flamer
New Member
May 8, 2014
Question

VIP route advertisement

  • May 8, 2014
  • 4 replies
  • 4534 views
Hi all. When I configure a VIP on the firewall, for example the internal address is 10.1.1.1 and the external address is 50.50.1.1, how does the network on the WAN side know that the 50.50.1.1 address exists within the firewall? It seems not to advertise that route out. If I look at Router, Policy, Monitor I do not see the 50.50.1.1 address as connected or static. When I try to ping that address from the next-hop router it fails. At the moment, I can send traffic out from the internal host, and the external server receives it (the source address is 50.50.1.1), but the reply traffic never makes it back: the external server shows the traffic leaving its outside interface sourced to 50.50.1.1, but that's the last I see of it. I think it could be because the VIP is unknown to the world.

    4 replies

    Carl_Wallmark
    New Member
    May 8, 2014
Hi. When creating a VIP, the FortiGate will automatically create a proxy ARP entry for that address. So when someone is asking for 50.50.1.1, the FortiGate will respond.
    ede_pfau
    SuperUser
    May 8, 2014
Hi, and welcome to the forums. You are right, this is a routing issue. On your ISP's side, though. A VIP defines an address translation, more precisely a destination address translation (DNAT). Incoming packets destined for the VIP (50.50.1.1) will have their destination IP address field modified to the corresponding internal address (10.1.1.1). It is important to realize that this is not routing but NAT. Now, for the external address: of course it is unknown if you just 'create' it in a VIP. This will only work with a routable IP address which is routed by your ISP to your site. The next-hop router (your default gateway) has to know where to send the traffic for this address. It does so by routing. So you need to have a public routable IP address assigned to you by your ISP in order to be able to use it. Then you can use it via DNAT, or as a secondary address on the WAN interface. In both cases, the FGT will respond to requests to this public IP address by answering ARP requests (proxy ARP in case of a VIP, as Selective has pointed out, or real ARP for secondary addresses) and that ultimately will make the connection possible. Hope this helps. Please feel free to post further questions if it's still unclear how to make your internal server accessible over the WAN port.
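The VIP-plus-policy setup described above, written out as an added FortiOS CLI example (not configuration posted in this thread); the interface names "wan1" and "internal", the VIP name and the service "ALL" are assumptions:

```fortios
# Added example: DNAT VIP mapping the public 50.50.1.1 to the internal 10.1.1.1.
# extintf is the interface on which the FortiGate answers (proxy) ARP for extip,
# so it must be the WAN port facing the gateway router. "wan1" is assumed.
config firewall vip
    edit "vip-50.50.1.1"
        set extip 50.50.1.1
        set extintf "wan1"
        set mappedip "10.1.1.1"
        set arp-reply enable
    next
end

# Inbound policy: traffic arriving on wan1 for the VIP is allowed through to the
# internal interface. The destination must be the VIP object itself, not an
# address object for 10.1.1.1, otherwise the DNAT is never applied.
# "ALL" is a placeholder; restrict service to what the internal host exposes.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-50.50.1.1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# To confirm packets for the VIP actually reach the FortiGate, sniff on all
# interfaces (the trailing 4 prints the interface name on each line):
# diagnose sniffer packet any 'host 50.50.1.1' 4
```

If the sniffer shows nothing on the WAN port, the upstream router is not routing 50.50.1.1 towards the FortiGate and the fix belongs there, not in the VIP.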
    flamer (Author)
    New Member
    May 9, 2014
Thank you for the replies, that answers my question: the proxy ARP should be taking place automatically! The route is known through the internet, I can traceroute to it, and I get as far as the gateway router. The next hop would be the FortiGate. I suspect the FortiGate is not playing nice with my traceroute, because I can also see the route learned dynamically on the gateway router via the LAN interface. So the issue now seems to be that the DNAT is not working correctly. I have set a policy to allow incoming traffic on the WAN interface, with a destination of the VIP. But no traffic is seen hitting the WAN interface of the firewall either.
    ede_pfau
    SuperUser
    May 9, 2014
I would use the built-in sniffer to determine that traffic is actually hitting the WAN interface. If not, the gateway router doesn't route properly. If you see traffic, but no traffic on the internal port, then the VIP is broken. Use the 'any' interface first to see where traffic is seen on the FGT: 'diag sniffer packet any icmp 4'. The '4' adds the interface name to the trace. I've yet to see a VIP that is not working by itself. NAT is the most stable and most used feature on a FGT.
    flamer (Author)
    New Member
    May 11, 2014
Thanks for the assistance. Turns out a static route on the gateway router fixed everything :)