amorales
New Contributor

Intra-Interface routing behavior

Hello, I am curious about the FortiGate behavior when the firewall handles traffic for a packet which ingresses and egresses on the same interface. I have found this information:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD36468

According to what I have seen on a physical FortiGate, what is described in the Fortinet document is true and the traffic is allowed when the incoming traffic goes out through the same interface, without any policy check.

On the other hand, I also have an Azure firewall where I have multiple subnets connected on port2, and the traffic between these subnets is checked and blocked by firewall policies. Do you know what I am missing here and why this behavior is different from the one described in the above Fortinet documentation? Thank you very much for the help.

Best regards.

Toshi_Esumi
SuperUser

I'm not so familiar with VM environments like Azure, AWS, etc. But are you sure those subnets are NOT separated by VLANs on the FGT side, where they would be different/separate "interfaces"? They happen to be on the same physical interface, port2.

amorales

No, I have just one physical port with an IP address. To reach these subnets, I have a static route pointing to the same Azure network device (but there is no internal communication between subnets inside the Azure network device, and the traffic passes through the FortiGate).

For example, I have these subnets:

Subnet A: 192.168.1.0/24

Subnet B: 192.168.2.0/24

In port2, I have the IP 10.1.1.1/24. To reach subnets A and B, I have static routes pointing to the IP 10.1.1.2/24 through port2 (the Azure device with IP 10.1.1.2 is not able to perform inter-subnet routing as mentioned before, so the traffic is sent to the FortiGate and inter-subnet routing is performed there). When I check the session, it looks like this:

post dev=5->5/5->5 gwy=10.1.1.2/10.1.1.2

As you can see, the incoming and outgoing interfaces are the same, and the same happens for the gateways.

Is it possible that the Fortinet documentation is related to traffic inside the same subnet or something else? Thanks
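An added script, not part of this thread and not a Fortinet tool, that reads session entries in the style of the dev=5->5/5->5 line quoted above and flags sessions whose ingress and egress interface are the same, then separates the ones that stay inside one subnet from the ones that cross subnets (the case where, as the reply below notes, L3 routing and therefore policy lookup is involved). The session text is constructed for the example; the assumptions that dev=a->b/c->d means original-direction in->out followed by reply-direction in->out, and that the hook=... dir=org line carries the original source and destination, are mine, not taken from the thread or from Fortinet documentation.

```python
import ipaddress
import re

# Constructed sample in the style of "diagnose sys session list" output.
# ASSUMPTION: real output carries many more fields; only the lines this
# script reads are reproduced. The gateway 10.1.1.2 and subnets come from
# the thread; the hosts, ports and interface index 3 are made up.
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
hook=post dir=org act=noop 192.168.1.10:51234->192.168.2.20:443(0.0.0.0:0)
hook=pre dir=reply act=noop 192.168.2.20:443->192.168.1.10:51234(0.0.0.0:0)
dev=5->5/5->5 gwy=10.1.1.2/10.1.1.2
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
hook=post dir=org act=noop 192.168.1.10:40000->192.168.1.30:22(0.0.0.0:0)
hook=pre dir=reply act=noop 192.168.1.30:22->192.168.1.10:40000(0.0.0.0:0)
dev=5->5/5->5 gwy=10.1.1.2/10.1.1.2
session info: proto=6 proto_state=01 duration=8 expire=3592 timeout=3600
hook=post dir=org act=noop 192.168.1.10:40001->8.8.8.8:53(203.0.113.1:40001)
hook=pre dir=reply act=noop 8.8.8.8:53->203.0.113.1:40001(0.0.0.0:0)
dev=5->3/3->5 gwy=10.1.1.2/203.0.113.254
"""

# Subnets from the thread: A, B and the port2 transit network.
KNOWN_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("10.1.1.0/24"),
]

# ASSUMPTION: the dir=org hook line holds the original src/dst of the flow.
HOOK_RE = re.compile(
    r"hook=\w+ dir=org act=\w+ (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+"
)
# ASSUMPTION: dev=<orig in>-><orig out>/<reply in>-><reply out>
DEV_RE = re.compile(r"dev=(?P<oin>\d+)->(?P<oout>\d+)/(?P<rin>\d+)->(?P<rout>\d+)")


def parse_sessions(text):
    """Split the dump into sessions and pull out src, dst and interface indexes."""
    sessions = []
    for block in text.split("session info:")[1:]:
        hook = HOOK_RE.search(block)
        dev = DEV_RE.search(block)
        if not hook or not dev:
            continue  # incomplete entry; skip rather than guess
        sessions.append({
            "src": ipaddress.ip_address(hook["src"]),
            "dst": ipaddress.ip_address(hook["dst"]),
            "in_if": int(dev["oin"]),
            "out_if": int(dev["oout"]),
        })
    return sessions


def subnet_of(addr, subnets):
    """Return the known subnet containing addr, or None if it is unknown."""
    for net in subnets:
        if addr in net:
            return net
    return None


def classify(session, subnets):
    """transit: different in/out interface.
    hairpin-same-subnet: same interface, src and dst in one known subnet.
    hairpin-routed: same interface, but src and dst in different subnets,
    so the FortiGate is routing between them and policy lookup applies."""
    if session["in_if"] != session["out_if"]:
        return "transit"
    src_net = subnet_of(session["src"], subnets)
    dst_net = subnet_of(session["dst"], subnets)
    if src_net is not None and src_net == dst_net:
        return "hairpin-same-subnet"
    return "hairpin-routed"


def hairpin_report(text, subnets):
    """One (src, dst, classification) tuple per parsed session."""
    return [(str(s["src"]), str(s["dst"]), classify(s, subnets))
            for s in parse_sessions(text)]


if __name__ == "__main__":
    for src, dst, kind in hairpin_report(SAMPLE_SESSIONS, KNOWN_SUBNETS):
        print(f"{src:>15} -> {dst:<15} {kind}")
```

Run it against a saved session dump to see how many hairpinned sessions actually cross subnets; those are the ones whose policy matches are worth checking, which is the distinction the thread is circling around.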

 

Toshi_Esumi

If that's the case, then yes, your assumption is probably right. Since the source and destination subnets are different, routing/L3 is involved, so a policy might be necessary.

Toshi_Esumi

I suggest you open a ticket at TAC to verify.
