BugZero | Fortinet BugID 985508 - When allow-traffic-redirect is (default setting),...

Fortinet - Defect ID: 985508

When allow-traffic-redirect is (default setting), redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable endSee this community guide for more details Technical Tip: How to allow traffic when using the same logical interface for ingress and egress with source and destination IP is from different network.

Fortinet - Defect ID: 985508

When allow-traffic-redirect is (default setting), redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable endSee this community guide for more details Technical Tip: How to allow traffic when using the same logical interface for ingress and egress with source and destination IP is from different network.

Last updated on February 12th, 2025

BugZero Risk Score
8.3 High

Overall: 8.3

Lifecycle: 10.0

Community: 5.8

What is the BugZero Risk Score?

Fortinet Integration

Learn more about where this data comes from

Fortinet Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Unspecified
Status: Fixed
Impacted Service: Existing Known IssuesFirewall
Views: 1

Description

When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable end When allow-traffic-redirect is enabled, redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable end When allow-traffic-redirect is enabled (default setting), redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable end When allow-traffic-redirect is (default setting), redirect traffic that ingresses and egresses from the same interface may incorrectly get dropped if the source address of the incoming packet is different from the FortiGate's interface subnet and there is no firewall policy to allow the matched traffic.Workaround: disable allow-traffic-redirect and create a firewall policy to allow traffic to ingress and egress for the same interface.config system global set allow-traffic-redirect disable endSee this community guide for more details Technical Tip: How to allow traffic when using the same logical interface for ingress and egress with source and destination IP is from different network.

Change history

2023-05-11 Added: 7.0.14, 7.0.15, 7.2.10, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.4.0, 7.4.1, 7.4.2, 7.4.3

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0.14, 7.0.15, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.4.0, 7.4.1, 7.4.2, 7.4.3

Fixed versions: 7.0.16, 7.2.11, 7.4.4

Relevant Products

Click on a version to see all relevant bugs

Affected versions:7.0.14, 7.0.15, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.4.0, 7.4.1, 7.4.2, 7.4.3

Fixed versions: 7.0.16, 7.2.11, 7.4.4

Top Fortinet Defects

8.6Defect ID: 1240901
PCI scan fails when using HTTP/1.0 on the SSLVPN port
8.6Defect ID: 1252663
On FortiGate D-series devices running older BIOS versions, the serial number changes to FGT0000000000001 after upgrading to FortiOS 7.4.10, 7.4.11, 7.6.5, and 7.6.6
8.5Defect ID: 1213247
504 Gateway Timeout shown when a virtual-server configured in full mode connects to a HTTPS server that only supports TLS <= 1.2 and which also only supports using SHA1 for signatures
8.4Defect ID: 1260236
Unexpected power off events occur in FortiGate 70G when configured in HA Active/Passive mode with wireless traffic
8.4Defect ID: 1259458
Intermittent reboot of FortiGate-71G caused by an error condition in the IPS engine

Ready to prevent the next vendor outage?

Get a demo

Fortinet - Defect ID: 985508

Fortinet - Defect ID: 985508

Last updated on February 12th, 2025

BugZero Risk Score8.3 High

Bug Details

Top Fortinet Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
8.3 High