Dworf
New Member
June 16, 2021
Question

DNAT VIPs and policies


Hi there,

So I've got a 1500D.

The first policy is this one:

Source: subnet1

Destination: a DNAT VIP mapping 70.12.5.7 to 70.12.5.67 (just an example I don't know these IPs)

Port: 465

And the second policy is this one:

Source: all

Destination: 70.12.5.7

Port: 465

 

Problem: when I try to reach 70.12.5.7 with an IP outside of subnet1 I am redirected to 70.12.5.67. I don't want that, I want only IPs in the subnet1 group trying to reach 70.12.5.7 to be redirected to 70.12.5.67.

I know that the FortiGate does the DNAT before the policy lookup, so what do I have to modify to have the policies working like I want?

Thanks for your help.  

2 replies

srajeswaran
Staff
June 17, 2021

Please specify the source address on your VIP config. It can be found under "Optional Filters" on VIP config page.

 

 

Andregyn
New Member
June 22, 2021

Hey,

To do what you want, you need to specify the source network in your Virtual IP rule.

You can do that under VIP Rule -> Optional Filters -> Source address. With this configuration your DNAT will be applied only to the subnet you configured there, in this case subnet1.

 

 

CLI:

config firewall vip
    edit "your rule"
        # src-filter takes IP/mask prefixes or IP ranges, not address object names;
        # 10.0.1.0/24 is a placeholder for the real prefix of subnet1
        set src-filter "10.0.1.0/24"
    next
end
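The two answers above, written out as a complete configuration. This is an added example, not taken from the thread or from Fortinet documentation: the interface names port1 and port2, the 10.0.1.0/24 prefix for subnet1 and the object names are assumptions, and 70.12.5.7 / 70.12.5.67 are the placeholder addresses from the question. The VIP's src-filter is what limits the DNAT to subnet1; the policies only decide whether the (translated or untranslated) traffic is allowed.

```fortios
# --- address objects (names are assumptions) ---
config firewall address
    edit "subnet1"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "host-70.12.5.7"
        set subnet 70.12.5.7 255.255.255.255
    next
end

# --- DNAT VIP: 70.12.5.7 -> 70.12.5.67, translated only for subnet1 ---
# Without src-filter this VIP translates every packet arriving for 70.12.5.7,
# regardless of which policy later matches. src-filter takes IP/mask or
# ranges, not address object names.
config firewall vip
    edit "vip-70.12.5.7-to-67"
        set extip 70.12.5.7
        set extintf "any"
        set mappedip "70.12.5.67"
        set src-filter "10.0.1.0/24"
    next
end

# --- policies ---
# Policy 1: subnet1 -> VIP (translated to 70.12.5.67), TCP/465.
# Policy 2: everyone else -> 70.12.5.7 untranslated, TCP/465.
# Because of the src-filter, traffic from outside subnet1 is no longer
# rewritten, so it matches policy 2 with the plain host object as before.
config firewall policy
    edit 1
        set name "subnet1-to-vip-465"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "subnet1"
        set dstaddr "vip-70.12.5.7-to-67"
        set action accept
        set schedule "always"
        set service "SMTPS"
    next
    edit 2
        set name "any-to-70.12.5.7-465"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "host-70.12.5.7"
        set action accept
        set schedule "always"
        set service "SMTPS"
    next
end
```

To confirm which path a flow takes, run `diagnose sniffer packet any "host 70.12.5.7 and port 465" 4` from one source inside subnet1 and one outside: the first should show the packet leaving with destination 70.12.5.67, the second with 70.12.5.7 unchanged. SMTPS is the built-in FortiOS service object for TCP/465; if your unit lacks it, define a custom TCP/465 service instead.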