I have an issue with VIPs on my FortiGate.
I have a single public IP address. I need to configure two different VIPs with this one public IP address, each using different services and pointing to different internal IPs. I created the two VIPs and used them in two different firewall policies. However, the problem I'm facing is that all traffic is going through just one firewall policy (the one with the first VIP created), even though the client-initiated traffic does not match that firewall policy.
Example:
196.209.90.89:80 -> 172.16.0.1:80
196.209.90.89:443 -> 172.16.0.1:443
196.209.90.89:22 -> 192.168.1.1:22
196.209.90.89:25 -> 192.168.1.1:25
Can you help me resolve this issue?
Hi @coumbisskante ,
Can you please try mentioning the port mapping as below:
config firewall vip
edit <name>
set extport 22
set mappedport 22
next
end
- Try this for ports 80 and 443 as well in the VIP entries that you have.
Hi @coumbisskante.,
Your VIPs don't have port forwarding enabled? It should look like below:
config firewall vip
edit "WebServer_VIP"
set extip 196.209.90.89
set mappedip "172.16.0.1"
set extintf "any"
set portforward enable
set extport 80
set mappedport 80
next
end
Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...
Regards,
Hello @coumbisskante ,
Is the port 22 the one you think is not working? If you say yes, can you check your Fortigate SSH port and SSH access on the wan interface?
Also, can you share this command output with us? After entering these commands, you should try to access your service.
diagnose sniffer packet any 'host <Your_WAN_IP> and port 22' 4 a
Second console screen :
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter daddr <Your_WAN_IP>
diagnose debug flow filter dport 22
diagnose debug flow trace start 100
diagnose debug enable
Hi @ozkanaltas
No, the problem is not SSH only.
I can't send a capture of the configuration right now, but I will try to explain it well:
VIP CONFIGURATIONS:
- VIP 1
config firewall vip
edit "OTHER_TRAFIC"
set service "FTP" "DNS" "PING"
set extip 196.209.90.89
set extintf "any"
set mappedip "192.168.1.1"
next
end
- VIP 2
config firewall vip
edit "WebServer_VIP"
set service "HTTP" "HTTPS"
set extip 196.209.90.89
set extintf "any"
set mappedip "172.16.0.1"
next
end
FIREWALL POLICY CONFIGURATIONS:
- Firewall Policy 1
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "OTHER_TRAFIC"
set action accept
set schedule "always"
set service "FTP" "DNS" "PING"
set nat disable
next
end
- Firewall Policy 2
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "WebServer_VIP"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set nat disable
next
end
After running diagnostics, all HTTP/HTTPS traffic is being redirected to Policy 1, even though these services are not specified in that firewall policy's configuration. VIP 1 was the first one to be created.
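The replies above point at the same gap: the posted VIPs carry no port-forward settings, so each one claims the whole public address rather than its own ports. The following is an added example, not configuration from any post in this thread, showing the layout those replies describe, applied to the address list in the first post: one port-forwarded VIP per service on the shared public IP, the VIPs for each internal host collected in a VIP group, and two policies with distinct IDs that each accept only the services their group carries. The object names (VIP_*, VIPGRP_*), the policy names and the choice to bind the VIPs to the "WAN" interface instead of "any" are assumptions; the interface names "WAN" and "port1" are taken from the posted policies.

```fortios
# Added example (not from the thread). Assumed names: VIP_*, VIPGRP_*,
# policy names. 80/443 -> 172.16.0.1 and 22/25 -> 192.168.1.1 as in the
# first post. Each VIP claims only its own port on 196.209.90.89.
config firewall vip
    edit "VIP_HTTP"
        set extip 196.209.90.89
        set extintf "WAN"
        set portforward enable
        set mappedip "172.16.0.1"
        set extport 80
        set mappedport 80
    next
    edit "VIP_HTTPS"
        set extip 196.209.90.89
        set extintf "WAN"
        set portforward enable
        set mappedip "172.16.0.1"
        set extport 443
        set mappedport 443
    next
    edit "VIP_SSH"
        set extip 196.209.90.89
        set extintf "WAN"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 22
        set mappedport 22
    next
    edit "VIP_SMTP"
        set extip 196.209.90.89
        set extintf "WAN"
        set portforward enable
        set mappedip "192.168.1.1"
        set extport 25
        set mappedport 25
    next
end
# One group per internal host so each policy references a single object.
config firewall vipgrp
    edit "VIPGRP_WEB"
        set interface "WAN"
        set member "VIP_HTTP" "VIP_HTTPS"
    next
    edit "VIPGRP_MAIL_SSH"
        set interface "WAN"
        set member "VIP_SSH" "VIP_SMTP"
    next
end
# Distinct policy IDs; service lists stay as narrow as the VIP ports.
config firewall policy
    edit 1
        set name "Inbound_Web"
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIPGRP_WEB"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
    next
    edit 2
        set name "Inbound_Mail_SSH"
        set srcintf "WAN"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIPGRP_MAIL_SSH"
        set action accept
        set schedule "always"
        set service "SSH" "SMTP"
        set nat disable
    next
end
```

Two caveats for the service list in the original VIP 1: DNS over UDP needs its own VIP with `set protocol udp` and port 53, and ICMP carries no port, so ping cannot be selected by a port-forwarded VIP at all. After applying the configuration, the `diagnose debug flow` commands posted earlier in this thread should report a different policy ID for port 443 traffic than for port 22 traffic; if both still land on policy 1, a VIP without `portforward enable` is still present on the same external IP.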
Created on 04-29-2024 06:46 AM Edited on 04-29-2024 06:47 AM
Hello @coumbisskante ,
I think the problem is the destination interface in the rule.
Your destination IP address is different in the VIP configuration but you selected the same destination interface in the policy.
Are you sure that you selected the right interface in the policy? If you don't use secondary IPs on the same interface, they need to be different.
Hello @ozkanaltas
Yes, I am using the correct interface. I made an error when describing my configurations earlier. The right interface is selected, but I am still experiencing the same problem.
Hello @coumbisskante ,
It's interesting. Can you run the debug commands and share the output with us? I think this is the easiest way to solve your problem.
If your 1st firewall policy is matching all the traffic that means your firewall policy has "ALL" as Service (destination port).
You should change it to just the required service, i.e.: HTTPS or SMTP, etc
Hi @AEK
This is not the problem.
Find below the configurations I did:
VIP CONFIGURATIONS:
- VIP 1
config firewall vip
edit "OTHER_TRAFIC"
set service "FTP" "DNS" "PING"
set extip 196.209.90.89
set extintf "any"
set mappedip "192.168.1.1"
next
end
- VIP 2
config firewall vip
edit "WebServer_VIP"
set service "HTTP" "HTTPS"
set extip 196.209.90.89
set extintf "any"
set mappedip "172.16.0.1"
next
end
FIREWALL POLICY CONFIGURATIONS:
- Firewall Policy 1
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "OTHER_TRAFIC"
set action accept
set schedule "always"
set service "FTP" "DNS" "PING"
set nat disable
next
end
- Firewall Policy 2
config firewall policy
edit 1
set srcintf "WAN"
set dstintf "port1"
set srcaddr "all"
set dstaddr "WebServer_VIP"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set nat disable
next
end
After running diagnostics, all HTTP/HTTPS traffic is being redirected to Policy 1, even though these services are not specified in that firewall policy's configuration. VIP 1 was the first one to be created.