FortiGate
wdeloraine_FTNT
Article Id 277430
Description: This article describes the load-balance flow rules required for GRE egress traffic on a chassis-based FortiGate, where ingress traffic is distributed across FPCs but the GRE tunnel is handled by a single FPC.
Scope: FortiGate 6000 and 7000 series.
Solution

Step 1:

When the chassis itself is the GRE tunnel endpoint, GRE packets must be steered to the master FPC instead of being load-balanced, so a flow rule has to be added ('edit 0' creates a new entry with the next free ID):

config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    next
end


  • Refer to this documentation: FortiGate-6000 v6.4.14 special features and limitations


Step 2:

Consider this traffic flow:

  • subnetA -> 6k -> tunnel -> GRE-Endpoint -> subnetB.

Ingress traffic from subnetA (TCP or UDP) is load-balanced according to 'config load-balance settings', so a given session can land on any FPC. GRE traffic, however, is handled only by the master FPC (this is what the Step 1 flow rule enforces).

This causes a problem whenever a flow destined for subnetB is not forwarded to the master FPC initially: the session is created on an FPC that does not handle the GRE tunnel, so the traffic does not reach subnetB through the tunnel.

To fix this, add a flow rule stating that any traffic going to subnetB must be sent to the master FPC, so that the session is created on the FPC that owns the tunnel.


  • It will look like this (10.1.1.0/24 stands in for subnetB; the parenthetical is not part of the CLI, so the subnet is recorded in the comment instead):

config load-balance flow-rule
    edit 21
        set status enable
        set ether-type ipv4
        set src-addr-ipv4 0.0.0.0 0.0.0.0
        set dst-addr-ipv4 10.1.1.0 255.255.255.0
        set protocol any
        set action forward
        set forward-slot master
        set comment "subnetB"
    next
end


The following network diagram shows one use case for egress GRE traffic:

[Figure: gre.jpg, network diagram of the subnetA -> 6k -> GRE tunnel -> subnetB flow]


The following table compares which FPC handles the traffic with and without the flow rule:

[Figure: fpm-gre-select.png, table comparing FPC selection with and without the subnetB flow rule]


Depending on the use case, the traffic discriminant should be selected carefully. Here the destination subnet is used; a source subnet, protocol or VLAN can also be matched. The rule must cover all traffic that has to enter the tunnel, but not more than necessary, because everything it matches is concentrated on the master FPC instead of being load-balanced across all FPCs.
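The steering decision that the table above illustrates, as an added example that is not part of the original article or of FortiOS: a small Python model of the two flow rules from Step 1 and Step 2. It renders the rules in the 'config load-balance flow-rule' syntax used above and evaluates constructed packets against the rule set with and without the subnetB rule. The addresses (192.0.2.25 as a subnetA host, 203.0.113.10 as the GRE endpoint, 198.51.100.1 as the chassis tunnel address), the first-match-in-ascending-priority order, the default priority of 5 and the CRC32 stand-in for the load-balance hash are assumptions made for this model, not documented FortiOS behaviour; the real matching and distribution semantics are in the FortiGate-6000 documentation referenced in Step 1.

```python
"""Simplified model of FortiGate-6000/7000 load-balance flow rules.

Added example (not from the article): shows how a flow rule pins traffic to
the master FPC while unmatched traffic is spread over the FPCs by the
load-balance hash.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional
import zlib

# IP protocol numbers for the 'set protocol' keywords used on this page.
PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47}


@dataclass
class FlowRule:
    rule_id: int
    protocol: str = "any"               # any | tcp | udp | gre
    src: Optional[IPv4Network] = None   # None: any source (0.0.0.0 0.0.0.0)
    dst: Optional[IPv4Network] = None   # None: any destination
    forward_slot: str = "master"
    priority: int = 5                   # assumed default for this model only
    comment: str = ""

    def matches(self, src: str, dst: str, proto: int) -> bool:
        """True if the packet's src/dst/protocol fall inside this rule."""
        if self.protocol != "any" and PROTO_NUM[self.protocol] != proto:
            return False
        if self.src is not None and ip_address(src) not in self.src:
            return False
        if self.dst is not None and ip_address(dst) not in self.dst:
            return False
        return True

    def to_cli(self) -> str:
        """Render the rule in the 'config load-balance flow-rule' syntax."""
        lines = [f"    edit {self.rule_id}",
                 "        set status enable",
                 "        set ether-type ipv4"]
        if self.src is not None:
            lines.append(f"        set src-addr-ipv4 {self.src.network_address} {self.src.netmask}")
        if self.dst is not None:
            lines.append(f"        set dst-addr-ipv4 {self.dst.network_address} {self.dst.netmask}")
        lines += [f"        set protocol {self.protocol}",
                  "        set action forward",
                  f"        set forward-slot {self.forward_slot}",
                  f"        set priority {self.priority}"]
        if self.comment:
            lines.append(f'        set comment "{self.comment}"')
        lines.append("    next")
        return "\n".join(lines)


def render_config(rules) -> str:
    """Full CLI stanza for a list of rules."""
    body = "\n".join(r.to_cli() for r in rules)
    return f"config load-balance flow-rule\n{body}\nend"


def select_fpc(src: str, dst: str, proto: int, rules, fpc_count: int = 4) -> str:
    """Return the slot a packet is steered to.

    Model assumptions (not FortiOS): rules are tried in ascending priority
    value and the first match wins; unmatched traffic is spread over
    FPC1..FPCn by a CRC32 stand-in for the hash configured under
    'config load-balance settings'.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src, dst, proto):
            return rule.forward_slot
    h = zlib.crc32(f"{src}-{dst}".encode())
    return f"FPC{h % fpc_count + 1}"


# Constructed topology; the addresses are examples, not from the article.
GRE_ENDPOINT = "203.0.113.10"          # remote tunnel endpoint
CHASSIS_IP = "198.51.100.1"            # tunnel address on the 6k
SUBNET_B = ip_network("10.1.1.0/24")   # subnetB as used in Step 2

GRE_RULE = FlowRule(rule_id=0, protocol="gre", priority=3)            # Step 1
SUBNET_B_RULE = FlowRule(rule_id=21, dst=SUBNET_B, comment="subnetB")  # Step 2


def compare() -> dict:
    """Where constructed packets land with and without the Step 2 rule."""
    tcp_to_b = ("192.0.2.25", "10.1.1.5", PROTO_NUM["tcp"])   # subnetA host -> subnetB
    gre_in = (GRE_ENDPOINT, CHASSIS_IP, PROTO_NUM["gre"])       # tunnel packet arriving
    return {
        "gre_inbound": select_fpc(*gre_in, [GRE_RULE]),
        "tcp_without_rule21": select_fpc(*tcp_to_b, [GRE_RULE]),
        "tcp_with_rule21": select_fpc(*tcp_to_b, [GRE_RULE, SUBNET_B_RULE]),
    }


if __name__ == "__main__":
    print(render_config([GRE_RULE, SUBNET_B_RULE]))
    for name, slot in compare().items():
        print(f"{name:>20}: {slot}")
```

Running the script prints the two rules as a pasteable stanza, then shows that the GRE packet always goes to the master, that the TCP session to subnetB is hashed onto some FPCn when only the Step 1 rule exists, and that it is pinned to the master once rule 21 is present. Narrowing `dst` (or adding `src`) in `SUBNET_B_RULE` is the discriminant choice discussed above: whatever the rule matches is no longer load-balanced.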