Blackhole

An issue which I have had was when a site to site VPN dropped, traffic for the VPN would be routed out the default route and a session was created. When the VPN can back up, the traffic would not go over the VPN as a session had already been created going out the default route to the internet.
To resolve this we can add Blackhole route on the FortiGate for the destination network with higher distance than the original one.
In CLI:

config router static
edit
set blackhole enable
set distance 220
set dst
end

 

When the tunnel is down, by adding this route the Fortigate does not forward the packet out the default route and thus does not create a session.
I would advise adding this blackhole routes for all private address range so that the FortiGate does not send non-internet traffic over the internet link.

Leave a Reply