Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
smxko
New Contributor

Created on ‎10-31-2024 05:53 AM Edited on ‎10-31-2024 05:54 AM

Fortigate uses VIP of down Interface (Bug?)

Some weird behavior I saw today. I'm doing NAT for two VLANs on a branch FGT with two VPN tunnels, so four VIPs in total. Two VIPs for the primary tunnel and two for the backup tunnel. In noticed that only the VIPs that reference the backup tunnel have a hit count (which has always been down so far). I attached a screenshot of that:

Unbenannt-1.png

 

Only when I reference the backup VIP in a policy, ping to the VIP works, even though it clearly uses a tunnel that isn't even up! How can that be? When I use the primary VIP in the policy, ping doesn't work bc of implicit deny.

In grouped both IPsec interfaces shown here into a zone, maybe that has something to do with that?

Labels:
457
0 Kudos
6 REPLIES 6
pminarik
Staff
Staff

Created on ‎10-31-2024 06:06 AM

Packet to a local IP doesn't have to come through its own interface. So likely there was a packet coming in over <another interface> with dst-ip = <VIP[...]backup>, and it was processed like that.

[ corrections always welcome ]
446
0 Kudos
smxko
New Contributor
In response to pminarik

Created on ‎10-31-2024 06:08 AM Edited on ‎10-31-2024 06:15 AM

Ok, so basically I don't need backup VIPs, even when ingress traffic for that VIP can originate from a different interface?

444
0 Kudos
pminarik
Staff
Staff
In response to smxko

Created on ‎10-31-2024 06:15 AM Edited on ‎10-31-2024 06:16 AM

Not necessary, yup.
As a matter of fact, you can just bind the VIPs to "any" interface, and control the access by deciding in which firewall policies you use the VIPs (=> controlling the permitted srcintf). The source tunnel/interface will not matter then, as long as the direction of flow is allowed by a firewall policy.

[ corrections always welcome ]
440
0 Kudos
smxko
New Contributor
In response to pminarik

Created on ‎10-31-2024 06:22 AM

Ok, thanks. Make sense. I just tried to already steer traffic before the policies by binding ingress traffic to its actual ingress interface. 

It probably uses the first list entry of the VIP table, so that's why only the backup one worked. It uses the backup one but couldn't find the policy, since the policy referenced the primary VIP only.

433
0 Kudos
pminarik
Staff
Staff
In response to smxko

Created on ‎10-31-2024 06:38 AM

That's right! If the VIPs functionally overlap, only the first one will be used.

[ corrections always welcome ]
429
0 Kudos
smxko
New Contributor
In response to pminarik

Created on ‎10-31-2024 08:32 AM

So what's the actual point of selecting an interface in the VIP config?

363
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.