I enabled 'set ip-forward' on my Fweb, but other protocols such as SSH or FTP don't pass through it.
Requests arrive at the vserver IP address, but they are not forwarded to the physical server. The physical and virtual servers have different IPs, but they are on the same subnet.
Can anyone explain this concept from the FortiWeb CLI reference to me better: "This example enables forwarding of non-HTTP/HTTPS traffic, based upon whether the IP address matches a route for the physical servers' subnet, and regardless of HTTP proxy pickup."
In this case, the source IP of the requests is on the same subnet as the physical server (by SNAT, contacting a VIP on the FG).
Humm... do you really need that setup?
Quoted from the admin guide:
Virtual servers can be on the same subnet as real web servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the web server 10.0.0.2.
However, this is not recommended. Unless your network's routing configuration prevents it, it could allow clients that are aware of the web server's IP address to bypass the FortiWeb appliance by accessing the real web server directly.
anru, as abelio hinted, if the pserver and vserver are on the same subnet, have you tried routing SSH and FTP directly to the destination -- NOT through FortiWeb via IP-based forwarding?
FortiWeb cannot scan SSH or FTP. So there is no point in routing these protocols through it if your topology does not require it. The purpose of 'set ip-forward enable' is for when FortiWeb's vserver is inline between the client and pserver. The vserver normally would only pick up and proxy HTTP/HTTPS, dropping all other protocols. This option is designed to use the static routing table to forward them instead of dropping them. But of course this assumes traffic is reaching that point. From your description, I can't tell if this is happening.
Do you have a little more info on where your FortiGate VIP is relative to the FortiWeb? Your case may not be appropriate for 'set ip-forward enable'. If the FortiGate VIP can port forward SSH/FTP directly to the pserver instead, and avoid FortiWeb for those protocols, you should do that instead.
Let me try to explain my configuration better:
- the client is on the web
- the VIP on the FG is a public IP address (e.g. 188.8.131.52)
- the FG has a private IP on the same subnet as the virtual server declared on the Fweb and the physical server (10.10.0.1/24)
- the vserver on the Fweb has a private IP address (10.10.0.2/24)
- the FG does a NAT from the VIP to the Fweb vserver address
- the physical server has an IP on the same subnet (10.10.0.3/24)
Connections on port 80 from the web through the VIP and the Fweb work fine.
Instead, to reach the physical server directly from the web on the SSH/FTP service, I have to use the VIP on the FG and NAT it to the private IP address of the physical server. But the FG doesn't permit using the same VIP with two different private IPs.
So, now, how can I directly contact my pserver?
I cannot use two different public IPs to solve the problem....
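The per-port forwarding approach suggested earlier in the thread, written out as an added illustration (not configuration posted by any participant here): FortiGate port-forwarding VIPs that share the one public address 188.8.131.52 but send port 80 to the FortiWeb vserver and ports 22/21 straight to the pserver, so 'set ip-forward' on the FortiWeb is not involved for SSH/FTP. The FortiOS CLI syntax, the interface names "wan1" and "internal", and the VIP/policy names are assumptions for this example.

```text
# Illustrative FortiOS CLI (assumed syntax); each VIP keeps the same external IP
# but forwards only one port, so the same public address reaches two private hosts.
config firewall vip
    edit "vip-http-to-fortiweb"
        set extip 188.8.131.52
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.0.2"
        set extport 80
        set mappedport 80
    next
    edit "vip-ssh-to-pserver"
        set extip 188.8.131.52
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.0.3"
        set extport 22
        set mappedport 22
    next
    edit "vip-ftp-to-pserver"
        set extip 188.8.131.52
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.0.3"
        set extport 21
        set mappedport 21
    next
end

# One inbound policy per VIP; "edit 0" lets FortiOS pick the next free policy ID
# (placeholder, adjust to your policy ordering). Services stay restricted to the
# single port each VIP forwards, so nothing else on the pserver is exposed.
config firewall policy
    edit 0
        set name "in-ssh-to-pserver"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-ssh-to-pserver"
        set action accept
        set schedule "always"
        set service "SSH"
    next
    edit 0
        set name "in-ftp-to-pserver"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-ftp-to-pserver"
        set action accept
        set schedule "always"
        set service "FTP"
    next
end
```

With this split the FortiWeb never sees SSH/FTP, which matches the point that it cannot inspect them anyway; FTP in passive mode needs the FortiGate's FTP session helper to track the data connection, so verify it is active before relying on this.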