Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
myky
New Contributor

Fortigate same zone but different interface packet process logic

Hi All,

 

Sorry, my first post here, and forgive me if this has already been asked earlier.

What firewall will do if it receives SYN, ACK (half-open session) packet or subsequent packets for an already established session on a different interface (not the one where the packet was sent out)? 

 

Thanks,

Myky

1 Solution
Toshi_Esumi
Esteemed Contributor III

Unlike Palo Alto's "zone", FGT's "zone" is not an necessary object, more like an alias. You can use it in policies but you don't have to. It still routes per interface and if packets come in one interface and go out another interface it's considered as "asymmetric" regardless if they are members of one zone.

View solution in original post

8 REPLIES 8
emnoc
Esteemed Contributor III

It would drop it unless asymmetricalrouting was enabled. Google statefull-inspection firewall which is what any fortigate does or any modern UTM/NGFW.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
myky
New Contributor

Ok perfect, so similar logic that Palo does:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClReCAK

Cheers 

myky
New Contributor

Ok, thanks. So packet check per-interface, not per zone.

 

 

myky
New Contributor

Hmm.. It looks like not all UTM/NGFW behave the same way:

The firewall is zone-based, which means that for all received packets during the session creation and subsequent packets, a source zone lookup will occur before moving to the next step of matching an existing session. So if both the interfaces are placed in the same zone, they will be treated as the same area and asymmetry will not be applied within the same zone. This way, the asymmetry protection does not need to be disabled.

 

 

Toshi_Esumi
Esteemed Contributor III

Unlike Palo Alto's "zone", FGT's "zone" is not an necessary object, more like an alias. You can use it in policies but you don't have to. It still routes per interface and if packets come in one interface and go out another interface it's considered as "asymmetric" regardless if they are members of one zone.

emnoc
Esteemed Contributor III

Are you using zones? I believe you have a option for allow action per each zone that's defined,that is something you can look at ? I still believe interface and asymmetrical checks will still by implied

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
myky
New Contributor

Thanks guys! I see that the function of "zone" is a bit different from Palo. Anyway, l just needed to know if FG will behave the same way or not. Cheers!

packet_drop_FTNT

If traffic egresses port1 and return traffic comes in on port2 and ECMP routes exist (and policy) then the session get's "dirty". When a session is "dirty" it get's re-evaluated by the CPU (instead of offloaded) and the session get's refreshed: https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/14295/controlling-return-pat...

Labels
Top Kudoed Authors