Created on 02-23-2023 11:56 AM Edited on 02-23-2023 12:06 PM
Description

This article shows how the use of a hairpin can allow an application on a server to browse a webpage hosted within itself.
In this example, the FortiGate sends server queries to its own assigned public IP address, from one internal interface to another. https://community.fortinet.com/t5/FortiGate/Technical-Note-Using-an-auto-hairpin-to-browse-a-webpage...

Scope

FortiGate v6.x, v7.x.

Solution
Consider a scenario where an internal server queries a web application hosted on the server itself. Because the request is addressed to the public IP of the VIP rather than to the server's own address, the traffic takes a hairpin path: it arrives at the FortiGate on the internal interface, and FortiGate redirects it back out the same interface, mapped to the server.
This is useful when the administrator wants to verify that the VIP is working as intended. See this document for more information about hairpins in networking.
Follow the steps in this article to configure a hairpin that allows a server to browse a webpage hosted on itself.
1) Configure a VIP mapping with 'any' interface:
# config firewall vip
    edit "hairpin-vip"
        set uuid 3acb6a34-b282-51ed-77eb-bf23ffe194a5
        set extip [public_ip-address]
        set mappedip "[server_ip-address]"
        set extintf "any"
        set portforward enable
        set extport [service_port]
        set mappedport [service_port]
    next
end
In this scenario:
# config firewall vip
    edit "hairpin-vip"
        set uuid 3acb6a34-b282-51ed-77eb-bf23ffe194a5
        set extip 172.16.16.110
        set mappedip "192.168.1.2"
        set extintf "any"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
In the GUI:
2) Configure an internal firewall policy to use the WAN interface for internet traffic.
# config firewall policy
    edit 1
        set name "Server to Internet"
        set uuid 09547506-b29e-51ed-5d35-c1a7794eccd6
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "server_ip-address"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
3) Configure a LAN to LAN firewall policy with the VIP as the destination. Since 'match-vip enable' is obsolete, attach the VIP object ('hairpin-vip' in this example) to the destination field of the LAN to LAN policy. See the following document for more information: https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/856642/configuring-hair-pinning-on-a-for....
In the CLI:
# config firewall policy
    edit 2
        set name "Hairpin-VIP_Server"
        set uuid 82ca4cea-b333-51ed-dea0-e45fbd681fe4
        set srcintf "lan"
        set dstintf "lan"
        set action accept
        set srcaddr "server_ip-address"
        set dstaddr "hairpin-vip"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
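As an added example (not part of the original article and not a Fortinet tool), the following Python script reads the three CLI blocks above in FortiOS's config / edit / set / next / end layout and checks that a configuration dump contains what steps 1 to 3 require: a VIP whose extintf is 'any', a LAN to WAN accept policy with NAT for the server address object, and a LAN to LAN accept policy whose destination is the VIP object. The embedded configuration is constructed from the article's own values (uuids omitted); the function names parse_fortios and check_hairpin are the author's choice, and the interface names lan and wan and the object names are taken from the article.

```python
from typing import Dict, List

# Constructed sample: the article's three blocks as they would appear in a
# "show" dump. Values are the article's; uuid lines are omitted.
SAMPLE_CONFIG = """
config firewall vip
    edit "hairpin-vip"
        set extip 172.16.16.110
        set mappedip "192.168.1.2"
        set extintf "any"
        set portforward enable
        set extport 80
        set mappedport 80
    next
end
config firewall policy
    edit 1
        set name "Server to Internet"
        set srcintf "lan"
        set dstintf "wan"
        set action accept
        set srcaddr "server_ip-address"
        set dstaddr "all"
        set nat enable
    next
    edit 2
        set name "Hairpin-VIP_Server"
        set srcintf "lan"
        set dstintf "lan"
        set action accept
        set srcaddr "server_ip-address"
        set dstaddr "hairpin-vip"
    next
end
"""


def parse_fortios(text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Parse one-level 'config <table> / edit <entry> / set k v' blocks.
    Returns {table: {entry: {key: value}}}; quotes around values are dropped.
    One nesting level is enough for the vip and policy tables used here."""
    tables: Dict[str, Dict[str, Dict[str, str]]] = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and table is not None and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def check_hairpin(cfg: Dict[str, Dict[str, Dict[str, str]]],
                  vip_name: str, server_addr: str) -> List[str]:
    """Return the list of problems found; an empty list means the dump
    contains the VIP and the two policies the article's steps describe."""
    problems: List[str] = []
    vip = cfg.get("firewall vip", {}).get(vip_name)
    if vip is None:
        return [f"VIP '{vip_name}' not defined"]
    # Step 1: the VIP must bind to 'any' so it also matches on the LAN side.
    if vip.get("extintf") != "any":
        problems.append("step 1: VIP extintf must be 'any' for the hairpin to match on lan")
    if not vip.get("mappedip"):
        problems.append("step 1: VIP has no mappedip")

    policies = list(cfg.get("firewall policy", {}).values())

    def matches(policy: Dict[str, str], **want: str) -> bool:
        return all(policy.get(k) == v for k, v in want.items())

    # Step 2: lan -> wan accept policy with NAT for the server's address object.
    if not any(matches(p, srcintf="lan", dstintf="wan", action="accept",
                       srcaddr=server_addr, nat="enable") for p in policies):
        problems.append("step 2: no lan->wan accept policy with NAT for the server")
    # Step 3: lan -> lan accept policy whose destination is the VIP object itself.
    if not any(matches(p, srcintf="lan", dstintf="lan", action="accept",
                       srcaddr=server_addr, dstaddr=vip_name) for p in policies):
        problems.append("step 3: no lan->lan accept policy with the VIP as destination")
    return problems


if __name__ == "__main__":
    found = check_hairpin(parse_fortios(SAMPLE_CONFIG), "hairpin-vip", "server_ip-address")
    print("OK: hairpin configuration complete" if not found else "\n".join(found))
```

Run the script against a saved "show firewall vip" plus "show firewall policy" dump instead of SAMPLE_CONFIG to confirm, before testing from the server, that all three pieces are present; a missing step 3 policy is the usual reason the public IP is reachable from the internet but not from the LAN.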
In the GUI:
Traffic flow of the network hairpin:
Related hairpinning article for different internal subnets: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448
Article content by Bijay Prakash Ghising.
Copyright 2024 Fortinet, Inc. All Rights Reserved.