

I'm fairly new to Fortinet devices, so please let me know if I'm making a rookie mistake. I have a FortiGate 90D (v5.2.5,build701) which has an IPSec site-to-site VPN connection to another firewall and I can access nodes across the VPN. I have a static route to forward traffic for the subnet on the other side of the VPN through the VPN. I can do a traceroute and see that the traffic goes to the FortiGate and then over the VPN. If the VPN goes down, the FortiGate starts routing traffic through its public IP and out to the Internet where it gets stopped (as expected). However, once the VPN comes back up, any host that had recently tried to send traffic across the VPN will have their traffic continue to go out to the Internet while other hosts (on the same subnet) will have their traffic routed over the VPN. It's as if the FortiGate remembers that some hosts were previously routed over the Internet, while any new traffic is correctly routed over the VPN. This persists until I reboot the host that is having its traffic routed over the Internet.

The FortiGate (as a stateful firewall) will create a session from the information of the first packet arriving. It will determine the route to apply and whether forwarding is permitted or not. After these decisions, subsequent traffic belonging to the same session is forwarded without any further decisions to make. (As a point aside, in Fortinet firewalls established sessions are indeed offloaded from the CPU to a network processing ASIC at that point - which is incapable of looking up routes or policies. The principle holds true even if traffic is not offloaded, though.)
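The session-caching behaviour described in the answer above can be reproduced with a small model. The following is an added illustration, not FortiGate or FortiOS code: the class names, interface names (`wan1`, `vpn-site-b`), addresses and the assumption that a tunnel going down tears down the sessions bound to it are all constructed for the example. It walks through the timeline from the question (tunnel up, tunnel down, tunnel restored) and shows why one host stays on the default route while a fresh host gets the tunnel, then shows the mitigation of re-evaluating sessions whose cached egress no longer matches the routing table.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FlowKey:
    """Identity of a session: protocol, source/destination address, destination port."""
    src: str
    dst: str
    proto: str
    dport: int


class RoutingTable:
    """Minimal RIB doing longest-prefix match over (network, egress interface) pairs."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))
        # Most specific prefix first, so lookup() can return the first hit.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def withdraw(self, iface):
        self.routes = [r for r in self.routes if r[1] != iface]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None  # no route: packet would be dropped


class StatefulFirewall:
    """Session table that caches the egress decision taken on a flow's first packet.

    Hypothetical model of the behaviour the answer describes, not FortiOS internals.
    """

    def __init__(self, rib):
        self.rib = rib
        self.sessions = {}  # FlowKey -> egress interface chosen when the session was created

    def forward(self, key):
        if key in self.sessions:
            return self.sessions[key]  # established session: no new route lookup
        iface = self.rib.lookup(key.dst)
        if iface is not None:
            self.sessions[key] = iface  # first packet: decide once, then reuse
        return iface

    def interface_down(self, iface):
        """Assumption for the model: a tunnel going down withdraws its route and
        removes the sessions bound to it, so affected hosts create new sessions."""
        self.rib.withdraw(iface)
        self.sessions = {k: i for k, i in self.sessions.items() if i != iface}

    def clear_sessions(self, src=None):
        """Operator action: flush every session, or only those from one source host."""
        before = len(self.sessions)
        self.sessions = {k: i for k, i in self.sessions.items()
                         if src is not None and k.src != src}
        return before - len(self.sessions)

    def reevaluate_on_route_change(self):
        """Mitigation: drop sessions whose cached egress no longer matches the RIB,
        so their next packet goes through a fresh route and policy lookup."""
        stale = [k for k, i in self.sessions.items() if self.rib.lookup(k.dst) != i]
        for k in stale:
            del self.sessions[k]
        return len(stale)


def scenario():
    """Replays the timeline from the question; returns the egress chosen at each step."""
    rib = RoutingTable()
    rib.add("0.0.0.0/0", "wan1")            # default route out to the Internet
    rib.add("10.20.0.0/16", "vpn-site-b")   # static route for the remote LAN via the tunnel
    fw = StatefulFirewall(rib)
    host_a = FlowKey("10.10.0.5", "10.20.0.10", "tcp", 445)  # constructed sample flows
    host_b = FlowKey("10.10.0.6", "10.20.0.10", "tcp", 445)

    log = {}
    log["a_tunnel_up"] = fw.forward(host_a)          # vpn-site-b
    fw.interface_down("vpn-site-b")                  # tunnel drops
    log["a_tunnel_down"] = fw.forward(host_a)        # wan1: new session built on the default route
    rib.add("10.20.0.0/16", "vpn-site-b")            # tunnel restored, static route active again
    log["a_after_restore"] = fw.forward(host_a)      # still wan1: cached decision is reused
    log["b_after_restore"] = fw.forward(host_b)      # vpn-site-b: fresh session, fresh lookup
    log["stale_sessions"] = fw.reevaluate_on_route_change()  # 1 (host A's session)
    log["a_after_reeval"] = fw.forward(host_a)       # vpn-site-b
    return log


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

On the real device the equivalent check is to inspect the session table for the affected host (the FortiOS `diagnose sys session` command family) and confirm that its existing sessions still carry the WAN egress while new sessions from other hosts carry the tunnel; clearing the stale sessions is what `clear_sessions` models here, and it has the same effect as the host reboot described in the question without rebooting anything.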
