Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled
Description
This article describes how to configure firewall policies for a VIP when Central NAT is enabled.
Scope
FortiGate.
Solution
When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address.
This is normal behavior due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created into the Policy & Objects -> DNAT & Virtual IPs. VIP matches for local-out traffic as well, if you want to restrict local-out traffic to not match the VIP, it is possible to use 'srcintf-filter'.
The only thing needed is to create the VIP as usual:
Example configuration in the CLI:
config firewall vip
edit "RDP"
set extip 192.168.17.162
set mappedip "192.168.1.60"
set extintf "any"
set portforward enable
set extport 3389
set mappedport 3389
next
end
edit "RDP"
set extip 192.168.17.162
set mappedip "192.168.1.60"
set extintf "any"
set portforward enable
set extport 3389
set mappedport 3389
next
end
Create the local IP address object and the firewall policy. In the destination field of the firewall policy, select the local IP configured into the VIP.
Example configuration in the CLI:
config firewall address
edit "192.168.1.60"
set subnet 192.168.1.60 255.255.255.255
next
end
edit "192.168.1.60"
set subnet 192.168.1.60 255.255.255.255
next
end
config firewall policy
edit 0
set name "RDP"
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "192.168.1.60"
set schedule "always"
set service "ALL"
next
end
edit 0
set name "RDP"
set srcintf "port1"
set dstintf "port2"
set action accept
set srcaddr "all"
set dstaddr "192.168.1.60"
set schedule "always"
set service "ALL"
next
end
Starting from v6.2, there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled, CLI only (disabled by default).
config firewall policy
edit RDP
set match-vip-only enable
next
set match-vip-only enable
next
end
If it is disabled, traffic from SD-WAN to LAN with 192.168.1.60 (internal IP) or 192.168.157.162 (external IP) as the destination will be allowed.
If 'match-vip-only' is enabled, the policy will be matched only if a DNAT is applied before, so only traffic from SD-WAN to LAN with destination 192.168.157.162 (external IP) will match the policy. This behavior has changed starting from v6.4.3 where match-vip-only is not configurable and there are no options to change this config.
If 'match-vip-only' is enabled, the policy will be matched only if a DNAT is applied before, so only traffic from SD-WAN to LAN with destination 192.168.157.162 (external IP) will match the policy. This behavior has changed starting from v6.4.3 where match-vip-only is not configurable and there are no options to change this config.
Related documents: