FortiGate
Koushik_IND_Banglore
Article Id 343560
Description: This article describes which object takes precedence when a VIP and a Virtual server are both configured for the same mapped IP.
Scope: FortiGate.
Solution:

The mapping of one specific IP address to another specific IP address is usually referred to as Destination NAT (DNAT). On FortiGate, both the VIP and the Virtual server feature can be used for DNAT.

VIP: When Central NAT is not in use, FortiOS calls this object a Virtual IP address, or VIP. FortiOS uses a DNAT or Virtual IP address to map an external IP address to an internal IP address. The mapped address does not have to be an individual host; it can also be an address range.

Virtual server: This is a special virtual IP type. Use this type of VIP to implement server load balancing.

When a VIP and a Virtual server are both configured to map the same external IP to the same internal IP (real server), the Virtual server takes precedence.

When a VIP and a Virtual server mapping the same external IP to the same internal IP (real server) are configured as below, traffic will always follow the Virtual server DNAT, even if the firewall policy for the VIP is kept above the policy for the Virtual server.

VIP:

[Screenshot: VIP TEST.png]

Virtual server:

The virtual server is mapped between the same external and internal IP; however, a different mapped port (80) is used so that the preference is visible in the sniffer and flow debug output.

[Screenshot: Virtual server.png]

Firewall policy:

[Screenshot: policy firewall.png]

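The following FortiOS CLI configuration is an added example of the setup described above; it is not taken from the article, which shows the objects only as screenshots. The external IP 10.121.7.212, the real server 10.45.8.135:80, the interfaces port3/port2 and policy ID 4 come from the sniffer and flow debug output. The object names, the VIP policy ID (3), the assumption that the VIP has no port forwarding (so TCP 8080 is mapped 1:1), and the policy settings are assumptions.

```fortios
# Added example (not from the article): both objects map external 10.121.7.212 to real server 10.45.8.135.
config firewall vip
    # Plain VIP (DNAT). No port forwarding is assumed, so every port is mapped 1:1.
    edit "VIP_TEST"
        set extintf "port3"
        set extip 10.121.7.212
        set mappedip "10.45.8.135"
    next
    # Virtual server (server load balance) on the same external IP: TCP 8080 -> real server port 80.
    edit "Virtual_server"
        set type server-load-balance
        set extintf "port3"
        set extip 10.121.7.212
        set server-type tcp
        set extport 8080
        config realservers
            edit 1
                set ip 10.45.8.135
                set port 80
            next
        end
    next
end

config firewall policy
    # Policy ID 3 is assumed; the article only states that the VIP policy sits above policy 4.
    edit 3
        set name "VIP_policy"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "VIP_TEST"
        set schedule "always"
        set service "ALL"
    next
    # Policy ID 4 is the policy reported as matched in the flow debug output.
    edit 4
        set name "Virtual_server_policy"
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "Virtual_server"
        set schedule "always"
        set service "ALL"
        # Policies that reference a server-load-balance VIP use proxy-based inspection (assumed for this example).
        set inspection-mode proxy
    next
    # Keep the VIP policy above the Virtual server policy, as in the article's test.
    move 3 before 4
end
```

With this configuration a client connection to 10.121.7.212:8080 is translated by the Virtual server to 10.45.8.135:80 and accepted by policy 4, not by policy 3. The practical consequence is that any security profiles, logging settings or source restrictions placed on the VIP policy never apply to this traffic; they have to be configured on the policy that references the Virtual server, because that is the policy the session actually matches.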
Sniffer output:

2024-09-23 11:59:14.358314 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695
2024-09-23 11:59:15.409444 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695
2024-09-23 11:59:17.489456 port2 -- 10.121.8.132.52189 -> 10.45.8.135.80: syn 3646009695

Flow debug output:

23-09-2024 12:16 vd-root:0 received a packet(proto=6, 10.121.8.132:52511->10.121.7.212:8080) tun_id=0.0.0.0 from port3. flag [S], seq 170079641, ack 0, win 64240
23-09-2024 12:16 allocate a new session-007ef9bf
23-09-2024 12:16 in-[port3], out-[]
23-09-2024 12:16 len=2
23-09-2024 12:16 checking gnum-100000 policy-1
23-09-2024 12:16 match vip-Virtual srver, naddr=10.45.8.135, nport=80 <-----------
23-09-2024 12:16 matched policy-1, act=accept, vip=1, flag=100, sflag=2000400
23-09-2024 12:16 result: skb_flags-02000400, vid-1, ret-matched, act-accept, flag-00000100
23-09-2024 12:16 VIP-10.45.8.135:80, outdev-port3
23-09-2024 12:16 DNAT 10.121.7.212:8080->10.45.8.135:80
23-09-2024 12:16 find a route: flag=00000000 gw-0.0.0.0 via port2
23-09-2024 12:16 in-[port3], out-[port2], skb_flags-020004c0, vid-1, app_id: 0, url_cat_id: 0
23-09-2024 12:16 gnum-100004, use addr/intf hash, len=3
23-09-2024 12:16 checked gnum-100004 policy-2, ret-matched, act-accept
23-09-2024 12:16 policy-4 is matched, act-accept
23-09-2024 12:16 Allowed by Policy-4: AV <--- Allowed by the Policy with ID=4 (Virtual Server policy).
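The commands below are an added example of how to reproduce the sniffer and flow debug output shown above; they are not part of the article. The addresses and ports are the ones seen in the article's output; the trace count of 10 and the sniffer filter are assumptions, and option availability can vary slightly between FortiOS versions.

```fortios
# Added example (not from the article): reproduce the sniffer and flow trace shown above.

# 1. List the DNAT (VIP) table; gnum 100000 is the table the flow trace reports as checked first,
#    so this shows the order in which the VIP and Virtual server entries are evaluated.
diagnose firewall iprope list 100000

# 2. Sniff on all interfaces for traffic to the real server: verbosity 4 prints the interface name,
#    count 0 runs until interrupted, and 'l' prefixes each line with a local timestamp.
diagnose sniffer packet any "host 10.45.8.135 and port 80" 4 0 l

# 3. Flow trace filtered on the external (VIP) address and port, with iprope (policy lookup) details,
#    which is what produces the "checking gnum-100000" and "match vip-..." lines.
diagnose debug reset
diagnose debug flow filter addr 10.121.7.212
diagnose debug flow filter port 8080
diagnose debug flow show iprope enable
diagnose debug flow trace start 10
diagnose debug enable

# 4. Open a client connection to 10.121.7.212:8080, read the trace, then stop it.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset
```

In the trace, the line to check is `match vip-<name>` followed by `DNAT <external>-><mapped>`: it names the object that actually translated the packet, regardless of policy order. The policy named in `Allowed by Policy-<id>` is the one whose security profiles and logging apply to the session, so that is the policy to audit when a VIP and a Virtual server overlap.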