ThomasG
New Contributor

Selecting wrong interface

Hi!

This is the setup:

Internet <-> Check Point FW <-> "Link-net" <-> Fortigate 500 Cluster <-> Internet

A server running a few public services is located on a VLAN behind the FG500, but the subnet with the public addresses and NAT is located on the CP.

The packet hits the CP on the public address and NAT redirects it to an internal address -> this internal address is routed on the CP side over the link-net to the FG500 -> the packet hits the local server correctly on the internal address behind the FG500.

The problem is that the return traffic does not use the same way back; it uses the default route on the FG500 and not the link-net.

Is this normal behaviour? And does anybody have some tips besides using PBR (which I know works)?

The FG500 is running version 6.2.3.

emnoc
Esteemed Contributor III

What's in your routing table on the FGT? If you have a default route and it's not going back through the CHKP gw, that is normal and would be the expected behavior.

The CLI command below might better show your route-table RIB entries:

"get router info routing all"

On the chkp gateway you can enter CLI expert mode on the cpsg and issue the CLI command

"ip route get x.x.x.x"

and see what egress is used for routing to that internal address.

Ken Felix

PCNSE
NSE
StrongSwan

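To illustrate why the reply above calls this expected behaviour, here is an added Python model of the FortiGate's forwarding decision (this is example code written for this thread, not anything from the original posts or from FortiOS). The Check Point only rewrites the destination, so the server's reply is addressed to the Internet client, and a plain longest-prefix match over the RIB can only hit the default route; a policy route keyed on the server VLAN as source is what steers it back over the link-net. All interface names and addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None means directly connected

# Constructed routing table modelled on the thread's topology; every address and
# interface name here is an assumption, not a value from the original post.
RIB = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "port1", "198.51.100.1"),  # FG default route, own ISP
    Route(ipaddress.ip_network("10.10.10.0/30"), "port2"),              # link-net towards the Check Point
    Route(ipaddress.ip_network("192.168.10.0/24"), "port3"),            # server VLAN behind the FG
]

# Policy route: anything sourced from the server VLAN is sent back over the
# link-net (10.10.10.1 is assumed to be the Check Point's link-net address).
POLICY_ROUTES = [(ipaddress.ip_network("192.168.10.0/24"), "port2", "10.10.10.1")]

def rib_lookup(dst: str, rib=RIB) -> Route:
    """Longest-prefix match over the routing table, destination only."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def forward(src: str, dst: str, policy=(), rib=RIB):
    """Return (egress interface, next hop). Policy routes are consulted before
    the routing table, which is the order FortiOS applies them in."""
    s = ipaddress.ip_address(src)
    for net, iface, gw in policy:
        if s in net:
            return iface, gw
    r = rib_lookup(dst, rib)
    return r.interface, r.gateway

if __name__ == "__main__":
    server, client = "192.168.10.5", "203.0.113.7"   # client: Internet host that hit the CP's public IP
    # The request arrived via the link-net, but the reply is routed purely on its
    # destination, and the client address matches nothing more specific than the default.
    print("without PBR:", forward(server, client))                 # ('port1', '198.51.100.1')
    print("with PBR:   ", forward(server, client, POLICY_ROUTES))  # ('port2', '10.10.10.1')
```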