sjhwang
Staff
Article Id 190648

Description
Background:
Incoming traffic that matches a firewall VIP is subject to destination NAT (DNAT). In this scenario, the routing lookup and the firewall policy lookup are executed after the destination NAT has already been applied.

For information on the order in which inspection is car
http://docs.fortinet.com/uploaded/files/2019/fortigate-firewall-52.pdf
How Packets are handled by FortiOS

Implication for Port-forwarding VIPs:
If the VIP modifies the destination port (as in the case of a port-forwarding VIP), it is the mapped port (mappedport), not the external port (extport), that needs to be allowed by the service in the firewall policy.
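The following is an added example, not FortiOS code or part of the original article. It is a small Python model of the order of operations described above (VIP DNAT first, then policy lookup on the translated tuple), using the VIP and policy values from the configuration below. The Vip, Policy and Packet classes and the process() function are assumptions of this model; real FortiOS matches a VIP referenced as dstaddr on the VIP object rather than on a plain IP, but the effect on the service port check is the same.

```python
# Added example (not FortiOS code): model of FortiOS processing for traffic that
# hits a port-forwarding VIP. DNAT is applied before the policy lookup, so the
# policy's service is evaluated against mappedport, not extport.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vip:
    extip: str
    extport: int
    mappedip: str
    mappedport: int


@dataclass(frozen=True)
class Policy:
    id: int
    dstaddr: Vip             # the VIP object referenced as dstaddr
    tcp_portrange: frozenset  # ports allowed by the policy's custom service


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def apply_dnat(pkt: Packet, vips) -> Packet:
    """Return the packet after VIP DNAT (unchanged if no VIP matches)."""
    for v in vips:
        if pkt.dst == v.extip and pkt.dport == v.extport:
            return Packet(pkt.src, pkt.sport, v.mappedip, v.mappedport)
    return pkt


def policy_lookup(pkt: Packet, policies):
    """Match policies against the post-DNAT tuple; return the policy id or None."""
    for p in policies:
        if pkt.dst == p.dstaddr.mappedip and pkt.dport in p.tcp_portrange:
            return p.id
    return None


def process(pkt: Packet, vips, policies):
    """DNAT first, then policy lookup, mirroring the order in the debug flow."""
    translated = apply_dnat(pkt, vips)
    return policy_lookup(translated, policies)


# Values taken from the configuration in this article.
VIP = Vip("45.45.45.100", 80, "10.130.209.4", 5080)
CLIENT_SYN = Packet("45.45.45.158", 4457, "45.45.45.100", 80)

# Correct: the service allows the mapped port (tcp-portrange 5080).
POLICY_OK = [Policy(8, VIP, frozenset({5080}))]
# Common mistake: the service allows the external port instead.
POLICY_WRONG = [Policy(8, VIP, frozenset({80}))]

if __name__ == "__main__":
    print("service 5080:", process(CLIENT_SYN, [VIP], POLICY_OK))     # 8
    print("service 80:  ", process(CLIENT_SYN, [VIP], POLICY_WRONG))  # None
```

Running the block shows that the same client SYN to 45.45.45.100:80 is allowed by policy 8 only when the service contains 5080; a service built around the external port 80 never matches, because by the time the policy is consulted the destination port is already 5080.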


Solution
[Topology or network layout]

PC(.158)---45.45.45.0/24----(.252)internal-FGT60C-wan1(.108) --10.130.209.0/24---(.4) Server

[Configuration]

FGT60C3G12010757 #
config firewall vip
edit "ticket-1221355"
set extip 45.45.45.100
set extintf "any"
set portforward enable
set mappedip "10.130.209.4"
set extport 80
set mappedport 5080
next
end

config firewall policy
edit 8
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "ticket-1221355"
set action accept
set schedule "always"
set service "ticket-1221355"
set comments "ticket-1221355"
set nat enable
next
end

FGT60C3G12010757 # show firewall service custom ticket-1221355
config firewall service custom
edit "ticket-1221355"
set tcp-portrange 5080
next
end

[Output of debug flow illustrating behavior]

FGT60C3G12010757 # 2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"  ----> Destination-NAT
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1" ----> Routing
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT" -----> Policy Lookup
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=56 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [.], seq 1244579275, ack 3874100923, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=56 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=57 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [F.], seq 1244579351, ack 3874101223, win 63940"
2014-10-07 15:29:01 id=20085 trace_id=57 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ipv4_fast_cb line=50 msg="enter fast path"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5501 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5489 msg="SNAT 45.45.45.158->10.130.209.108:64873"
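To make the order of operations checkable from the trace itself, here is an added example (not part of the original article and not a Fortinet tool) that parses the diagnose debug flow lines for trace_id=55 above and recovers the DNAT target, the sequence of stages, and the allowing policy id. The regular expressions and the stage names "dnat", "route", "policy" and "snat" are this example's own assumptions about the line format shown on the page.

```python
# Added example (not Fortinet code): parse FortiOS "diagnose debug flow" output
# and confirm that DNAT happens before the route and policy lookups.
import re

# Lines for trace_id=55, copied from the debug flow output in this article
# (CLI prompt and trailing arrows removed).
TRACE = """\
2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>[^"]*)"')
# SNAT lines carry no source port, so the port groups are optional.
NAT_RE = re.compile(r'^(?P<kind>[DS]NAT) (?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<id>\d+)')


def parse(text):
    """Return a list of (trace_id, func, msg) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((int(m["trace"]), m["func"], m["msg"]))
    return events


def stage_order(events, trace_id):
    """Sequence of recognised processing stages for one trace_id."""
    order = []
    for t, func, msg in events:
        if t != trace_id:
            continue
        if msg.startswith("DNAT"):
            order.append("dnat")
        elif func == "vf_ip4_route_input":
            order.append("route")
        elif func == "fw_forward_handler":
            order.append("policy")
        elif msg.startswith("SNAT"):
            order.append("snat")
    return order


def dnat_target(events, trace_id):
    """(mappedip, mappedport) written into the session by the VIP, or None."""
    for t, _func, msg in events:
        if t == trace_id and msg.startswith("DNAT"):
            m = NAT_RE.match(msg)
            return m["dst"], int(m["dport"])
    return None


def allowing_policy(events, trace_id):
    """Policy id that accepted the session, or None if no policy line is present."""
    for t, func, msg in events:
        if t == trace_id and func == "fw_forward_handler":
            m = POLICY_RE.search(msg)
            if m:
                return int(m["id"])
    return None


def dnat_precedes_policy(events, trace_id):
    """True when DNAT was applied before the policy lookup for this trace."""
    order = stage_order(events, trace_id)
    return "dnat" in order and "policy" in order and order.index("dnat") < order.index("policy")


if __name__ == "__main__":
    ev = parse(TRACE)
    print(stage_order(ev, 55))          # ['dnat', 'route', 'policy', 'snat']
    print(dnat_target(ev, 55))          # ('10.130.209.4', 5080)
    print(allowing_policy(ev, 55))      # 8
    print(dnat_precedes_policy(ev, 55)) # True
```

The recovered stage order confirms the point of the article: the DNAT to 10.130.209.4:5080 is logged before the route lookup and before "Allowed by Policy-8", so the policy's service (tcp-portrange 5080) is what the lookup was matched against.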