FortiGate
Author: akushwaha (Staff)
Article Id 410837
Description: This article provides a step-by-step guide on how to verify and troubleshoot a Virtual IP (VIP) on a FortiGate running in NGFW policy-based mode.
Scope: FortiGate.
Solution:

In this example, a VIP is configured so that clients on the WAN side reach the internal RDP server through the VIP's external IP, as shown in the topology below:

 

[Topology diagram: image not reproduced]

Server (mapped IP): 10.102.0.202, TCP port 3389 (RDP).

External IP (VIP, on wan1): 10.5.192.200.


Step 1: Verify the VIP configuration. The extip must be reachable on the external interface (extintf), and mappedip/mappedport must point at the real server:

config firewall vip
    edit "Server"
        set extip 10.5.192.200
        set mappedip "10.102.0.202"
        set extintf "wan1"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
end

 

Step 2: Make sure there is an allowing policy under SSL Inspection & Authentication. Generally there is a 'Default' policy that allows any-to-any. If there is no Default policy, create a new SSL Inspection & Authentication policy from the external interface to the internal interface to allow the traffic (in policy-based mode these are the 'config firewall policy' entries):

config firewall policy
    edit 2
        set status enable    <-------- The policy must be enabled; a disabled policy is never matched.
        set name "VIP_Policy"
        set srcintf "wan1"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end

 

Step 3: There must also be a Security Policy from the external interface to the internal interface, with the real (mapped) server address as the destination:

 

config firewall security-policy
    edit 1
        set name "Wan-to-Lan"
        set srcintf "wan1"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "10.102.0.202/32"    <-------- This is the Destination Address object.
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

 

Note: In policy-based mode, the VIP object does not need to be referenced as the destination of the security policy. DNAT is applied before the security policy is evaluated (the flow trace in Step 5 shows the order), so the security policy matches on the mapped address (the real server, 10.102.0.202), not on the VIP's external IP. Port forwarding takes place as long as the VIP is configured on the external interface.

 

Step 4: Confirm the traffic is reaching the FortiGate on the external interface with the built-in sniffer (verbosity 4 prints the interface name; the trailing 'l' prints local timestamps):

 

diagnose sniffer packet wan1 'host 10.5.192.200 and port 3389' 4 0 l
interfaces=[wan1]
filters=[host 10.5.192.200 and port 3389]
2025-09-15 08:49:51.055832 wan1 -- 10.5.255.254.64295 -> 10.5.192.200.3389: syn 2497031367  

 

Step 5: Run the flow debug to verify that DNAT is applied and that the SSL Inspection & Authentication policy is matched. Filter on the VIP's external IP and port so that only the RDP traffic is traced:

diagnose debug reset
diagnose debug flow filter addr 10.5.192.200
diagnose debug flow filter port 3389
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

Below is the debug output. The "find DNAT" and "DNAT ... -> ..." lines confirm the translation to the mapped IP and port, and "Allowed by Policy-N" names the SSL Inspection & Authentication policy from Step 2 (policy 2 here):

 

id=65308 trace_id=10008 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.5.255.254:64441->10.5.192.200:3389) tun_id=0.0.0.0 from wan1. flag [S], seq 3272374413, ack 0, win 64240"
id=65308 trace_id=10008 func=init_ip_session_common line=6070 msg="allocate a new session-0002047d"
id=65308 trace_id=10008 func=get_new_addr line=1265 msg="find DNAT: IP-10.102.0.202, port-3389"
id=65308 trace_id=10008 func=fw_pre_route_handler line=187 msg="VIP-10.102.0.202:3389, outdev-LAN"
id=65308 trace_id=10008 func=__ip_session_run_tuple line=3446 msg="DNAT 10.5.192.200:3389->10.102.0.202:3389"
id=65308 trace_id=10008 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.102.0.202 via wan2"
id=65308 trace_id=10008 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=10008 func=fw_forward_handler line=991 msg="Allowed by Policy-2:"

Step 6: Run the PME debug to verify that the Security Policy from Step 3 is matched:

 

To start debugging:

 

diagnose ips pme debug enable
diagnose debug enable

 

The CLI output of the pme debug command confirms a policy match for the specified source and destination IP addresses:

 

PME[482/0] auth query not needed

PME[482/0] current {
PME[482/0] SRC intf= 7 tuple=10.5.255.254:63442    --------------------> Source IP (pre-NAT).
PME[482/0] DST intf= 8 tuple=10.102.0.202:3389      --------------------> Destination IP (post-DNAT mapped IP, not the VIP extip).
PME[482/0] vdom=0 vrf=0 proto=6 time=7772 serial=00013189
PME[482/0] user=0 groups-count=0 groups=[]
PME[482/0] }
PME[482/0] static {
PME[482/0] policy: id=1 "Wan-to-Lan" intf={src_ids: { 7 }, dst_ids: { 8 }} flags=180
PME[482/0] policy: id=2 "LAN_TO_WAN" intf={src_ids: { 8 }, dst_ids: { 7 }} flags=180
PME[482/0] }
PME[482/0] policy 1: static match passed
PME[482/0] policy 2: static match not passed
PME[482/0] session was created
PME[482/0] policies 1 {
01 : 01 Wan-to-Lan
}
PME[482/0] match: app=none url=-1 UNKNOWN
PME[482/0] matching policy "Wan-to-Lan"
PME[482/0] ...matching apps
PME[482/0] ...explicit match
PME[482/0] ...matching actions
PME[482/0] [EXPLICIT PASS] Wan-to-Lan : url=-1
PME[482/0] ...trigger policy 1 Wan-to-Lan      <------------- Matching Security Policy. 
PME[482/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x4 s:0}
PME[482/0] policy=1 action=0 log_traffic=1 isdb_src/dst=0/0

 

To stop debugging (also stop the flow trace started in Step 5 and clear its filters):

diagnose debug disable
diagnose ips pme debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
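As an added example that is not part of the article (and not a FortiGate tool), the following Python script runs the checks of Step 5 and Step 6 over captured flow-trace and PME output: it confirms that the packet arrived for the VIP's extip/extport, that a DNAT line translated it to the expected mappedip/mappedport, that an SSL Inspection & Authentication policy allowed it, and that PME evaluated the security policy against the mapped destination and returned PASS. The healthy sample is copied from the article's output above; the failure sample (no VIP match, policy-0 deny) is constructed for the example and its exact wording is an assumption.

```python
import re

# Healthy case: Step 5 flow trace and Step 6 PME output copied from the
# article above (PME trimmed to the lines the checks look at). Not live data.
FLOW_TRACE_OK = """\
id=65308 trace_id=10008 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.5.255.254:64441->10.5.192.200:3389) tun_id=0.0.0.0 from wan1. flag [S], seq 3272374413, ack 0, win 64240"
id=65308 trace_id=10008 func=init_ip_session_common line=6070 msg="allocate a new session-0002047d"
id=65308 trace_id=10008 func=get_new_addr line=1265 msg="find DNAT: IP-10.102.0.202, port-3389"
id=65308 trace_id=10008 func=fw_pre_route_handler line=187 msg="VIP-10.102.0.202:3389, outdev-LAN"
id=65308 trace_id=10008 func=__ip_session_run_tuple line=3446 msg="DNAT 10.5.192.200:3389->10.102.0.202:3389"
id=65308 trace_id=10008 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-10.102.0.202 via wan2"
id=65308 trace_id=10008 func=fw_forward_handler line=991 msg="Allowed by Policy-2:"
"""

PME_OK = """\
PME[482/0] SRC intf= 7 tuple=10.5.255.254:63442
PME[482/0] DST intf= 8 tuple=10.102.0.202:3389
PME[482/0] policy 1: static match passed
PME[482/0] policy 2: static match not passed
PME[482/0] ...trigger policy 1 Wan-to-Lan
PME[482/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x4 s:0}
"""

# Constructed failure case (assumption, not captured output): the VIP did not
# match, so there is no DNAT line and the untranslated destination is dropped
# by the implicit deny (policy 0). No PME output is produced for such a flow.
FLOW_TRACE_NO_VIP = """\
id=65308 trace_id=10009 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.5.255.254:64500->10.5.192.200:3389) tun_id=0.0.0.0 from wan1. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=10009 func=init_ip_session_common line=6070 msg="allocate a new session-0002047e"
id=65308 trace_id=10009 func=fw_forward_handler line=991 msg="Denied by forward policy check (policy 0)"
"""

RX_PKT = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).* from (\S+)\.')
RX_DNAT = re.compile(r'msg="DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)"')
RX_ALLOW = re.compile(r'Allowed by Policy-(\d+)')
RX_DENY = re.compile(r'Denied by ')
RX_PME_DST = re.compile(r'DST intf=\s*\d+ tuple=([\d.]+):(\d+)')
RX_PME_DEC = re.compile(r'\[DECISION MADE\] (\w+) view=\d+ policy=(\d+)')


def parse_flow_trace(text):
    """Extract the fields the troubleshooting steps depend on from a flow trace."""
    out = {"packet": None, "dnat": None, "policy": None, "denied": False}
    for line in text.splitlines():
        m = RX_PKT.search(line)
        if m:  # first packet seen: pre-NAT 5-tuple and ingress interface
            out["packet"] = {"proto": int(m.group(1)), "src": m.group(2),
                             "dst": m.group(4), "dport": int(m.group(5)),
                             "intf": m.group(6)}
            continue
        m = RX_DNAT.search(line)
        if m:  # VIP translation: (extip, extport) -> (mappedip, mappedport)
            out["dnat"] = {"pre": (m.group(1), int(m.group(2))),
                           "post": (m.group(3), int(m.group(4)))}
            continue
        m = RX_ALLOW.search(line)
        if m:  # SSL Inspection & Authentication policy that accepted the flow
            out["policy"] = int(m.group(1))
            continue
        if RX_DENY.search(line):
            out["denied"] = True
    return out


def parse_pme(text):
    """Extract the evaluated destination and the final decision from PME debug."""
    out = {"dst": None, "decision": None, "policy": None}
    for line in text.splitlines():
        m = RX_PME_DST.search(line)
        if m:
            out["dst"] = (m.group(1), int(m.group(2)))
            continue
        m = RX_PME_DEC.search(line)
        if m:
            out["decision"] = m.group(1)
            out["policy"] = int(m.group(2))
    return out


def triage(flow_text, pme_text, extip, extport, mappedip, mappedport):
    """Return a list of findings for the VIP under test; empty means all checks passed."""
    flow = parse_flow_trace(flow_text)
    pme = parse_pme(pme_text)
    findings = []
    pkt = flow["packet"]
    if pkt is None:
        return ["no packet in trace: revisit Step 4 and the flow filters"]
    if (pkt["dst"], pkt["dport"]) != (extip, extport):
        findings.append(f"packet is for {pkt['dst']}:{pkt['dport']}, not the VIP extip/extport")
    if flow["dnat"] is None:
        findings.append("no DNAT line: VIP not matched (check extip, extintf, extport)")
    elif flow["dnat"]["post"] != (mappedip, mappedport):
        findings.append(f"DNAT went to {flow['dnat']['post']}, expected {(mappedip, mappedport)}")
    if flow["policy"] is None:
        findings.append("no 'Allowed by Policy': SSL Inspection & Authentication policy missing or disabled"
                        + (" (explicit deny seen)" if flow["denied"] else ""))
    if pme["decision"] != "PASS":
        findings.append(f"no PASS decision from PME (got {pme['decision']}): security policy did not match")
    if pme["dst"] is not None and pme["dst"][0] != mappedip:
        findings.append("security policy was evaluated against a non-mapped destination")
    return findings


if __name__ == "__main__":
    args = ("10.5.192.200", 3389, "10.102.0.202", 3389)
    print("healthy:", triage(FLOW_TRACE_OK, PME_OK, *args))
    print("no VIP :", triage(FLOW_TRACE_NO_VIP, "", *args))
```

Paste the output of the two debug sessions into the two text variables and call triage() with the extip, extport, mappedip and mappedport from the VIP configuration; each finding names the step whose configuration to revisit, and the order of checks mirrors the packet path (ingress, DNAT, SSL Inspection & Authentication policy, security policy).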