Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum this December to earn your exclusive Holiday Badge! Become a member today.
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- When using Port-forwarding VIP, policy matches the...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
Background:
Incoming traffic matching a firewall VIP is considered destination NAT. In this scenario, Routing / Policy lookup is executed after destination NAT has been performed.
For information on the order in which inspection is car
http://docs.fortinet.com/uploaded/files/2019/fortigate-firewall-52.pdf
How Packets are handled by FortiOS
Implication for Port-forwarding VIPs:
If the VIP modifies the destination port (as in the case of a port-forwarding VIP), it is the mappedport which needs to be allowed on firewall policy.
Solution
[Topology or network layout]
PC(.158)---45.45.45.0/24----(.252)internal-FGT60C-wan1(.108) --10.130.209.0/24---(.4) Sever
[Configuration]
FGT60C3G12010757 #
config firewall vip
edit "ticket-1221355"
set extip 45.45.45.100
set extintf "any"
set portforward enable
set mappedip "10.130.209.4"
set extport 80
set mappedport 5080
next
end
config firewall policy
edit 8
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "ticket-1221355"
set action accept
set schedule "always"
set service "ticket-1221355"
set comments "ticket-1221355"
set nat enable
next
end
FGT60C3G12010757 # show firewall service custom ticket-1221355
config firewall service custom
edit "ticket-1221355"
set tcp-portrange 5080
next
end
[Output of debug flow illustrating behavior]
FGT60C3G12010757 # 2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080" ----> Destination-NAT
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1" ----> Routing
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT" -----> Policy Lookup
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=56 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [.], seq 1244579275, ack 3874100923, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=56 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=57 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [F.], seq 1244579351, ack 3874101223, win 63940"
2014-10-07 15:29:01 id=20085 trace_id=57 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ipv4_fast_cb line=50 msg="enter fast path"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5501 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5489 msg="SNAT 45.45.45.158->10.130.209.108:64873"
Background:
Incoming traffic matching a firewall VIP is considered destination NAT. In this scenario, Routing / Policy lookup is executed after destination NAT has been performed.
For information on the order in which inspection is car
http://docs.fortinet.com/uploaded/files/2019/fortigate-firewall-52.pdf
How Packets are handled by FortiOS
Implication for Port-forwarding VIPs:
If the VIP modifies the destination port (as in the case of a port-forwarding VIP), it is the mappedport which needs to be allowed on firewall policy.
Solution
[Topology or network layout]
PC(.158)---45.45.45.0/24----(.252)internal-FGT60C-wan1(.108) --10.130.209.0/24---(.4) Sever
[Configuration]
FGT60C3G12010757 #
config firewall vip
edit "ticket-1221355"
set extip 45.45.45.100
set extintf "any"
set portforward enable
set mappedip "10.130.209.4"
set extport 80
set mappedport 5080
next
end
config firewall policy
edit 8
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "ticket-1221355"
set action accept
set schedule "always"
set service "ticket-1221355"
set comments "ticket-1221355"
set nat enable
next
end
FGT60C3G12010757 # show firewall service custom ticket-1221355
config firewall service custom
edit "ticket-1221355"
set tcp-portrange 5080
next
end
[Output of debug flow illustrating behavior]
FGT60C3G12010757 # 2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080" ----> Destination-NAT
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1" ----> Routing
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT" -----> Policy Lookup
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=56 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [.], seq 1244579275, ack 3874100923, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=56 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=57 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [F.], seq 1244579351, ack 3874101223, win 63940"
2014-10-07 15:29:01 id=20085 trace_id=57 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ipv4_fast_cb line=50 msg="enter fast path"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5501 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5489 msg="SNAT 45.45.45.158->10.130.209.108:64873"
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.