FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff

Description
This article describes how to configure firewall policies for a VIP when Central NAT is enabled.

Scope
FortiGate

Solution
When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address. This is normal behaviour due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created into the Policy & Objects -> DNAT & Virtual IPs.

The only thing needed is to create the VIP as usual:


VIP.PNG
 
Then, create the firewall policy and in the destination field, select the local IP configured into the VIP.
 
policy VIP.PNG
 

Starting from 6.2 there is a new feature 'match-vip-only' to apply to a policy when Central NAT is enabled, CLI only (disabled by default)

# config firewall policy
edit RDP
    set  match-vip-only enable
next
end
 
If it is disabled, traffic from SDWAN to LAN with 192.168.1.60 (internal IP) or 192.168.157.162 (external IP) as the destination will be allowed.
 
If 'match-vip-only' is enabled the policy will be matched only if a DNAT is applied before, so only traffic from SDWAN to LAN with destination 192.168.157.162 (external ip) will match the policy.
This behaviour has changed starting from FOS 6.4.3 where match-vip-only is not configurable and there are no options to change this config.
Contributors