Sending RST to LB / VIP clients?
Good day,
Regular firewall policies have an option to send TCP RST packets to clients when the policy's action is set to "deny": # set send-deny-packet enable
But as far as I see, if the policy's destination is a VIP or virtual-server (load balancer), this option doesn't work. I configure "set action deny", "set send-deny-packet enable" - but still clients get nothing, their connection attempts are just silently discarded.
Is there any option to make FortiGate return RST in these cases as well? Or maybe it's possible to make an LB return RST in case action is set to "allow", but none of its realservers pass health checks?
Thanks, Vladimir.
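The question contrasts two things a client can observe when a SYN hits a deny policy: an immediate RST (send-deny-packet) or a silent discard. The following probe is an added example written for this thread (not the poster's code and not a Fortinet tool); it classifies a single TCP connect attempt from the client side so you can verify which behaviour a VIP actually shows after a policy change. The target host and port in the `__main__` block are placeholders.

```python
"""
Client-side probe that distinguishes "deny with RST" from "silent drop".

When a firewall rejects with a TCP RST (send-deny-packet), the client's
connect() fails immediately with ECONNREFUSED; when the SYN is silently
discarded, connect() sits there until the timeout expires.
"""
import errno
import socket

# Classification labels returned by the probe.
OPEN = "open"                # SYN-ACK received: the VIP/real server accepted
RST = "rst"                  # RST received: deny with send-deny-packet, or no listener
DROP = "drop"                # nothing came back before the timeout: silent discard (or loss)
UNREACHABLE = "unreachable"  # no route / ICMP unreachable, not a firewall deny verdict

# errno values that mean the path itself is broken rather than filtered.
UNREACHABLE_ERRNOS = (errno.EHOSTUNREACH, errno.ENETUNREACH)


def classify_connect_error(exc):
    """Map the exception raised by socket.connect() to one of the labels above.

    Kept separate from the socket call so the decision logic can be exercised
    without a network.
    """
    if isinstance(exc, ConnectionRefusedError):
        return RST
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return DROP
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE_ERRNOS:
        return UNREACHABLE
    raise exc


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connection and report how the path responded."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return OPEN
    except OSError as exc:
        return classify_connect_error(exc)
    finally:
        sock.close()


def summarize(results):
    """Count how many probes landed in each class.

    Run the probe several times: a single DROP can be ordinary packet loss,
    while consistent DROPs with no RST point at a silent discard.
    """
    counts = {}
    for label in results:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Placeholder target (documentation address); replace with the VIP and service port under test.
    TARGET_HOST = "192.0.2.10"
    TARGET_PORT = 443
    runs = [probe_tcp(TARGET_HOST, TARGET_PORT, timeout=3.0) for _ in range(3)]
    print(summarize(runs))
```

Run it from a client outside the firewall before and after toggling send-deny-packet: a policy that really returns RST flips the result from "drop" to "rst" with no wait, which is an easier check than reading the connection-attempt behaviour off a browser.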
I'm not sure whether send-deny-packet works for VIPs, but just want to confirm that you have the policy's "match-vip" set to "enable"?
Honestly, I didn't know about this option - thanks, tanr!
But now I've set it, and it still didn't help - the clients' SYN packets are just discarded:
config firewall policy
    edit 0
        set name "World_to_webserver"
        set srcintf "Internet_zone"
        set dstintf "Webserver_zone"
        set srcaddr "all"
        set dstaddr "webserver"
        set schedule "always"
        set service "HTTPS"
        set logtraffic disable
        set fsso disable
        set action deny
        set send-deny-packet enable
        set match-vip enable
    next
end
Maybe I'm missing something?
Have you turned on logging for the policy to make sure it's actually getting hit? Beyond that, sounds like time to call TAC and have them step through it.
Thanks, yes, the policy is definitely getting hit (by the way, regardless of the match-vip parameter - probably because the VIP is explicitly defined as the destination).
I opened a ticket at https://support.fortinet.com, meanwhile they're silent. :)
