config system ha
set hbdev "port1" 50
set session-pickup enable
set session-pickup-connectionless enable
set session-pickup-expectation enable
set session-pickup-nat enable
set override disable
end
With regard to the source NAT, two kinds of NAT configuration are needed:
config firewall ip-translation
edit 1
set startip 10.0.0.10
set endip 10.0.0.10
set map-startip 100.0.0.10
next
edit 2
set startip 20.0.0.10
set endip 20.0.0.10
set map-startip 200.0.0.10
next
end
config firewall ippool
edit "CLIENT_PRI_IPPOOL"
set type one-to-one
set startip 100.0.0.10
set endip 100.0.0.10
next
end
config firewall policy
edit 1
set name "CLIENT->SERVER_PRI"
set srcintf "port1"
set dstintf "port2"
set srcaddr "CLIENT_PRI_10.0.0.10"
set dstaddr "SERVER_PRI_100.0.0.100"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set ippool enable
set poolname "CLIENT_PRI_IPPOOL"
next
end
FGT-SEC:
config firewall ip-translation
edit 1
set startip 10.0.0.10
set endip 10.0.0.10
set map-startip 100.0.0.10
next
edit 2
set startip 20.0.0.10
set endip 20.0.0.10
set map-startip 200.0.0.10
next
end
config firewall ippool
edit "CLIENT_SEC_IPPOOL"
set type one-to-one
set startip 200.0.0.10
set endip 200.0.0.10
next
end
config firewall policy
edit 1
set name "CLIENT->SERVER_SEC"
set srcintf "port1"
set dstintf "port2"
set srcaddr "CLIENT_SEC_20.0.0.10"
set dstaddr "SERVER_SEC_200.0.0.100"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set ippool enable
set poolname "CLIENT_SEC_IPPOOL"
next
end
Note: The firewall policy on FGT-SEC is not mandatory; it has been added to the configuration in case the session is initialized through the secondary path.
FGT-PRI # diag sys session filter proto 132
FGT-PRI # diag sys session list
session info: proto=132 proto_state=01 duration=211 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=11
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu dst-vis synced f00 complex
statistic(bytes/packets/allow_err): org=3632/34/1 reply=2296/33/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=65->64/64->65 gwy=100.0.0.100/10.0.0.10
hook=post dir=org act=snat 10.0.0.10:5002->100.0.0.100:3868(100.0.0.10:5002)
hook=pre dir=reply act=dnat 100.0.0.100:3868->100.0.0.10:5002(10.0.0.10:5002)
dst_mac=5e:dc:81:0b:60:b1
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=1
serial=000108f6 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): not-established/not-established, none(0)/none(0)
npu_state_err=04/04
sctp: ctx_st=3 saddr=(10.0.0.10=>100.0.0.10, 20.0.0.10=>200.0.0.10)(2) daddr=(100.0.0.100, 200.0.0.100)(2)
FGT-PRI # diag sniffer packet any 'proto 132' 4 20
interfaces=[any]
filters=[proto 132]
3.266145 port2 in 100.0.0.100 -> 100.0.0.10: ip-proto-132 64
3.266157 port1 out 100.0.0.100 -> 10.0.0.10: ip-proto-132 64
3.266279 port1 in 10.0.0.10 -> 100.0.0.100: ip-proto-132 64
3.266291 port2 out 100.0.0.10 -> 100.0.0.100: ip-proto-132 64
FGT-SEC # diag sys session filter proto 132
FGT-SEC # diag sys session list
session info: proto=132 proto_state=01 duration=366 expire=3593 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=56
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00 syn_ses complex
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=58->59/59->58 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.0.0.10:5002->100.0.0.100:3868(100.0.0.10:5002)
hook=pre dir=reply act=dnat 100.0.0.100:3868->100.0.0.10:5002(10.0.0.10:5002)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=1
serial=000108f6 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
sctp: ctx_st=3 saddr=(10.0.0.10=>100.0.0.10, 20.0.0.10=>200.0.0.10)(2) daddr=(100.0.0.100, 200.0.0.100)(2)
The session above has been synchronized from FGT-PRI but does not process any traffic on FGT-SEC.
session info: proto=132 proto_state=00 duration=366 expire=never timeout=never flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
state=log npu synced complex
statistic(bytes/packets/allow_err): org=1932/23/1 reply=1932/23/1 tuples=2
tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 5/0
orgin->sink: org pre->post, reply pre->post dev=59->58/58->59 gwy=20.0.0.10/200.0.0.100
hook=pre dir=org act=dnat 200.0.0.100:3868->200.0.0.10:5002(20.0.0.10:5002)
hook=post dir=reply act=snat 20.0.0.10:5002->200.0.0.100:3868(200.0.0.10:5002)
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=1
serial=000108f6 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=440/444, ipid=444/440, vlan=0x0067/0x0066
vlifid=444/440, vtag_in=0x0067/0x0066 in_npu=4/3, out_npu=4/3, fwd_en=0/0, qid=17/17
FGT-SEC # diag sniffer packet any 'proto 132' 4
interfaces=[any]
filters=[proto 132]
10.485112 port2 in 200.0.0.100 -> 200.0.0.10: ip-proto-132 64
10.485125 port1 out 200.0.0.100 -> 20.0.0.10: ip-proto-132 64
10.485294 port1 in 20.0.0.10 -> 200.0.0.100: ip-proto-132 64
10.485303 port2 out 200.0.0.10 -> 200.0.0.100: ip-proto-132 64
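As an added check, not part of the original article: a Python script that parses the ip-translation block and `diag sys session list` records like those above, tells a synchronized standby copy (syn_ses flag, zero originator packets) from a locally processed session, and flags any SCTP source address whose NAT mapping in the session disagrees with the configured one-to-one translation. The sample inputs are constructed, abridged from the FGT-SEC outputs above.

```python
import re

# Constructed samples abridged from the FGT-SEC outputs above (only the lines read here).
IP_TRANSLATION = """\
config firewall ip-translation
    edit 1
        set startip 10.0.0.10
        set endip 10.0.0.10
        set map-startip 100.0.0.10
    next
    edit 2
        set startip 20.0.0.10
        set endip 20.0.0.10
        set map-startip 200.0.0.10
    next
end
"""
SESSIONS = """\
session info: proto=132 proto_state=01 duration=366 expire=3593 timeout=3600
state=log may_dirty npu f00 syn_ses complex
statistic(bytes/packets/allow_err): org=0/0/0 reply=0/0/0 tuples=2
sctp: ctx_st=3 saddr=(10.0.0.10=>100.0.0.10, 20.0.0.10=>200.0.0.10)(2) daddr=(100.0.0.100, 200.0.0.100)(2)
session info: proto=132 proto_state=00 duration=366 expire=never timeout=never
state=log npu synced complex
statistic(bytes/packets/allow_err): org=1932/23/1 reply=1932/23/1 tuples=2
"""

def parse_ip_translation(cfg):
    """Map each one-to-one startip to its map-startip from the CLI block."""
    return dict(re.findall(r"set startip (\S+)\s+set endip \S+\s+set map-startip (\S+)", cfg))

def parse_sessions(text):
    """Split `diag sys session list` output into one dict per session record."""
    sessions = []
    for line in text.splitlines():
        if line.startswith("session info:"):
            sessions.append({"flags": set(), "org_pkts": 0, "saddr": {}})
        elif line.startswith("state="):
            sessions[-1]["flags"] = set(line[len("state="):].split())
        elif line.startswith("statistic("):
            sessions[-1]["org_pkts"] = int(re.search(r"org=\d+/(\d+)/", line).group(1))
        elif line.startswith("sctp:"):  # SCTP multihoming address map after SNAT
            sessions[-1]["saddr"] = dict(re.findall(r"([\d.]+)=>([\d.]+)", line))
    return sessions

def classify(session, translation):
    """Role (synced standby = syn_ses flag and no originator packets) plus SCTP entries that disagree with the config."""
    standby = "syn_ses" in session["flags"] and session["org_pkts"] == 0
    mismatches = {s: d for s, d in session["saddr"].items() if translation.get(s) != d}
    return ("synced-standby" if standby else "local-active"), mismatches
```

Run it against the real outputs of both units: the synced copy on FGT-SEC should classify as synced-standby with no mismatches, and any non-empty mismatch dict means the ip-translation entries differ between FGT-PRI and FGT-SEC.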