FortiGate
pathik_mehta
Staff
Article Id 358834
Description: This article describes how the VIP lookup is done when the external interface ('extintf') is configured in the VIP configuration.
Scope: FortiGate.
Solution

Setup:

VIP configuration:

Core # show firewall vip
config firewall vip
    edit "VPN-1" ------------------------------------------> VIP ID 1.
        set uuid ea6e0a28-a31c-51ef-b7c2-6a42a7a068df
        set extip 193.1.1.1
        set mappedip "10.51.8.125"
        set extintf "Tunnel-2"
        set arp-reply disable
    next
    edit "VPN-2" -------------------------------------------> VIP ID 2.
        set uuid 4489bd26-a31e-51ef-365b-947e4f17e748
        set extip 193.1.1.1
        set mappedip "10.53.8.125"
        set extintf "Tunnel-1"
        set arp-reply disable
    next
end

When traffic is received from the tunnel interface 'Tunnel-1', it matches 'VPN-1' instead of 'VPN-2'.

Core # 2024-11-15 19:30:56 id=65308 trace_id=26 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.10.1.1:4->193.1.1.1:2048) tun_id=10.5.136.2 from Tunnel-1. type=8, code=0, id=4, seq=0."
2024-11-15 19:30:56 id=65308 trace_id=26 func=init_ip_session_common line=6047 msg="allocate a new session-00114ab1"
2024-11-15 19:30:56 id=65308 trace_id=26 func=iprope_dnat_check line=5281 msg="in-[Tunnel-1], out-[]"
2024-11-15 19:30:56 id=65308 trace_id=26 func=iprope_dnat_tree_check line=824 msg="len=2"
2024-11-15 19:30:56 id=65308 trace_id=26 func=__iprope_check_one_dnat_policy line=5146 msg="checking gnum-100000 policy-1"
2024-11-15 19:30:56 id=65308 trace_id=26 func=get_new_addr line=1213 msg="find DNAT: IP-10.51.8.125, port-0(fixed port)"
2024-11-15 19:30:56 id=65308 trace_id=26 func=__iprope_check_one_dnat_policy line=5236 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000008"
2024-11-15 19:30:56 id=65308 trace_id=26 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000008, vid-1, ret-matched, act-accept, flag-00000104"
2024-11-15 19:30:56 id=65308 trace_id=26 func=fw_pre_route_handler line=184 msg="VIP-10.51.8.125:4, outdev-unknown"
2024-11-15 19:30:56 id=65308 trace_id=26 func=__ip_session_run_tuple line=3455 msg="DNAT 193.1.1.1:8->10.51.8.125:4"

Reason behind 'VPN-1' VIP matching:

'extintf' is intended as a WebGUI convenience, not an enforcement control. With this setting, the VIP is offered for selection in the WebGUI only when the policy's source interface is the one set as 'extintf' (WAN1, for example). 'extintf' does not bind the VIP to that interface, so the VIPs shown in the example above accept connections from every interface.

Solution:

To control which interface is used for DNAT translation, set 'srcintf-filter' under the VIP configuration. With it in place, the VIP accepts connections only from the interfaces listed under 'srcintf-filter'.

Updated VIP config:

config firewall vip
    edit "VPN-1" ------------------------------------------> VIP ID 1.
        set uuid ea6e0a28-a31c-51ef-b7c2-6a42a7a068df
        set extip 193.1.1.1
        set mappedip "10.51.8.125"
        set extintf "Tunnel-2"
        set arp-reply disable
        set srcintf-filter "Tunnel-2"
    next
    edit "VPN-2" -------------------------------------------> VIP ID 2.
        set uuid 4489bd26-a31e-51ef-365b-947e4f17e748
        set extip 193.1.1.1
        set mappedip "10.53.8.125"
        set extintf "Tunnel-1"
        set arp-reply disable
        set srcintf-filter "Tunnel-1"
    next
end

Debug logs:

Core # 2024-11-20 18:43:47 id=65308 trace_id=41 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.10.1.1:7->193.1.1.1:2048) tun_id=10.5.136.2 from Tunnel-1. type=8, code=0, id=7, seq=0."
2024-11-20 18:43:47 id=65308 trace_id=41 func=init_ip_session_common line=6047 msg="allocate a new session-00bb5a50"
2024-11-20 18:43:47 id=65308 trace_id=41 func=iprope_dnat_check line=5281 msg="in-[Tunnel-1], out-[]"
2024-11-20 18:43:47 id=65308 trace_id=41 func=iprope_dnat_tree_check line=824 msg="len=2"
2024-11-20 18:43:47 id=65308 trace_id=41 func=__iprope_check_one_dnat_policy line=5146 msg="checking gnum-100000 policy-1"
2024-11-20 18:43:47 id=65308 trace_id=41 func=__iprope_check_one_dnat_policy line=5146 msg="checking gnum-100000 policy-2"
2024-11-20 18:43:47 id=65308 trace_id=41 func=get_new_addr line=1213 msg="find DNAT: IP-10.53.8.125, port-0(fixed port)"
2024-11-20 18:43:47 id=65308 trace_id=41 func=__iprope_check_one_dnat_policy line=5236 msg="matched policy-2, act=accept, vip=2, flag=104, sflag=2000008"
2024-11-20 18:43:47 id=65308 trace_id=41 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000008, vid-2, ret-matched, act-accept, flag-00000104"
2024-11-20 18:43:47 id=65308 trace_id=41 func=fw_pre_route_handler line=184 msg="VIP-10.53.8.125:7, outdev-unknown"
2024-11-20 18:43:47 id=65308 trace_id=41 func=__ip_session_run_tuple line=3455 msg="DNAT 193.1.1.1:8->10.53.8.125:7"
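The two checks a practitioner would want from the behaviour described above, as an added example that is not part of the article or of FortiOS: an audit of 'show firewall vip' output for VIPs that rely on 'extintf' alone (and therefore answer on every interface), and a check of 'diagnose debug flow' output that maps the DNAT target back to its VIP and compares the ingress interface with the intended one. Both inputs are constructed excerpts of the article's own output; the function names are assumptions.

```python
import re

# Constructed excerpt of the article's 'show firewall vip' output,
# before 'srcintf-filter' was added.
VIP_CONFIG = """\
config firewall vip
    edit "VPN-1"
        set extip 193.1.1.1
        set mappedip "10.51.8.125"
        set extintf "Tunnel-2"
    next
    edit "VPN-2"
        set extip 193.1.1.1
        set mappedip "10.53.8.125"
        set extintf "Tunnel-1"
    next
end
"""

# Constructed excerpt of the flow trace for a packet arriving on Tunnel-1.
FLOW_TRACE = """\
func=iprope_dnat_check line=5281 msg="in-[Tunnel-1], out-[]"
func=__iprope_check_one_dnat_policy line=5236 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000008"
func=__ip_session_run_tuple line=3455 msg="DNAT 193.1.1.1:8->10.51.8.125:4"
"""

def parse_vips(text):
    """Return {vip_name: {'mappedip': ..., 'extintf': ..., 'srcintf-filter': ...}}."""
    vips, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('edit '):
            cur = line.split(None, 1)[1].strip('"')
            vips[cur] = {}
        elif cur and line.startswith('set '):
            key, _, val = line[4:].partition(' ')
            vips[cur][key] = val.strip('"')
        elif line == 'next':
            cur = None
    return vips

def audit_vips(vips):
    """VIPs with 'extintf' but no 'srcintf-filter' are not bound to any interface."""
    return sorted(n for n, v in vips.items()
                  if 'extintf' in v and 'srcintf-filter' not in v)

def check_trace(vips, trace):
    """Resolve the DNAT target to its VIP; True if it arrived on that VIP's extintf."""
    ingress = re.search(r'msg="in-\[([^\]]*)\]', trace).group(1)
    mapped = re.search(r'DNAT \S+->([\d.]+):', trace).group(1)
    name = next(n for n, v in vips.items() if v.get('mappedip') == mapped)
    return ingress, name, vips[name].get('extintf') == ingress
```

Running check_trace on the article's first trace reports ('Tunnel-1', 'VPN-1', False), which is exactly the mismatch the article describes; after 'srcintf-filter' is added, audit_vips returns an empty list.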