Description
Background:
Incoming traffic that matches a firewall VIP is subject to destination NAT (DNAT). In this case the routing lookup and the firewall policy lookup are executed after destination NAT has been performed, so both operate on the translated destination address and port, not on the address and port the client sent to.
For the full order in which inspection is carried out, see the section "How Packets are handled by FortiOS" in the FortiOS 5.2 Firewall Handbook:
http://docs.fortinet.com/uploaded/files/2019/fortigate-firewall-52.pdf
Implication for port-forwarding VIPs:
If the VIP rewrites the destination port (a port-forwarding VIP whose extport differs from its mappedport), the service object on the firewall policy must allow the mappedport, not the extport. A policy whose service only matches the extport (for example HTTP for extport 80) is evaluated against the already-translated packet, does not match, and the traffic is dropped by the implicit deny even though the VIP itself is correct.
Solution
[Topology or network layout]
PC(.158)---45.45.45.0/24----(.252)internal-FGT60C-wan1(.108)---10.130.209.0/24---(.4)Server
The PC connects to the VIP address 45.45.45.100 on TCP port 80; the FortiGate translates the destination to 10.130.209.4:5080 and forwards the packet out wan1.
[Configuration]
FGT60C3G12010757 #
config firewall vip
    edit "ticket-1221355"
        set extip 45.45.45.100
        set extintf "any"
        set portforward enable
        set mappedip "10.130.209.4"
        set extport 80
        set mappedport 5080
    next
end
config firewall policy
    edit 8
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ticket-1221355"
        set action accept
        set schedule "always"
        set service "ticket-1221355"
        set comments "ticket-1221355"
        set nat enable
    next
end
FGT60C3G12010757 # show firewall service custom ticket-1221355
config firewall service custom
    edit "ticket-1221355"
        set tcp-portrange 5080
    next
end
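The check described in the Background section can be automated against a saved configuration. The following is an added example (not Fortinet code, and not part of this article): a small Python script that parses the VIP, custom-service and policy tables from FortiOS CLI output and flags every policy whose dstaddr is a port-forwarding VIP but whose service covers only the extport. The embedded config is constructed for the example: the VIP, the service and policy 8 are the ones from this article, while service "http-ext-only" and policy 9 are added to show the wrong form. The PREDEFINED_TCP table (ports for the built-in ALL and HTTP services) is an assumption supplied for services that a custom-service listing does not print.

```python
"""Lint FortiOS firewall policies that front port-forwarding VIPs.

Added example, not Fortinet code. FortiOS performs DNAT before the policy
lookup, so a policy whose dstaddr is a port-forwarding VIP must allow the
VIP's mappedport, not its extport. The parser covers the flat
config/edit/set/next/end structure used in this article."""
import shlex

# Constructed sample: VIP, service "ticket-1221355" and policy 8 are from the
# article; service "http-ext-only" and policy 9 are added as the wrong form.
SAMPLE_CONFIG = """
config firewall vip
    edit "ticket-1221355"
        set extip 45.45.45.100
        set extintf "any"
        set portforward enable
        set mappedip "10.130.209.4"
        set extport 80
        set mappedport 5080
    next
end
config firewall service custom
    edit "ticket-1221355"
        set tcp-portrange 5080
    next
    edit "http-ext-only"
        set tcp-portrange 80
    next
end
config firewall policy
    edit 8
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ticket-1221355"
        set action accept
        set schedule "always"
        set service "ticket-1221355"
        set nat enable
    next
    edit 9
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "ticket-1221355"
        set action accept
        set schedule "always"
        set service "http-ext-only"
        set nat enable
    next
end
"""

# Assumed TCP ranges for two predefined services that are not printed by
# "show firewall service custom <name>" when only custom objects are listed.
PREDEFINED_TCP = {"ALL": [(1, 65535)], "HTTP": [(80, 80)]}


def parse_fortios(text):
    """Return {table: {entry: {attribute: [values]}}} for top-level tables.
    Sub-tables nested inside an entry are skipped, not parsed."""
    tables, table, entry, depth = {}, None, None, 0
    for raw in text.splitlines():
        tok = shlex.split(raw)          # honours the quoted names
        if not tok:
            continue
        kw = tok[0]
        if kw == "config":
            if table is None:
                table = " ".join(tok[1:])
                tables.setdefault(table, {})
            else:
                depth += 1              # nested table: ignore its contents
        elif kw == "end":
            if depth:
                depth -= 1
            else:
                table = None
        elif depth:
            continue
        elif kw == "edit" and table is not None:
            entry = tables[table].setdefault(tok[1], {})
        elif kw == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif kw == "next":
            entry = None
    return tables


def tcp_ranges(values):
    """'5080', '80-443' and the 'dst:src' form -> list of (lo, hi) on dst."""
    out = []
    for v in values:
        lo, _, hi = v.split(":")[0].partition("-")
        out.append((int(lo), int(hi or lo)))
    return out


def service_tcp_ranges(services, name):
    if name in services:
        return tcp_ranges(services[name].get("tcp-portrange", []))
    return PREDEFINED_TCP.get(name, [])


def covers(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def check_vip_policies(tables):
    """Return (policy_id, vip, service, verdict) for policies on port-forward VIPs."""
    vips = tables.get("firewall vip", {})
    services = tables.get("firewall service custom", {})
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        for vip_name in pol.get("dstaddr", []):
            vip = vips.get(vip_name)
            if not vip or vip.get("portforward", ["disable"])[0] != "enable":
                continue                # not a VIP, or a 1:1 VIP with no port rewrite
            # A port range on the VIP is reduced to its first port here.
            mapped = int(vip["mappedport"][0].split("-")[0])
            ext = int(vip["extport"][0].split("-")[0])
            for svc in pol.get("service", []):
                ranges = service_tcp_ranges(services, svc)
                if covers(ranges, mapped):
                    verdict = "ok"
                elif covers(ranges, ext):
                    verdict = (f"matches extport {ext} only; policy lookup is "
                               f"post-DNAT, allow mappedport {mapped}")
                else:
                    verdict = f"allows neither extport {ext} nor mappedport {mapped}"
                findings.append((pid, vip_name, svc, verdict))
    return findings


if __name__ == "__main__":
    for f in check_vip_policies(parse_fortios(SAMPLE_CONFIG)):
        print("policy %s dstaddr %s service %s: %s" % f)
```

Run against a full "show full-configuration" dump the same way; policy 9 is reported because its service matches the pre-DNAT port 80 only, while policy 8 passes because its service covers the mapped port 5080.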
[Output of debug flow illustrating behavior]
Only the first packet of the session (trace_id=55) goes through destination NAT, the routing lookup and the policy lookup, in that order; the later packets (trace_id=56 and 57) match the existing session and simply re-apply the stored DNAT and SNAT tuples.
FGT60C3G12010757 #
2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080" ----> Destination NAT
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1" ----> Routing
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT" ----> Policy lookup
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=56 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [.], seq 1244579275, ack 3874100923, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=56 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=56 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
2014-10-07 15:29:01 id=20085 trace_id=57 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [F.], seq 1244579351, ack 3874101223, win 63940"
2014-10-07 15:29:01 id=20085 trace_id=57 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-0000a77c, original direction"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ipv4_fast_cb line=50 msg="enter fast path"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5501 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=57 func=ip_session_run_all_tuple line=5489 msg="SNAT 45.45.45.158->10.130.209.108:64873"
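The same ordering can be confirmed on any FortiGate by reading its own debug flow output rather than by trusting the documentation. The following is an added example (not Fortinet code, and not part of this article): a Python script that groups "diagnose debug flow" lines by trace_id, records the order in which the DNAT, routing and policy steps appear, and extracts the post-DNAT destination port and post-route egress interface, which are the values the policy is actually matched against. The embedded sample is the trace_id=55 lines from this article joined back onto one line each; the "Denied by forward policy check (policy N)" alternative in the policy regex is an assumption about the deny form of that message and is not shown on this page.

```python
"""Recover DNAT / route / policy ordering from FortiOS debug flow output.

Added example, not Fortinet code. Given the per-packet trace lines, it
reports whether the policy lookup ran after DNAT and, if so, which
destination port the policy service must allow."""
import re

# Sample input: the trace_id=55 lines from the article, one event per line.
SAMPLE_TRACE = """\
2014-10-07 15:29:01 id=20085 trace_id=55 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=6, 45.45.45.158:4457->45.45.45.100:80) from internal. flag [S], seq 1244579274, ack 0, win 64240"
2014-10-07 15:29:01 id=20085 trace_id=55 func=init_ip_session_common line=4517 msg="allocate a new session-0000a77c"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_pre_route_handler line=174 msg="VIP-10.130.209.4:5080, outdev-internal"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2532 msg="DNAT 45.45.45.100:80->10.130.209.4:5080"
2014-10-07 15:29:01 id=20085 trace_id=55 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.130.209.4 via wan1"
2014-10-07 15:29:01 id=20085 trace_id=55 func=fw_forward_handler line=671 msg="Allowed by Policy-8: SNAT"
2014-10-07 15:29:01 id=20085 trace_id=55 func=__ip_session_run_tuple line=2518 msg="SNAT 45.45.45.158->10.130.209.108:64873"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r"proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) from (\S+)\.")
DNAT_RE = re.compile(r"^DNAT (\S+):(\d+)->(\S+):(\d+)$")
ROUTE_RE = re.compile(r"via (\S+)")
# "Allowed by Policy-N" is the form on the page; the "Denied by forward policy
# check (policy N)" alternative is an assumption about the deny message.
POLICY_RE = re.compile(
    r"^(?:Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\))")


def parse_trace(text):
    """Group debug-flow lines by trace_id, preserving order: {tid: [(func, msg)]}."""
    per_packet = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_packet.setdefault(m["tid"], []).append((m["func"], m["msg"]))
    return per_packet


def summarize(events):
    """Extract handler order plus the values the policy is matched against:
    the post-DNAT destination and the post-route egress interface."""
    s = {"order": [], "orig_dst": None, "dnat_dst": None, "egress": None,
         "policy": None, "allowed": None}
    for func, msg in events:
        if func == "print_pkt_detail":
            m = PKT_RE.search(msg)
            if m:
                s["orig_dst"] = (m.group(4), int(m.group(5)))
        elif (m := DNAT_RE.match(msg)):
            s["order"].append("dnat")
            s["dnat_dst"] = (m.group(3), int(m.group(4)))
        elif func == "vf_ip4_route_input":
            s["order"].append("route")
            m = ROUTE_RE.search(msg)
            s["egress"] = m.group(1) if m else None
        elif (m := POLICY_RE.match(msg)):
            s["order"].append("policy")
            s["allowed"] = m.group(1) is not None
            s["policy"] = int(m.group(1) or m.group(2))
    return s


def policy_sees_post_dnat(summary):
    """True when DNAT ran before the policy lookup, i.e. the policy service
    has to cover summary['dnat_dst'][1] rather than the original port."""
    order = summary["order"]
    return ("dnat" in order and "policy" in order
            and order.index("dnat") < order.index("policy"))


if __name__ == "__main__":
    for tid, events in parse_trace(SAMPLE_TRACE).items():
        s = summarize(events)
        port = s["dnat_dst"][1] if policy_sees_post_dnat(s) else s["orig_dst"][1]
        print(f"trace {tid}: order={s['order']} policy={s['policy']} "
              f"allowed={s['allowed']} service must cover dst port {port} via {s['egress']}")
```

For the article's trace the script reports order dnat, route, policy and a required destination port of 5080 on wan1, which is exactly what policy 8 and the custom service above allow.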