question

ThisIsCvE asked

Azure ignores route table to FortiGate VM

Hey guys!

I need some help because I'm really desperate about my issue.

I'm running a single Fortigate-VM in Azure. It is configured with one external (port1) and one internal (port2). In Azure a VNet with the IP range 172.16.0.0/16 is deployed and there are several subnets deployed. The reason why I get in touch today is that my issue shouldn't be an issue. The route attached to the VNet seems to ignore what's configured in there.

First of all, the route table is configured like this: [image: 2023-04-24-15-28-20-vmfgt-routetable-vnet-draas-fg.jpg]

The configuration behaves - in my point of view - a little bit weird. It seems that the traffic between different subnets doesn't pass the Fortigate. I assume this because if a ping to a VM in another subnet is executed, it isn't shown in the logs. A tracert to the VMs doesn't show the Fortigate as a hop either. Removing the "Virtual Network" routes results in the ping being shown in the logs on the Fortigate, but the VMs within the same subnet can't communicate with each other anymore.

Does anyone have any advice what's happening here?

Thank you,

Christian


1 Answer

aquinteros answered

You have to create the static routes in Fortigate for each subnet you need to communicate with and reference port2 (internal).


ThisIsCvE commented

Thanks for your response. I tried the settings you mentioned but they didn't solve the issue. I removed the static routes on the route table in Azure and added them to the Fortigate. This works under the condition that there is an any <-> any policy configured with the VNet-related address object configured as source and destination.


Any other ideas?
