Article Id 191144



When a NATed session is created on the FortiGate and a route change later affects that session's destination IP address, the session's outgoing interface is not changed. This behaviour is by design.

This can affect some IPsec scenarios, for example when there is a static default route on a physical interface and another static route on an IPsec interface.

Because the IPsec interface takes longer to come up, traffic destined for the IPsec route can create a session that uses the default route.

If that happens, even after the IPsec interface comes up, traffic that should follow the IPsec static route is still sent over the already established session on the default route.



There are two options to change this behaviour:

1) Create a deny policy at the top of the policy list so that traffic that must go through the VPN tunnel is not allowed out via the physical interface that carries the default route.

2) Create a blackhole route for the destination reachable via the VPN tunnel, with a smaller weight than the IPsec static route. When the IPsec interface comes up, the static route associated with it takes precedence over the blackhole route.
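The two options above as a FortiOS CLI sketch, added here as an illustration and not taken from the article. The interface names port1 and port2, the tunnel name to-branch, the remote prefix 10.20.0.0/16 and the address object name are assumed placeholders, and the article's "smaller weight" for the blackhole route is expressed here as a higher administrative distance.

```text
# Option 2: blackhole route for the tunnel-side prefix, kept in the table with a
# worse (higher) administrative distance than the IPsec static route.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "to-branch"        # IPsec VPN interface (assumed name)
        set distance 10
    next
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set blackhole enable
        set distance 254              # only selected while the tunnel route is absent
    next
end
# While "to-branch" is down its route is withdrawn, so 10.20.0.0/16 resolves to the
# blackhole (longest prefix match beats the default route) and no session is built
# over port1. Once the tunnel is up, distance 10 beats 254 and the IPsec route wins.

# Option 1: explicit deny placed above the general outbound policy, so tunnel-bound
# traffic is never allowed out of the default-route interface while the tunnel is down.
config firewall address
    edit "branch-lan"
        set subnet 10.20.0.0 255.255.0.0
    next
end
config firewall policy
    edit 0
        set name "deny-branch-via-wan"
        set srcintf "port2"           # internal interface (assumed)
        set dstintf "port1"           # interface carrying the default route (assumed)
        set srcaddr "all"
        set dstaddr "branch-lan"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all            # log the hits so misrouted attempts are visible
    next
end
# Policies are evaluated top-down: move the deny above the outbound allow policy,
# e.g. "move <deny-id> before <allow-id>" inside "config firewall policy".
```

Neither option rewrites sessions that were already established over the default route; those keep their interface until they expire or are cleared, so apply the configuration before the tunnel-bound traffic starts.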