FortiGate
fquerzo_FTNT
Staff
Article Id 195748

Description

In general, self-originated traffic (traffic the FortiGate itself generates, such as DNS, NTP, FortiGuard updates, logging to a FortiAnalyzer or an "execute ping") does not need a firewall policy to leave the FortiGate. The only exception is traffic that must go inside a policy-based IPsec tunnel: after the route lookup, if an IPsec firewall policy is matched, the packet is sent through the tunnel.

For self-originated traffic the policy lookup is done only on the destination side of the policy ("dstintf" + "dstaddr" + "service"); the source interface and source address are not evaluated, because the packet has no ingress interface. If no IPsec policy matches, the packet is sent unencrypted.

A common mistake is to create the IPsec policy with "dstaddr=all" and "service=ALL". Because only the destination side is evaluated, such a policy matches every self-originated packet routed out of that interface and forces all of it through the tunnel, including traffic (DNS, NTP, FortiGuard, log traffic) that was never meant to reach the remote peer.


Scope

If self-originated traffic is not required to be sent inside the tunnel, exclude its destination addresses and services from the IPsec firewall policy: restrict "dstaddr" to the remote subnet(s) behind the tunnel and "service" to what the tunnel actually carries. The IPsec policy is then no longer matched for that traffic, and the self-originated packets are sent unencrypted via the normal route.
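The following FortiOS CLI fragment is an added illustration, not configuration from the original article. It shows the overly broad policy-based IPsec policy beside the narrowed one. The interface names "wan1" and "internal", the phase1 name "to_branch", the address object "branch_lan" and the subnet 192.168.2.0/24 are assumptions chosen for the example.

```fortios
# Address object for the only destinations that really belong in the tunnel
# (assumed remote LAN behind the peer; pick the real subnet in your deployment).
config firewall address
    edit "branch_lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# --- Problematic policy: dstaddr "all" and service "ALL" ---
# Self-originated traffic is matched on dstintf + dstaddr + service only,
# so every packet the FortiGate itself routes out of wan1 (DNS, NTP,
# FortiGuard, log traffic ...) matches this policy and is forced into the tunnel.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_branch"
    next
end

# --- Corrected policy: destination narrowed to the remote subnet ---
# Self-originated traffic to the Internet no longer matches dstaddr, so it is
# sent unencrypted via the route lookup; only traffic for 192.168.2.0/24 is
# encrypted. Narrow "service" too if the tunnel carries only specific ports.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "branch_lan"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "to_branch"
    next
end
```

To check the effect, generate some self-originated traffic to a destination outside the remote subnet (for example an "execute ping" to a public address) while running "diagnose sniffer packet wan1" filtered on that host: with the narrowed policy the packet should leave wan1 in the clear toward its real destination; if it still appears only as ESP toward the tunnel peer, an IPsec policy with a too-broad "dstaddr" or "service" is still matching.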