FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Keerthi_A
Staff
Article Id 265748
Description

This article describes how to make one specific source IP reach one VIP while every other source IP is mapped to a different VIP, with both VIPs sharing the same external IP.

Scope

FortiGate.
Solution

IP scheme used in this example:

 

VIP1:

External IP: 10.1.1.2

Mapped IPv4 address: 10.177.6.18

Source address filter: 10.170.7.232/32

 

VIP2:

External IP: 10.1.1.2

Mapped IPv4 address: 10.177.6.19

Source address filter: none

 

Configure VIP1 as below, with the source address 10.170.7.232/32 set under the optional filters:

 

[Screenshot: VIP1 with external IP 10.1.1.2, mapped IP 10.177.6.18 and source address filter 10.170.7.232/32]

 

Configure VIP2 as below, with the same external IP and no optional filters:

 

[Screenshot: VIP2 with external IP 10.1.1.2 and mapped IP 10.177.6.19, no optional filters]


The source address filter can also be set from the CLI with src-filter; more than one entry (address, range or subnet) can be given, separated by spaces:

CLI:

config firewall vip
    edit "VIP1"
        set extip 10.1.1.2
        set extintf "any"
        set mappedip "10.177.6.18"
        set src-filter "10.170.7.232/32"    <-- source address filter
    next
end

Important Note: VIPs are evaluated in list order and the first match wins. Because both VIPs share the external IP 10.1.1.2, the VIP with the source IP filter must be above the unfiltered VIP; if VIP2 is listed first it matches every source, including 10.170.7.232, and VIP1 is never used. Note also that the source filter only decides which VIP performs the DNAT; it does not block other sources from reaching 10.1.1.2 (they simply match VIP2). To restrict access, set the source addresses on the firewall policy, as in the related article below.

 

If the VIP entries already exist, reorder them from the CLI with:

config firewall vip
    move <VIP NAME> before|after <VIP NAME>
end

 

Configure one firewall policy per VIP, with the VIP object as the destination address (policies 7 and 8 in the verification below):

 

[Screenshot: firewall policies, one with VIP1 and one with VIP2 as destination address]
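The complete CLI configuration for this example, added here as a worked example rather than transcribed from the article's screenshots. The ingress interface name "port1", the policy names and the use of policy IDs 7 and 8 are assumptions; port3 as the egress interface matches the route seen in the debug flow below.

```text
config firewall vip
    edit "VIP1"
        set extip 10.1.1.2
        set extintf "any"
        set mappedip "10.177.6.18"
        set src-filter "10.170.7.232/32"
    next
    edit "VIP2"
        set extip 10.1.1.2
        set extintf "any"
        set mappedip "10.177.6.19"
    next
    move "VIP1" before "VIP2"
end

config firewall policy
    edit 7
        set name "to-VIP1"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 8
        set name "to-VIP2"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The move command is harmless if VIP1 is already first, so it is safe to keep in a scripted rollout. After applying, confirm the order with "show firewall vip": VIP1 must appear before VIP2.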

 

Verification:

When accessing from the filtered source IP (10.170.7.232), the debug flow shows DNAT to 10.177.6.18 and a match on the VIP1 policy:

 

Debug flow:


id=65308 trace_id=31 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.7.232:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=31."

id=65308 trace_id=31 func=init_ip_session_common line=6047 msg="allocate a new session-0000816d, tun_id=10.5.23.225"

id=65308 trace_id=31 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.18, port-0(fixed port)"

id=65308 trace_id=31 func=fw_pre_route_handler line=185 msg="VIP-10.177.6.18:1, outdev-unknown"

id=65308 trace_id=31 func=__ip_session_run_tuple line=3448 msg="DNAT 10.1.1.2:8->10.177.6.18:1"

id=65308 trace_id=31 func=__vf_ip_route_input_rcu line=1994 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"

id=65308 trace_id=31 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=37, len=3"

id=65308 trace_id=31 func=fw_forward_handler line=1009 msg="Allowed by Policy-7:"

When accessing from any source IP other than 10.170.7.232 (here 10.170.6.18), the debug flow shows DNAT to 10.177.6.19 and a match on the VIP2 policy:

 

Debug flow:

 

id=65308 trace_id=33 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.6.18:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=17."

id=65308 trace_id=33 func=init_ip_session_common line=6047 msg="allocate a new session-000096c9, tun_id=10.5.23.225"

id=65308 trace_id=33 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.19, port-0(fixed port)"

id=65308 trace_id=33 func=fw_pre_route_handler line=185 msg="VIP-10.177.6.19:1, outdev-unknown"

id=65308 trace_id=33 func=__ip_session_run_tuple line=3448 msg="DNAT 10.1.1.2:8->10.177.6.19:1"

id=65308 trace_id=33 func=__vf_ip_route_input_rcu line=1994 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"

id=65308 trace_id=33 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=37, len=3"

id=65308 trace_id=33 func=fw_forward_handler line=1009 msg="Allowed by Policy-8:"
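To check a larger debug-flow capture without reading it line by line, the following added example (not part of the article) parses the output per trace_id, models the first-match VIP selection described above, and flags any source that was DNATed to the wrong mapped IP. The sample lines are constructed from the two traces shown in this article; the list of VIPs and the parsing field names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample (not a real capture): the two traces shown in this
# article, trimmed to the lines the parser reads. A real capture has more.
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=31 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.7.232:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=31."
id=65308 trace_id=31 func=init_ip_session_common line=6047 msg="allocate a new session-0000816d, tun_id=10.5.23.225"
id=65308 trace_id=31 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.18, port-0(fixed port)"
id=65308 trace_id=31 func=__ip_session_run_tuple line=3448 msg="DNAT 10.1.1.2:8->10.177.6.18:1"
id=65308 trace_id=31 func=fw_forward_handler line=1009 msg="Allowed by Policy-7:"
id=65308 trace_id=33 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.6.18:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=17."
id=65308 trace_id=33 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.19, port-0(fixed port)"
id=65308 trace_id=33 func=fw_forward_handler line=1009 msg="Allowed by Policy-8:"
"""

# Ordered VIP list for extip 10.1.1.2 as (name, src-filter entries or None, mapped IP).
# The filtered VIP sits first, as the article requires (assumed names).
VIPS_ORDERED = [
    ("VIP1", ["10.170.7.232/32"], "10.177.6.18"),
    ("VIP2", None, "10.177.6.19"),
]

TRACE_RE = re.compile(r"\btrace_id=(\d+)\b")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")
DNAT_RE = re.compile(r"find DNAT: IP-([\d.]+)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"Denied by")


def select_vip(src, vips):
    """Model FortiOS first-match VIP selection for one external IP: walk the
    VIP list in order; a VIP without a src-filter matches every source."""
    addr = ipaddress.ip_address(src)
    for name, src_filter, mapped in vips:
        if src_filter is None or any(
            addr in ipaddress.ip_network(net, strict=False) for net in src_filter
        ):
            return name, mapped
    return None, None


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and extract the source/destination,
    the DNAT target chosen by the VIP lookup and the policy that accepted it."""
    traces = {}
    for line in text.splitlines():
        tid = TRACE_RE.search(line)
        if not tid:
            continue
        t = traces.setdefault(
            int(tid.group(1)),
            {"proto": None, "src": None, "dst": None, "dnat": None, "policy": None, "denied": False},
        )
        pkt = PKT_RE.search(line)
        if pkt:
            t["proto"], t["src"], t["dst"] = int(pkt.group(1)), pkt.group(2), pkt.group(4)
            continue
        dnat = DNAT_RE.search(line)
        if dnat:
            t["dnat"] = dnat.group(1)
            continue
        allow = ALLOW_RE.search(line)
        if allow:
            t["policy"] = int(allow.group(1))
        elif DENY_RE.search(line):
            t["denied"] = True
    return traces


def check_vip_selection(traces, vips):
    """Compare the observed DNAT of every trace against the modelled VIP order.
    Returns (trace_id, src, expected_vip, expected_mapped, observed_dnat, ok)."""
    results = []
    for tid, t in sorted(traces.items()):
        if t["src"] is None:
            continue  # trace without a packet header line; nothing to compare
        name, expected = select_vip(t["src"], vips)
        ok = expected == t["dnat"] and not t["denied"]
        results.append((tid, t["src"], name, expected, t["dnat"], ok))
    return results


if __name__ == "__main__":
    for tid, src, name, expected, observed, ok in check_vip_selection(
        parse_debug_flow(SAMPLE_DEBUG_FLOW), VIPS_ORDERED
    ):
        state = "OK" if ok else "MISMATCH"
        print(f"trace {tid}: {src} -> {name} ({expected}), observed DNAT {observed}: {state}")
```

Feeding the same traces against the reversed VIP list reproduces the ordering mistake from the Important Note: the model then expects 10.170.7.232 to land on VIP2, so a capture taken from a correctly ordered firewall shows a mismatch, and vice versa.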

 

Troubleshooting:

To capture a debug flow like the ones above, run the following (x.x.x.x is the source IP from which the VIP is accessed; 255 is the number of packets to trace):

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x
diagnose debug flow trace start 255
diagnose debug enable

Once traffic is initiated and the issue is reproduced, stop the debug with:

diagnose debug disable
diagnose debug reset


Related article:

Technical Tip: Limiting VIP access from specific sources.