Topology of Virtual IP:
2.2.2.245 ---> 2.2.2.220(port2)FGT(port3) 3.3.3.244 ---> 3.3.3.243
Configuration of Virtual IP:
config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
    next
end
config firewall vip
    edit "port2_VIP"
        set extip 2.2.2.200
        set mappedip "3.3.3.243"
        set extintf "port2"
        set portforward enable
        set protocol icmp
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "port2_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
The FortiGate offers a function to visualize the policy engine and how a packet goes through the policy framework. The command set for this example is:
diag debug flow filter addr 2.2.2.200
diag debug enable
diag debug flow trace start 2
This reads as: show 2 packets with the address 2.2.2.200 as source or destination and how each one is evaluated. The 'trace_id=<number>' in the output identifies one packet; every line with the same trace_id belongs to the same packet.
Execute only 'diag debug flow filter' first to show the current filter, as it may still contain a filter set in an earlier troubleshooting session.
Use 'diag debug flow filter clear' to clear the filter.
Debug the flow when it is not working; with the configuration above, the working case looks like this:
id=65308 trace_id=11 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2048->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2048, seq=0."
id=65308 trace_id=11 func=init_ip_session_common line=6073 msg="allocate a new session-000128a6, tun_id=0.0.0.0"
id=65308 trace_id=11 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2048"
id=65308 trace_id=11 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2048, outdev-port2"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2048"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=11 func=fw_forward_handler line=918 msg="Allowed by Policy-1:"
If the security-mode captive portal on port2 is set up, VIP will not work:
config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set security-mode captive-portal
    next
end
Debug flow:
id=65308 trace_id=14 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2304->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2304, seq=0."
id=65308 trace_id=14 func=init_ip_session_common line=6073 msg="allocate a new session-0001294a, tun_id=0.0.0.0"
id=65308 trace_id=14 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2304"
id=65308 trace_id=14 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2304, outdev-port2"
id=65308 trace_id=14 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2304"
id=65308 trace_id=14 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=14 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
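Comparing the two traces by hand works for two packets but not for a longer capture. The following is an added helper, not from Fortinet or this page, that groups 'diag debug flow' output by trace_id and reports, per packet, the DNAT applied, the route found and the verdict of fw_forward_handler. It works whether the records are one per line or run together on a single line; the sample records are constructed from the two traces above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# One debug-flow record: key=value fields followed by a quoted msg.
RECORD_RE = re.compile(r'id=\d+\s+trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="([^"]*)"')

@dataclass
class Trace:
    trace_id: int
    dnat: Optional[str] = None     # e.g. "2.2.2.200:8->3.3.3.243:2048"
    route: Optional[str] = None    # e.g. "gw-3.3.3.243 via port3"
    verdict: Optional[str] = None  # "allowed" or "denied"
    policy: Optional[int] = None   # policy id; 0 is the implicit deny policy

def parse_debug_flow(text: str) -> Dict[int, Trace]:
    """Group debug-flow records by trace_id and pull out DNAT, route and policy verdict."""
    traces: Dict[int, Trace] = {}
    for tid, func, msg in RECORD_RE.findall(text):
        t = traces.setdefault(int(tid), Trace(int(tid)))
        if func == "__ip_session_run_tuple" and msg.startswith("DNAT "):
            t.dnat = msg[len("DNAT "):]
        elif func == "vf_ip_route_input_common":
            m = re.search(r"gw-\S+ via \S+", msg)
            t.route = m.group(0) if m else msg
        elif func == "fw_forward_handler":
            m = re.search(r"Allowed by Policy-(\d+)", msg)
            if m:
                t.verdict, t.policy = "allowed", int(m.group(1))
            else:
                m = re.search(r"Denied by .*\(policy (\d+)\)", msg)
                if m:
                    t.verdict, t.policy = "denied", int(m.group(1))
    return traces

# Constructed sample: the working trace (11) and the captive-portal trace (14).
SAMPLE = """
id=65308 trace_id=11 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2048"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2048"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=11 func=fw_forward_handler line=918 msg="Allowed by Policy-1:"
id=65308 trace_id=14 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2304"
id=65308 trace_id=14 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=14 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
"""

if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE).values():
        print(f"trace {t.trace_id}: {t.dnat} via {t.route} -> {t.verdict} (policy {t.policy})")
```

A packet that reaches DNAT and routing but ends in "denied ... policy 0" was matched by no explicit policy, which is exactly the captive-portal symptom shown above.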