This article assumes central NAT is disabled. For configuring Destination NAT when central NAT is enabled, see 'Central DNAT' in the Administration Guide.
FortiGate performs Destination NAT using Virtual IP and Virtual Server objects. When multiple overlapping Virtual IPs are configured, FortiGate Destination NAT matching is similar to firewall policy matching but uses hidden Destination NAT policies.
Destination NAT policies are visible in the CLI using 'diagnose firewall iprope list 100000'. See the v7.0 New Features guide 'Record Central NAT and DNAT hit count'.
diagnose firewall iprope list 100000
policy index=2 uuid_idx=669 action=accept   [policy index depends on configuration order; the uuid_idx of a VIP does not change]
flag (8000100): nat pol_stats
schedule()
cos_fwd=0 cos_rev=0
group=00100000 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 7 -> zone(1): 0   [this Virtual IP has a srcintf-filter applied for interface 7]
source(1): 208.91.112.0-208.91.112.255, uuid_idx=669,   [source address filter is applied]
dest(1): 10.128.202.17-10.128.202.17, uuid_idx=669,   [external IP of the VIP]
service(1):
[6:0x0:0/(0,65535)->(444,444)] flags:0 helper:auto   [TCP port forwarding for 444->443 is applied]
nat(1): flag=0 base=10.128.202.17:444 10.140.255.102-10.140.255.102(443:443)   [internal IP:port of the VIP]
...
policy index=4294967295 uuid_idx=0 action=drop   [implicit deny NAT policy]
<output omitted>
Virtual Servers and Virtual IPs share the same Destination NAT policy list. When the firewall receives the first packet in a flow, the first matching Virtual Server or Virtual IP is used for Destination NAT; firewall policies are then checked for access control.
Destination NAT policies are configured by changing the configuration and order of Virtual IP addresses and Virtual Servers.
- In v7.0 and earlier it is not usually possible to directly configure overlapping Virtual IP objects, but it is possible to load configuration with such overlaps.
- In v7.2 the overlap check is removed. Since it is much easier to configure overlapping objects, Virtual IPs should be configured to ensure the intended Virtual IP is matched. See the v7.2.0 new features guide 'Remove Overlap check for VIPs'.
Configuration options affecting destination NAT policies:
- The Virtual Server or Virtual IP must be configured on an enabled firewall policy before it is used for Destination NAT.
'vip1_no policy' will never be matched since it is not referenced in any firewall policy.
- Destination NAT is checked using the configured order of Virtual IPs and Virtual Servers.
vip3 will not be matched, since vip2 is above it in the Virtual IP list and both are configured in a firewall policy. In FortiOS v7.2 and later, it is possible to re-order NAT objects using the CLI. See the article 'Virtual IP (VIP) port forwarding order of execution' for how to move Virtual IP objects.
After moving a Virtual IP or Virtual Server, historical hit counts will not be accurate because of known issue 1075113. For accurate hit count results, it is necessary to clear hit counts using 'diagnose firewall iprope clear 100000' after any virtual IP move. The hit counts issue is scheduled for fix in v7.2.11, v7.4.7, and 7.6.1.
- External service port is checked when Port Forwarding is in use.
Traffic will only match the virtual IP if the external IP and external service port match.
- Source IP and/or services filters are checked if configured.
Where optional source address or services filters are configured, the traffic will only match the virtual IP if it also matches the filters. If both source address and services filters are configured, traffic must match both.
- Traffic will match based on the Source Interface(s) filter configured in CLI.
By default, a Virtual IP will match traffic ingressing on any interface, not just the source interfaces used in firewall policies. This can cause unintended traffic drops. To restrict a Virtual IP to only match traffic that ingresses on particular interface(s), configure srcintf-filter in CLI.
config firewall vip
    edit "vip6-restricted to wan2 and dmz"
        set extip 10.128.202.14
        set mappedip "10.140.255.106"
        set extintf "any"
        set srcintf-filter "wan2" "dmz"
    next
end
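The following is an added illustrative model of how the hidden Destination NAT policy list applies the checks listed above (configured order, reference by an enabled firewall policy, external port for port forwarding, optional source address filter, and srcintf-filter). It is not FortiOS code; the VIP names, addresses and ports are constructed for the example, and vip2/vip3 reproduce the shadowing case described earlier.

```python
# Added illustrative model of FortiGate's hidden DNAT policy list; not FortiOS code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Vip:
    name: str
    extip: str
    mappedip: str
    extport: int = 0            # 0 -> no port forwarding: any destination port matches
    mappedport: int = 0
    srcintf_filter: tuple = ()  # empty -> matches ingress on ANY interface (CLI srcintf-filter)
    src_filter: tuple = ()      # CIDR strings; empty -> any source address
    in_policy: bool = False     # referenced by an enabled firewall policy


def vip_matches(vip: Vip, srcintf: str, src: str, dst: str, dport: int) -> bool:
    """Per-VIP checks from the list above. The GUI extintf is deliberately not consulted."""
    if not vip.in_policy:                          # unreferenced VIP is never used for DNAT
        return False
    if dst != vip.extip:                           # external IP must match
        return False
    if vip.extport and dport != vip.extport:       # port forwarding: external port must match
        return False
    if vip.srcintf_filter and srcintf not in vip.srcintf_filter:
        return False
    if vip.src_filter and not any(ip_address(src) in ip_network(n) for n in vip.src_filter):
        return False
    return True


def select_dnat(vips: list, srcintf: str, src: str, dst: str, dport: int):
    """First VIP in configured order wins; None models the implicit deny DNAT policy."""
    for vip in vips:
        if vip_matches(vip, srcintf, src, dst, dport):
            return vip.name, vip.mappedip, vip.mappedport or dport
    return None


# Constructed objects in configured order: vip2 shadows vip3 (same extip, both in a policy).
VIPS = [
    Vip("vip1_no_policy", "10.128.202.11", "10.140.255.101"),
    Vip("vip2", "10.128.202.12", "10.140.255.102", in_policy=True),
    Vip("vip3", "10.128.202.12", "10.140.255.103", 443, 8443, in_policy=True),
    Vip("vip6", "10.128.202.14", "10.140.255.106", srcintf_filter=("wan2", "dmz"), in_policy=True),
]
```

Swapping the order of vip2 and vip3 in the list is what makes vip3 reachable, which is the effect of moving a VIP in the CLI.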
Common misconfigurations:
- Attempting to specify destination NAT using firewall policy. Firewall policies do not control which Virtual IP is matched, except for the fundamental requirement that the Virtual IP must be configured on some firewall policy.
- Matching unintended Virtual Server. Virtual Servers are configured in a separate GUI section Policy & Objects > Virtual Servers but use the same policy ordering as Virtual IP addresses. They can be re-ordered in the exact same way as Virtual IPs.
- In current FortiOS versions, a Virtual IP with the default arp-reply enabled causes the external IP to be considered a local address whether or not the Virtual IP is used in a firewall policy. While this is not related to Destination NAT, this can cause unintended drops when first configuring a Virtual IP. See 'IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4'.
- Configuring a specific interface for the Virtual IP in GUI does not prevent the VIP from matching on other interfaces.
To allow the Virtual IP to only match on specific interfaces, use a 'srcintf-filter' as described earlier in this article.
Result:
By understanding FortiGate Destination NAT behavior and the available filtering options, an administrator can better configure Virtual IPs to match intended traffic and effectively troubleshoot when the intended Destination NAT is not chosen. For further Destination NAT troubleshooting steps, see the article 'Troubleshooting VIP (port forwarding)'.