Hi,
I'm running an HA cluster of 2x FGT-300D. The cluster is talking OSPF towards 2 Nexus 5000 devices.
Once I apply an access-list/prefix-list via distribute-list-in to only install the default route on the cluster, all remote communication is impossible... Through debugging I still see traffic (icmp/https) entering the fortigate cluster.
Once I remove the distribute-list-in statement, traffic is restored (as more routes enter the routing table). All other (more specific) routes are pointing towards the same 2 Nexus 5000 devices. The default routes are also pointing to these 2 Nexus devices.
I was checking RPF documentation which states that anti-spoofing kicks in once there is no locally attached subnet or any other route. But having only a default route shouldn't trigger anti-spoofing, right?
Any clue?
regards,
Jeroen
cluster is 2x 300D active/passive
5.2.4 build 688
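A constructed FortiOS CLI sketch of the setup described in the post (added here for illustration, not the poster's own configuration): an inbound OSPF filter that admits only the default route, the per-VDOM RPF mode, and the flow trace used to confirm whether the drop is really the reverse-path check. Object names and the 192.0.2.10 address are made up; the `distribute-list-in` keyword (which takes an access-list name in 5.x) and the `strict-src-check` setting are assumed from the FortiOS 5.x CLI and should be checked against the 5.2.4 CLI reference.

```text
# Constructed example, not the poster's config. Object names are made up.
config router access-list
    edit "OSPF-DEFAULT-ONLY"
        config rule
            edit 1
                set prefix 0.0.0.0 0.0.0.0
                set exact-match enable   # assumed: match only 0.0.0.0/0, not "any"
                set action permit
            next
        end
    next
end

config router ospf
    # Assumed keyword; in 5.x this references an access-list, not a prefix-list
    set distribute-list-in "OSPF-DEFAULT-ONLY"
end

# RPF mode is per VDOM. With strict-src-check disabled (loose RPF) any route
# covering the source, including a default route, is enough to pass the check;
# strict mode requires the best route back to the source to leave via the
# interface the packet arrived on.
config system settings
    set strict-src-check disable
end

# Compare what was installed after the filter with the full candidate set
get router info routing-table ospf
get router info routing-table database

# Confirm whether packets are really dropped by RPF: a dropped packet shows
# "reverse path check fail, drop" in the flow trace
diagnose debug flow filter addr 192.0.2.10    # constructed remote address
diagnose debug flow trace start 20
diagnose debug enable
```

If the trace shows a different drop reason (for example a policy or session lookup), the default route is being accepted by RPF and the cause lies elsewhere.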