- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Routing issue - FortiGate VM02 - intra-interface r...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing issue - FortiGate VM02 - intra-interface routing
I have a virtual VM02 FortiGate. Two interfaces, inside and transit. Behind the transit interface is multiple subnets. All subnets can ping to the interface of the the transit interface. What I cannot get to work is connectivity between subnets VIA the fortigate.
The policies are in place to allow traffic and I do see inbound traffic hitting the counters. An example of a policy is:
source int: transit
dest int: transit
source IP: 10.0.0.0/24
dest IP: 10.0.2.0/24
The only way I can get this communication to work is to enable NAT on the policy. This works fine for ping but will break directed IP traffic.
I have all of the static routes in place and have no issues again with FortiGate to subnet traffic, it's just when the traffic traverses the fortigate between the subnets. I can only imagine it has something to do with the interface being the same ingress and egress. I don't think this could trigger RPF rules since the routes are there (flow logs do not show any issues that I can see)
I cannot use VLANs to separate the traffic and I cannot utilize additional interfaces.
I also tried to set the allowed-traffic-redirect option to enabled and it didn't seem to help
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your policy does not seem correct. Your source and destination interfaces are same.
Orestis Nikolaidis
Network Engineer/IT Administrator
Orestis Nikolaidis
Network Engineer/IT Administrator
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your policy is 100% correct (if not a bit unusual), this is what is needed in your situation.
The hint with NAT points to the hosts: if they don't know where to send reply traffic to 'unknown' subnets they would just drop it. You could sniff for reply traffic on the target interface - if correct, you'll see the request coming in, and the reply going out.
So, please check the setting of the default route on your hosts. If DHCP provided, this is not much work.
And RPF doesn't apply here as all subnets are directly connected (are they?). If you host multiple subnets on one interface you need to create static routes for them.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a bit more context, I didn't want to bring it up since it might muddy the waters a bit.
This is in Azure and is running a multi-subscription model. Each VNet consists of multiple subnets. Each subnet (and each host) has a default route pointing to the transit interface IP of the FortiGate. There are multiple VNets 'peered' back to the VNet where the FortiGate is placed. SO, from the FortiGate's perspective, all of these other networks are reachable via the same interface... AND all communication in both directions will use the single interface. The details of why this happens in all based on the architecture of Azure. It is kinda like a router on a stick but without the VLANs. It is a bit different but makes sense in the context of Azure.
When I turn on NAT on the policies, the FortiGate is doing source NAT to the IP address of the interface. The hosts just respond to that IP and it works.
I have done packet captures on all points. I see the data get to the firewall but it does not then leave the firewall (when not using NAT). SO, I am fairly sure that the firewall is preventing this traffic but I'm not sure why.
This is like a hairpin, but without the NAT.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is kind of what I would think is happening and what would fix it, but it doesn't seem to help:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD43937
Related Posts
- FortiClient Azure SSO VPN issues 34 Views
- FortiGate 30E Slow connection via NAT 82 Views
- Which Firewall of Fortigate help me... 53 Views
- FortiMangaer and FGT Hub migration issues... 32 Views
- Hub-Spoke With Redundant Tunnels 60 Views
Labels
-
FortiGate
6,442 -
FortiClient
1,284 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
64 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.