Description This article describes how to prevent black hole route
advertisement to a remote BGP peer. Scope FortiOS v7.0.x, v7.2.x,
v7.4.x, v7.6.x. Solution When a tunnel goes down, the route to the
remote subnet may be withdrawn from the routing ta...
Description This article describes how to configure VDOM DNS for
multi-vdom system, where the system DNS is used with public DNS, and
firewall rules on some of the VDOMs are configured with internal FQDN as
the destination. Scope FortiOS v7.0.x, v7.2...
Description This article describes how to configure the proper Virtual
IP (VIP) with loopback on FortiOS v7.4.8+. Scope FortiOS v7.4.8+.
Solution There is a change in the behavior when VIP is configured on the
loopback. This article will describe how...
Description This article describes how to configure FortiGate to send
TCP RST or ICMP6 'unreachable prohibited' for a blocked traffic. Scope
FortiOS 7.2, 7.4, 7.6 Solution By default FortiOS does not send TCP RST
for blocked traffic (IPv4 and IPv6). ...
Description This article describes how the traffic to specific VIP can
be restricted on FortiGate. Scope FortiOS 7.0, 7.2, 7.4, 7.6. Solution
Sometimes, access to certain VIPs needs to be restricted for specific IP
addresses. This article describes h...
Hello Kennylin, Thanks for the new logs. Again FortiGate creates a new
session (session ID 0009159e) , DNAT is triggered correctly, but the RST
packet looks strange, because it's locally generated : 2025-11-12
12:44:53 id=65308 trace_id=64 func=print...
Hello Kenny, Thanks for the logs.So based on them source is x.y.z.133,
destination is x.y.z.136 over TCP 80. Because of the DNAT, x.y.z.136 is
translated to 192.168.1.60, traffic is allowed by policy No 6, for this
policy is configured an IPpool , so...
Hello Kenny , I hope you are doing well. It will be useful if you run
the following debug when the user is testing the access from x.y.z.133
to x.y.z.136 , please use the following debug : diagnose debug reset
diagnose debug disable diagnose debug fl...
Dear chrisgdg, It's expected behavior. If the device has expired support
contract or EOF starting from FortiOS 7.4.8 GA, an automatic firmware
upgrade is forced once there is a new GA release. This upgraded can't be
cancelled, it can be only postpone...
Hi João, Based on the output from the routing table above, you have two
default routes , one BGP with AD of 20 and one static with AD of 240.
When you have 2 route for the same destination with different AD,
FortiOS will install the one with lowest A...
