Description
This article describes how to set up hairpin NAT through the GUI so that a client can reach a resource behind the firewall when the client sits in the same network as the target server.
In this example, the client sends its request to the public (VIP) IP address of the internal resource rather than to the server's private address, and the FortiGate translates and returns the traffic on the same interface.
Scope
FortiGate v6.4.0 and later.
Solution
Users may want to access a web page hosted on a server in the same LAN network using a VIP on the firewall. In the example below, the VIP maps the public address 14.14.46.152:443 to the internal server 10.146.15.199:443, and both the client (10.146.14.19) and the server are reached through port3. Configure a firewall policy as follows:
Go to Policy & Objects -> Firewall Policy -> Create New.
Incoming Interface: The LAN interface through which the client is reachable (port3).
Outgoing Interface: The LAN interface through which the server is reachable (port3). If the server resides behind a different interface, use that interface instead.
Source: The LAN subnet or host.
Destination: The VIP object. The VIP's external interface must be set to any, or to the LAN interface, so that the DNAT also matches traffic arriving on port3.
Action: ACCEPT.
NAT: Enable. With source NAT the server sees the connection as coming from the firewall's port3 address and sends its replies back through the firewall, which undoes the DNAT. Without it, the server would reply directly to the client on the LAN from 10.146.15.199, the client would receive a reply from an address it never contacted, and the connection would fail.
Security Profiles: Apply as per requirements.
Troubleshooting:
Apply a flow filter on the client and VIP addresses and start the trace to check how the packet is processed:
diagnose debug flow filter saddr 10.146.14.19
diagnose debug flow filter daddr 14.14.46.152
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable
Then access the server from the client. In this scenario, a site is hosted at https://14.14.46.152:443. A working hairpin flow shows, in order, the DNAT to the server's real address, a route back out of the same interface (port3), a matching firewall policy, and the SNAT to the firewall's port3 address:
id=65308 trace_id=628 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 10.146.14.19:54049->14.14.46.152:443) tun_id=0.0.0.0 from port3. flag [S], seq 300068082, ack 0, win 64240"
id=65308 trace_id=628 func=init_ip_session_common line=6028 msg="allocate a new session-00cec3d3, tun_id=0.0.0.0"
id=65308 trace_id=628 func=iprope_dnat_check line=5303 msg="in-[port3], out-[]"
id=65308 trace_id=628 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=628 func=__iprope_check_one_dnat_policy line=5168 msg="checking gnum-100000 policy-1"
id=65308 trace_id=628 func=get_new_addr line=1239 msg="find DNAT: IP-10.146.15.199, port-443"
id=65308 trace_id=628 func=__iprope_check_one_dnat_policy line=5258 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=65308 trace_id=628 func=iprope_dnat_check line=5315 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=65308 trace_id=628 func=fw_pre_route_handler line=184 msg="VIP-10.146.15.199:443, outdev-unknown"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3435 msg="DNAT 14.14.46.152:443->10.146.15.199:443"
id=65308 trace_id=628 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=628 func=iprope_fwd_check line=794 msg="in-[port3], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=628 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=3"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-100004 policy-2, ret-matched, act-accept"
id=65308 trace_id=628 func=__iprope_user_identity_check line=1833 msg="ret-matched"
id=65308 trace_id=628 func=__iprope_check line=2307 msg="gnum-4e21, check-00000000be4a65b6"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2059 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
id=65308 trace_id=628 func=__iprope_check line=2324 msg="gnum-4e21 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=628 func=__iprope_check_one_policy line=2277 msg="policy-2 is matched, act-accept"
id=65308 trace_id=628 func=iprope_fwd_check line=831 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=628 func=iprope_fwd_auth_check line=850 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-2"
id=65308 trace_id=628 func=fw_forward_handler line=1000 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=628 func=ip_session_confirm_final line=3087 msg="npu_state=0x101, hook=4"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3422 msg="SNAT 10.146.14.19->10.146.2.239:54049"
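The trace above is easy to misread when several sessions are interleaved. The following script, an added example that is not part of the Fortinet article, parses a diagnose debug flow capture per trace_id and checks the four things a hairpin flow needs: DNAT applied, same ingress and egress interface, an accepting policy, and SNAT. The first sample is a subset of the trace lines shown above; the second is a constructed variant of the same flow in which the policy was created without NAT, so the verdict line carries no SNAT and no SNAT line follows. The message formats matched by the regular expressions are those visible on this page; anything else (such as the "Denied by forward policy check" message) is an assumption about other FortiOS output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the trace lines from the article above (client 10.146.14.19 -> VIP 14.14.46.152:443).
HAIRPIN_TRACE = """\
id=65308 trace_id=628 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 10.146.14.19:54049->14.14.46.152:443) tun_id=0.0.0.0 from port3. flag [S], seq 300068082, ack 0, win 64240"
id=65308 trace_id=628 func=iprope_dnat_check line=5303 msg="in-[port3], out-[]"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3435 msg="DNAT 14.14.46.152:443->10.146.15.199:443"
id=65308 trace_id=628 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=628 func=iprope_fwd_check line=794 msg="in-[port3], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=628 func=fw_forward_handler line=1000 msg="Allowed by Policy-2: SNAT"
id=65308 trace_id=628 func=__ip_session_run_tuple line=3422 msg="SNAT 10.146.14.19->10.146.2.239:54049"
"""

# Constructed sample: same flow, but the policy has NAT disabled, so no SNAT is applied.
NO_SNAT_TRACE = """\
id=65308 trace_id=629 func=print_pkt_detail line=5842 msg="vd-root:0 received a packet(proto=6, 10.146.14.19:54050->14.14.46.152:443) tun_id=0.0.0.0 from port3. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=629 func=__ip_session_run_tuple line=3435 msg="DNAT 14.14.46.152:443->10.146.15.199:443"
id=65308 trace_id=629 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=629 func=iprope_fwd_check line=794 msg="in-[port3], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
id=65308 trace_id=629 func=fw_forward_handler line=1000 msg="Allowed by Policy-2:"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).*? from ([^\s.]+)\.")
DNAT_RE = re.compile(r'msg="DNAT [\d.]+:\d+->([\d.]+):(\d+)"')
FWD_RE = re.compile(r'msg="in-\[([^\]]*)\], out-\[([^\]]*)\]')
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by forward policy check")  # assumed message for a policy miss
SNAT_RE = re.compile(r'msg="SNAT ([\d.]+)->([\d.]+):(\d+)"')


@dataclass
class Flow:
    trace_id: str
    src: Optional[str] = None       # client ip:port from the first packet line
    dst: Optional[str] = None       # original destination (the VIP address)
    in_intf: Optional[str] = None   # ingress interface from "from portX."
    dnat_to: Optional[str] = None   # translated destination, if a VIP matched
    out_intf: Optional[str] = None  # egress interface from the last in-[..], out-[..] line
    policy_id: Optional[str] = None
    snat_to: Optional[str] = None
    denied: bool = False


def parse_trace(text: str) -> Dict[str, Flow]:
    """Group trace lines by trace_id and pull out the NAT, routing and policy decisions."""
    flows: Dict[str, Flow] = {}
    for line in text.splitlines():
        t = TRACE_RE.search(line)
        if not t:
            continue
        f = flows.setdefault(t.group(1), Flow(t.group(1)))
        if m := PKT_RE.search(line):
            f.src, f.dst, f.in_intf = f"{m[2]}:{m[3]}", f"{m[4]}:{m[5]}", m[6]
        elif m := DNAT_RE.search(line):
            f.dnat_to = f"{m[1]}:{m[2]}"
        elif m := FWD_RE.search(line):
            # The pre-routing DNAT check logs out-[]; the forward check after routing logs the real egress.
            f.out_intf = m[2] or f.out_intf
        elif m := ALLOW_RE.search(line):
            f.policy_id = m[1]
        elif DENY_RE.search(line):
            f.denied = True
        elif m := SNAT_RE.search(line):
            f.snat_to = f"{m[2]}:{m[3]}"
    return flows


def check_hairpin(f: Flow) -> List[str]:
    """Return the problems found for one flow; an empty list means the hairpin NAT is sound."""
    problems: List[str] = []
    if f.dnat_to is None:
        problems.append("no DNAT applied: the VIP did not match (check extip/extport and the VIP external interface)")
    if f.denied or f.policy_id is None:
        problems.append("no firewall policy accepted the translated flow (check interfaces, source and VIP object)")
    if f.in_intf and f.out_intf and f.in_intf == f.out_intf and f.snat_to is None:
        problems.append(
            f"hairpin on {f.in_intf} without SNAT: the server would reply straight to {f.src} "
            "from its real address and the client would discard it; enable NAT on the policy"
        )
    return problems


if __name__ == "__main__":
    for sample in (HAIRPIN_TRACE, NO_SNAT_TRACE):
        for tid, flow in parse_trace(sample).items():
            verdict = check_hairpin(flow) or ["OK: DNAT, same-interface route, policy match and SNAT all present"]
            print(f"trace {tid}: {flow.src} -> {flow.dst} (DNAT {flow.dnat_to}, policy {flow.policy_id}, SNAT {flow.snat_to})")
            for p in verdict:
                print("  -", p)
```

Paste a full capture into HAIRPIN_TRACE, or read it from a file, to check a real flow; the parser keys on trace_id, so a capture containing several sessions is reported one flow at a time. The "without SNAT" finding is the one to look for first when the GUI policy exists but the site still does not load from the LAN.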
Copyright 2025 Fortinet, Inc. All Rights Reserved.