FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
iskandar_lie
Staff
Article Id 251991

Description

 

This article describes how to implement a virtual IP (VIP) from a secondary IP address in FortiGate.

 

Scope

 

FortiGate.

 

Solution

 

Consider the following network scenario, where a client is attempting to reach a server behind the FortiGate. Instead of using the external interface's primary IP as the VIP address, a secondary IP configured on that interface is used.

 

[Figure: VIP 2ndary IP.PNG]

 

# show system interface port3
    edit "port3"
        set vdom "root"
        set ip 10.1.2.1 255.255.255.0
        set allowaccess ping https ssh snmp http fgfm
        set type physical
        set alias "wan"
        set snmp-index 3
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.3 255.255.255.0    <-- A VIP address
                set allowaccess https ssh snmp http fgfm
            next
        end
    next
end

# config firewall vip
    edit "VIP"
        set uuid ba3ee4a4-cb0e-51ed-d1d3-0b224dab3ae6
        set extip 10.1.2.3
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end

# config firewall policy
    edit 3
        set name "VIP"
        set uuid 7e9392ea-cb10-51ed-9709-57f6c793d368
        set srcintf "port3"   <-- Incoming interface
        set dstintf "port4"   <-- Outgoing interface to server
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
    next
end
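The three configuration steps above (secondary IP on the interface, VIP using that address as extip, policy with the VIP as destination) have to agree with each other, and the easiest mistake to make is leaving the secondary IP defined but not enabled. The following Python script is an added example, not Fortinet's code and not part of the original article: it parses FortiOS-style CLI text into a nested structure and checks that the VIP's extip is an address the external interface actually carries (primary, or an enabled secondary) and that an accept policy references the VIP on that interface. The sample configuration is constructed from the article's values with a 'config system interface' wrapper assumed; parse_fortios, interface_addresses and check_vip are names chosen for this example.

```python
import shlex

# Constructed sample: the article's three configuration steps, laid out as a
# FortiOS CLI dump (the 'config system interface' wrapper is assumed).
SAMPLE_CONFIG = """
config system interface
    edit "port3"
        set ip 10.1.2.1 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.1.2.3 255.255.255.0
            next
        end
    next
end
config firewall vip
    edit "VIP"
        set extip 10.1.2.3
        set mappedip "192.168.30.2"
        set extintf "port3"
    next
end
config firewall policy
    edit 3
        set name "VIP"
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config <table>' opens a table, 'edit <key>' opens an entry in it,
    'set <attr> <values...>' stores the values as a list on the current
    entry, and 'next'/'end' close the entry/table.  A 'config' nested inside
    an entry (such as secondaryip) becomes a sub-table on that entry.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())   # handles the quoted "VIP"-style values
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def interface_addresses(cfg, name):
    """Return the set of IPs configured on an interface: primary plus enabled secondaries."""
    intf = cfg.get("system interface", {}).get(name, {})
    addrs = set()
    if "ip" in intf:
        addrs.add(intf["ip"][0])
    # secondaryip entries only take effect once 'set secondary-IP enable' is present.
    if intf.get("secondary-IP", [""])[0] == "enable":
        for entry in intf.get("secondaryip", {}).values():
            if "ip" in entry:
                addrs.add(entry["ip"][0])
    return addrs


def check_vip(cfg, vip_name):
    """Return a list of findings for one VIP; an empty list means it is consistent."""
    findings = []
    vip = cfg.get("firewall vip", {}).get(vip_name)
    if vip is None:
        return [f"VIP {vip_name!r} not defined"]
    extip = vip.get("extip", [None])[0]
    extintf = vip.get("extintf", [None])[0]
    if extip is None or extintf is None:
        findings.append(f"VIP {vip_name!r} is missing extip or extintf")
    elif extip not in interface_addresses(cfg, extintf):
        # The article's requirement: the external address must be one the
        # interface carries, as its primary IP or as an enabled secondary IP.
        findings.append(f"extip {extip} is not a primary or secondary IP of {extintf}")
    policies = cfg.get("firewall policy", {}).values()
    if not any(vip_name in p.get("dstaddr", [])
               and extintf in p.get("srcintf", [])
               and p.get("action", [""])[0] == "accept"
               for p in policies):
        findings.append(f"no accept policy from {extintf} has {vip_name!r} as dstaddr")
    return findings


if __name__ == "__main__":
    config = parse_fortios(SAMPLE_CONFIG)
    print("port3 addresses:", sorted(interface_addresses(config, "port3")))
    print("findings:", check_vip(config, "VIP") or "none")
```

Running it against the sample reports both port3 addresses and no findings; flipping secondary-IP to disable makes the VIP's extip fall outside the interface's address set, which is exactly the case where the "reachable IP" condition in the conclusion below is not met.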

 

Debug flow trace results:

 

2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_tree_check line=820 msg="len=1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5138 msg="checking gnum-100000 policy-1"
2023-04-11 04:32:16 id=65308 trace_id=80 func=get_new_addr line=1236 msg="find DNAT: IP-192.168.30.2, port-0(fixed port)"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5285 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
2023-04-11 04:32:16 id=65308 trace_id=80 func=fw_pre_route_handler line=180 msg="VIP-192.168.30.2:5376, outdev-port3"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_tree_check line=520 msg="gnum-100004, use int hash, slot=46, len=2"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2055 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_user_identity_check line=1830 msg="ret-matched"
2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"
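Reading a trace like the one above by eye works for one session, but the same check can be automated: confirm that the flow hit the VIP (a DNAT line with the expected external and mapped addresses), that the final forwarding decision was the intended policy with act-accept, and that egress went to the server-side interface. The script below is an added example, not part of the original article and not a FortiOS tool: it groups diagnose debug flow lines by trace_id, extracts those three facts, and compares them with the expected VIP. The sample lines are taken from the trace shown above; summarize_traces and verify_vip_trace are names chosen for this example.

```python
import re
from collections import defaultdict

# Sample input: lines from the debug flow trace shown in the article (trace_id=80).
SAMPLE_TRACE = [
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_dnat_check line=5273 msg="in-[port3], out-[]"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_dnat_policy line=5228 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=fw_pre_route_handler line=180 msg="VIP-192.168.30.2:5376, outdev-port3"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=__ip_session_run_tuple line=3542 msg="DNAT 10.1.2.3:8->192.168.30.2:5376"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=__vf_ip_route_input_rcu line=2012 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=iprope_fwd_check line=791 msg="in-[port3], out-[port4], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"',
    '2023-04-11 04:32:16 id=65308 trace_id=80 func=__iprope_check_one_policy line=2273 msg="policy-3 is matched, act-accept"',
]

# key=value fields; msg is quoted and may itself contain '=' characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DNAT_RE = re.compile(r'DNAT (\S+):(\d+)->(\S+):(\d+)')
POLICY_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')
INOUT_RE = re.compile(r'in-\[(\w*)\], out-\[(\w*)\]')


def parse_line(line):
    """Split one debug-flow line into its key=value fields, unquoting msg."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize_traces(lines):
    """Group lines by trace_id and pull out the DNAT, final policy decision and egress."""
    traces = defaultdict(lambda: {"dnat": None, "policy": None, "action": None,
                                  "in": None, "out": None})
    for line in lines:
        fields = parse_line(line)
        if "trace_id" not in fields:
            continue
        trace = traces[fields["trace_id"]]
        msg = fields.get("msg", "")
        if m := DNAT_RE.search(msg):
            trace["dnat"] = {"orig": m.group(1), "translated": m.group(3)}
        if m := POLICY_RE.search(msg):          # the forwarding policy verdict
            trace["policy"], trace["action"] = int(m.group(1)), m.group(2)
        if fields.get("func") == "iprope_fwd_check" and (m := INOUT_RE.search(msg)):
            trace["in"], trace["out"] = m.group(1), m.group(2)
    return dict(traces)


def verify_vip_trace(trace, extip, mappedip, policy_id, outdev):
    """Compare one trace with the expected VIP; an empty list means it behaved as intended."""
    findings = []
    if trace["dnat"] is None:
        findings.append("no DNAT translation observed; traffic did not match a VIP")
    elif (trace["dnat"]["orig"], trace["dnat"]["translated"]) != (extip, mappedip):
        findings.append(f"DNAT {trace['dnat']['orig']}->{trace['dnat']['translated']} "
                        f"differs from expected {extip}->{mappedip}")
    if trace["policy"] != policy_id:
        findings.append(f"matched policy {trace['policy']} instead of {policy_id}")
    if trace["action"] != "accept":
        findings.append(f"final action was {trace['action']!r}, not accept")
    if trace["out"] != outdev:
        findings.append(f"egress interface {trace['out']!r}, expected {outdev!r}")
    return findings


if __name__ == "__main__":
    for tid, trace in summarize_traces(SAMPLE_TRACE).items():
        result = verify_vip_trace(trace, "10.1.2.3", "192.168.30.2", 3, "port4")
        print(f"trace {tid}: {result or 'VIP hit, policy 3 accepted, egress port4'}")
```

A trace that lacks the DNAT line (the packet arrived for the secondary IP but no VIP matched) or that ends in a different policy than the one written for the VIP is reported as a finding rather than read past.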

 

A successful ping:

 

PING 10.1.2.3 (10.1.2.3): 56 data bytes
64 bytes from 10.1.2.3: icmp_seq=0 ttl=127 time=2.9 ms
64 bytes from 10.1.2.3: icmp_seq=1 ttl=127 time=1.4 ms

 

Conclusion:

 

As long as the secondary IP address is reachable, a VIP on it is configured in exactly the same way as a VIP on the interface's primary IP.

 

Related documents:

Technical Tip: Virtual IP (VIP) port forwarding co... - Fortinet Community

Technical Tip: Set a secondary IP on a FortiGate i... - Fortinet Community