Hi everyone. We have an FG200B and I am trying to set up an internal server that can be accessed by a VIP from inside or outside the network. I can access it fine using the local address internally or the VIP externally.
I followed the KB article below and set the VIP to any interface; however, it is still not working.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33976
Any ideas? Do I need to set up Policy Based Routing as well?
Thanks,
RK
You have to issue the command "set match-vip enable" on the firewall policy.
I don't know about the match-vip command, but we had to use policy routes to get this to work.
And of course matching Allow rules and the VIP listening on any.
Hello! The thing you want to do is also called NAT-hairpinning. Some routers use this automatically but some don't and FortiGate is one such.
I would personally use policy routes as a last resort.
But I have always got such a thing working when I create two rules: 1. from untrust to trust (that is, from the internet to the server's network) and 2. from trust to trust where the destination is the VIP that was created, not the internal address (that works anyway).
I need to add that in our case with policy routes the point was to access the VIP in the DMZ from internal. That might have caused the need for policy routes. Maybe internal/internal is easier.
Oh, then you should add a policy from internal to the DMZ with the VIP as destination. I have done that too and it works. It doesn't matter which internal network is the destination; you just specify that when creating the policy.
Hey guys, thanks for the replies! So after the answers I did a little more digging. It turns out that if you already have a policy route in place for that server to the internet, you need to add a new policy route so that the hairpin works!
http://kb.fortinet.com/kb/documentLink.do?externalID=FD31844
Tested it out and it is working after adding a policy route with source = internal network, destination = internal ip address of that server, outgoing interface = internal.
Thanks again for the insight!
This KB article explains it nicely, and shows debugging commands:
http://kb.fortinet.com/kb....do?externalId=FD33976
You not only have to change the interface of the VIP to any. You also have to create a policy, for example:
source-interface: internal
source-address: any
destination-interface: internal
destination-address: VIP-object
service: any
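Putting the thread's advice together (VIP bound to any, an internal-to-internal firewall policy with the VIP object as destination, and an extra policy route for RK's case where a policy route for the server already exists), here is an added worked example in FortiOS CLI. It is not from the original posts or from Fortinet's KB articles; the interface names `internal` and `wan1`, the VIP name `web-vip`, the external address 203.0.113.10, the server address 192.168.1.10 and the subnet 192.168.1.0/24 are all constructed placeholders.

```fortios
# Added example, not from the thread or Fortinet. All names and addresses are constructed.

# 1. VIP listening on "any" so it also matches traffic arriving on the internal interface
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set extintf "any"
        set mappedip "192.168.1.10"
    next
end

config firewall policy
    # 2. Inbound policy: internet -> server via the VIP (the "untrust to trust" rule)
    edit 10
        set name "wan-to-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # 3. Hairpin policy: internal clients -> the VIP's external address, same interface in and out
    #    (the "trust to trust" rule with the VIP object, not the internal address, as destination)
    edit 11
        set name "internal-hairpin-web-vip"
        set srcintf "internal"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end

# 4. Only needed when an existing policy route already steers this server's traffic to the
#    internet: a more specific route, listed first, keeps hairpinned replies on "internal"
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.0/255.255.255.0"
        set dst "192.168.1.10/255.255.255.255"
        set output-device "internal"
    next
end

# 5. Verify from the CLI: trace the session while an internal client connects to 203.0.113.10,
#    then check that the trace shows policy id 11 and the destination rewritten to 192.168.1.10
diagnose debug flow filter addr 192.168.1.10
diagnose debug flow trace start 10
diagnose debug enable
# ... make the test connection from an internal client, then clean up:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Two points worth knowing before copying this. `set nat enable` on the hairpin policy matters when client and server share a subnet: without source NAT the server answers the client directly on the LAN, the FortiGate never sees the reply, and the session stalls. The price is that the server's own logs then record the firewall's internal address rather than the client, so keep `logtraffic all` on the policy if you need the real client address for investigations. The thread's example uses `service: any`; restricting the hairpin policy to the service the server actually offers (HTTPS here) keeps the internal exposure of the server no wider than its external one. The `set match-vip enable` option mentioned earlier in the thread is a separate per-policy setting and is not used in this example.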