batfish / batfish

Batfish is a network configuration analysis tool that can find bugs and guarantee the correctness of (planned or current) network configurations. It enables network engineers to rapidly and safely evolve their network, without fear of outages or security breaches.

Home Page: http://www.batfish.org

FORTIGATE traceroute NEIGHBOR_UNREACHABLE error

guillaume75110 opened this issue

Hello everyone,

I’m currently working on network configurations featuring FortiGate firewalls and I’m facing some difficulties (bugs?) using Batfish.
If I understood correctly (this ticket by @dhalperi), support for Fortinet appliances is limited, but is traceroute supposed to be fully supported?

Example 1 – bug

Here is a minimalist example of the network topology I’m working on:
[image]

Full Batfish snapshot with all configuration files: dbg_forti2.zip

Problem

From 193.168.0.3 I’m able to traceroute to 199.168.0.2, but from 199.168.0.2 I can’t even reach fortigate1, even though I checked that my route tables are correct.

Traceroute

from pybatfish.client.session import Session
from pybatfish.datamodel.flow import HeaderConstraints

bf = Session(host="localhost")  # session and snapshot initialisation are not shown in the post

SERVER1     = "850250b1-6342-4727-9652-7e4f8f94c531"
SERVER1_IP  = "193.168.0.3/24"
SERVER2     = "05c19e8f-bddf-4a61-b63b-bf8ce577c0f7"
SERVER2_IP  = "199.168.0.2/24"
# escape() is a helper from the poster's own notebook and is not shown in the post
df = bf.q.traceroute(
    startLocation=escape(SERVER2),
    headers=HeaderConstraints(
        dstIps=escape(SERVER1), srcIps=escape(SERVER2), applications="http"
    ),
    ignoreFilters=True,  # ACLs/filters are ignored so only routing is tested
).answer().frame()

Result

[image]

I got NEIGHBOR_UNREACHABLE, as if no route were found for the destination 193.168.0.3; however, a route exists according to bf.q.routes():
[image]

-> 193.168.0.0/24 is routed through 197.168.0.2 (port1)

And all L3 edges are correctly detected by Batfish:
[image]

-> 199.168.0.2 is linked to fortigate1[port1]

Moreover, no warnings or issues were found using bf.q.parseWarnings() and bf.q.initIssues().

Example 2

However, by adding an additional router between 199.168.0.2 and fortigate1, this topology works fine:
[image]

I can traceroute both ways.

Conclusion

Is there a bug in routing with Fortigate when a host is directly connected to a Fortinet appliance?
Additional question: can you confirm that IPsec tunnels are not yet handled by Batfish for Fortinet appliances?
Thanks for your help.
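To make the NEIGHBOR_UNREACHABLE disposition concrete, here is an added example (not code from the issue or from the Batfish project) that models one hop's forwarding decision over constructed route and L3-edge rows shaped like the bf.q.routes() and bf.q.layer3Edges() output quoted above. The node names, the second edge set and the node "router1" are assumptions, not the poster's snapshot.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:  # one bf.q.routes() row, reduced to what longest-prefix match needs
    node: str
    network: str
    next_hop_ip: "str | None"  # None for a directly connected route
    out_iface: str

@dataclass(frozen=True)
class L3Edge:  # one bf.q.layer3Edges() row: local interface -> remote node and its IPs
    node: str
    iface: str
    remote_node: str
    remote_ips: tuple

def lookup(node, dst, routes):
    """Longest-prefix match for dst in node's table; None when no route covers it."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for r in (r for r in routes if r.node == node):
        net = ipaddress.ip_network(r.network)
        if dst_addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.network).prefixlen):
            best = r
    return best

def disposition(node, dst, routes, edges):
    """Coarse model of one hop: no route, route but no L3 neighbour, or forwarded."""
    route = lookup(node, dst, routes)
    if route is None:
        return "NO_ROUTE"
    # The exit interface must have an L3 neighbour owning the next-hop IP (or dst itself on a connected route)
    arp_target = ipaddress.ip_address(route.next_hop_ip or dst)
    for e in edges:
        if e.node == node and e.iface == route.out_iface and arp_target in map(ipaddress.ip_address, e.remote_ips):
            return "FORWARDED:" + e.remote_node
    return "NEIGHBOR_UNREACHABLE"

# Constructed rows loosely modelled on values quoted in the issue (not the poster's snapshot):
# 193.168.0.0/24 via 197.168.0.2 out port1, while the only L3 edge on port1 leads to server2.
ROUTES = [Route("fortigate1", "193.168.0.0/24", "197.168.0.2", "port1"),
          Route("fortigate1", "199.168.0.0/24", None, "port1")]
EDGES = [L3Edge("fortigate1", "port1", "server2", ("199.168.0.2",))]
# Same table once a neighbour owning the next-hop IP exists on port1 (assumed node "router1")
EDGES_WITH_ROUTER = EDGES + [L3Edge("fortigate1", "port1", "router1", ("197.168.0.2",))]

if __name__ == "__main__":
    print(disposition("fortigate1", "193.168.0.3", ROUTES, EDGES))              # NEIGHBOR_UNREACHABLE
    print(disposition("fortigate1", "193.168.0.3", ROUTES, EDGES_WITH_ROUTER))  # FORWARDED:router1
```

The point to check when debugging such a result is therefore not only that a route exists, but that the route's exit interface actually has an L3 edge to a neighbour owning the next-hop address.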