Hello guys,
This is my first post here and wanted to clarify something in my head about the way Fortigate processes traffic.
I have the following topology. R1 ---- FGT ----R2 + this configuration:
-R1 and R2 both have 9.9.9.9/32 configured as Loopback interfaces.
-FGT has 1.1.1.1/32 configured as Loopback interface
-R1 has static route towards 1.1.1.1 via FGT
-R2 has default route via FGT
-FGT has default route via R1 and static route to 9.9.9.9 via R2.
If I try to ping 1.1.1.1, it works from both R1 and R2. I find that odd, given the fact that the best route towards 9.9.9.9 is via R2.
The only thing I can think of is that when pinging from R1 (the one that should not work from my point of view), the FGT, because it has loose RPF configured, allows the traffic on that port, and then when replying it does not consult the routing table but rather sends the reply via the interface on which it received the request. Can I have a confirmation of this behavior?
BR,
Radu
That would be my guess also, but why are you using the same 9.9.9.9/32 on R1 & R2? Instead of writing this out, can you provide the route table, i.e.
get router info routing-table all
Also, I believe regardless of more specific routes, if you ping an interface address and it has a route, that echo-reply will be sourced with the address of the echo-request destination address.
PCNSE
NSE
StrongSwan
This makes perfect sense to me. The firewall RPF check just makes sure it can route back out on the same interface. Since 9.9.9.9 falls within the 0.0.0.0/0 route towards R1, of course it works. And since it also falls within the 9.9.9.9/32 route towards R2, that one works as well.
What *wouldn't* work is trying to ping 1.1.1.1 from R2 using a source address that makes the FGT match the default route toward R1. Then the RPF check fails and you don't receive the reply.
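To make the two replies above concrete, here is an added example (not from the thread or from Fortinet) that models the FGT's routing table from the original post and runs a loose and a strict reverse-path check against it. The interface names port1 (towards R1), port2 (towards R2) and loopback are assumed, and the 10.0.0.5 source used for the failing case is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed FGT routing table for the topology in the thread:
# default route via R1, host route to 9.9.9.9 via R2, FGT's own loopback.
# Interface names are assumed.
ROUTES = [
    ("0.0.0.0/0", "port1"),      # default route, next hop R1
    ("9.9.9.9/32", "port2"),     # static route, next hop R2
    ("1.1.1.1/32", "loopback"),  # FGT loopback interface
]


def matching_routes(addr):
    """Return every route covering addr, most specific prefix first."""
    ip = ip_address(addr)
    hits = [(ip_network(p), ifc) for p, ifc in ROUTES if ip in ip_network(p)]
    return sorted(hits, key=lambda r: r[0].prefixlen, reverse=True)


def rpf_check(src, in_ifc, mode="loose"):
    """RPF verdict for a packet from src arriving on in_ifc.

    loose:  pass if *any* route to src points back out in_ifc
            (the behaviour the replies describe for the FGT).
    strict: pass only if the *best* route to src points out in_ifc.
    """
    hits = matching_routes(src)
    if not hits:
        return False
    if mode == "strict":
        return hits[0][1] == in_ifc
    return any(ifc == in_ifc for _, ifc in hits)


def ping_cases(mode="loose"):
    """Verdicts for the three situations discussed in the thread."""
    return {
        # R1 pings 1.1.1.1 sourced from its loopback 9.9.9.9
        "R1 src 9.9.9.9 on port1": rpf_check("9.9.9.9", "port1", mode),
        # R2 pings 1.1.1.1 sourced from its loopback 9.9.9.9
        "R2 src 9.9.9.9 on port2": rpf_check("9.9.9.9", "port2", mode),
        # R2 pings with a source that only the default route (via R1) covers
        "R2 src 10.0.0.5 on port2": rpf_check("10.0.0.5", "port2", mode),
    }


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, ping_cases(mode))
```

Under loose RPF the first two cases pass and only the constructed third case fails, matching the second reply; switching to strict shows the R1 case would then fail too, because the best route to 9.9.9.9 points at R2.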