Fortigate destination interface root. Here are my troubleshooting steps.

Fortigate destination interface root In FortiOS version 6. 4/5. IP: <old IP> Mapped IP: <new IP> no Port Forwarding In Firewall>Policy>Policy, create a new policy for outgoing traffic (just for this one device): source IF: internal source IP: <reader' s internal IP> dest IF: wan1 dest IP Configure IPAM locally on the FortiGate Interface MTU packet size Adding the root FortiGate to FortiExplorer for Apple TV Destination user information in UTM logs May 8, 2017 · It's not that easy. Hello! I have this problem with FortiGate-100E where existing / new policy rules match weirdly on ip addresses ex: Policy to allow 192. Incoming Interface. 6 connected to a FortiGate cluster of 3000D with firmware 5. Aug 28, 2023 · Hi, I have Fortigate 60F and two ISP added to SD-WAN: WAN1 WAN2 I would like always to route traffic from Interface "3" (Subnet 192. Click OK. The administrator of the root FortiGate must also authorize the device before it can join the Security Fabric. root interface, which the SSL VPN connection flows through. FG100ETKxxxxxxxx vd=root dtime=2022-02-25 16:14:29 Hi, Today in the fortianalyzer with firmware 5. The following can be configured, so that this information is logged. ScopeFortiManager, FortiGate. The VDOM link interface in the traffic (root) VDOM (ivl-lan-ext0) has obtained an IP address dynamically from the FortiGate Controller. 5. config user local edit "test" set type password set passwd 123456 next end config user group Sep 6, 2019 · set interface "port2" set gateway 20. Related Articles. This topic contains the following examples: I'm seeing a bunch of traffic in our logs with source/destination interface are both the public ISP interface. To enable FortiTelemetry on an interface: Go to Network -> Interfaces . Interesting and puzzling. Feb 9, 2024 · Since the Zone contains more than just the ssl. Create a normal security policy from wan1 to SSLVPN Tunnel Interface to allow SSL VPN traffic to connect to the Internet. 
Destination interface interlink 1. Azure does not inherently recognize routes to the subnet associated with this loopback interface (e. Solution This event ID can have two different outputs which separately describe whether the interface went up or down. 115. ScopeFortiGate. Destination address: Local subnet(s) allowed for the VPN clients. 4. Solution Topology: User Machine <--------> FW <-------> Internet Tested IPs in LAB on version 7. This article provides a solution for an issue where the destination interface shown in the traffic logs does not match the SD-WAN quality interface when asymmetric routing is involved. 1. Priority Feb 13, 2020 · Scenario: We have a Fortigate 200E that a MSP configured for us to allow SSL-VPN connections to a few servers. A list of pending authorizations is shown. - Destination route towards the LAN interface. Nov 13, 2018 · It could be due to asymmetric route, session expired, or fortigate just received a single tcp packet with fin flag only (the syn packet and the rest are missing). 0 the typical circumstances behind the 'Interface status changed'. Parameters: all_vdoms (bool) – True - get interface-objects of all VDOMs, False - get interface-objects assigned to an initialized VDOM. Solution: Check IPsec Tunnel Status: Open the FortiGate web interface and navigate to VPN > IPsec Tunnels. Asymmetric routing enabled in VDOM system settings: config system settings Source Interface is the interface from which the traffic originates. 0/24 to 192. In realtime, this is calculated from the session list, and in historical it is from the logs. root). 1X} set egress-shaping-profile <profile> set device-identification {enable | disable} set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm} set Click OK. 88. Source Interface LAN Port 2. 8, 3. 
To configure an interface in the CLI: config system interface edit <name> set vdom <VDOM_name> set mode {static | dhcp | pppoe} set ip <IP_address/netmask> set security-mode {none | captive-portal | 802. FortiGate Solution . Jul 1, 2020 · Note that FortiLink interface will not be a visible option from GUI while creating firewall policy, so it is required to use FortiGate CLI to create policy. ALL. I don't even think you can even do that btw? What fortiOS version are you seeing a aggregate as a destination interface ? Now if you had a aggregate called . In the Fabric Setup step, click Review Authorization on Root FortiGate. 200 set priority 255 next end next end IPv6 virtual router. - IPSEC Phase 2 parameters. 0 set allowaccess ping https ssh http fgfm set type physical set snmp-index 1 next edit "port2" set vdom "root" set ip 10 Source interface: New VPN tunnel interface. No matter what they look like, as soon as the FW interface IP itself is pinged, the ping results in a log entry referring to implicit rule 0 as if all firewall rules was simply bypassed. 0/0 NAT to internet, or even a simple permit policy rule like 192. 6 and more recent version where the FortiGate interface does not respond to Ping even if Ping is allowed in interface configuration. 80, 3. API Key: Password: N/A: Yes: API key of the FortiGate instance. Apr 11, 2011 · Hi, to achieve a destination NAT you define a VIP like this: Firewall>Virtual IP>Virtual IP Create New Name: readerVIP Ext. g. Oct 31, 2020 · - Policy from IPSEC interface to destination interface. It means you have a network, link or path issues Ken Felix May 12, 2024 · This article describes how to allow traffic when only using the same logical interface for ingress and egress with source and destination IPs from different networks. 11 255. Solution: In this example, 'port3' is being replaced with 'port2' on two FortiGates. 
set srcaddr "tac" "ubuntu" set dstaddr "all" next end Jun 18, 2008 · I am using the version 3 MR 6 on a Fortigate 200 A and am trying to setup ssl VPN. 5 or 10. I've verified there is no conflict with the new IP Range. always. Scope: FortiGate version 7. Generally, such a log message is created, when a packet comes to a FortiGate and FortiOS and it can't find an existing session for it, although it is expected that it has to be already in place. 117. NAT64 policy. Jan 21, 2025 · This article describes a change of behavior in version 7. vpn state changes . 1). 10. Nov 15, 2019 · - Source interface: ssl. After disable the web mode access create the policy from ssl. 5, FWIW. root) Destination Interface - From which the real server is reachable (In this it's Port3) Source - SSLVPN subnet + The user group which will be accessing the server Destination - Call the VIP or Virtual server ( Set the Inspection Mode to Proxy-based. 20. The company uses a single ISP to connect to the Internet. root interface, it is possible to authenticate with a user that is a member of the 'SSLVPN_LDAP_admin' group. Jun 2, 2016 · On the root FortiGate, assign the LAN role to all interfaces that may connect to downstream FortiGate devices. - Source: The IP address assigned from SSL VPN pool + the SSL VPN group - Destination: The IP address. - Destination interface: the interface behind the host is. FortiOS 6. From reading the document for MR6, they mention a new interface ssl. 0/24 without any NAT it matches weirdly like Jun 13, 2023 · The solution is to replace the IP assigned to the FortiGate interface 10. If only the IP address is in the log, I get message: Destination Interface unknown-0 - no session matched. 31. Do I need to configure the firewall policies for ssl. 4-1 in GNS3 unable to ping GNS3 VM, unable to ping windows 11 host machine, unable to ping gateway. FortiGate IP address: Nov 13, 2018 · config system interface edit "NOCSWITCH" set vdom "root" set ip 10. 
By default, static routes on FortiGate have an AD of 10. Network Address Translation (NAT) is the process that enables a single device, such as a router or firewall, to act as an agent between the internet or public network and a local or private network. 16. This leads to unexpected behavior in BGP. THe IPv4 policy rule is straightforward enough: From: SSL-VPN tunnel interface (ssl root) To: LAN Source(s): SSLVPN Tunnel Addresses, SSL VPN login Schedule: Always Services: All (for troubleshooting - normally just RDP and ping) Action: Accept NAT: Disabled Proxy Options: custom HTTP sessions are accepted at the wan1 interface with destination IP address 172. Take note of the trace_id, it is incremented once per packet received by kernel from network card driver or local processes. Command to configure policy using FortiGate CLI. When forwarded, the destination address of the session is translated to the IP address of one of the web servers. Solution . The command: diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface> This one helped me. 4 with the IP that is not assigned to any FortiGate interface, but still in the same subnet, for example, 10. Typically something external to the firewall. Jan 27, 2025 · When the IKE daemon detects a tunnel down event towards the destination IP 172. Jun 30, 2021 · Destination IP address: 192. 240. Nov 8, 2024 · In this scenario, the loopback interface (LoopbackSubnet) is configured on the firewall as an internal network (Logical interface), a logical interface without a physical Network Interface Card (NIC). X set peertype any set net-device disable set proposal aes256-sha512 set dhgrp 21 set nattraversal disable set remote-gw Y. routing path and protocol changes. May 31, 2024 · The article describes how to change interfaces to zones in firewall policies on FortiGate managed by FortiManager with minimum (to no) impact on the production environment. 
For the interface connected to the Internet, set the IP/Network Mask to 10. May 12, 2020 · On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet: config vpn ipsec phase1-interface edit "tunnel-name" set interface "wan1" set ike-version 2 set peertype any set net-device enable set proposal aes256-sha1 set nattraversal enable default setting is “enable” To configure the interface settings: config system interface edit port10 config vrrp edit 200 set vrip 10. If "WAN2" is down then clients on Interface "3" will be offline (that is OK). Deprecated. Set Outgoing Interface to the interface you want to allow access to. root) Outgoing Interface. 9: Server IP: 10. Action. set vdom root. This defines through which interface the traffic should exit the FortiGate. Scope . How is it possible that FGT equire a user or device when we do not have anything like that in Policy Configuring the root FortiGate and downstream FortiGates. 70 is sending the packet to 10. Source Interface inter_link0 (root interlink) 4. Service: All. Destination interface: Interface of destination network. Settings do not affect the VPN configuration. The device is a Fortigate 620b with a 4. 0, VIPs cannot be selected in the SSL VPN policy, so some other parameters have to be checked. 8" set members 1 2 next end config service edit 1 set name "subnet-to-port1" set member 1 set dst "all" set src "subnet" next end end 5) Generate traffic from 'subnet' to verify that it is using the correct interface In the gutter on the right side of the screen, click Review authorization on root FortiGate. Y next end config vpn ipsec phase2-interface edit "O-BLA-DIS-PRIM" set phase1name "O Nov 13, 2018 · The message is informational and mean things causes destination unknown ? asymmetrical. 129 Interface Apr 25, 2020 · There is an option to configure L2TP in interface/route based IPsec VPN. 
More information can be shown in a tooltip while hovering over these entries. FortiGate is the name of the fabric device. SSL-VPN tunnel interface (ssl. Oct 8, 2020 · The root FortiGate has to have Security Fabric Connection enabled on the interface that the device connects to. 3. Feb 13, 2025 · API Root: String: https:/{{ip address}} Yes: API root of the FortiGate instance. Jun 2, 2016 · Route look-up on the other hand provides a utility for you to enter criteria such as Destination, Destination Port, Source, Protocol and/or Source Interface, in order to determine the route that a packet will take. ; Edit port2: Set Role to WAN. Scope: FortiManager, FortiGate. 56. Ken Felix We added a machine to a network in Azure (talking about an Azure Fortigate VM), but the Fortigate refuses to talk to it. In this example, a client PC is using IPv6 and an IPv6 VIP to access a server that is using IPv4. root and the outgoing physical interface port17. In the gutter on the right side of the screen, click Review authorization on root FortiGate. all, PKI-Machine-Group. Scope FortiGate. root interface, and authentication is configured under the IPv4 policy, users coming from other interfaces inside the zone will be prompted for authentication. root, mgmt where in the destination as a vip object. Disable NAT>> NAT is not required between these VDOMs. For example. ScopeFortiGate v7. The following procedures include configuration steps for a typical Security Fabric implementation, where the edge FortiGa This article describes how to use a TCL script in FortiManager to replace an interface used as a source or destination in FortiGate policies. The trace_id Apr 23, 2019 · The message is informational and mean things causes destination unknown ? asymmetrical. root. Schedule. root to get SSL VPN working. Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. 
The edge FortiGate is typically configured as the root FortiGate, as this allows you to view the full topology of the Security Fabric from the top down. NAT: Enable. Most FortiGate device's physical interfaces support jumbo frames that are up to 9216 bytes, but some only support 9000 or 9204 bytes. . Source. 2. Go to Security Policy and create policy between root and marketing VDOMs. Set the Source to the SASE subnet address object and for the user select the user group configured for authentication. 6 and more recent with asymmetric routing enabled. This agent acts in real-time to translate the source or destination IP address of a client or server on the network interface. Sep 6, 2019 · This article describes possible root causes of having logs with interface 'unknown-0'. Mar 1, 2023 · the behavior of the outgoing traffic once VIP is created without port forwarding and IP Pool, only enabling the NAT in the policy. It is not possible to combine the ssl. No explicit policy exists from source interface "src-interface" to destination interface "dst-interface" as determined by a route lookup to "x. Changing the maximum transmission unit (MTU) on FortiGate interfaces changes the size of transmitted packets. x. Jun 15, 2024 · FortiGate 7. 8. 118, port 8080) and forwards them to the internal servers. The Mode field is automatically populated as Identity Provider (IdP). A pop-up window opens to a log in screen for the root FortiGate. Scope: FortiGate, IPSec. The root cause is identified as Windows Firewall settings on the target host. This example shows how to configure a FortiGate unit to use inter-VDOM routing to route outgoing traffic from individual VDOMs to a root VDOM with Internet access. If WAN load balancing is being used in versions 5. 
config firewall shaping-policy edit <id> set traffic-type {forwarding | local-in | local-out} next end. 14 and later, 7. But, why didn't the Policy Lookup work. The root FortiGate must have FortiTelemetry enabled on the interface that the device connects to. port2. Default is False. In this example, an IPv6 VRRP router is added to port20 on the FortiGate. root interface with port 7 at the Incoming Interface at the Firewall Policy. Verify SSL: Checkbox: Unchecked: Yes: If enabled, the integration verifies that the SSL certificate for the connection to the FortiGate server is valid. 6. Select Allow and then click OK to authorize the downstream FortiGate. Mar 5, 2013 · Hello, anyone of you bump into a situation like this: - added one static entry on the " static route" entry on VDOM root - destination interface is an IPSec tunnel so, if you issue the " get router info routing-table all" on the CLI, the above mentioned static entry does not appear. Interface: internal Type: Static NAT Ext. Enable SAML Single Sign-On. Enter an IP address in the Management IP I have tested all kinds of ways to specify the source interface + address and destination interface + address. 101. 0 MR2 release. A FortiGate can apply shaping policies to local traffic entering or leaving the firewall interface based on source and destination IP addresses, ports, protocols, and applications. A device can request to join the Security Fabric from another FortiGate, but it must have the IP address of the root FortiGate. 0. set ip 1. Aug 28, 2023 · Hi, I have Fortigate 60F and two ISP added to SD-WAN: WAN1 WAN2 I would like always to route traffic from Interface "3" (Subnet 192. 197 (ICMP). 
Apr 20, 2015 · that session or connection attempts that are established to a FortiGate interface, are by default not logged if they are denied. But then during the next stage it got stock with SSL-VPN tunnel interface as LAN role. 255. The traffic VDOM can be used to: Apply application steering to the local internet connection or to FortiGate Controller network (FortiSASE) using SD-WAN. It means you have a network, link or path issues . Solution In the forward traffic logs of FortiGate, the SD-WAN Quality Interface is show Get interface-objects in specified vdom, all or filtered by some of params. Enable logging of the denied t Nov 13, 2018 · The message is informational and mean things causes destination unknown ? asymmetrical. 0/24) to ISP "WAN2" and never failover to ISP "WAN1". 1X} set egress-shaping-profile <profile> set device-identification {enable | disable} set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm} set Although the tunnel is successfully established and allows initial traffic flow, ICMP pings to the destination host are unsuccessful. Ken Felix Apr 30, 2020 · It could be due to asymmetric route, session expired, or fortigate just received a single tcp packet with fin flag only (the syn packet and the rest are missing). interface link-state change. Configure VPN interfaces. x,5. 121 on TCP port 8080, and forwarded from the internal interface to the web servers. 1 255. 1. During forwarding, the destination address is translated to the specific web server chosen by the load balancer. Oct 16, 2024 · [7658:root:1c]login_failed:405 user[jfelix],auth_type=16 failed [sslvpn_login_permission_denied] This could indicate a missing policy for that particular group 'SSLVPN_LDAP_admin'. Jul 2, 2010 · Interface MTU packet size. After changing the source interface from 'any' to the ssl. The root FortiGate pop-up window shows the state of the device authorization. Ken Felix Click OK. 11. 
Destinations with specific static routes and even source/destinations with a matching policy route sometimes disappear with these destination interface = root entry. Mar 18, 2010 · Where does the FortiGate think it is routing this traffic? There is a default route that should catch anything. That would be just a ipv4 interface under the LAG bundle and has noting todo with the sub-interfaces. edit LAG1 . However, the BGP daemon is unable to determine whether the event pertains to the primary or secondary tunnel interface. 168. Once you click Search, the corresponding route will be highlighted. ACCEPT. 7, 7. 2 next end config health-check edit "8. 30 255. When other interfaces can Jul 23, 2017 · From the FortiGate web-based manager, Outgoing Interface: internal: Destination Address: Select the SSL VPN virtual interface, ssl. Solution In this diagram test machine 10. x" ** Any ideas about this issue ? many thanks in advanced. 3. 1/255. 100, it notifies the BGP daemon to immediately bring down the BGP neighborship to 172. When other interfaces can Nov 15, 2018 · Once the Device (Devide detection) or User (we have FSSO connection to AD) is defined in the Source, the connection will be successful. The debug flow shows it failing a check on policy 4 and dropping the packet. Enabled, All Sessions Apr 13, 2023 · Troubleshooting this issue, I used "Policy Lookup" on a downstream FortiGate, the FortiGate where I worked on. Be assured that the NAT device before FortiGate is aware that this IP should be routed back to FortiGate. 8" set server "8. Solution FortiOS 2. Source address: Address range for endpoint clients. Endpoint Registration. 200. 2/5. 4. Two departments of a company, Accounting and Sales, are connected to one FortiGate. 3/32 and any other servers that must be accessed. Nov 6, 2017 · I have a fortigate 92d and while running the Security Fabric Audit it asked me to choose a role for interfaces which I did. FortiGate. Log Allow Traffic. 
Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card. Solution Create a new zone (say, 'test-zone') without adding any member interface (say, por Hi, I have problem with my fortigate 60e durring create VIP point to my linux server which port 80, create policy from wan to internal interface, and point to destination (VIP) with open all service. Scope: FortiGate 7. 0 set allowaccess ping https ssh snmp http set vlanforward enable set type switch set role lan set snmp-index 26 next end Apr 18, 2022 · Incoming Interface - SSL-VPN tunnel interface (ssl. 0 set allowaccess ping https ssh http set type emac-vlan set snmp-index 13 set interface "Uplink" next end Feb 22, 2024 · The setup of the IPSec and the interface on the core FortiGate is: config vpn ipsec phase1-interface edit "O-BLA-DIS-PRIM" set interface "MAN_A1" set ike-version 2 set local-gw X. When the LAN role is assigned to an interface, LLDP transmission is enabled by default. Destination interface port1 > WAN In the gutter on the right side of the screen, click Review authorization on root FortiGate. Policy 4 has a different source and destination interface. Scope FortiOS 2. Apr 23, 2019 · The message is informational and mean things causes destination unknown ? asymmetrical. This load-balancing setup utilizes several features: Interface MTU packet size. filter - Filter fortigate-objects by one or multiple Filtering conditions. edit . So I changed it back to undefined and then I’m back to choose what should be the SSL-VPN tunnel interface (ssl. root) = LAN, DMZ or WAN. x,4. Create an address object for the web server 10. The FortiGate uses NAT64 to translate the request from IPv6 to IPv4 using the virtual interface naf. The branch must define its local tunnel interface IP address, and the remote tunnel interface IP address of the datacenter FortiGate, to establish the point to multipoint VPN. 
Dec 17, 2019 · In that case, change the specific portal only to have Tunnel mode access. The FortiGates send a probe packet from each of their SD-WAN member interfaces so that they can determine the best route according to their policies. Enter the log in credentials for the root FortiGate, then click Login. 120. – Jun 2, 2014 · A loopback interface must be defined on the hub FortiGate to be used as a common probe point for the FortiGates that are using SD-WAN. 0 and later. 30 FortiGate has the following EMAC-VLAN configured: # config system interface edit "emac-FGT" set vdom "root" set ip 192. 2. Scope: FortiGate HA. 6 and there is a need to configure L2TP, interface/route based L2TP can be used to achieve it. , 10. The following steps describe how to add the FortiGate to serve as the root device, and how to configure the required FortiAnalyzer logging. Login in root VDOM. 1X} set egress-shaping-profile <profile> set device-identification {enable | disable} set allowaccess {ping https ssh http snmp telnet fgfm radius-acct probe-response fabric ftm} set Apr 30, 2020 · The message is informational and mean things causes destination unknown ? asymmetrical interface link-state change routing path and protocol changes vpn state changes Typically something external to the firewall. Y. Lower values indicate higher priority. 6 and later, 7. If I set a firewall policy with a destination interface of 'outside' (wan/internet) with a destination address of any (my intention is to permit outbound internet access only), will this also permit the sources I've defined in my policy to any address in my service provider's network? Nov 11, 2024 · As a workaround, 'any' can be used for a destination interface such as the following: config firewall multicast-policy edit 1 set uuid 386da6f4-8c3c-51ef-62b4-4a484a66318c set name "v100" set logtraffic enable set srcintf "Vlan100" set dstintf "any" <- Destination has to be changed to 'any'. 
Route look-up on the other hand provides a utility for you to enter criteria such as Destination, Destination Port, Source, Protocol and/or Source Interface, in order to determine the route that a packet will take. Service. kwargs – Fortigate REST API parameters. FGT1 (interface) # show config system interface edit "port1" set vdom "root" set ip 10. 222. The sample system event message(s) will be looked like below: date=2025-01-07 time= Mar 14, 2022 · FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic. Destination. Checking the route to the specific IP, the Fortigate knows it is on a "connected" network, but attempting to SSH to that device results in "No Route to Host". Solution: The HA direct management interface and the route can be configured from the GUI as follows: Go to System -> HA, edit Master FortiGate -> Management Interface Reservation, and enable this Feb 17, 2020 · Configure interface: In the root FortiGate (HQ1), go to Network -> Interfaces. , wan1, port1) that connects to the next hop. root for example. Ken Felix Interface-based traffic shaping profile Interface-based traffic shaping with NP acceleration QoS assignment and rate limiting for FortiSwitch quarantined VLANs Ingress traffic shaping profile Internet Services Destination NAT. FGT-A has no VDOMs and FGT-B has VDOMs enabled, the script is making changes for 'root The IPv6 session is between the naf. 100. From the debug flow, you can see the traffic came in from the ssl. 6 we noticed some logs related to TCP sessions that intermittently are displayed as deny-policy violation - destination interface "unknown-0". 5. 
Technical Note: How to access remote resource via IPsec for SSL VPN user Configuring the root FortiGate as the IdP To configure the root FortiGate as the IdP: Log in to the root FortiGate. (root) # config firewall policy (policy) edit 80 (New policy ID) (80) set srcintf <fortilink> May 28, 2024 · The FortiGate accepts connections on interface Port10 (destination IP: 10. Create same policy in root VDOM. Device request. On the secondary device (FortiGate B), change the priority so that it becomes the primary: (global) # config system ha set priority 250 end; Verify the NetFlow status on FortiGate A, which is using the new primary's mgmt1 IP: (global) # diagnose test application sflowd 3; Verify that the NetFlow packets use the new source IP on FortiGate B: May 9, 2023 · This article describes how to check the routes configured using the HA reserved management interface on the FortiGate HA setup. Jan 9, 2025 · Interface: The physical or logical interface (e. If the issue persists even after that, open a TAC ticket along with debug logs and config file. This one finally didn't had an issue. 1/30 . The root FortiGate must have Security Fabric Connection enabled on the interface that the device connects to. After configuring the interface IP address and static route, you shall see configuration on two Fortigate like this. Administrative Distance (AD): A metric value to prioritize the route. Set Incoming Interface to SSL-VPN tunnel interface (ssl. See Inter-VDOM routing for more information.