FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mmaubert
Staff
Staff
Description
This article describes how to configure 'static-nat' firewall VIP objects whose external and mapped IP addresses are identical to avoid losing them when upgrading.

Solution
FortiOS 5.4 and 5.6 releases.

It is possible to create 'static-nat' type Firewall VIP objects with same external and Mapped IP using the GUI or the CLI.

From GUI.





From CLI.
# config firewall vip
(vip) show

# config firewall vip
    edit "SSH_redirect"
        set extip 10.10.10.10
        set extintf "any"
        set portforward enable
        set mappedip "10.10.10.10"
        set extport 22
        set mappedport 222
    next
end
Note.
Default value of the firewall VIP 'type' variable is 'static-nat'.

FortiOS 6.0 and 6.2 releases.

It is NOT possible to create 'static-nat' type firewall VIP objects with same external and Mapped IP using the GUI or the CLI anymore.
Creating such kind of objects using the GUI or the CLI triggers an error.

From GUI.




From CLI.
# config firewall vip
(vip) edit SSH_redirect
new entry 'SSH_redirect' added

(SSH_redirect) set extip 10.10.10.10
(SSH_redirect) set extintf any
(SSH_redirect) set mappedip 10.10.10.10
(SSH_redirect) set portforward enable
(SSH_redirect) set extintf 22
(SSH_redirect) set mappedport 222
(SSH_redirect) end
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code -8
With FortiOS 6.0 and 6.2 releases, unlike with FortiOS 5.4 and 5.6, Firewall VIP objects with same external and Mapped IP needs to be assigned a type of 'load-balance' instead of 'static-nat'.

From GUI
.




From CLI.
# config firewall vip
(vip) edit SSH_redirect
new entry 'SSH_redirect' added

(SSH_redirect) set extip 10.10.10.10
(SSH_redirect) set extintf any
(SSH_redirect) set mappedip 10.10.10.10
(SSH_redirect) set portforward enable
(SSH_redirect) set extintf 22
(SSH_redirect) set mappedport 222
(SSH_redirect) set type load-balance                <-----
(SSH_redirect) end
Note.
The difference between the 'static-nat' and 'load-balance' type is that 'load-balance' is normally used to balance traffic between different servers behind a FortiGate.
If only one-to-one DNAT mapping is used, the 'load-balance' and 'static-nat' types work similarly.


Issue when upgrading from FortiOS 5.4 / 5.6 to FortiOS 6.0 or 6.2 releases.

As mentioned earlier, with FortiOS 6.0 and 6.2 releases, Firewall VIP objects configured with the same external  and Mapped IP address need to be assigned a type of 'load-balance' instead of 'static-nat'.
A consequence of this change is that any 'static-nat' type Firewall VIP objects whose external and mapped IP addresses are identical, as well as all the Firewall Policy objects referring to them, are being lost when upgrading from a FortiOS 5.4 / 5.6 to FortiOS 6.0 or higher. If such a thing occurs, a set messages similar to the following are then displayed in the output of the “config-error-log” command (diag debug config-error-log read) for each VIP / Firewall Policy object lost.
# diag debug config-error-log read
>>>  "next" @ root.firewall.vip.SSH_redirect:failed command (error 1)
>>>  "set" "dstaddr" "SSH_redirect" @ root.firewall.policy.1:value parse error (error -3)
>>>  "next" @ root.firewall.policy.1:failed command (error 1)
Note.
The three 'config-error-log' statements above typically correspond to the following configuration setup:
# config firewall vip
    edit "SSH_redirect"
        set extip 10.10.10.10
        set extintf "any"
        set portforward enable
        set mappedip "10.10.10.10"
        set extport 22
        set mappedport 222
    next
end
# config firewall policy
    edit 1
        set name "Lan-2-DMZ"
        set srcintf "port4"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "SSH_redirect"                    <-----
        set action accept
        set schedule "always"
        set service "SSH"
        set nat enable
    next
end
To avoid losing such kind of objects during the upgrade, it is required to modify, before upgrading, the original FortiOS 5.4 / 5.6 configuration as per the below procedure.

For each 'static-nat' Firewall VIP object whose external and mapped IP addresses are identical: 

1) Remove the Firewall VIP object reference from all objects referring to it (e.g. Firewall Policy(ies)
2) Delete the Firewall VIP object.
3) Re-create the Firewall VIP object but set a type of 'load-balance' this time.
4) Put the reference of the Firewall VIP object back in all objects that were referring to it before (e.g. Firewall Policy(ies)

Based on the example above, that will give the following change:
# config firewall vip
    edit "SSH_redirect"
        set extip 10.10.10.10
        set extintf "any"
        set mappedip "10.10.10.10"
        set portforward enable
        set extport 22
        set mappedport 222
        set type load-balance                        <-----
    next
end
Below the Firewall Policy referring to the VIP.
# config firewall policy
    edit 1
        set name "Lan-2-DMZ"
        set srcintf "port4"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "SSH_redirect"                    <-----
        set action accept
        set schedule "always"
        set service "SSH"
        set nat enable
    next
end

Contributors