
Administration Guide

UTM inspection on asymmetric traffic on L3

When traffic passes asymmetrically through FGSP peers, UTM inspection is still possible because every packet is forwarded back to the session owner for processing. The session owner is the FortiGate that received the first packet of the session.

For networks where L2 connectivity is not available, such as cloud environments, traffic bound for the session owner is forwarded through the peer interface over a UDP connection, so the path between the two peer interfaces must allow that UDP traffic through.

In this example, traffic from the internal network first hits FGT_1, which therefore becomes the session owner, but the return traffic is routed to FGT_2. Consequently, FGT_2 encapsulates the return traffic in UDP and sends it to FGT_1 between the two peer interfaces (port3). The traffic is then inspected by FGT_1.

Both FortiGates in this example peer on interfaces in the same subnet, but the solution does not require the FortiGate peers to be on the same subnet or to be connected back-to-back.

Caution

Because traffic is bounced back to the session owner, performance degradation is expected: every packet of an asymmetric session takes an extra hop across the peer link before it is inspected.
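The forwarding rule described above, as an added example that is not FortiOS code or part of this guide. Two in-process "members" stand in for FGT_1 and FGT_2, a UDP socket on loopback stands in for each unit's port3, and the session table, the first-packet ownership rule, the JSON-over-UDP encapsulation and the "inspection" are all simplified assumptions; the real peer-interface format is not described on this page. The flow addresses are constructed.

```python
"""Toy model of FGSP session-owner forwarding over an L3 (UDP) peer link.

Added example, not FortiOS code. Session table, ownership rule, the
JSON-over-UDP encapsulation and the inspection verdict are assumptions.
"""
import json
import socket


def reverse(flow):
    """Return the 5-tuple of the opposite direction of a flow."""
    s_ip, s_port, d_ip, d_port, proto = flow
    return (d_ip, d_port, s_ip, s_port, proto)


class Peer:
    def __init__(self, name, member_id):
        self.name, self.member_id = name, member_id
        self.sessions = {}      # flow 5-tuple -> owner member ID (synced to all members)
        self.inspected = []     # (flow, verdict) for packets this unit inspected
        self.forwarded = 0      # packets bounced to the owner over the peer link
        self.other = None       # (ip, port) of the other member's peer interface
        # Peer interface: a UDP socket on loopback stands in for port3.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(2)
        self.addr = self.sock.getsockname()

    def receive(self, flow, payload, members):
        """Handle a packet arriving on a data interface of this unit."""
        owner = self.sessions.get(flow)
        if owner is None:
            owner = self.sessions.get(reverse(flow))
        if owner is None:
            # First packet of the session: this unit becomes the owner and the
            # entry is replicated to every member (FGSP session synchronisation).
            owner = self.member_id
            for m in members:
                m.sessions[flow] = owner
        # Tested with 'is None' above rather than truthiness: member ID 0 is valid.
        if owner == self.member_id:
            return self.inspect(flow, payload)
        # Not the owner: encapsulate in UDP and bounce the packet across the peer link.
        self.forwarded += 1
        datagram = json.dumps({"flow": flow, "payload": payload}).encode()
        self.sock.sendto(datagram, self.other)
        return "forwarded"

    def receive_encapsulated(self):
        """Decapsulate one packet from the peer interface and inspect it locally."""
        data, _ = self.sock.recvfrom(65535)
        msg = json.loads(data.decode())
        return self.inspect(tuple(msg["flow"]), msg["payload"])

    def inspect(self, flow, payload):
        """Stand-in for UTM: block payloads carrying a constructed test marker."""
        verdict = "blocked" if "EICAR-TEST" in payload else "allowed"
        self.inspected.append((flow, verdict))
        return verdict

    def close(self):
        self.sock.close()


def run_scenario():
    """Replay the page's scenario: request enters via FGT_1, reply is routed via FGT_2."""
    fgt1, fgt2 = Peer("FGT_1", 0), Peer("FGT_2", 1)
    fgt1.other, fgt2.other = fgt2.addr, fgt1.addr
    members = (fgt1, fgt2)
    request = ("10.1.1.10", 40000, "203.0.113.5", 80, "tcp")   # constructed flow
    try:
        first = fgt1.receive(request, "GET /update HTTP/1.1", members)
        # The reply takes the other path and lands on FGT_2, which is not the owner.
        hop = fgt2.receive(reverse(request), "HTTP/1.1 200 OK EICAR-TEST", members)
        second = fgt1.receive_encapsulated()
    finally:
        fgt1.close()
        fgt2.close()
    return {
        "owner": {0: "FGT_1", 1: "FGT_2"}[fgt1.sessions[request]],
        "request_verdict": first,
        "fgt2_action": hop,
        "reply_verdict": second,
        "fgt2_forwarded": fgt2.forwarded,
        "fgt2_inspected": len(fgt2.inspected),
        "fgt1_inspected": len(fgt1.inspected),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point to notice is that FGT_2 never inspects the reply itself: it only looks up the reverse 5-tuple, sees that member 0 owns the session, and spends a UDP hop handing the packet over. That extra hop on every asymmetric packet is where the performance cost in the caution comes from.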

To configure FGT_1:
  1. Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_2:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 0
        set layer2-connection unavailable
        unset session-sync-dev
        config cluster-peer
            edit 1
                set peerip 10.2.2.2
            next
        end
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable 
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end

To configure FGT_2:
  1. Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_1:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 1
        set layer2-connection unavailable
        unset session-sync-dev
        config cluster-peer
            edit 1
                set peerip 10.2.2.1
            next
        end
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable 
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end
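A cross-check of the two configurations above, as an added example that is not Fortinet's code or tooling. It embeds the FGT_1 and FGT_2 CLI fragments from the page as constructed input, parses them with a small reader for the `config`/`edit`/`set`/`unset`/`next`/`end` syntax used here, and verifies the pairing rules the procedure depends on: one `standalone-group-id`, distinct `group-member-id` values, `layer2-connection unavailable` on both units, each `peerip` naming the other unit's peer address rather than its own, and UTM actually enabled with a profile on the policy. The peer interface addresses (10.2.2.1 for FGT_1, 10.2.2.2 for FGT_2) follow from the `peerip` values on the page; the "bad" pair is a constructed copy-paste mistake.

```python
"""Cross-check an FGSP peer pair for L3 (UDP) session-owner forwarding.

Added example, not FortiOS or Fortinet code. The CLI text is the page's
FGT_1/FGT_2 configuration, templated so a broken variant can be built.
"""
import shlex


def parse_fortios(text):
    """Parse a FortiOS CLI fragment into nested dicts.

    'config <table>' and 'edit <id>' open a nested dict, 'set k v' stores v,
    'unset k' stores None, 'next'/'end' close the current level.
    """
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted "port2" style values
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "unset":
            cur[args[0]] = None
        elif kw in ("next", "end"):
            cur = stack.pop()
    return root


def check_fgsp_pair(units):
    """units: name -> {"peer_ip": this unit's own peer-interface IP, "cli": text}.

    Returns a list of findings; an empty list means the pair is consistent.
    """
    findings = []
    cfg = {n: parse_fortios(u["cli"]) for n, u in units.items()}
    sc = {n: cfg[n].get("system standalone-cluster", {}) for n in units}

    if len({sc[n].get("standalone-group-id") for n in units}) != 1:
        findings.append("standalone-group-id differs between members")
    member_ids = [sc[n].get("group-member-id") for n in units]
    if len(set(member_ids)) != len(member_ids):
        findings.append("group-member-id is not unique across members")

    for n, u in units.items():
        if sc[n].get("layer2-connection") != "unavailable":
            findings.append(f"{n}: layer2-connection must be 'unavailable' for L3 peering")
        if sc[n].get("session-sync-dev"):
            findings.append(f"{n}: session-sync-dev is set but unused without L2 connectivity")
        peerips = [p.get("peerip") for p in sc[n].get("cluster-peer", {}).values()]
        if u["peer_ip"] in peerips:
            findings.append(f"{n}: a cluster-peer entry points at {n}'s own peer address {u['peer_ip']}")
        for m, other in units.items():
            if m != n and other["peer_ip"] not in peerips:
                findings.append(f"{n}: no cluster-peer entry for {m} ({other['peer_ip']})")
        for pid, pol in cfg[n].get("firewall policy", {}).items():
            if pol.get("utm-status") != "enable":
                findings.append(f"{n}: policy {pid} has utm-status disabled, so the owner inspects nothing")
            elif not any(k.endswith("-profile") and v for k, v in pol.items()):
                findings.append(f"{n}: policy {pid} enables UTM but attaches no security profile")
    return findings


def unit_cli(member_id, peerip, utm=True):
    """Constructed CLI text in the shape of the page's FGT_1/FGT_2 steps."""
    utm_status = "enable" if utm else "disable"
    return f"""
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id {member_id}
    set layer2-connection unavailable
    unset session-sync-dev
    config cluster-peer
        edit 1
            set peerip {peerip}
        next
    end
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status {utm_status}
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
end
"""


GOOD_PAIR = {
    "FGT_1": {"peer_ip": "10.2.2.1", "cli": unit_cli(0, "10.2.2.2")},
    "FGT_2": {"peer_ip": "10.2.2.2", "cli": unit_cli(1, "10.2.2.1")},
}
# Constructed mistake: FGT_2 pasted from FGT_1's text without changing the
# member ID or peer IP, and with UTM left off the policy.
BAD_PAIR = {
    "FGT_1": {"peer_ip": "10.2.2.1", "cli": unit_cli(0, "10.2.2.2")},
    "FGT_2": {"peer_ip": "10.2.2.2", "cli": unit_cli(0, "10.2.2.2", utm=False)},
}

if __name__ == "__main__":
    for label, pair in (("good", GOOD_PAIR), ("bad", BAD_PAIR)):
        print(label, check_fgsp_pair(pair) or "OK")
```

Run it against a `show system standalone-cluster` and `show firewall policy` dump from each unit instead of the templated text and the same checks apply; the self-peering and duplicate member-ID cases are the ones that silently break ownership, because each unit then believes it is the only member and inspects only the traffic it happens to see.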

