FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
saleha
Staff
Article Id 303609
Description

This article describes a site design where a real server sits behind the firewall, one VIP (vip1) is created for incoming traffic, and a second VIP (vip2) is configured with the same pair of IP addresses inverted, i.e. the mapped (internal) IP of vip1 is the external IP of vip2, and the external IP of vip1 is the mapped IP of vip2.

Scope

FortiGate.
Solution

config firewall vip
    edit vip1
        set extip 192.168.1.1
        set extintf any
        set mappedip 10.1.1.1
    next
    edit vip2
        set extip 10.1.1.1
        set extintf any
        set mappedip 192.168.1.1
    next
end

An IP pool is also created for other purposes, and it has an external IP on the same subnet as the external IP of one of the VIPs:

config firewall ippool
    edit ipp1
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end

In FortiOS 7.0.14 and 7.2.6 or later, both IP pools and VIPs are detected as internal address objects, and arp-reply is enabled by default on VIPs and IP pools. In the scenario above, traffic destined for the mapped IP addresses of the VIPs is therefore treated as local traffic and is not routed by the FortiGate to the real server IP. What makes this case more complicated is that there are two VIPs with matching IP addresses in opposite directions: disabling arp-reply on the IP pool alone does not resolve the problem, as the second VIP induces the same behavior through the IP pool.

To better understand FortiOS behavior with IP pools and VIPs, consult this article.

This issue can be resolved with the following steps:

  1. Disable arp-reply on the IP pool:

config firewall ippool
    edit ipp1
        set arp-reply disable
    next
end

  2. Disable arp-reply on vip2:

config firewall vip
    edit vip2
        set arp-reply disable
    next
end
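As an added example (not Fortinet's code and not part of this article), the following Python script checks a FortiOS CLI dump for the two conditions described above: a pair of VIPs with inverted addresses where both still answer ARP, and an IP pool that overlaps a VIP external address while both still answer ARP. It then layers the two partial fix snippets from the steps above onto the parsed configuration and re-checks, so an operator can confirm that the pool-only change leaves the VIP pair unresolved while both changes together clear the findings. The sample configuration text, the parser, and the names parse_fortios, find_issues, lint, BEFORE, FIX_POOL and FIX_VIP2 are constructed for this example; it assumes a plain show-style dump (config / edit / set / next / end) and the default arp-reply enable that the article mentions.

```python
"""Lint a FortiOS CLI dump for the VIP / IP-pool arp-reply collisions described above.
Added example, not Fortinet code. Assumes a 'show'-style dump (config/edit/set/next/end)
and, as the article states, that arp-reply defaults to 'enable' on VIPs and IP pools."""
import ipaddress

def parse_fortios(text):
    """Return {table: {entry: {key: value}}}, reading only top-level tables."""
    tables, stack, entry = {}, [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        word, _, rest = line.partition(" ")
        if word == "config":
            stack.append(rest)
            if len(stack) == 1:
                tables.setdefault(rest, {})
        elif word == "end" and stack:
            stack.pop()
            if not stack:
                entry = None
        elif len(stack) != 1:
            continue  # skip sub-tables such as 'config realservers' inside a VIP
        elif word == "edit":
            entry = rest.strip('"')
            tables[stack[0]].setdefault(entry, {})
        elif word == "set" and entry is not None:
            key, _, value = rest.partition(" ")
            tables[stack[0]][entry][key] = value.strip().strip('"')
        elif word == "next":
            entry = None
    return tables

def addr_range(value):
    """'10.1.1.1' or '10.1.1.1-10.1.1.5' -> (first, last) as integers."""
    first, _, last = value.partition("-")
    a = int(ipaddress.IPv4Address(first))
    return (a, int(ipaddress.IPv4Address(last)) if last else a)

def arp_on(cfg):
    return cfg.get("arp-reply", "enable") == "enable"  # FortiOS default is enable

def find_issues(tables):
    """Return (kind, object_a, object_b) tuples for the two patterns in the article:
    an inverted VIP pair where both answer ARP, and an IP pool that covers a VIP
    external address while both answer ARP."""
    vips = tables.get("firewall vip", {})
    pools = tables.get("firewall ippool", {})
    names = sorted(n for n, c in vips.items() if "extip" in c and "mappedip" in c)
    issues = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ca, cb = vips[a], vips[b]
            inverted = (addr_range(ca["extip"]) == addr_range(cb["mappedip"])
                        and addr_range(ca["mappedip"]) == addr_range(cb["extip"]))
            if inverted and arp_on(ca) and arp_on(cb):
                issues.append(("inverted-vip-pair", a, b))
    for pname, pcfg in pools.items():
        if "startip" not in pcfg or not arp_on(pcfg):
            continue
        lo, hi = addr_range(pcfg["startip"] + "-" + pcfg.get("endip", pcfg["startip"]))
        for vname in names:
            vlo, vhi = addr_range(vips[vname]["extip"])
            if arp_on(vips[vname]) and vlo <= hi and lo <= vhi:
                issues.append(("ippool-overlaps-vip", pname, vname))
    return issues

def lint(base_text, *fix_texts):
    """Parse the base config, layer partial fix snippets on top, then check it."""
    tables = parse_fortios(base_text)
    for fix in fix_texts:
        for table, entries in parse_fortios(fix).items():
            for name, cfg in entries.items():
                tables.setdefault(table, {}).setdefault(name, {}).update(cfg)
    return find_issues(tables)

# Constructed sample: the article's starting configuration and its two fix steps.
BEFORE = """
config firewall vip
    edit vip1
        set extip 192.168.1.1
        set mappedip 10.1.1.1
    next
    edit vip2
        set extip 10.1.1.1
        set mappedip 192.168.1.1
    next
end
config firewall ippool
    edit ipp1
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
"""
FIX_POOL = "config firewall ippool\n edit ipp1\n  set arp-reply disable\n end\n"
FIX_VIP2 = "config firewall vip\n edit vip2\n  set arp-reply disable\n end\n"

if __name__ == "__main__":
    for fixes in ((), (FIX_POOL,), (FIX_POOL, FIX_VIP2)):
        print(len(fixes), "fix step(s) applied:", lint(BEFORE, *fixes))
```

Run against a real dump, the script only needs the output of `show firewall vip` and `show firewall ippool` concatenated into one file; it ignores nested tables such as real-server lists. The merge step in lint mirrors how the two fix snippets in the steps above are applied on the CLI: they only change arp-reply on the named objects and leave the rest of the configuration untouched.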
