Matt_B
Staff
Article Id 362148
Description This article describes the default FortiOS Destination NAT behavior when Central NAT is not in use.
Scope FortiOS.
Solution

This article assumes central NAT is disabled. For configuring Destination NAT when central NAT is enabled, see 'Central DNAT' in the Administration Guide.

FortiGate performs Destination NAT using Virtual IP and Virtual Server objects. When multiple overlapping Virtual IPs are configured, FortiGate Destination NAT matching works like firewall policy matching, but it uses hidden Destination NAT policies.

Destination NAT policies are visible in the CLI using 'diagnose firewall iprope list 100000'. See the v7.0 New Features guide 'Record Central NAT and DNAT hit count'.

diagnose firewall iprope list 100000

policy index=2 uuid_idx=669 action=accept [policy index depends on configuration order; the uuid_idx of a VIP does not change]
flag (8000100): nat pol_stats
schedule()
cos_fwd=0 cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 7 -> zone(1): 0 [this Virtual IP has a srcintf-filter applied for interface 7]
source(1): 208.91.112.0-208.91.112.255, uuid_idx=669, [source address filter is applied]
dest(1): 10.128.202.17-10.128.202.17, uuid_idx=669, [external IP of the VIP]
service(1):
[6:0x0:0/(0,65535)->(444,444)] flags:0 helper:auto [TCP port forwarding 444->443 is applied]
nat(1): flag=0 base=10.128.202.17:444 10.140.255.102-10.140.255.102(443:443) [internal IP:port of the VIP]

policy index=4294967295 uuid_idx=0 action=drop [implicit deny NAT policy]
..
<output omitted>
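The hidden policy list above can be evaluated offline to confirm which entry a given packet would hit. The following Python is an added example, not Fortinet code and not part of this article: the sample output is constructed from the layout shown above with the bracketed annotations removed, and it assumes that the left-hand zone numbers are interface indices, that a right-hand zone of 0 means any interface, and that an absent source or service entry means any source or any service.

```python
"""Parse 'diagnose firewall iprope list 100000' output and find the hidden
Destination NAT policy a packet would hit (first match, top-down, with the
implicit deny entry last). Added example; field layout of real output may
differ between FortiOS versions."""
import ipaddress
import re

# Constructed sample: one VIP policy (srcintf-filter, source filter and
# TCP 444->443 port forwarding) followed by the implicit deny policy.
SAMPLE = """\
policy index=2 uuid_idx=669 action=accept
flag (8000100): nat pol_stats
schedule()
zone(1): 7 -> zone(1): 0
source(1): 208.91.112.0-208.91.112.255, uuid_idx=669,
dest(1): 10.128.202.17-10.128.202.17, uuid_idx=669,
service(1):
[6:0x0:0/(0,65535)->(444,444)] flags:0 helper:auto
nat(1): flag=0 base=10.128.202.17:444 10.140.255.102-10.140.255.102(443:443)
policy index=4294967295 uuid_idx=0 action=drop
"""


def _ip_range(text):
    """'a.b.c.d-e.f.g.h' -> (int_low, int_high)."""
    lo, _, hi = text.partition("-")
    return (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo)))


def parse_iprope(text):
    """Return the policies in listed order as dicts; empty criteria mean 'any'."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"policy index=(\d+) uuid_idx=(\d+) action=(\w+)", line)
        if m:
            cur = {"index": int(m[1]), "uuid_idx": int(m[2]), "action": m[3],
                   "src_zones": set(), "sources": [], "dests": [],
                   "services": [], "nat": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"zone\(\d+\): ([\d ]+) ->", line)
        if m:  # assumption: left-hand numbers are ingress interface indices
            cur["src_zones"] = {int(z) for z in m[1].split()}
            continue
        m = re.match(r"(source|dest)\(\d+\): (.+)", line)
        if m:
            ranges = re.findall(r"(\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+)", m[2])
            key = "sources" if m[1] == "source" else "dests"
            cur[key].extend(_ip_range(r) for r in ranges)
            continue
        # [proto:flags:x/(sport_lo,sport_hi)->(dport_lo,dport_hi)]
        m = re.match(r"\[(\d+):0x[0-9a-f]+:\d+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]", line)
        if m:
            cur["services"].append({"proto": int(m[1]),
                                    "sport": (int(m[2]), int(m[3])),
                                    "dport": (int(m[4]), int(m[5]))})
            continue
        m = re.match(r"nat\(\d+\): flag=\d+ base=(\S+) (\S+?)-(\S+?)\((\d+):(\d+)\)", line)
        if m:
            cur["nat"] = {"base": m[1], "mapped_lo": m[2], "mapped_hi": m[3],
                          "mapped_ports": (int(m[4]), int(m[5]))}
    return policies


def find_dnat_policy(policies, src_ip, dst_ip, proto, dport, ingress_ifindex):
    """First policy whose criteria all match; the implicit deny has no
    criteria, so it catches everything that no VIP matched."""
    s = int(ipaddress.ip_address(src_ip))
    d = int(ipaddress.ip_address(dst_ip))
    for p in policies:
        zones = p["src_zones"]
        if zones and 0 not in zones and ingress_ifindex not in zones:
            continue  # srcintf-filter does not include the ingress interface
        if p["sources"] and not any(lo <= s <= hi for lo, hi in p["sources"]):
            continue  # source address filter not matched
        if p["dests"] and not any(lo <= d <= hi for lo, hi in p["dests"]):
            continue  # not the external IP of this VIP
        if p["services"] and not any(
                svc["proto"] == proto and svc["dport"][0] <= dport <= svc["dport"][1]
                for svc in p["services"]):
            continue  # external service port not matched (port forwarding)
        return p
    return None


if __name__ == "__main__":
    pols = parse_iprope(SAMPLE)
    for args in [("208.91.112.10", "10.128.202.17", 6, 444, 7),
                 ("208.91.112.10", "10.128.202.17", 6, 443, 7),
                 ("203.0.113.5", "10.128.202.17", 6, 444, 7)]:
        hit = find_dnat_policy(pols, *args)
        print(args, "->", hit["index"], hit["action"], hit["nat"])
```

Feed the script the real output of the diagnose command (annotations stripped) and the packet tuple from a failing flow to see whether the expected VIP entry or the implicit deny is the first match; a hit on the drop entry means none of the VIP criteria (ingress interface, source filter, external IP, external port) were satisfied.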


Virtual Servers and Virtual IPs share the same Destination NAT policy list. When the firewall receives the first packet in a flow, the first matching Virtual Server or Virtual IP is used for Destination NAT; firewall policies are then checked for access control.


Destination NAT policies are configured by changing the configuration and order of Virtual IP addresses and Virtual Servers.

  • In v7.0 and earlier it is not usually possible to directly configure overlapping Virtual IP objects, but it is possible to load a configuration containing such overlaps.
  • In v7.2 the overlap check is removed. Since it is much easier to configure overlapping objects, Virtual IPs should be configured and ordered so that the intended Virtual IP is matched. See the v7.2.0 New Features guide 'Remove Overlap check for VIPs'.


Configuration options affecting destination NAT policies:

  • The Virtual Server or Virtual IP must be configured on an enabled firewall policy before it is used for Destination NAT.

    [image: vip list_1.png]
    'vip1_no policy' will never be matched since it is not referenced in any firewall policy.

  • Destination NAT is checked using the configured order of Virtual IPs and Virtual Servers.

    [image: vip unintended match_1.png]

vip3 will not be matched, since vip2 is above it in the Virtual IP list and both are configured in a firewall policy. In FortiOS v7.2 and later, it is possible to re-order NAT objects using the CLI. See the article 'Virtual IP (VIP) port forwarding order of execution' for how to move Virtual IP objects.

After moving a Virtual IP or Virtual Server, historical hit counts will not be accurate because of known issue 1075113. For accurate hit count results, it is necessary to clear hit counts using 'diagnose firewall iprope clear 100000' after any virtual IP move. The hit counts issue is scheduled for fix in v7.2.11, v7.4.7, and 7.6.1.

  • External service port is checked when Port Forwarding is in use.

    [image: portforward.PNG]

Traffic will only match the Virtual IP if both the external IP and the external service port match.

  • Source IP and/or services filters are checked if configured.

    [image: Option Filters.PNG]

Where optional source address or services filters are configured, the traffic will only match the Virtual IP if it also matches the filters. If both source address and services filters are configured, traffic must match both.

  • Traffic will match based on the Source Interface(s) filter configured in CLI.
    By default, a Virtual IP will match traffic ingressing on any interface, not just the source interfaces used in firewall policies. This can cause unintended traffic drops. To restrict a Virtual IP to only match traffic that ingresses on particular interface(s), configure srcintf-filter in CLI.

    config firewall vip
        edit "vip6-restricted to wan2 and dmz"
            set extip 10.128.202.14
            set mappedip "10.140.255.106"
            set extintf "any"
            set srcintf-filter "wan2" "dmz"
        next
    end


Common misconfigurations:


  • Attempting to specify destination NAT using firewall policy. Firewall policies do not control which Virtual IP is matched, except for the fundamental requirement that the Virtual IP must be configured on some firewall policy.
  • Matching unintended Virtual Server. Virtual Servers are configured in a separate GUI section Policy & Objects > Virtual Servers but use the same policy ordering as Virtual IP addresses. They can be re-ordered in the exact same way as Virtual IPs.
  • In current FortiOS versions, a Virtual IP with the default arp-reply enabled causes the external IP to be considered a local address whether or not the Virtual IP is used in a firewall policy. While this is not related to Destination NAT, this can cause unintended drops when first configuring a Virtual IP. See 'IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4'.
  • Configuring a specific interface for the Virtual IP in the GUI does not prevent the VIP from matching on other interfaces.

    [image: DMZ VIP_1.png]

To allow the Virtual IP to only match on specific interfaces, use a 'srcintf-filter' as described earlier in this article.
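The matching rules listed under 'Configuration options affecting destination NAT policies' and the misconfigurations above can be checked against a VIP list before the configuration is pushed. The following Python is an added example, not Fortinet code and not part of this article: it models the selection rules (only VIPs referenced by an enabled firewall policy are candidates, first match in configured order wins, external port must match when port forwarding is set, optional source address filter, optional srcintf-filter) and reports VIPs that can never be selected. The VIP definitions are constructed; their names, addresses and the shadowing relationship are hypothetical, apart from the srcintf-filter example taken from the CLI block above.

```python
"""Model FortiGate Virtual IP selection for Destination NAT (central NAT off)
and lint a VIP list for entries that can never match. Added example with
constructed data; it does not read a FortiGate configuration."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Vip:
    name: str
    extip: str
    mappedip: str
    in_policy: bool = True                 # referenced by an enabled firewall policy
    proto: Optional[str] = None            # 'tcp'/'udp' when port forwarding is on
    extport: Optional[int] = None
    mappedport: Optional[int] = None
    src_filter: list = field(default_factory=list)    # CIDR strings; empty = any
    srcintf_filter: set = field(default_factory=set)  # interface names; empty = any


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int
    ingress: str   # interface the first packet arrived on


def vip_matches(vip, flow):
    if not vip.in_policy or flow.dst_ip != vip.extip:
        return False
    if vip.extport is not None and (vip.proto, vip.extport) != (flow.proto, flow.dport):
        return False
    if vip.srcintf_filter and flow.ingress not in vip.srcintf_filter:
        return False
    if vip.src_filter:
        ip = ipaddress.ip_address(flow.src_ip)
        return any(ip in ipaddress.ip_network(n) for n in vip.src_filter)
    return True


def select_vip(vips, flow):
    """First VIP in configured order that matches; None means the implicit deny."""
    return next((v for v in vips if vip_matches(v, flow)), None)


def translate(vips, flow):
    """(mapped IP, mapped port) the flow is translated to, or None."""
    v = select_vip(vips, flow)
    if v is None:
        return None
    return (v.mappedip, v.mappedport if v.mappedport is not None else flow.dport)


def _covered(inner, outer, cmp):
    """True if every element of 'inner' is covered by some element of 'outer'
    (an empty 'outer' filter means any, so it covers everything)."""
    if not outer:
        return True
    if not inner:
        return False
    return all(any(cmp(i, o) for o in outer) for i in inner)


def lint(vips):
    """Map VIP name -> reason it is never selected."""
    problems = {v.name: "not referenced by any firewall policy"
                for v in vips if not v.in_policy}
    active = [v for v in vips if v.in_policy]
    for i, later in enumerate(active):
        for earlier in active[:i]:
            if earlier.extip != later.extip:
                continue
            if earlier.extport is not None and \
                    (earlier.proto, earlier.extport) != (later.proto, later.extport):
                continue
            if not _covered(later.src_filter, earlier.src_filter,
                            lambda a, b: ipaddress.ip_network(a).subnet_of(ipaddress.ip_network(b))):
                continue
            if not _covered(later.srcintf_filter, earlier.srcintf_filter, lambda a, b: a == b):
                continue
            problems[later.name] = f"shadowed by {earlier.name}"
            break
    return problems


# Constructed VIP list in configured order (hypothetical names and addresses).
VIPS = [
    Vip("vip1_no policy", "10.128.202.11", "10.140.255.101", in_policy=False),
    Vip("vip2", "10.128.202.12", "10.140.255.102"),                            # all ports
    Vip("vip3", "10.128.202.12", "10.140.255.103", proto="tcp", extport=443, mappedport=443),
    Vip("vip4", "10.128.202.13", "10.140.255.104", proto="tcp", extport=444, mappedport=443),
    Vip("vip6-restricted", "10.128.202.14", "10.140.255.106", srcintf_filter={"wan2", "dmz"}),
]

if __name__ == "__main__":
    for name, why in lint(VIPS).items():
        print(f"{name}: {why}")
    print(translate(VIPS, Flow("198.51.100.7", "10.128.202.14", "tcp", 22, "wan1")))
```

The lint reproduces the two cases from the screenshots: a VIP on no firewall policy is never a candidate, and vip3 is reported as shadowed because vip2 sits above it with the same external IP and no narrower port, source or interface filter. The translate calls show that vip6-restricted is only selected when the flow ingresses on wan2 or dmz, which is the srcintf-filter behavior described above.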

Result:

By understanding FortiGate Destination NAT behavior and the available filtering options, an administrator can configure Virtual IPs to match the intended traffic and troubleshoot effectively when the intended Destination NAT is not chosen. For further Destination NAT troubleshooting steps, see the article 'Troubleshooting VIP (port forwarding)'.
