Comprehensive and detailed explanation, from the FortiOS 7.6 / FortiWeb 7.4 Exact Extract study guide:
According to the FortiOS 7.6 Azure Administration Guide and the Public Cloud Security documentation regarding Azure Gateway Load Balancer (GWLB) integration:
Encapsulation Overhead: Azure Gateway Load Balancer uses VXLAN (Virtual eXtensible LAN) to encapsulate the traffic before sending it to the FortiGate-VM HA cluster. This encapsulation adds a header that typically consists of 50 bytes for regular IPv4 traffic (Ethernet, IP, UDP, and VXLAN headers).
MTU Mismatch (Option A): The default maximum transmission unit (MTU) in Azure is 1500 bytes. If a protected VM sends a packet at the maximum default size (1500 bytes), and the GWLB then adds the 50-byte VXLAN header, the resulting encapsulated packet becomes 1550 bytes.
Packet Drops: If the FortiGate-VM's network interfaces are left at the default MTU of 1500 bytes, they cannot accept the 1550-byte encapsulated packets without fragmentation. Because many network paths and configurations (including Azure's fabric for certain flows) drop packets that would require fragmentation or that carry the Don't Fragment (DF) flag, only the full-size packets of a flow are lost while smaller ones pass, which is exactly the observed intermittent connectivity and dropped traffic.
Required Resolution: To resolve this issue, administrators must increase the MTU on the FortiGate-VM interfaces (specifically the one receiving GWLB traffic) to at least 1570 bytes to accommodate both IPv4 and IPv6 VXLAN overhead.
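The arithmetic behind the 1550- and 1570-byte figures, as an added example written for this explanation (it is not code from Fortinet or from the Azure documentation). It assumes the standard header sizes (Ethernet II 14 bytes, IPv4 20 bytes, IPv6 40 bytes, UDP 8 bytes, VXLAN 8 bytes) and the usual convention that an interface MTU counts the IP packet, so the inner frame's Ethernet header is part of the overhead once it is carried inside VXLAN. The sample flows are constructed, not captured traffic.

```python
"""Model VXLAN (Azure GWLB) encapsulation overhead against a FortiGate-VM interface MTU.

Added example; not Fortinet or Microsoft code. Header sizes are the standard
wire formats. The interface MTU is taken as the maximum IP packet size the
interface accepts, so the inner frame's 14-byte Ethernet header counts as
overhead once the whole frame is carried inside a VXLAN/UDP/IP packet.
"""

ETHERNET_HEADER = 14   # untagged Ethernet II header of the encapsulated inner frame
IPV4_HEADER = 20       # outer IPv4 header without options
IPV6_HEADER = 40       # outer IPv6 header
UDP_HEADER = 8
VXLAN_HEADER = 8       # RFC 7348 VXLAN header

AZURE_DEFAULT_MTU = 1500


def vxlan_overhead(outer_ip_version: int) -> int:
    """Bytes added around an inner IP packet by inner-Ethernet + outer IP + UDP + VXLAN."""
    outer_ip = {4: IPV4_HEADER, 6: IPV6_HEADER}[outer_ip_version]
    return ETHERNET_HEADER + outer_ip + UDP_HEADER + VXLAN_HEADER


def encapsulated_size(inner_packet_bytes: int, outer_ip_version: int) -> int:
    """Size of the outer IP packet that reaches the FortiGate interface."""
    return inner_packet_bytes + vxlan_overhead(outer_ip_version)


def is_dropped(inner_packet_bytes: int, outer_ip_version: int, interface_mtu: int) -> bool:
    """True when the encapsulated packet exceeds the receiving interface MTU.

    Fragmentation is treated as a drop, matching paths that discard DF packets
    or packets needing fragmentation.
    """
    return encapsulated_size(inner_packet_bytes, outer_ip_version) > interface_mtu


def minimum_interface_mtu(inner_mtu: int = AZURE_DEFAULT_MTU) -> int:
    """Smallest MTU that carries a full-size inner packet under either outer IP version."""
    return inner_mtu + max(vxlan_overhead(4), vxlan_overhead(6))


# Constructed sample flows from a protected VM (description, inner IP packet size, outer IP version).
SAMPLE_FLOWS = [
    ("small HTTPS request", 300, 4),
    ("TLS handshake record", 1200, 4),
    ("bulk download segment, full size", 1500, 4),
    ("bulk upload segment, full size, IPv6 outer", 1500, 6),
]


def classify_flows(interface_mtu: int, flows=SAMPLE_FLOWS):
    """Return (description, encapsulated size, dropped) for each flow at the given MTU."""
    return [
        (desc, encapsulated_size(size, ver), is_dropped(size, ver, interface_mtu))
        for desc, size, ver in flows
    ]


def dropped_count(interface_mtu: int, flows=SAMPLE_FLOWS) -> int:
    """Number of sample flows whose full-size packets would be dropped at this MTU."""
    return sum(1 for _, _, dropped in classify_flows(interface_mtu, flows) if dropped)


if __name__ == "__main__":
    for mtu in (AZURE_DEFAULT_MTU, 1550, minimum_interface_mtu()):
        print(f"interface MTU {mtu}: {dropped_count(mtu)} of {len(SAMPLE_FLOWS)} flows dropped")
        for desc, size, dropped in classify_flows(mtu):
            print(f"  {'DROP' if dropped else 'ok  '} {size:5d} B  {desc}")
```

Running it shows the intermittent pattern the explanation describes: at the default MTU of 1500 only the two full-size segments are lost, at 1550 the IPv4 case passes but the IPv6-encapsulated one still fails, and at 1570 every sample flow is carried, which is why the resolution is the larger of the two overheads, not just the common IPv4 one.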
Why other options are incorrect:
Option B: While an incorrect health probe port would cause the GWLB to mark the FortiGate as down, it would typically lead to a complete loss of traffic flow through that instance rather than intermittent packet drops within an active flow.
Option C: The GWLB itself is the component adding the overhead; it is the FortiGate's inability to receive the larger resulting frame (due to its own default MTU setting) that causes the failure.
Option D: Packet fragmentation by the application is a secondary effect. The primary "intermittent" issue described in GWLB deployments is almost always related to the tunneling overhead exceeding the receiving interface's MTU.