Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danishm99
New Contributor

Unable to access virtual service on Fortigate firewall

I have followed all the steps as given in Fortinet article to create a virtual service for loadbalancing. But I am unable to access the virtual service IP from Internet or Outside. I see hits on virtual service but not on Firewall policy. I am using the same IP for virtual service as of Outside Interface IP. Hope that is allowed.

 

Please advise experts

3 REPLIES 3
AEK
Honored Contributor

Probably your policy is not correct.

Can we see policy configuration?

AEK
AEK
seshuganesh
Staff
Staff

Hi Team,

 

 

Please focus on the external interface configuration in firewall policy and virtual service, may it would not be same. 

Please check and if possible provide us screenshots.

 

nithincs
Staff
Staff

Hi,

Please do below test to identify the issue.

1. Please run the below command and see if the traffic is hitting the correct vip and policy.

dia de reset
dia de flow filter addr x.x.x.x >>> replace x.x.x.x with test user public ip
dia de flow trace start 10000
dia de en

When traffic hit the fortigate interface you will see the logs as below

oxygen-kvm42 # id=20085 trace_id=1 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 172.26.137.89:57243->10.5.23.171:8080) from port1. flag [S], seq 321468156, ack 0, win 64896" <<<<<<< This shows that traffic is hitting the fortigate
id=20085 trace_id=1 func=init_ip_session_common line=5898 msg="allocate a new session-005a714c"
id=20085 trace_id=1 func=fw_pre_route_handler line=181 msg="VIP-172.31.199.1:8080, outdev-port1" <<<<<<this shows which VIP is triggered
id=20085 trace_id=1 func=__ip_session_run_tuple line=3484 msg="DNAT 10.5.23.171:8080->172.31.199.1:8080"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-172.31.199.1 via port3"
id=20085 trace_id=1 func=fw_forward_handler line=799 msg="Allowed by Policy-3: SNAT" <<<<< Policy mathcing the traffic

 

If it is not hitting the policy configured, then please recheck the configuration.

Labels
Top Kudoed Authors