Description
This article describes how to configure firewall policies for a VIP when Central NAT is enabled.
Scope
FortiGate.
Solution
When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address.
This is normal behavior due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created into the Policy & Objects -> DNAT & Virtual IPs. VIP matches for local-out traffic as well, if you want to restrict local-out traffic to do not match the VIP, it is possible to use 'srcintf-filter' .
The only thing needed is to create the VIP as usual:
Create the local ip address object and the firewall policy. In the destination field of the firewall policy, select the local IP configured into the VIP.
Starting from v6.2 there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled, CLI only (disabled by default)
config firewall policy
edit RDP
set match-vip-only enable
next
set match-vip-only enable
next
end
If it is disabled, traffic from SD-WAN to LAN with 192.168.1.60 (internal IP) or 192.168.157.162 (external IP) as the destination will be allowed.
If 'match-vip-only' is enabled the policy will be matched only if a DNAT is applied before, so only traffic from SDWAN to LAN with destination 192.168.157.162 (external IP) will match the policy. This behavior has changed starting from v6.4.3 where match-vip-only is not configurable and there are no options to change this config.
If 'match-vip-only' is enabled the policy will be matched only if a DNAT is applied before, so only traffic from SDWAN to LAN with destination 192.168.157.162 (external IP) will match the policy. This behavior has changed starting from v6.4.3 where match-vip-only is not configurable and there are no options to change this config.
