Created on 04-11-2023 05:18 AM
Edited on 04-14-2023 04:35 AM
By Jean-Philippe_P
Description
This article describes how to implement a virtual IP (VIP) from a secondary IP address in FortiGate.
Scope
FortiGate.
Solution
Consider the following network scenario, in which a client is attempting to reach a server behind the FortiGate. Instead of using the primary IP of the external interface as the VIP address, a secondary IP configured on that interface is used.
# show system interface port3
config system interface
    edit "port3"
        set vdom "root"
        set ip 10.1.2.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set alias "wan"
        set snmp-index 3
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.3 255.255.255.0 <-- The address used as the VIP
                set allowaccess https ssh snmp http fgfm
            next
        end
    next
end

# config firewall vip
    edit "VIP"
        set uuid ba3ee4a4-cb0e-51ed-d1d3-0b224dab3ae6
        set extip 10.1.2.3 <-- The secondary IP of port3
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end

# config firewall policy
    edit 3
        set name "VIP"
        set uuid 7e9392ea-cb10-51ed-9709-57f6c793d368
        set srcintf "port3" <-- Incoming interface
        set dstintf "port4" <-- Outgoing interface to the server
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
    next
end
Debug flow trace results:
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_tree_check line=820 msg="len=1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5138 msg="checking gnum-100000 policy-1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5285 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
2023-04-11 04:32:16 id=65308 trace_id=80 func=fw_pre_route_handler line=180 msg="VIP-192.168.30.2:5376, outdev-port3"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_tree_check line=520 msg="gnum-100004, use int hash, slot=46, len=2"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2055 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_user_identity_check line=1830 msg="ret-matched"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
A successful ping:
PING 10.1.2.3 (10.1.2.3): 56 data bytes
64 bytes from 10.1.2.3: icmp_seq=0 ttl=127 time=2.9 ms
64 bytes from 10.1.2.3: icmp_seq=1 ttl=127 time=1.4 ms
Conclusion:
As long as the IP address is reachable, the method to implement a secondary IP as a VIP is exactly the same as for a primary IP.
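To confirm from a debug flow trace that the secondary IP really was translated to the mapped server and accepted by the intended policy, here is an added Python helper (not part of the article and not Fortinet code). The sample trace is a subset of the lines shown above; the summary field names and the check function are assumptions of this example.

```python
import re

# Trace lines copied from the debug flow output above (trace_id=80); the
# date/id/trace_id prefix is kept exactly as FortiOS prints it.
TRACE = """\
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
"""

LINE_RE = re.compile(r'func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
DNAT_RE = re.compile(r'DNAT (?P<ext>[\d.]+):\d+->(?P<mapped>[\d.]+):\d+')
ROUTE_RE = re.compile(r'find a route: .* via (?P<dev>\S+)')
DNAT_POL_RE = re.compile(r'matched policy-(?P<pol>\d+), act=(?P<act>\w+), vip=(?P<vip>\d+)')
FWD_POL_RE = re.compile(r'policy-(?P<pol>\d+) is matched, act-(?P<act>\w+)')

def parse_flow_trace(text):
    """Reduce one debug flow trace to the facts that show the VIP is working:
    ingress interface, DNAT pair, egress interface, DNAT policy and forward policy."""
    summary = {"in": None, "dnat": None, "out": None, "dnat_policy": None, "fwd_policy": None}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "iprope_dnat_check" and msg.startswith("in-["):
            summary["in"] = msg.split("[")[1].split("]")[0]      # "in-[port3], ..." -> port3
        elif (d := DNAT_RE.search(msg)):
            summary["dnat"] = (d.group("ext"), d.group("mapped"))  # (extip, mappedip)
        elif (r := ROUTE_RE.search(msg)):
            summary["out"] = r.group("dev")                        # egress interface
        elif (p := DNAT_POL_RE.search(msg)) and p.group("vip") == "1":
            summary["dnat_policy"] = (int(p.group("pol")), p.group("act"))
        elif (p := FWD_POL_RE.search(msg)):
            summary["fwd_policy"] = (int(p.group("pol")), p.group("act"))
    return summary

def vip_trace_ok(summary, extip, mappedip, extintf, dstintf, policy_id):
    """True when the trace shows DNAT extip->mappedip entering on extintf, leaving
    via dstintf, with a VIP DNAT match and the expected forward policy accepting."""
    return (summary["in"] == extintf
            and summary["dnat"] == (extip, mappedip)
            and summary["out"] == dstintf
            and summary["dnat_policy"] is not None and summary["dnat_policy"][1] == "accept"
            and summary["fwd_policy"] == (policy_id, "accept"))
```

Feeding it the full trace from a `diagnose debug flow` capture works the same way; a mismatch on `dnat` usually means the VIP extip is not the secondary IP the client is actually targeting.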
Related documents:
Technical Tip: Virtual IP (VIP) port forwarding co... - Fortinet Community
Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community