beldridge
New Member
April 21, 2022
Question

FQDN VIP to Private server on LAN

We have a FortiGate 200D that is running code 6.0.14.

Is it possible to create a FQDN VIP that maps to a server on the inside? Much like a static VIP?

We have a PBX that uses a static VIP; we want to convert that to an FQDN.

Our idea: we have three WAN interfaces, and we want to add each WAN IP to the FQDN and program the phones to use the FQDN (with all three static IPs assigned to it) instead of the external IP, so that when an interface goes down they will connect using the other IPs on the FQDN with little or no loss.

seshuganesh
Staff
April 21, 2022

Hi Team,

As per your requirement, you need to create three VIPs, one for each of the three external interface IP addresses.

If one is not reachable, the phone should have the ability to go to the secondary.
It is better if your phone has the ability to check whether an IP is up or down, like the link monitor in the FortiGate.

Accordingly, you can achieve it.

beldridge (Author)
New Member
April 21, 2022

Thank you for the reply.

What would be the CLI commands to create an FQDN VIP that points to a private server?

When I created one, the mapped address is the FQDN and the external is 0.0.0.0. Shouldn't the external be the FQDN and the mapped address be the internal? Unless I'm missing something or just don't understand, because the static VIP is set up that way.

seshuganesh
Staff
April 22, 2022

"What would be the CLI commands to create an FQDN VIP that points to a private server?"

The FQDN should point to the external IP address, not to the private IP, as per your requirement.

It's like there is nothing to do in the FortiGate: you need to create three VIPs for the same private IP with different public IPs. From then on it completely depends on DNS resolution, and on how the phone will identify which public IP it should choose to send the request to.

pminarik
Staff
April 22, 2022

Hi beldridge,

The CLI commands to create an FQDN-based VIP look like this:

config firewall vip
    edit "my_test_vip"
        set type fqdn
        set extaddr <fqdn-type-address-object>
        set mapped-addr <fqdn-type-address-object>
        set extintf <external-interface>
        ...
    next
end

The CLI documentation reference is available here (6.2 link; the 6.0 document is unfortunately incorrect).

Note that for FQDN-type VIPs, the mapped destination must always be an FQDN object, whereas the external address is optional (it can be an FQDN (set extaddr) or an IP (set extip)). In other words, if you only need the external address to be an FQDN, you will still need to set the internal one as an FQDN as well.

Lastly, if you would like to see this in the GUI, the option was added in 6.4.2 (reference).

Addendum: It may be worth pointing out, in case it is not clear, that these FQDNs' sole purpose is to provide dynamic updates to what would otherwise be the static-IP extip and mappedip attributes. The FortiGate periodically queries the DNS server for these FQDNs and uses the resulting IPs to internally update the extip/mappedip attributes of the VIP. This is to say, these FQDNs do not provide any sort of domain-based reverse-proxy functionality, nor any other "magic".
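Putting seshuganesh's three-VIP approach and pminarik's FQDN-type VIP syntax together, here is an added, complete FortiOS CLI example written for this page; it was not posted by anyone in the thread. The WAN interface names ("wan1", "wan2", "wan3"), the inside interface ("lan"), the public addresses (taken from the RFC 5737 documentation ranges), the PBX's private address and all hostnames are placeholders to replace with your own, and the RTP port range is an assumption about the PBX. Unlike a bare 1:1 VIP, the inbound policy only admits SIP signalling and the RTP range, so the rest of the PBX is not reachable from the internet.

```fortios
# Added example, not from the thread. All addresses, hostnames and
# interface names are placeholders (assumptions); replace with your own.

# 1. Static VIPs, one per WAN interface, all mapping to the same PBX
#    (seshuganesh's suggestion). No portforward here; exposure is
#    limited by the service on the firewall policy in step 3 instead.
config firewall vip
    edit "vip-pbx-wan1"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.20"
    next
    edit "vip-pbx-wan2"
        set extip 198.51.100.10
        set extintf "wan2"
        set mappedip "10.10.10.20"
    next
    edit "vip-pbx-wan3"
        set extip 192.0.2.10
        set extintf "wan3"
        set mappedip "10.10.10.20"
    next
end

# 2. Only the ports the PBX needs. "SIP" is a predefined FortiOS
#    service (tcp/udp 5060); the RTP range is an assumed PBX setting.
config firewall service custom
    edit "PBX-RTP"
        set udp-portrange 10000-20000
    next
end
config firewall service group
    edit "PBX-Services"
        set member "SIP" "PBX-RTP"
    next
end

# 3. One inbound policy covering all three WAN interfaces and VIPs.
#    Logging every session gives you a record of SIP scanning attempts.
config firewall policy
    edit 0
        set name "internet-to-pbx"
        set srcintf "wan1" "wan2" "wan3"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vip-pbx-wan1" "vip-pbx-wan2" "vip-pbx-wan3"
        set action accept
        set schedule "always"
        set service "PBX-Services"
        set logtraffic all
    next
end

# 4. FQDN-type variant of the wan1 VIP using pminarik's syntax (FortiOS
#    6.2+ CLI). Both ends must be FQDN address objects, and the
#    FortiGate's own DNS servers must resolve both names, including the
#    private one, because the FortiGate re-queries them periodically to
#    refresh extip/mappedip. Add it to the policy's dstaddr like the others.
config firewall address
    edit "fqdn-pbx-wan1"
        set type fqdn
        set fqdn "pbx-wan1.example.com"
    next
    edit "fqdn-pbx-inside"
        set type fqdn
        set fqdn "pbx.corp.example.com"
    next
end
config firewall vip
    edit "vip-pbx-wan1-fqdn"
        set type fqdn
        set extaddr "fqdn-pbx-wan1"
        set mapped-addr "fqdn-pbx-inside"
        set extintf "wan1"
    next
end
```

Two checks worth making after applying this. First, `diagnose firewall fqdn list` shows what each FQDN address object currently resolves to; if the private name does not appear with the PBX's address, the FortiGate's DNS servers cannot resolve it and the FQDN VIP will not map anything. Second, the failover described in the question happens entirely on the phone side: the FortiGate only accepts SIP and RTP arriving at whichever WAN address is still up, so the name the phones are configured with must carry all three public A records in public DNS, and the phone firmware must be able to retry against the next record when one WAN is down, as seshuganesh pointed out.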