Created on 10-04-2023 07:19 AM Edited on 10-04-2023 07:34 AM By Jean-Philippe_P
Description | This article describes the required configuration for GRE egress traffic on chassis-based FortiGate. |
Scope | FortiGate 6k and 7k. |
Solution |
Step 1: To make sure the chassis is processing the GRE traffic as an endpoint, a flow rule has to be added:
config load-balance flow-rule
    edit 0
        set status enable
        set vlan 0
        set ether-type ip
        set protocol gre
        set action forward
        set forward-slot master
        set priority 3
    end
FortiGate-6000 v6.4.14 special features and limitations
Step 2: Consider this traffic flow:
The ingress traffic (TCP or UDP) is load-balanced according to 'config load-balance settings'.
This causes a problem when the traffic is not initially forwarded to the FPC master. To fix that, a flow rule is needed that sends traffic destined for subnetB to the FPC master.
config load-balance flow-rule
The following network diagram could be one of the use cases of egress GRE traffic:
Here is a table comparing the traffic with and without the flow rule:
Depending on the use case, the traffic discriminant should be selected carefully. |