Created on 04-11-2023 05:18 AM Edited on 04-14-2023 04:35 AM By Jean-Philippe_P
Description
This article describes how to implement a virtual IP (VIP) from a secondary IP address in FortiGate.
Scope
FortiGate.
Solution
Consider the following network scenario: a client on the port3 (wan) side attempts to reach a server at 192.168.30.2 behind the FortiGate's port4. Instead of using the primary IP of port3 (10.1.2.1) as the VIP external address, a secondary IP (10.1.2.3) configured on the same interface is used.
# show system interface port3
config system interface
    edit "port3"
        set vdom "root"
        set ip 10.1.2.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set alias "wan"
        set snmp-index 3
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.3 255.255.255.0 <-- Secondary IP used as the VIP external address
                set allowaccess https ssh snmp http fgfm
            next
        end
    next
end
config firewall vip
    edit "VIP"
        set uuid ba3ee4a4-cb0e-51ed-d1d3-0b224dab3ae6
        set extip 10.1.2.3 <-- The secondary IP, not the interface's primary IP
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end
config firewall policy
    edit 3
        set name "VIP"
        set uuid 7e9392ea-cb10-51ed-9709-57f6c793d368
        set srcintf "port3" <-- Incoming interface
        set dstintf "port4" <-- Outgoing interface to server
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
    next
end
Debug flow trace for the client's ping to 10.1.2.3. The DNAT (VIP) lookup runs before routing and matches the VIP (vip=1), rewriting the destination to 192.168.30.2 (for ICMP, the echo request type 8 appears in the port position of the DNAT line); a route lookup then selects port4, and the forward policy check matches policy 3:
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_tree_check line=820 msg="len=1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5138 msg="checking gnum-100000 policy-1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5285 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
2023-04-11 04:32:16 id=65308 trace_id=80 func=fw_pre_route_handler line=180 msg="VIP-192.168.30.2:5376, outdev-port3"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_tree_check line=520 msg="gnum-100004, use int hash, slot=46, len=2"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2055 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_user_identity_check line=1830 msg="ret-matched"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
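As an added example (not part of the original article and not Fortinet code), the following Python script parses debug flow output of the kind shown above, groups it by trace_id, and checks the DNAT, interfaces and matched policy against the VIP and policy configured on this page. The sample input is the article's own trace; the function names and the check logic are this example's assumptions, not a FortiOS API.

```python
import re
from collections import defaultdict

# Sample input: the debug flow lines from this article (trace_id=80), trimmed to the
# lines the parser uses. A real run would be fed the full output of
# "diagnose debug flow trace start".
SAMPLE_TRACE = """\
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
DNAT_RE = re.compile(r'^DNAT (\S+):(\d+)->(\S+):(\d+)$')
VIP_RE = re.compile(r'matched policy-(\d+), act=(\w+), vip=(\d+)')
ROUTE_RE = re.compile(r'via (\S+)$')
FWD_RE = re.compile(r'^in-\[(\w+)\], out-\[(\w+)\]')
POLICY_RE = re.compile(r'^policy-(\d+) is matched, act-(\w+)$')


def parse_debug_flow(text):
    """Group debug flow lines by trace_id and extract the DNAT, route and policy facts."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces[tid]
        if func == "__iprope_check_one_dnat_policy" and (d := VIP_RE.search(msg)):
            # The DNAT (VIP) lookup runs before routing; vip=1 means a VIP object matched.
            t["vip_policy"] = int(d[1])
            t["vip_matched"] = d[3] == "1"
        elif func == "__ip_session_run_tuple" and (d := DNAT_RE.match(msg)):
            # For ICMP the "port" after the external IP is the ICMP type (8 = echo request).
            t["dnat"] = {"ext_ip": d[1], "ext_port": int(d[2]),
                         "mapped_ip": d[3], "mapped_port": int(d[4])}
        elif func == "__vf_ip_route_input_rcu" and (d := ROUTE_RE.search(msg)):
            t["route_intf"] = d[1]
        elif func == "iprope_fwd_check" and (d := FWD_RE.match(msg)):
            t["in_intf"], t["out_intf"] = d[1], d[2]
        elif func == "__iprope_check_one_policy" and (d := POLICY_RE.match(msg)):
            t["policy"] = int(d[1])
            t["action"] = d[2]
    return dict(traces)


def check_vip_trace(trace, extip, mappedip, extintf, dstintf, policy_id):
    """Compare one parsed trace with the expected VIP and policy; return a list of problems."""
    problems = []
    dnat = trace.get("dnat")
    if not trace.get("vip_matched") or dnat is None:
        problems.append("no VIP matched: traffic to the external IP was not DNATed")
    else:
        if dnat["ext_ip"] != extip:
            problems.append(f"DNAT external IP {dnat['ext_ip']} differs from VIP extip {extip}")
        if dnat["mapped_ip"] != mappedip:
            problems.append(f"DNAT target {dnat['mapped_ip']} differs from VIP mappedip {mappedip}")
    if trace.get("in_intf") != extintf:
        problems.append(f"ingress interface {trace.get('in_intf')} is not the VIP extintf {extintf}")
    if trace.get("out_intf") != dstintf:
        problems.append(f"egress interface {trace.get('out_intf')} is not the expected {dstintf}")
    if trace.get("action") != "accept":
        problems.append(f"forward policy did not accept (action={trace.get('action')})")
    elif trace.get("policy") != policy_id:
        problems.append(f"accepted by policy {trace.get('policy')}, expected policy {policy_id}")
    return problems


if __name__ == "__main__":
    # Values below are the VIP and policy from this article.
    for tid, trace in parse_debug_flow(SAMPLE_TRACE).items():
        issues = check_vip_trace(trace, "10.1.2.3", "192.168.30.2", "port3", "port4", 3)
        print(f"trace {tid}: {trace}")
        print("OK" if not issues else "\n".join(issues))
```

The check deliberately fails when the trace shows an accept by a policy other than the one intended for the VIP: a flow that is accepted, but by a broader policy than expected, is exactly the kind of result a quick glance at "act-accept" would miss.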
A successful ping from the client to the VIP address. The reply comes from the server behind the VIP, not from the FortiGate itself: the secondary IP's allowaccess does not include ping, and the trace above shows the echo request being DNATed to 192.168.30.2 and accepted by policy 3 (service ALL):
PING 10.1.2.3 (10.1.2.3): 56 data bytes
64 bytes from 10.1.2.3: icmp_seq=0 ttl=127 time=2.9 ms
64 bytes from 10.1.2.3: icmp_seq=1 ttl=127 time=1.4 ms
Conclusion:
As long as the secondary IP address is configured on the external interface and is reachable from the client, a VIP on a secondary IP is configured exactly like one on the primary IP: set extip to the secondary address, set extintf to that interface, and reference the VIP as dstaddr in a firewall policy from the external to the internal interface. The policy shown here accepts srcaddr all and service ALL to keep the example simple; in production, restrict the service (or use VIP port forwarding) and the source addresses to what the server actually needs, since every service the policy permits is now exposed on the secondary IP.
Related documents:
Technical Tip: Virtual IP (VIP) port forwarding co... - Fortinet Community
Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community