FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
chaithrar
Staff
Staff
Description
This article describes IP pool behavior.

Solution
IP Pools is a mechanism that allows sessions leaving the FortiGate Firewall to use NAT.
An IP Pool defines a single IP address or a range of IP addresses to be used as the source address for the duration of the session.
These assigned addresses will be used instead of the IP address assigned to that FortiGate interface.

IP Pools once configured, even never being explicitly used firewall policy, FortiGate assumed the configured IP Pools address as local address, and will not forward the traffic according to routing table.
Unlike firewall address object, that will only take effect when it is explicitly selected in firewall policy.

In the case that the next hop device IP, or destination IP that shall be allowed by firewall policy, being mistakenly configured as IP Pool, traffic will be terminated in FortiGate.
id=20085 trace_id=381 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=6, 10.116.1.177:60192->52.52.208.2:443) from port2. flag [S], seq 3608362859, ack 0, win 65340"
id=20085 trace_id=381 func=init_ip_session_common line=5534 msg="allocate a new session-00056c55"
id=20085 trace_id=381 func=vf_ip_route_input_common line=2574 msg="find a route: flag=04000000 gw-10.47.3.254 via port1"
id=20085 trace_id=381 func=fw_forward_handler line=743 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=381 func=__ip_session_run_tuple line=3282 msg="SNAT 10.116.1.177->10.47.1.85:60192"
Snippet of debug flow above shows host 10.116.1.177 was trying to accessing to 52.52.208.2 on port 443.
The access has been allowed by firewall policyid#1 and host 10.116.1.177 gets translated to egress interface IP 10.47.1.85.

When 52.52.208.2 is being configured as IP Pool, and not being used in any firewall policy
Alza-kvm55 (root) # diag firewall iplist list
list iplist info:(vf=root)
one IPlist entry:

dev=0 devname= type=1 used=1 ip range=52.52.208.2-52.52.208.2

Access to 52.52.208.2 will be terminated in FortiGate.
id=20085 trace_id=581 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=6, 10.116.1.177:60325->52.52.208.2:443) from port2. flag [S], seq 1295495056, ack 0, win 65340"
id=20085 trace_id=581 func=init_ip_session_common line=5534 msg="allocate a new session-0005737a"
id=20085 trace_id=581 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-52.52.208.2 via root"
id=20085 trace_id=581 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
To avoid any destination IP being false-positively dropped by FortiGate, any unused IP Pool has to be removed from FortiGate configuration.
Most of the time, IP Pool addresses are within the same subnet of the FortiGate interface IP.
If IP Pool addresses and FortiGate interface IP are from different subnet range, then the next hop unit has to be able to re-route IP Pool addresses back to FortiGate.


Contributors