Administration Guide

UTM inspection on asymmetric traffic in FGSP

When traffic passes asymmetrically through FGSP peers, UTM inspection can be supported by always forwarding traffic back to the session owner for processing. The session owner is the FortiGate that receives the first packet of the session.

In this example, traffic from the internal network first hits FGT_1, but the return traffic is routed to FGT_2. Consequently, traffic bounces from FGT_2 port1 to FGT_1 port1 using FGT_1’s MAC address. Traffic is then inspected by FGT_1.

This example requires the following settings:

  • The internal and outgoing interfaces of both FortiGates in the FGSP pair are in the same subnet.
  • Both peers have layer 2 access with each other.

To configure FGT_1:
  1. Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_2:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 0
        set layer2-connection available
        unset session-sync-dev
        config cluster-peer
            edit 1
                set peerip 10.2.2.2
            next
        end
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end

To configure FGT_2:
  1. Configure FGSP cluster attributes, including setting the peer IP to the IP address of FGT_1:
    config system standalone-cluster
        set standalone-group-id 1
        set group-member-id 1
        set layer2-connection available
        unset session-sync-dev
        config cluster-peer
            edit 1
                set peerip 10.2.2.1
            next
        end
    end
  2. Configure the firewall policy:
    config firewall policy
        edit 1
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set av-profile "default"
            set logtraffic all
            set nat enable
        next
    end
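The two cluster blocks above only work as a pair when they agree: the same standalone-group-id, distinct group-member-ids, and layer2-connection available on both. The following Python is an added example, not Fortinet's code; it parses the `config system standalone-cluster` text of both peers and reports any of these mismatches. The sample text is taken from this page, and the parser handles only the CLI keywords used here (config, edit, set, unset, next, end).

```python
import shlex
# Constructed from the FGT_1 cluster block above; FGT_2 differs only in member id and peer IP.
FGT1_CFG = """
config system standalone-cluster
    set standalone-group-id 1
    set group-member-id 0
    set layer2-connection available
    unset session-sync-dev
    config cluster-peer
        edit 1
            set peerip 10.2.2.2
        next
    end
end
"""
FGT2_CFG = FGT1_CFG.replace("member-id 0", "member-id 1").replace("10.2.2.2", "10.2.2.1")

def parse_fortios(text):
    """Nested dicts: 'config X'/'edit K' open a scope, 'next'/'end' close it."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        parts = shlex.split(raw)          # tolerates quotes, tabs, trailing blanks
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif kw in ("next", "end"):
            cur = stack.pop()
        elif kw == "set":
            cur[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw == "unset":
            cur[args[0]] = None
    return root

def check_fgsp_pair(cfg_a, cfg_b):
    """Return problems that would keep the two peers from pairing; [] means consistent."""
    a = parse_fortios(cfg_a)["system standalone-cluster"]
    b = parse_fortios(cfg_b)["system standalone-cluster"]
    problems = []
    if a["standalone-group-id"] != b["standalone-group-id"]:
        problems.append("standalone-group-id differs between peers")
    if a["group-member-id"] == b["group-member-id"]:
        problems.append("group-member-id must be unique per peer")
    for name, c in (("peer A", a), ("peer B", b)):
        if c.get("layer2-connection") != "available":
            problems.append(f"{name}: layer2-connection is not 'available'")
    return problems
```

Feed it the output of `show system standalone-cluster` from each unit to check a live pair before enabling session synchronisation.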

Results

Capture packets on FGT_2 to see that traffic bounced from FGT_2 to FGT_1 over the traffic interface.

FGT_2 # diagnose sniffer packet any 'host 10.1.100.15 and host 172.16.200.55' 4
interfaces=[any]
filters=[host 10.1.100.15 and host 172.16.200.55]
91.803816 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800480 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800486 port1 out 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800816 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800818 port1 out 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
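The bounce shows up in the capture as the same flow entering and leaving FGT_2 on the same interface (port1 in, then port1 out). The following Python is an added example, not part of this guide; it parses verbosity-4 `diagnose sniffer packet` lines and reports every flow seen both in and out on one interface, with a count of the bounced packets. The sample lines are constructed from the capture above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the capture above: the server's reply enters
# FGT_2 on port1 and is sent out again on port1 towards the session owner.
SAMPLE = """\
91.803816 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800480 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800486 port1 out 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800816 port1 in 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
92.800818 port1 out 172.16.200.55.80 -> 10.1.100.15.40008: syn 2572073713 ack 261949279
"""

# One verbosity-4 sniffer line: timestamp, interface, direction, src.port -> dst.port:
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_sniffer(text):
    """Yield one dict per packet line; header lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            yield pkt

def find_hairpins(text):
    """Map (src, sport, dst, dport, intf) -> number of bounced packets for every
    flow seen both 'in' and 'out' on the same interface, which is the signature
    of FGSP forwarding return traffic back to the session owner."""
    dirs, bounced = defaultdict(set), defaultdict(int)
    for pkt in parse_sniffer(text):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["intf"])
        dirs[key].add(pkt["dir"])
        if pkt["dir"] == "out":
            bounced[key] += 1
    return {k: bounced[k] for k, d in dirs.items() if d == {"in", "out"}}
```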
