Created on 11-27-2023 05:06 PM Edited on 11-27-2024 10:32 PM By Jean-Philippe_P
Description | This article describes how to resolve cases where traffic is correctly forwarded by the FortiGate but encounters issues such as non-functional traffic or no response from the destination host to the source host. |
Scope | FortiGate v7.2.x. |
Solution |
First, use 'diagnose debug flow' or the packet sniffer to confirm that the FortiGate is forwarding the traffic correctly:
diagnose debug flow filter addr x.x.x.x y.y.y.y and
Here is an example of a debug flow on a successful packet:
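The full debug-flow and sniffer sequence behind that one-line filter, as an added example that is not part of the original article. The addresses are constructed: 10.100.100.50 stands for the internal source host, 203.0.113.10 (an RFC 5737 documentation address) for the public IP of the VIP, and 192.168.1.194 is the destination host from the article. The 'and' keyword makes the filter match packets that involve both addresses, in either direction.

```fortios
# Added example (not from the article). Constructed addresses:
#   10.100.100.50  = internal source host on the NIC1 subnet
#   203.0.113.10   = public IP of the VIP (documentation address)
#   192.168.1.194  = destination host, NIC2 (from the article)

# 1. Debug flow: clear any leftover state, then trace packets that
#    involve both the source host and the VIP address.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.100.100.50 203.0.113.10 and
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

#    ... open the connection from 10.100.100.50 to 203.0.113.10 ...
#    A forwarded packet shows the DNAT step (203.0.113.10 -> 192.168.1.194);
#    once NAT is enabled on the policy an SNAT step follows it.

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 2. Sniffer: verbose level 4 prints the interface name with each packet,
#    so the SYN leaving towards the host and the (missing) SYN-ACK coming
#    back are visible per interface. Count 0 = run until Ctrl-C, 'l' = local
#    timestamps. The service port is assumed to be TCP 443.
diagnose sniffer packet any 'host 192.168.1.194 and tcp port 443' 4 0 l
```

If the debug flow shows the packet being sent to the destination host but the sniffer never sees a reply on the interface facing NIC2, the FortiGate is doing its job and the problem lies on the host, which is the case the rest of the article covers.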
In this scenario the destination host has two NICs: NIC1 with IP 10.100.100.99 and NIC2 with IP 192.168.1.194. When traffic originates from the internet, it follows this path:

Internet -----> FortiGate (DNAT) -----> Internal Host (Destination Host)

No issue arises, because the source IP from the internet does not fall within any of the subnets configured on either NIC of the destination host. Complications arise when the traffic comes from the internal network and the destination IP is a public IP that is routed to the FortiGate via a VIP (hairpinning):

Internal Host (Source) -----> FortiGate -----> Internet -----> FortiGate (DNAT) -----> Internal Host (Destination Host)

Because the traffic is hairpinned, it never leaves the FortiGate, so the source IP seen by the destination host is the internal IP rather than the public IP. The loopback inside the FortiGate does not make the source IP appear as the public IP; it keeps the internal address.

NIC1 has IP 10.100.100.99. If the traffic originates from the 10.100.100.0/24 network and the VIP redirects external traffic to 192.168.1.194, the packets reach the destination host on NIC2 (192.168.1.194). The server's routing table, however, states that 10.100.100.0/24 is reachable via NIC1, so the server may expect traffic from that subnet to arrive on NIC1 rather than NIC2. In such cases, Windows Defender could potentially block the inbound traffic. It may be possible to work around this issue by performing SNAT (Source Network Address Translation) within the same policy where DNAT is configured.
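The workaround described above, written out as an added configuration example that is not part of the original article. The VIP name, policy name, interface names (port2 facing 10.100.100.0/24, port3 facing 192.168.1.0/24) and the public address 203.0.113.10 are assumptions; 192.168.1.194 is the destination host from the article.

```fortios
# Added example (not from the article). Assumed names and addresses:
#   203.0.113.10     = public IP of the VIP (documentation address)
#   192.168.1.194    = destination host on NIC2 (from the article)
#   port2 / port3    = FortiGate interfaces facing 10.100.100.0/24
#                      and 192.168.1.0/24 respectively

# VIP with extintf "any" so it also matches sessions that arrive on the
# internal interface (the hairpin case), not only on the WAN interface.
config firewall vip
    edit "vip-web-hairpin"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.194"
    next
end

# Internal-to-internal policy for the hairpinned sessions. Without
# "set nat enable" the destination host sees a 10.100.100.x source on
# NIC2, which contradicts its routing table. With it, the source becomes
# the FortiGate's own port3 address in 192.168.1.0/24, so the reply is
# routed back out of NIC2 and the host's reverse-path logic is satisfied.
config firewall policy
    edit 0
        set name "lan-to-vip-hairpin"
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip-web-hairpin"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

'edit 0' creates the policy with the next free ID; place it above any broader internal-to-internal policy so it is matched first. The trade-off to record before enabling it: with SNAT the destination host's own logs show the FortiGate's port3 address instead of the real internal client, so client attribution for those sessions has to come from the FortiGate's traffic logs rather than from the server. On the Windows host, 'route print' confirms which NIC the 10.100.100.0/24 route points at and whether the problem described in the article applies.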
|
Copyright 2024 Fortinet, Inc. All Rights Reserved.