my public IP I can reach site B Fortigate (ping and VPN).

I tried to acomplish this with Policy Based Route however traffic was being dropped by RPF, even with src-check disabled in the interface. For test purpose I did a PBR as less strict as possible.

config router policy
    edit 1
        set input-device "WAN-BACKUP-5G"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway <Fortiextender next-hop>
        set output-device "WAN-BACKUP-5G"
    next
end

After some troubleshoot I can see session is being created for inboud ping, but no reply packets counted:

session info: proto=1 proto_state=00 duration=2 expire=57 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0 state=log local may_dirty statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 29/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->in, reply out->post dev=26->18/18->26 gwy=193.126.22.140/0.0.0.0 hook=pre dir=org act=noop "my_public_IP":1->"FEXT_public_IP":8(0.0.0.0:0) hook=post dir=reply act=noop "FEXT_public_IP":1->"my_public_IP":0(0.0.0.0:0) src_mac="MAC" misc=0 policy_id=1 pol_uuid_idx=722 auth_info=0 chk_client_info=0 vd=0 serial=05172b18 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=00000000 no_ofld_reason: local

Thansk!