iskandar_lie
Staff
Article Id 251991

Description

 

This article describes how to implement a virtual IP (VIP) from a secondary IP address in FortiGate.

 

Scope

 

FortiGate.

 

Solution

 

Consider the following network scenario, where a client is attempting to reach a server behind the FortiGate. Instead of the interface's primary IP, a secondary IP on the external interface is used as the VIP external address.

 

[Diagram: VIP 2ndary IP.PNG]

 

show system interface port3
config system interface
    edit "port3"
        set vdom "root"
        set ip 10.1.2.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set alias "wan"
        set snmp-index 3
        set secondary-IP enable
            config secondaryip
                edit 1
                    set ip 10.1.2.3 255.255.255.0    <-- The secondary IP used as the VIP external address.
                    set allowaccess https ssh snmp http fgfm
                next
            end
    next
end

 

config firewall vip
    edit "VIP"
        set uuid ba3ee4a4-cb0e-51ed-d1d3-0b224dab3ae6
        set extip 10.1.2.3
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end

 

config firewall policy
    edit 3
        set name "VIP"
        set uuid 7e9392ea-cb10-51ed-9709-57f6c793d368
        set srcintf "port3"   <-- Incoming interface.
        set dstintf "port4"   <-- Outgoing interface to the server.
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
    next
end
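The three configuration blocks above have to agree with each other: the VIP's extip must be on-link for extintf (the primary or a secondary subnet), and a policy from that interface must reference the VIP as its destination. The following Python script is an added example, not part of this article or of FortiOS, that parses a FortiOS-style CLI dump into nested dicts and checks those two relationships. The sample configuration embedded in it is constructed to mirror the article's settings; the parser only understands the config/edit/set/next/end keywords and ignores the "<--" annotations used in this article.

```python
import ipaddress
import shlex

# Constructed sample mirroring the article's configuration (assumed, not pulled
# from a device); "<-- ..." annotations as used in the article are ignored.
SAMPLE_CONFIG = """
config system interface
    edit "port3"
        set ip 10.1.2.1 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.3 255.255.255.0    <-- A VIP address.
            next
        end
    next
end
config firewall vip
    edit "VIP"
        set extip 10.1.2.3
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end
config firewall policy
    edit 3
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    Tables ("config ...") and entries ("edit ...") become dicts; each "set"
    stores its values as a list, so "set ip A M" -> {"ip": ["A", "M"]}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("<--", 1)[0])  # drop trailing annotations
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def interface_networks(cfg, ifname):
    """Return the primary and all secondary subnets configured on an interface."""
    iface = cfg["system interface"][ifname]
    entries = [iface] + list(iface.get("secondaryip", {}).values())
    # "ip" holds [address, netmask]; ipaddress accepts "addr/netmask" directly.
    return [ipaddress.ip_interface("/".join(e["ip"])).network for e in entries if "ip" in e]


def check_vip(cfg, vip_name):
    """Check that the VIP's external IP is on-link for its external interface and
    that an accept policy from that interface uses the VIP as destination."""
    vip = cfg["firewall vip"][vip_name]
    extip = ipaddress.ip_address(vip["extip"][0])
    extintf = vip["extintf"][0]
    on_link = any(extip in net for net in interface_networks(cfg, extintf))
    policies = [
        pid for pid, pol in cfg.get("firewall policy", {}).items()
        if extintf in pol.get("srcintf", [])
        and vip_name in pol.get("dstaddr", [])
        and pol.get("action", ["deny"])[0] == "accept"
    ]
    return {
        "extip": str(extip),
        "mappedip": vip["mappedip"][0],
        "extintf": extintf,
        "extip_on_link": on_link,
        "policies": policies,
    }


if __name__ == "__main__":
    print(check_vip(parse_fortios(SAMPLE_CONFIG), "VIP"))
```

Run it against a `show` dump saved from the CLI by replacing SAMPLE_CONFIG with the file contents; an empty `policies` list or `extip_on_link: False` points at the block that needs fixing before looking at the debug flow.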

 

Debug flow trace results:

 

2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_tree_check line=820 msg="len=1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5138 msg="checking gnum-100000 policy-1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5285 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
2023-04-11 04:32:16 id=65308 trace_id=80 func=fw_pre_route_handler line=180 msg="VIP-192.168.30.2:5376, outdev-port3"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_tree_check line=520 msg="gnum-100004, use int hash, slot=46, len=2"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2055 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_user_identity_check line=1830 msg="ret-matched"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
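The trace above shows the four facts worth confirming for a VIP: the packet arrived on port3, the DNAT rewrote 10.1.2.3 to 192.168.30.2, the route lookup chose port4, and firewall policy 3 accepted it. The following Python script is an added example, not part of this article or of FortiOS, that extracts those facts from debug-flow output and compares them against the intended design. The embedded trace is a trimmed excerpt of the lines shown above; the regular expressions assume the `func=... line=... msg="..."` layout seen in this article.

```python
import re

# Excerpt of the article's debug flow trace, trimmed to the lines the check uses.
# A real capture comes from "diagnose debug flow" on the FortiGate.
TRACE = """\
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
"""

# Layout assumed from the article's trace lines: func=<name> line=<n> msg="<text>"
EVENT_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
INGRESS_RE = re.compile(r"in-\[(?P<intf>[^\]]*)\], out-\[\]")
DNAT_RE = re.compile(r"DNAT (?P<ext>[\d.]+):\d+->(?P<mapped>[\d.]+):\d+")
ROUTE_RE = re.compile(r"find a route: .* via (?P<intf>\S+)")
POLICY_RE = re.compile(r"policy-(?P<pid>\d+) is matched, act-(?P<act>\w+)")


def summarize_trace(text):
    """Reduce a debug-flow trace to the facts that matter for a VIP check."""
    summary = {"in_intf": None, "dnat": None, "out_intf": None, "policy": None, "action": None}
    for line in text.splitlines():
        event = EVENT_RE.search(line)
        if not event:
            continue
        msg = event["msg"]
        if (m := INGRESS_RE.search(msg)) and summary["in_intf"] is None:
            summary["in_intf"] = m["intf"]          # first "in-[x], out-[]" is the ingress
        elif (m := DNAT_RE.search(msg)):
            summary["dnat"] = (m["ext"], m["mapped"])  # (VIP external IP, mapped IP)
        elif (m := ROUTE_RE.search(msg)):
            summary["out_intf"] = m["intf"]         # egress chosen by the route lookup
        elif (m := POLICY_RE.search(msg)):
            summary["policy"], summary["action"] = m["pid"], m["act"]
    return summary


def verify_vip_flow(summary, extip, mappedip, extintf, server_intf, policy_id):
    """Compare the trace with the intended VIP design; return findings (empty list = OK)."""
    findings = []
    if summary["in_intf"] != extintf:
        findings.append(f"ingress interface {summary['in_intf']}, expected {extintf}")
    if summary["dnat"] != (extip, mappedip):
        findings.append(f"DNAT {summary['dnat']}, expected ({extip}, {mappedip})")
    if summary["out_intf"] != server_intf:
        findings.append(f"routed via {summary['out_intf']}, expected {server_intf}")
    if (summary["policy"], summary["action"]) != (policy_id, "accept"):
        findings.append(f"policy {summary['policy']} action {summary['action']}, expected {policy_id} accept")
    return findings


if __name__ == "__main__":
    facts = summarize_trace(TRACE)
    print(facts)
    print(verify_vip_flow(facts, "10.1.2.3", "192.168.30.2", "port3", "port4", "3") or "VIP flow OK")
```

A missing `dnat` entry means the VIP was never hit (typically no ARP reply for the external IP or a wrong extintf); a wrong `out_intf` or a `deny` action points at routing or policy rather than at the VIP itself.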

 

A successful ping:

 

PING 10.1.2.3 (10.1.2.3): 56 data bytes
64 bytes from 10.1.2.3: icmp_seq=0 ttl=127 time=2.9 ms
64 bytes from 10.1.2.3: icmp_seq=1 ttl=127 time=1.4 ms

 

Conclusion:

 

As long as the IP address is reachable on the external interface, a secondary IP is implemented as a VIP in exactly the same way as a primary IP.

 

Note:

If the secondary IP is the same as the VIP external IP and is configured only for VIP access, configuring the secondary IP is not actually necessary: by default the VIP itself responds to ARP requests for its external IP, which is the same function the secondary IP provides.

So, traffic to the VIP external IP can reach the FortiGate even if this IP address is not configured on the interface as a secondary IP. See the article below:

Technical Tip: ARP reply setting in Virtual IP/IP Pool

 

Related documents:

Technical Tip: Virtual IP (VIP) port forwarding co... - Fortinet Community

Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community