This version adds NSH (Network Service Header) chaining support for virtual wire pairs in transparent (TP) mode networks. FortiOS receives and unwraps the NSH packets, then re-encapsulates them before sending them out; the inner packet is processed by firewall policies.
NSH support in FortiGate is limited to unwrapping the packet on ingress and putting the NSH header back on before sending it out. Other parts of NSH aren't supported yet (the SI is currently left unchanged).
There's no CLI/GUI change. The only visible change is that ext_header=nsh is shown in the session info of NSH sessions when listing sessions.
config system virtual-wire-pair
    edit "test-vw"
        set member "port1" "mgmt2"
    next
end
config firewall policy
    edit 99
        set uuid 241710a0-3ac6-51e9-10e9-9dd3eb65e708
        set srcintf "mgmt2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
Sample results after configuring a wire pair and a policy between port1 and mgmt2: packets carrying NSH are processed, and the session list shows the following.
A (vdom1) # diag sys session list
session info: proto=6 proto_state=01 duration=10 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=log may_dirty br src-vis dst-vis f00
statistic(bytes/packets/allow_err): org=112/2/1 reply=60/1/1 tuples=2
tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=4->9/9->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 172.16.200.11:46739->172.16.200.55:23(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.200.55:23->172.16.200.11:46739(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=00:00:11:11:11:11 dst_mac=00:00:22:22:22:22
misc=0 policy_id=99 auth_info=0 chk_client_info=0 vd=1
serial=0000094d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x040001 no_offload
no_ofld_reason:  mac-host-check disabled-by-policy non-npu-intf
ext_header_type=nsh
total session 1
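As an added illustration of the behaviour described at the top of this note (not FortiOS code), the following Python strips an RFC 8300 NSH header on ingress, exposes the inner packet's addresses and ports that a firewall policy would be matched on, and puts the unchanged header (SI included) back on egress. The inner packet is a constructed IPv4/TCP telnet SYN matching the flow in the session listing above; the class and function names, the sample SPI/SI/TTL values and the zeroed checksums are assumptions.

```python
import struct
from dataclasses import dataclass

NEXT_PROTO_IPV4 = 0x1  # RFC 8300 Next Protocol value for an IPv4 inner packet

@dataclass
class NshHeader:
    """RFC 8300 base header, service path header and context header(s)."""
    ttl: int
    md_type: int
    next_proto: int
    spi: int        # Service Path Identifier, 24 bits
    si: int         # Service Index, 8 bits; left unchanged, as the release note states
    context: bytes  # 16 fixed bytes for MD type 1, TLVs for MD type 2

    def pack(self) -> bytes:
        length_words = 2 + len(self.context) // 4  # header length in 4-byte words
        base = (self.ttl << 22) | (length_words << 16) | (self.md_type << 8) | self.next_proto
        return struct.pack("!II", base, (self.spi << 8) | self.si) + self.context

def unwrap(frame: bytes) -> tuple[NshHeader, bytes]:
    """Ingress: strip the NSH header and return it together with the inner packet."""
    if len(frame) < 8 or frame[0] >> 6 != 0:  # need both fixed words; version must be 0
        raise ValueError("truncated or unsupported NSH header")
    base, sp = struct.unpack("!II", frame[:8])
    hdr_len = ((base >> 16) & 0x3F) * 4
    md_type = (base >> 8) & 0xF
    # Length must cover both fixed words, fit the frame, and be 24 bytes for MD type 1.
    if hdr_len < 8 or len(frame) < hdr_len or (md_type == 1 and hdr_len != 24):
        raise ValueError("malformed NSH length")
    hdr = NshHeader(ttl=(base >> 22) & 0x3F, md_type=md_type, next_proto=base & 0xFF,
                    spi=sp >> 8, si=sp & 0xFF, context=frame[8:hdr_len])
    return hdr, frame[hdr_len:]

def rewrap(hdr: NshHeader, inner: bytes) -> bytes:
    """Egress: put the unchanged header back in front of the policy-checked inner packet."""
    return hdr.pack() + inner

def inner_flow(inner: bytes) -> tuple[str, int, str, int]:
    """The addresses and ports the firewall policy is matched on (IPv4 with TCP/UDP)."""
    ihl = (inner[0] & 0xF) * 4
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (".".join(map(str, inner[12:16])), sport, ".".join(map(str, inner[16:20])), dport)

# Constructed sample: the telnet flow from the session listing, MD type 1, checksums zeroed.
IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                   bytes([172, 16, 200, 11]), bytes([172, 16, 200, 55]))
TCP = struct.pack("!HHIIBBHHH", 46739, 23, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_FRAME = NshHeader(63, 1, NEXT_PROTO_IPV4, 0x000100, 255, bytes(16)).pack() + IPV4 + TCP
```

A frame whose NSH length field does not fit the data is rejected rather than forwarded, which is the check a receiver needs before trusting the inner packet.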