Hey gurus, kinda new to Fortigate having experience mostly with Palo and Cisco. While troubleshooting a VPN outage, I noticed in my logs that all of the interesting traffic was being denied - "Denied by forward policy check (policy 0)".
So this got me looking at policies to see if something had changed, however while doing so, the Checkpoint admin on the other side cleared his SAs, the tunnel came back up and then the logs shows the same traffic being permitted.
Is this just a feature of the Fortigate that if the tunnel interface is down, it’ll just start denying that traffic meant to route to that tunnel interface? On Palos and Ciscos I would see the traffic being permitted but just not routing because the interface is down.
Figured I’d ask since this had me confused and thinking policies were the problem.
If the interface is down, associated routes should drop out of the route table and cause traffic to not get matched to a policy and hit the default deny (policy 0).
Interesting, so on a Fortigate policies are route dependent. I can have a policy permitting the traffic but if there is no route in the table for that traffic, the firewall sees that as not matching the policy? Is there a way to tweak the logs and/or settings to be more transparent about the fact that it’s dropping traffic because of a route dependency rather than a missing/wrong policy?
Going back to your initial question, I do not believe FortiOS will inherently deny VPN traffic once a tunnel is down.
What will happen is that it’s going to match another route (if one exists), and then go through policy checking.
If my logic is sound, most likely your traffic was egressing the blackhole route(s) and hitting policy 0 because you don’t (obviously) have policies to allow egressing the null interface.
Not at all, there is a default route. In this case the tunnel interface is down so the Fortigate started blocking traffic like there was no matching policy until the tunnel interface came back up. I’m just trying to understand why. It’s always fun learning quirks of new platforms.
“I do not believe FortiOS will inherently deny VPN traffic once a tunnel is down.”
Are you sure this is correct? You should read afroman_says' response.
His response:
“That static route is tied to an interface. If that interface is down, that route is not valid. Same for connected interfaces as well. It makes sense logically because the FGT (or any network device) shouldn’t permit routing to any networks defined on an interface that is down.”
So that means that the VPN traffic will be denied since there is no route for that traffic. In fact, I have seen this myself when creating a route and that interface has been down, when doing a show route on the fortigate, the route is not present, only the ones that are active are present.
Traffic would match the destination interface of the default route.
Do you have a rule allowing your traffic out that interface? If not, then the log is correct in telling you that you do not have a rule permitting traffic out that interface.
I see what you mean. So even though I have a static route configured pointing traffic to that tunnel interface, if the interface goes down, that static route is pulled from the route table and therefore the destination interface in the policy doesn’t match. I think since there is a static route I didn’t expect the route to drop from the table.
So even though I have a static route configured pointing traffic to that tunnel interface, if the interface goes down, that static route is pulled from the route table and therefore the destination interface in the policy doesn’t match.
There was a farmer who had a dog and bingo was his name-o!
I think since there is a static route I didn’t expect the route to drop from the table.
That static route is tied to an interface. If that interface is down, that route is not valid. Same for connected interfaces as well. It makes sense logically because the FGT (or any network device) shouldn’t permit routing to any networks defined on an interface that is down.
EDIT: wanted to add that if this behavior was allowed, essentially you’re creating a “blackhole” route. If this is your intention, you can create a static route and reference the “blackhole” device for this purpose.
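To make the mechanism the thread describes concrete, here is an added Python model (not FortiOS code and not from any poster) of the route table and forward policy check: a static route tied to a down interface drops out of the table, the packet falls back to the default route, a policy written for the tunnel interface no longer matches, and the implicit deny (policy 0) fires. The interface names, prefixes and the floating blackhole route are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str          # destination prefix, e.g. "10.20.0.0/16"
    interface: str       # egress interface the route is tied to; "blackhole" = null device
    distance: int = 10   # administrative distance; lower wins on an equal prefix

@dataclass
class Policy:
    policy_id: int
    src_intf: str
    dst_intf: str
    action: str          # "accept" or "deny"

def active_routes(routes, ifaces_up):
    """Only routes whose interface is up stay in the table; a blackhole route has no interface to lose."""
    return [r for r in routes if r.interface == "blackhole" or r.interface in ifaces_up]

def lookup_route(routes, ifaces_up, dst_ip):
    """Longest-prefix match, then lowest distance, over the active table (None if nothing matches)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in active_routes(routes, ifaces_up) if ip in ipaddress.ip_network(r.prefix)]
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance), default=None)

def forward_check(routes, policies, ifaces_up, src_intf, dst_ip):
    """Return (policy_id, action, egress_interface) as the forward policy check would decide it."""
    route = lookup_route(routes, ifaces_up, dst_ip)
    if route is None:
        return (0, "deny", None)                  # no route at all
    for p in policies:                            # first match, top-down
        if p.src_intf == src_intf and p.dst_intf == route.interface:
            return (p.policy_id, p.action, route.interface)
    return (0, "deny", route.interface)           # implicit deny: "policy 0"

# Constructed sample configuration: interface names and prefixes are made up.
ROUTES = [Route("10.20.0.0/16", "vpn-checkpoint"), Route("0.0.0.0/0", "wan1")]
POLICIES = [Policy(1, "lan", "vpn-checkpoint", "accept")]
def tunnel_up():
    return forward_check(ROUTES, POLICIES, {"lan", "wan1", "vpn-checkpoint"}, "lan", "10.20.5.7")

def tunnel_down():
    # Tunnel route is gone, packet takes wan1, policy 1 no longer matches -> policy 0 deny.
    return forward_check(ROUTES, POLICIES, {"lan", "wan1"}, "lan", "10.20.5.7")

def tunnel_down_with_blackhole():
    # Floating blackhole route (distance 254) now catches the prefix instead of wan1.
    return forward_check(ROUTES + [Route("10.20.0.0/16", "blackhole", 254)],
                         POLICIES, {"lan", "wan1"}, "lan", "10.20.5.7")
```

The third case is the "intentional blackhole" from the edit above: the prefix still hits policy 0, but the log now shows the null device as egress rather than the WAN interface, which makes the cause obvious.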