Description
This article describes how to configure 'static-nat' firewall VIP objects whose external and mapped IP addresses are identical to avoid losing them when upgrading.
Solution
FortiOS 5.4 and 5.6 releases.
It is possible to create 'static-nat' type Firewall VIP objects with the same external and mapped IP using the GUI or the CLI.
From GUI.
From CLI.
# config firewall vip
(vip) show
# config firewall vip
edit "SSH_redirect"
set extip 10.10.10.10
set extintf "any"
set portforward enable
set mappedip "10.10.10.10"
set extport 22
set mappedport 222
next
end
Note. Default value of the firewall VIP 'type' variable is 'static-nat'.
FortiOS 6.0 and 6.2 releases.
It is NOT possible to create 'static-nat' type firewall VIP objects with the same external and mapped IP using the GUI or the CLI anymore.
Creating such objects using the GUI or the CLI triggers an error.
From GUI.

From CLI.
# config firewall vip
(vip) edit SSH_redirect
new entry 'SSH_redirect' added
(SSH_redirect) set extip 10.10.10.10
(SSH_redirect) set extintf any
(SSH_redirect) set mappedip 10.10.10.10
(SSH_redirect) set portforward enable
(SSH_redirect) set extport 22
(SSH_redirect) set mappedport 222
(SSH_redirect) end
Static NAT's extip should be different from mappedip.
object check operator error, -8, discard the setting
Command fail. Return code -8
With FortiOS 6.0 and 6.2 releases, unlike with FortiOS 5.4 and 5.6, Firewall VIP objects with the same external and mapped IP need to be assigned a type of 'load-balance' instead of 'static-nat'.
From GUI.
From CLI.
# config firewall vip
(vip) edit SSH_redirect
new entry 'SSH_redirect' added
(SSH_redirect) set extip 10.10.10.10
(SSH_redirect) set extintf any
(SSH_redirect) set mappedip 10.10.10.10
(SSH_redirect) set portforward enable
(SSH_redirect) set extport 22
(SSH_redirect) set mappedport 222
(SSH_redirect) set type load-balance <-----
(SSH_redirect) end
Note. The difference between the 'static-nat' and 'load-balance' type is that 'load-balance' is normally used to balance traffic between different servers behind a FortiGate.
If only one-to-one DNAT mapping is used, the 'load-balance' and 'static-nat' types work similarly.
Issue when upgrading from FortiOS 5.4 / 5.6 to FortiOS 6.0 or 6.2 releases.
As mentioned earlier, with FortiOS 6.0 and 6.2 releases, Firewall VIP objects configured with the same external and mapped IP address need to be assigned a type of 'load-balance' instead of 'static-nat'.
A consequence of this change is that any 'static-nat' type Firewall VIP objects whose external and mapped IP addresses are identical, as well as all the Firewall Policy objects referring to them, are lost when upgrading from FortiOS 5.4 / 5.6 to FortiOS 6.0 or higher. If this occurs, a set of messages similar to the following is displayed in the output of the 'config-error-log' command (diag debug config-error-log read) for each VIP / Firewall Policy object lost.
# diag debug config-error-log read
>>> "next" @ root.firewall.vip.SSH_redirect:failed command (error 1)
>>> "set" "dstaddr" "SSH_redirect" @ root.firewall.policy.1:value parse error (error -3)
>>> "next" @ root.firewall.policy.1:failed command (error 1)
The three 'config-error-log' statements above typically correspond to the following configuration setup:
# config firewall vip
edit "SSH_redirect"
set extip 10.10.10.10
set extintf "any"
set portforward enable
set mappedip "10.10.10.10"
set extport 22
set mappedport 222
next
end
Below the Firewall Policy referring to the VIP.
# config firewall policy
edit 1
set name "Lan-2-DMZ"
set srcintf "port4"
set dstintf "port3"
set srcaddr "all"
set dstaddr "SSH_redirect" <-----
set action accept
set schedule "always"
set service "SSH"
set nat enable
next
end
To avoid losing such objects during the upgrade, it is required to modify, before upgrading, the original FortiOS 5.4 / 5.6 configuration as per the below procedure.
For each 'static-nat' Firewall VIP object whose external and mapped IP addresses are identical:
1) Remove the Firewall VIP object reference from all objects referring to it (e.g. Firewall Policy(ies)).
2) Delete the Firewall VIP object.
3) Re-create the Firewall VIP object but set a type of 'load-balance' this time.
4) Put the reference of the Firewall VIP object back in all objects that were referring to it before (e.g. Firewall Policy(ies)).
Based on the example above, that will give the following change:
# config firewall vip
edit "SSH_redirect"
set extip 10.10.10.10
set extintf "any"
set mappedip "10.10.10.10"
set portforward enable
set extport 22
set mappedport 222
set type load-balance <-----
next
end
# config firewall policy
edit 1
set name "Lan-2-DMZ"
set srcintf "port4"
set dstintf "port3"
set srcaddr "all"
set dstaddr "SSH_redirect" <-----
set action accept
set schedule "always"
set service "SSH"
set nat enable
next
end
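As an added example (not part of the original article or of FortiOS itself), the following Python script performs the pre-upgrade check the procedure above relies on: it parses a FortiOS configuration backup, lists the 'static-nat' VIPs whose extip equals mappedip, and shows which firewall policies reference them and would therefore be lost as well. The sample configuration text and the WEB_dnat object are constructed for the example; only the SSH_redirect object and policy 1 mirror the article.

```python
import re
# Constructed excerpt of a FortiOS 5.6 configuration backup (sample data for this example only).
SAMPLE_CONFIG = """\
config firewall vip
    edit "SSH_redirect"
        set extip 10.10.10.10
        set mappedip "10.10.10.10"
        set extport 22
        set mappedport 222
    next
    edit "WEB_dnat"
        set extip 203.0.113.10
        set mappedip "192.0.2.10"
    next
end
config firewall policy
    edit 1
        set name "Lan-2-DMZ"
        set dstaddr "SSH_redirect"
    next
end
"""

def parse_sections(text):
    # Top-level 'config <section>' blocks -> {section: {entry: {key: [values]}}}; nested blocks not handled.
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, rest = line[4:].partition(" ")
            entry[key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return sections

def upgrade_risk_report(text):
    # {vip: [policy ids using it]} for VIPs FortiOS 6.0+ rejects: static-nat (default) with extip == mappedip.
    sections, report = parse_sections(text), {}
    for name, cfg in sections.get("firewall vip", {}).items():
        static_nat = cfg.get("type", ["static-nat"])[0] == "static-nat"  # no 'set type' means static-nat
        if static_nat and cfg.get("extip") and cfg.get("extip") == cfg.get("mappedip"):
            report[name] = [pid for pid, pol in sections.get("firewall policy", {}).items()
                            if name in pol.get("dstaddr", [])]
    return report
```

Run it against a real backup by reading the file into `upgrade_risk_report`; every VIP it reports must be re-created with 'set type load-balance' before the upgrade.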