FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
It is often required that a protected resource can be accessible from the internet by a specific IP but also, it may need to initiate sessions and be NATted to the same public IP that clients use to access it.
The FortiGate has a public IP address on it's WAN interface. In the examples below the FortiGate has a public IP address of 172.25.187.64. This is not really public but it works for the purpose of this example.
There may be a resource behind the FortiGate such as a web server, mail server or PBX, just to name a few examples. If there are a range of public IP addresses such as 172.25.187.64 - 66, then one of the IP addresses (other than .64) can be used for the external IP address on a Virtual IP address (VIP).
This will allow the clients accessing the resource to reach it via a public address and translate (DNAT) it to the private IP address.
However, this does not address the scenario where it is required that the resource uses the same public IP address as the external IP address on the VIP any time that the resource initiates a session to the internet.
Use a Virtual IP, to destination NAT the external IP address to the internal IP address.
There are two ways to set up a virtual IP.
1. The first is to use a one-to-one static NAT. An external IP and no port forwarding is specified (meaning all ports are forwarded). If this setup is used, outbound sessions originating from the internal IP are automatically NATed to the external virtual IP.
2. If you make a port forward virtual IP by specifying a port, then sessions originating from the internal device will only be NATed to your external interface, if you have NAT enabled. In that case you would need to use an IP Pool to NAT the traffic to the virtual IP.
Typically you have an external IP that users on the internet will resolve a FQDN to, so as to reach the resource, such as OWA/web server or others, on your network.
The public IP will belong to the FortiGate and then be translated (Destinated NAT) to the private IP of the internal resource.
Below, are some sample images and configurations of an example for a mail server. The principle is the same.
The steps are:
1. Create a VIP
- Define the external IP
- Define the internal IP
- If the external IP is dedicated to (used only by) the resource, do not use port forward.
- If you are sharing the external IP with other resources, then you must define the ports that will be forwarded, under the port forward section.
Note that defining the ports is not a security concern as you can limit the open ports on a firewall policy.
*By not defining the ports on the "port forwarding" you are ensuring that the external IP belongs to the specific resource.
When that resource initiates a session that uses a NATted policy (destined to the internet) it's public address will be that used by the VIP.
This is important so that resources it is contacting can send its traffic back to it.
2. Create an inbound, wan to internal policy (in this case the internal interface it Root_FSSO0).
- Set the source address to "all".
- Set the destination address to the VIP you created in step 1.
- The services are the ports that you will need open to access the resource (ie. smtp opens port 25, smtpss opens 465).
- DO NOT enable NAT
3. For the outbound policy, we want the Mail server to access external resources by its public ip address that we assigned on the VIP.
Create a outbound, wan to internal, policy.
- Set the source address object
- Set the destination address to all.
- The services can be all, or you can define them as well.
- Enable NAT “Use outgoing interface address”
In this case, as we have not defined the ports on the VIP, we do not need to make use of an ip-pool to NAT the traffic to 172.25.187.65
When we do a sniff on the FortiGate for 126.96.36.199 and ping from the mail server, we can see that it has taken the external IP of the VIP.