Intra-Interface routing behavior

Hello, I am curious about the FortiGate behavior when traffic is handled by the firewall for packets which ingress and egress the same interface. I have found this information:


According to what I have seen in a physical FortiGate, what is described in the Fortinet document is true and the traffic is allowed when the incoming traffic goes out through the same interface, without any policy check.


On the other hand, I also have an Azure firewall where I have multiple subnets connected on port2, and the traffic between these subnets is checked and blocked by firewall policies. Do you know what I am missing here and why this behavior is different from the one described in the above Fortinet documentation? Thank you very much for the help.


Best regards.


I'm not so familiar with VM environments like Azure, AWS, etc. But are you sure those subnets are NOT separated by VLANs on the FGT side, which are the different/separate "interfaces"? They happen to be on the same physical interface, port2.


No, I have just one physical port with an IP address. To reach these subnets, I have a static route pointing to the same Azure network device (but there is no internal communication between subnets inside the Azure network device, and traffic passes through the FortiGate).


For example, I have these subnets:


Subnet A:

Subnet B:


On port2, I have the IP . To reach subnets A and B, I have static routes pointing to the IP through port2 (the Azure device with IP is not able to perform inter-subnet routing, as mentioned before, and the traffic is sent to and inter-subnet routing is performed by the FortiGate). When I check the session, it looks like this:


post dev=5->5/5->5 gwy=

As you can see, the incoming and outgoing interfaces are the same, and the same happens for the gateways.


Is it possible that the Fortinet documentation is related to traffic inside the same subnet or something else? Thanks



If that's the case, then yes, your assumption is probably right. Since the source and destination subnets are different, routing/L3 is involved, so a policy might be necessary.


I suggest you open a ticket at TAC to verify.
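For readers following this thread: if inter-subnet traffic entering and leaving port2 is indeed subject to policy lookup, the defensible approach is to stop relying on implicit same-interface behavior and write an explicit port2-to-port2 policy with logging enabled, so that every allowed or denied flow between the two subnets shows up in the traffic log. The FortiOS CLI fragment below is an added example, not configuration from the original poster or from Fortinet documentation; the address object names "SubnetA" and "SubnetB" and the network/mask placeholders are assumptions to be replaced with the actual subnet values.

```text
# Added example (not from the thread): explicit policy for traffic that
# ingresses and egresses port2 between two routed subnets.

# Address objects for the two subnets behind the Azure device.
# <SUBNET_A_NETWORK> <SUBNET_A_MASK> are placeholders, e.g. network and dotted mask.
config firewall address
    edit "SubnetA"
        set subnet <SUBNET_A_NETWORK> <SUBNET_A_MASK>
    next
    edit "SubnetB"
        set subnet <SUBNET_B_NETWORK> <SUBNET_B_MASK>
    next
end

# Same-interface policy: source and destination interface are both port2.
# Restrict the service list further once the required protocols are known.
config firewall policy
    edit 0
        set name "SubnetA-to-SubnetB-intra-port2"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "SubnetA"
        set dstaddr "SubnetB"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With `set logtraffic all`, both the session start/end records for accepted flows and any implicit-deny hits for traffic that does not match appear in the forward traffic log, which is the quickest way to confirm on the Azure instance whether the port2-to-port2 flows are actually being evaluated against policy rather than being passed without a check.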

