Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gerry
New Contributor

VIP Issue

Hi (edit: 4.0 MR3 on a 200b) I'm setting up a VIP for an internal server to allow it to serve http traffic. We already have another server doing the same and it's working fine. I cannot get the new server to work. I've created the same rules, placed them side by side in order beside the working rule, but it will not work. Once the policy rule for WAN - WebServer is enabled it even breaks outgoing traffic for the webserver. If I disable the WAN - WebServer policy the outgoing traffic works again. I can get no WAN - WebServer traffic working. We have a range of 4 public IPs so the one I'm using for the WebServer is dedicated. I did a show for the config and the rules for the new Webserver and the existing working Webserver are the same (minus the slight IP address differences). Any ideas where I can look? Some of the config is below:
 config firewall vip
     edit "WorkingServer"
         set extip ##.###.##.#2
         set extintf "port12"
         set mappedip ###.##.##.100
     next
     edit "NewServer"
         set extip ##.###.##.#3
         set extintf "port12"
         set mappedip ###.##.##.160
     next
 end

 config firewall policy
     edit ##
         set srcintf "WAN"
         set dstintf "LAN"
         set srcaddr "all"
         set dstaddr "WorkingServer"
         set action accept
         set schedule "always"
         set service "HTTP" "HTTPS"
         set logtraffic enable
     next
     edit ##
         set srcintf "WAN"
         set dstintf "LAN"
         set srcaddr "all"
         set dstaddr "NewServer"
         set action accept
         set schedule "always"
         set service "HTTP" "HTTPS"
         set logtraffic enable
     next
 end

Many thanks gR
ede_pfau
SuperUser

So, following your argumentation, it is the external IP address that makes the difference between working and not working. Could you please post the external address, with the first 3 bytes obscured, plus the netmask? What is the public IP address of the FGT's WAN port? What kind of admin access do you have enabled on the WAN port - HTTP, HTTPS, SSH, ...?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

Does the "newserver" IP address coincide with the address that all the users are browsing with? Never mind that question... cross post. Perhaps you will need to employ an IP Pool on that server's outgoing traffic policy so that the VIP address on the incoming traffic matches the outgoing traffic IP address... By the way,
 config firewall vip
     edit "WorkingServer"
         set extip ##.###.##.#2
         set extintf "port12"
         set mappedip ###.##.##.100
     next
     edit "NewServer"
         set extip ##.###.##.#3
         set extintf "port12"
         set mappedip ###.##.##.160
     next
 end
Those ending digits don't match:
 Working Webserver IP - ##.###.###.91/29
 New Webserver IP - ##.###.###.92/29


Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Gerry
New Contributor

Hi Ede, thanks for the reply.
- The WAN to Webserver never works to the new server.
- For some strange reason, when the new WAN to Webserver firewall policy is enabled it breaks the Webserver to WAN traffic; if I disable that rule the Webserver to WAN traffic works again.
- The Webserver to WAN traffic falls under an existing LAN to WAN rule, although I have also tried creating a specific Webserver to WAN rule but it makes no difference.
WAN Settings - ##.###.###.88/29
Fortigate WAN IP - ##.###.###.90/29
Working Webserver IP - ##.###.###.91/29
New Webserver IP - ##.###.###.93/29
HTTPS and SSH admin access on the WAN
Edit - Updated NewServer WAN IP to correct value
Thanks Gerry
Andre_Backs

Hi Gerry, I could be mistaken but I think your WAN Settings put that address on the subnet boundary, i.e. the subnet address. Have you tried to put it on x.x.x.89/29 to see what it does?

ABB@ProBiblio Fortigate 200D (slave master)

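Added example, not from the thread or from any Fortinet tool: a small Python check of the addresses Gerry lists against the /29 WAN subnet, to make Andre's subnet-boundary point concrete. The page obscures the first three octets, so the constructed documentation prefix 203.0.113.x stands in for them.

```python
# Added example (not from the forum thread): validate FortiGate VIP external
# addresses against the WAN interface's /29. Flags the network and broadcast
# addresses (unusable for a VIP or an interface) and collisions with the
# firewall's own WAN IP. 203.0.113.x is a constructed stand-in prefix.
import ipaddress

# Constructed from the thread's values: "WAN Settings .88/29", FGT .90,
# working VIP .91, new VIP .93, plus .92 (the address that never worked).
THREAD_SAMPLE = {
    "wan_setting": "203.0.113.88/29",
    "fgt_ip": "203.0.113.90",
    "vips": {
        "WorkingServer": "203.0.113.91",
        "NewServer": "203.0.113.93",
        "OldAttempt": "203.0.113.92",
    },
}


def check_wan_layout(wan_setting, fgt_ip, vip_extips):
    """Return subnet facts plus a per-VIP list of address problems."""
    iface = ipaddress.ip_interface(wan_setting)
    net = iface.network
    fgt = ipaddress.ip_address(fgt_ip)
    result = {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
        # True when the configured interface address is the subnet address
        # itself, i.e. the boundary mistake Andre_Backs asks about.
        "wan_setting_is_network_address": iface.ip == net.network_address,
        "problems": {},
    }
    for name, ext in vip_extips.items():
        addr = ipaddress.ip_address(ext)
        issues = []
        if addr not in net:
            issues.append("outside WAN subnet")
        elif addr == net.network_address:
            issues.append("is the network address")
        elif addr == net.broadcast_address:
            issues.append("is the broadcast address")
        if addr == fgt:
            issues.append("collides with FGT WAN IP")
        if issues:
            result["problems"][name] = issues
    return result


if __name__ == "__main__":
    print(check_wan_layout(THREAD_SAMPLE["wan_setting"],
                           THREAD_SAMPLE["fgt_ip"], THREAD_SAMPLE["vips"]))
```

With the thread's values, .88/29 is indeed the network address of the block .88-.95, while .91, .92 and .93 are all ordinary usable hosts, so the subnet arithmetic alone does not explain why .92 never worked.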
ede_pfau
SuperUser

Close reading, Bob! BTW: if a VIP is in place, reply traffic from the internal host will automatically be source NATted to the external address. And even traffic originating from the internal server will be source NATted to its external address due to the VIP mapping. A VIP is much more than e.g. an IP pool. From the address settings, no clue. Double check the address masks in the interface settings. I am assuming you can ping the internal server from the FGT's CLI (when VIP not defined). If all that won't help we'll have to dig a bit deeper (in the CLI):
 diag deb ena
 diag sniffer packet any 'icmp and host x.x.x.160' 4 0 a
 diag sniffer packet any 'icmp and host y.y.y.92' 4 0 a
(just learned about the 'a' option - current absolute time stamp). Then of course, ping the external WAN IP.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

ORIGINAL: ede_pfau BTW: if a VIP is in place, reply traffic from the internal host will automatically be source NATted to the external address. And even traffic originating from the internal server will be source NATted to its external address due to the VIP mapping. A VIP is much more than e.g. an IP pool.
I thought so as well, but I figured overkill couldn't hurt. At least for a test...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Gerry
New Contributor

Hi, I can ping the Newserver's internal, external and FQDN from a Fortigate SSH session and it replies. When I enabled the logging and tried pinging the Newserver WAN IP from an external source, nothing was logged. Just for some historic info, we had a different server and service open to the internet in the past using this WAN IP. That was months ago though and all related entries for that were removed. Thanks for the help, not sure where to go from here! gR
rwpatterson
Valued Contributor III

Are you sure that your ISP is still pointing that traffic your way? I know you're paying for it, but I would contact them to verify.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Gerry
New Contributor

Fairly sure. A long time ago when I was setting up a VIP I was trying to use ##.###.###.92 and I could not for the life of me get it working; I had the same issues I'm having now. That time I contacted the ISP and they ran their tests and told me it was all set up fine at their end, and when I set a laptop with that IP and connected direct to the line it worked. For some reason that time I tried the next number ##.###.###.93 and it just worked. This is the number I'm trying to use now; we decommissioned the previous server mentioned above some time ago. Thanks for the suggestion gR
PS - I've opened a case with Fortinet so will see what they come back with.