UTM inspection on asymmetric traffic on L3
When traffic passes asymmetrically through FGSP peers, UTM inspection can be supported by always forwarding traffic back to the session owner for processing. The session owner is the FortiGate that receives the first packet of the session.
For networks where L2 connectivity is not available, such as cloud environments, traffic bound for the session owner are forwarded through the peer interface using a UDP connection.
In this example, traffic from the internal network first hits FGT_1, but the return traffic is routed to FGT_2. Consequently, return traffic is packed and sent from FGT_2 to FGT_1 using UDP encapsulation between two peer interfaces (port 3). Traffic is then inspected by FGT_1.
Both of the FortiGates in this example are peering on interfaces in the same subnet, but the solution does not require the FortiGate peers to be on the same subnet or connected back-to-back.
Due to the bouncing of traffic back to the session owner, performance degradation is expected. |
To configure FGT_1:
- Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_2:
config system standalone-cluster set standalone-group-id 1 set group-member-id 0 set layer2-connection unavailable unset session-sync-dev config cluster-peer edit 1 set peerip 10.2.2.2 next end end
- Configure the firewall policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "default" set logtraffic all set nat enable next end
To configure FGT_2:
- Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_1:
config system standalone-cluster set standalone-group-id 1 set group-member-id 1 set layer2-connection unavailable unset session-sync-dev config cluster-peer edit 1 set peerip 10.2.2.1 next end end
- Configure the firewall policy:
config firewall policy edit 1 set srcintf "port2" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set av-profile "default" set logtraffic all set nat enable next end