Description
This article describes a site design where a real server sits behind the FortiGate, one VIP (vip1) is created for incoming traffic, and a second VIP (vip2) is configured with the same IP addresses inverted: the internal (mapped) IP of vip1 is the external IP of vip2, and the external IP of vip1 is the internal (mapped) IP of vip2.
Scope
FortiGate.
Solution
config firewall vip
    edit vip1
        set extip 192.168.1.1
        set extintf any
        set mappedip 10.1.1.1
    next
    edit vip2
        set extip 10.1.1.1
        set extintf any
        set mappedip 192.168.1.1
    next
end

An IP pool is also created for other purposes, and it uses an external IP on the same subnet as the external IP of one of the VIPs:

config firewall ippool
    edit ipp1
        set startip 192.168.1.1
        set endip 192.168.1.1
    next
end
In FortiOS 7.0.14 and 7.2.6 or later, both IP pools and VIPs are detected as internal address objects, and arp-reply is enabled by default on VIPs and IP pools. In the scenario above, this makes the FortiGate treat traffic destined to the mapped IP addresses of the VIPs as local traffic, so that traffic is not routed to the real server IP. The problem is further complicated by the two VIPs with matching IP addresses in opposite directions: disabling arp-reply on the IP pool alone does not resolve it, because the second VIP induces the same behavior through the IP pool.
To better understand FortiOS behavior with IP pools and VIPs, consult this article.
This issue can be resolved with the following steps:
config firewall ippool
    edit ipp1
        set arp-reply disable
    next
end

config firewall vip
    edit vip2
        set arp-reply disable
    next
end
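As an added example, not part of this article or of any Fortinet tool, the Python script below parses a FortiOS config dump and reports every VIP whose mapped IP another VIP's external IP or an IP pool range still claims as a local address with arp-reply enabled, which is the condition that keeps real-server traffic on the FortiGate. The object names, fields and addresses are the article's; the flat-dump parser, the single-address assumption for extip and the constructed sample strings are mine.

```python
from ipaddress import ip_address
# Constructed sample: the article's two VIPs and IP pool as first configured (extintf omitted).
BEFORE_FIX = """config firewall vip
    edit "vip1"
        set extip 192.168.1.1
        set mappedip 10.1.1.1
    edit "vip2"
        set extip 10.1.1.1
        set mappedip 192.168.1.1
end
config firewall ippool
    edit "ipp1"
        set startip 192.168.1.1
        set endip 192.168.1.1
end"""
# The article's fix; appended to the text above, it re-edits the same objects, as the CLI does.
FIX = """config firewall ippool
    edit "ipp1"
        set arp-reply disable
end
config firewall vip
    edit "vip2"
        set arp-reply disable
end"""

def parse_fortios(text):
    """Parse a FortiOS config dump into {table: {object: {key: value}}}; next/end are implicit."""
    tables, table, obj = {}, None, None
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == "config":
            table = tables.setdefault(" ".join(parts[1:]), {})
        elif parts[0] == "edit":
            obj = table.setdefault(" ".join(parts[1:]).strip('"'), {})
        elif parts[0] == "set":
            obj[parts[1]] = " ".join(parts[2:]).strip('"')
    return tables

def local_claims(tables):
    """(owner, first, last) the FortiGate answers ARP for: VIP extip (single address assumed) and IP pool ranges with arp-reply enabled."""
    def armed(o): return o.get("arp-reply", "enable") == "enable"   # enabled is the default
    vips, pools = tables.get("firewall vip", {}), tables.get("firewall ippool", {})
    return ([(n, ip_address(o["extip"]), ip_address(o["extip"])) for n, o in vips.items() if armed(o)]
            + [(n, ip_address(o["startip"]), ip_address(o["endip"])) for n, o in pools.items() if armed(o)])

def mapped_ip_conflicts(tables):
    """Sorted (vip, mapped_ip, claimer): VIP mapped IPs that another object still claims as local."""
    return sorted({(vip, o["mappedip"], owner)
                   for vip, o in tables.get("firewall vip", {}).items()
                   for owner, first, last in local_claims(tables)
                   if owner != vip and first <= ip_address(o["mappedip"]) <= last})
```

Running `mapped_ip_conflicts(parse_fortios(BEFORE_FIX))` reports three overlaps, including the real server 10.1.1.1 claimed by vip2 and 192.168.1.1 claimed by ipp1; after `parse_fortios(BEFORE_FIX + "\n" + FIX)` only vip2's mapped IP claimed by vip1's own external address remains, which in the design above is the address vip1 exists to answer for.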
Copyright 2024 Fortinet, Inc. All Rights Reserved.