Fortigate same zone but different interface packet process logic
Hi All,
Sorry, my first post here, and forgive me if this has already been asked earlier.
What will the firewall do if it receives a SYN, ACK (half-open session) packet, or subsequent packets for an already established session, on a different interface (not the one where the packet was sent out)?
Thanks,
Myky
Unlike Palo Alto's "zone", FGT's "zone" is not a necessary object, more like an alias. You can use it in policies but you don't have to. It still routes per interface, and if packets come in one interface and go out another interface it's considered "asymmetric" regardless of whether they are members of one zone.
It would drop it unless asymmetrical routing was enabled. Google "stateful-inspection firewall", which is what any FortiGate does, or any modern UTM/NGFW.
Ken Felix
PCNSE
NSE
StrongSwan
Ok perfect, so similar logic that Palo does:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK
Cheers
Ok, thanks. So the packet check is per interface, not per zone.
Hmm.. It looks like not all UTM/NGFW behave the same way:
The firewall is zone-based, which means that for all received packets during the session creation and subsequent packets, a source zone lookup will occur before moving to the next step of matching an existing session. So if both the interfaces are placed in the same zone, they will be treated as the same area and asymmetry will not be applied within the same zone. This way, the asymmetry protection does not need to be disabled.
Are you using zones? I believe you have an option for an allow action per each zone that's defined; that is something you can look at. I still believe interface and asymmetrical checks will still be implied.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks guys! I see that the function of "zone" is a bit different from Palo. Anyway, I just needed to know if FG will behave the same way or not. Cheers!
Created on ‎02-27-2024 02:09 PM Edited on ‎02-27-2024 02:12 PM
If traffic egresses port1 and return traffic comes in on port2 and ECMP routes exist (and policy), then the session gets "dirty". When a session is "dirty" it gets re-evaluated by the CPU (instead of offloaded) and the session gets refreshed: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/14295/controlling-return-pat....
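To make the difference discussed in this thread concrete, here is a small Python model of a stateful session table that checks return traffic either per interface (the FortiGate behaviour the replies describe, with an `asymroute` toggle standing in for `config system settings` / `set asymroute enable`) or per zone (the Palo Alto behaviour quoted from its KB). The ECMP branch models what the last reply describes: a reply arriving on another ECMP member marks the session dirty and re-evaluates its egress interface instead of dropping it. This is an added example written for this page, not FortiOS or PAN-OS code or anything posted by the participants; the interface names, zone names, addresses and the simplified TCP state machine are all constructed assumptions.

```python
"""Toy model of stateful session matching: per-interface (FortiGate-style)
versus per-zone (Palo Alto-style).  Constructed example; not vendor code.
Policy lookup is assumed to permit everything so only the session logic shows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    iface: str   # interface the packet was received on


@dataclass
class Session:
    client: tuple       # (ip, port) of the side that sent the SYN
    server: tuple
    in_iface: str       # where the SYN arrived
    out_iface: str      # where the SYN was forwarded after the route lookup
    state: str = "SYN_SENT"
    dirty: bool = False  # set when the reply came back on another ECMP member


class Firewall:
    def __init__(self, zones, routes, mode="interface", asymroute=False):
        self.zones = zones          # iface -> zone name (assumed names)
        self.routes = routes        # dst ip -> list of egress ifaces (ECMP if >1)
        self.mode = mode            # "interface" (FortiGate) or "zone" (Palo Alto)
        self.asymroute = asymroute  # stands in for 'set asymroute enable'
        self.sessions = {}          # frozenset of both endpoints -> Session

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one flow.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt):
        """Return (verdict, reason) for one packet and update the session table."""
        sess = self.sessions.get(self._key(pkt))
        if sess is None:
            if pkt.flags != "S":
                return "drop", "no session for non-SYN packet"
            out = self.routes[pkt.dst][0]           # first ECMP member chosen
            self.sessions[self._key(pkt)] = Session(
                (pkt.src, pkt.sport), (pkt.dst, pkt.dport), pkt.iface, out)
            return "accept", f"new session in={pkt.iface} out={out}"

        from_server = (pkt.src, pkt.sport) == sess.server
        expected = sess.out_iface if from_server else sess.in_iface
        if pkt.iface != expected:
            same_zone = self.zones.get(pkt.iface) == self.zones.get(expected)
            ecmp_set = self.routes.get(sess.server[0], [])
            if self.mode == "zone" and same_zone:
                pass  # zone-based lookup: same zone, so not treated as asymmetric
            elif self.asymroute:
                pass  # asymmetric routing allowed: interface check skipped
            elif from_server and len(ecmp_set) > 1 and pkt.iface in ecmp_set:
                sess.dirty = True            # reply on another ECMP member:
                sess.out_iface = pkt.iface   # flag dirty and re-evaluate egress
            else:
                return "drop", f"asymmetric: got {pkt.iface}, expected {expected}"

        # Minimal three-way-handshake tracking.
        if pkt.flags == "SA" and from_server and sess.state == "SYN_SENT":
            sess.state = "SYN_RECV"
        elif pkt.flags == "A" and not from_server and sess.state == "SYN_RECV":
            sess.state = "ESTABLISHED"
        return "accept", f"matched session state={sess.state}"


def demo(mode, asymroute=False, ecmp=False):
    """Client on port3 opens a connection out port1; the SYN/ACK returns on port2."""
    zones = {"port1": "wan", "port2": "wan", "port3": "lan"}   # assumed layout
    routes = {"198.51.100.10": ["port1", "port2"] if ecmp else ["port1"],
              "10.0.0.5": ["port3"]}
    fw = Firewall(zones, routes, mode, asymroute)
    syn = Packet("10.0.0.5", 40000, "198.51.100.10", 443, "S", "port3")
    synack = Packet("198.51.100.10", 443, "10.0.0.5", 40000, "SA", "port2")
    verdicts = [fw.process(syn)[0], fw.process(synack)[0]]
    sess = next(iter(fw.sessions.values()))
    return {"verdicts": verdicts, "dirty": sess.dirty,
            "state": sess.state, "out_iface": sess.out_iface}


if __name__ == "__main__":
    for args in ({"mode": "interface"}, {"mode": "interface", "asymroute": True},
                 {"mode": "zone"}, {"mode": "interface", "ecmp": True}):
        print(args, demo(**args))
```

In interface mode the SYN/ACK on port2 is dropped even though port1 and port2 share a zone, which is the point the replies make; it is accepted only when the asymmetric-routing toggle is on, when the check is zone-based, or when port2 is another member of an ECMP route for the server, in which case the session is flagged dirty and its egress interface is refreshed rather than the packet being dropped.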
