- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: PAT via VIP occurring without policy match
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PAT via VIP occurring without policy match
Fortigate 5.4.5 needs to PAT (or not) based on source IP address.
host-1.1.1.1 needs to connect to 10.0.49.1 port 22 and be pushed through as is to 10.0.49.1 port 22 host-2.2.2.2 needs to connect to 10.0.49.1 port 22 but be PATed so that the connection forwards to 10.0.49.1 port 2222
So we have; config firewall policy edit 1 set srcintf "any" set dstintf "any" set srcaddr "host-1.1.1.1" set dstaddr "h-10.0.49.1" set action accept set service "ssh" set logtraffic all next edit 2 set srcintf "any" set dstintf "any" set srcaddr "host-2.2.2.2" set dstaddr "vip-10.0.49.1-tcp2222" set action accept set service "tcp2222" set logtraffic all next
and the vip is config firewall vip edit "vip-10.0.49.1-tcp2222" set extip 10.0.49.1 set extintf "any" set arp-reply disable set portforward enable set mappedip "10.0.49.1" set extport 22 set mappedport 2222 next
With this configuration, when h-1.1.1.1 attempts its connect to 10.0.49.1, it fails;
id=20085 trace_id=4 func=print_pkt_detail line=4903 msg="vd-blah received a packet(proto=6, 1.1.1.1:45721->10.120.49.1:22) from port11-97. flag , seq 3745010954, ack 0, win 5840"
id=20085 trace_id=4 func=init_ip_session_common line=5047 msg="allocate a new session-002bac70"
id=20085 trace_id=4 func=fw_pre_route_handler line=182 msg="VIP-10.0.49.1:2222, outdev-unkown"
id=20085 trace_id=4 func=__ip_session_run_tuple line=2894 msg="DNAT 10.0.49.1:22->10.0.49.1:2222"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-10.0.49.1 via port11-2105"
id=20085 trace_id=4 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)"
Coming from a checkpoint background, I expected that the connection attempt would be processed by policy 1 and passed through as is. Can anyone explain what's happening here?
I can get this to work by adding "set src-filter 2.2.2.2" to the VIP, but that seems hacky and will be difficult in the real world (there will be many entries, and its opaque) operationally.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Adam,
Wow, this makes my head hurt. I've never heard of a non-NAT port forward, ha. Thinking about how the firewall processes packets (see here: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-life-of-packet-54/lop-packet-flow-in...), Destination NAT happens before any routing or policies, so I think that's your why. I'm initially inclined to think there's no way around it, but I think there may be. You need to create another VIP for traffic from 1.1.1.1 instead of using a normal address object. "forward" port 22 to port 22 (why not, since you're forwarding the same IP to the same IP, ha) and see if that solves the issue.
Basically once you create a VIP, that object "owns" the IP address in the firewall unless you have more than one with different port forwarding. I actually ran into this when I was trying to prep for an IP change on a server and created the VIP for it's old (current) IP ahead of time. No policies were even pointing at it yet, but all of a sudden all traffic to the server was dropped. I deleted the object and was back in business.
Hope this helps! - Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Daniel. The concept of "owning" the ip makes sense and a colleague and I were speculating that might be how fortios is working. I tried configuring a new VIP as you suggest (see below) and using it for the dstaddr in policy 1, but it didnt help.
edit "vip-10.0.49.1-tcp22" set extip 10.0.49.1 set extintf "any" set arp-reply disable set portforward enable set mappedip "10.0.49.1" set extport 22 set mappedport 22 next
The debug message was pretty much identical to before, so it looks like the VIP that was created first still owns the IP. FWIW it looks like other flows to 10.0.49.1 were working, but i'll need to confirm that with the server team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I think a solution can be to set a source filter in the VIP configuration
edit "vip-10.0.49.1-tcp22"
set src-filter 2.2.2.2
next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I guess it goes back to the fact that destination NAT happens first. If I get a packet destined for a VIP on a given port, I need to translate it before I can determine where to send it (routing) and only then can I figure out whether it is allowed by policy (source IP comparison).
Seems the only workaround is to set that src-filter attribute. It does allow multiple entries including subnets and ranges, so it seems like you'll just need to update that field with any addresses you use in policy 2. (Use command append src-filter <address> to add more to the existing list.)
Or you could just configure whatever system is supposed to access port 2222 to *actually* access port 2222....but ya know. :)
Related Posts
- IPS and WAF security events are... 89 Views
- ZTNA not working. Help please. 59 Views
- IPSec client is blocked by implicit... 233 Views
- Automatically Ban Malicious Inbound IPs using... 111 Views
- FortiMangaer and FGT Hub migration issues... 58 Views
Labels
-
FortiGate
6,461 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
55 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.