Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vladimir_Ostrovsky
New Contributor

Sending RST to LB / VIP clients?

Good day,

 

Regular firewall policies has an option to send TCP RST packets to clients, when policy's action is set to "deny": [style="background-color: #888888;"]# set send-deny-packet enable[/style]

 

But as far as I see, if the policy's destination is a VIP or virtual-server (load balancer), this option doesn't work. I configure "set action deny", "set send-deny-packet enable" - but still clients get nothing, their connection attempts are just silently discarded.

 

Is there any option to make FortiGate to return RST in these cases as well? Or maybe it's possible to make an LB to return RST in case action is set to "allow", but none of its realservers pass health checks?

 

Thanks, Vladimir.

1 Solution
tanr
Valued Contributor II

I'm not sure whether send-deny-packet works for VIPs, but just want to confirm that you have the policy's "match-vip" set to "enable"?

View solution in original post

4 REPLIES 4
tanr
Valued Contributor II

I'm not sure whether send-deny-packet works for VIPs, but just want to confirm that you have the policy's "match-vip" set to "enable"?

Vladimir_Ostrovsky

Honestly, I didn't know about this option - thanks, tanr!

 

But now I've set it, and it still didn't help - the clients' SYN packets are just discarded:

config firewall policy    edit 0       set name "World_to_webserver"       set srcintf "Internet_zone"       set dstintf "Webserver_zone"       set srcaddr "all"       set dstaddr "webserver"       set schedule "always"       set service "HTTPS"       set logtraffic disable       set fsso disable       set action deny       set send-deny-packet enable       set match-vip enable       next end

 

Maybe I'm missing something?

 

tanr
Valued Contributor II

Have you turned on logging for the policy to make sure it's actually getting hit?  Beyond that, sounds like time to call TAC and have them step through it.

Vladimir_Ostrovsky

Thanks, yes, the policy is definitely getting hit (by the way, regardless of the match-vip parameter - probably because VIP is explicitly defined as destination).

 

I opened a ticket at https://support.fortinet.com, meanwhile they're silent. :)

Top Kudoed Authors