rpillai
Staff
Description
This article describes how to port forward traffic to a host that sits behind a VDOM with no direct Internet access, where the VDOM reaches the Internet only through the root VDOM over an inter-VDOM link.

Scope
FortiGate 5.2, FortiGate 5.4

Solution
This article assumes that the inter-vdom link and policies have already been configured and that the host behind VDOM-A can reach the Internet.

[Figure 1]

VIP object

[Figure 2: VIP object]

Policy from wan to inter-VDOM link

[Figure 3: policy from wan to inter-VDOM link]

Policy configuration on VDOM-A

[Figure 4: policy configuration on VDOM-A]
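The VIP and the two policies shown in the screenshots, written out as FortiOS CLI as an added example (this is not the article's own configuration). The policy IDs 9 and 1, the interfaces port1 and port6, the inter-VDOM link pair root-VDOMA0/root-VDOMA1 and the addresses are taken from the debug flow output below; the VIP and address object names are assumptions.

```fortios
# Root VDOM: the VIP performs the DNAT on the WAN side and policy 9
# forwards the translated packet into the inter-VDOM link.
config vdom
    edit root
        config firewall vip
            # object name is an assumption
            edit "VIP-RDP-VDOMA"
                set extip 192.168.13.24
                set extintf "port1"
                set portforward enable
                set protocol tcp
                set extport 3389
                set mappedip "192.168.25.2"
                set mappedport 3389
            next
        end
        config firewall policy
            # "Allowed by Policy-9" in the debug flow ('Policy for VIP')
            edit 9
                set srcintf "port1"
                set dstintf "root-VDOMA0"
                set srcaddr "all"
                set dstaddr "VIP-RDP-VDOMA"
                set action accept
                set schedule "always"
                set service "RDP"
                set logtraffic all
            next
        end
    next
end

# VDOM-A: no NAT here, the packet already carries the mapped IP;
# policy 1 admits it from the link towards the host on port6.
config vdom
    edit VDOM-A
        config firewall address
            # object name is an assumption
            edit "RDP-host"
                set subnet 192.168.25.2 255.255.255.255
            next
        end
        config firewall policy
            # "Allowed by Policy-1" in the debug flow ('Incoming Policy')
            edit 1
                set srcintf "root-VDOMA1"
                set dstintf "port6"
                set srcaddr "all"
                set dstaddr "RDP-host"
                set action accept
                set schedule "always"
                set service "RDP"
                set logtraffic all
            next
        end
    next
end
```

Replace srcaddr "all" on policy 9 with address objects for the clients that actually need to reach the host, and keep logtraffic enabled so each forwarded session is logged against the policy ID seen in the debug flow.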

Packet Flow

FGVM000000045972 (root) # 2016-08-31 12:44:36 id=20085 trace_id=20 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 192.168.13.102:51981->192.168.13.24:3389) from port1. flag [S], seq 1090537097, ack 0, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=20 func=init_ip_session_common line=4868 msg="allocate a new session-005bce00"
2016-08-31 12:44:36 id=20085 trace_id=20 func=fw_pre_route_handler line=182 msg="VIP-192.168.25.2:3389, outdev-port1"
2016-08-31 12:44:36 id=20085 trace_id=20 func=__ip_session_run_tuple line=2769 msg="DNAT 192.168.13.24:3389->192.168.25.2:3389"
2016-08-31 12:44:36 id=20085 trace_id=20 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.25.2 via root-VDOMA0"
2016-08-31 12:44:36 id=20085 trace_id=20 func=fw_forward_handler line=698 msg="Allowed by Policy-9:"   //This is the 'Policy for VIP'
2016-08-31 12:44:36 id=20085 trace_id=21 func=print_pkt_detail line=4717 msg="vd-VDOM-A received a packet(proto=6, 192.168.13.102:51981->192.168.25.2:3389) from root-VDOMA1. flag [S], seq 1090537097, ack 0, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=21 func=init_ip_session_common line=4868 msg="allocate a new session-005bce01"
2016-08-31 12:44:36 id=20085 trace_id=21 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-192.168.25.2 via port6"
2016-08-31 12:44:36 id=20085 trace_id=21 func=fw_forward_handler line=698 msg="Allowed by Policy-1:" //This is the 'Incoming Policy'
2016-08-31 12:44:36 id=20085 trace_id=22 func=print_pkt_detail line=4717 msg="vd-VDOM-A received a packet(proto=6, 192.168.25.2:3389->192.168.13.102:51981) from port6. flag [S.], seq 1320276989, ack 1090537098, win 8192"
2016-08-31 12:44:36 id=20085 trace_id=22 func=resolve_ip_tuple_fast line=4781 msg="Find an existing session, id-005bce01, reply direction"
2016-08-31 12:44:36 id=20085 trace_id=22 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-192.168.13.102 via root-VDOMA1"
