Yesolo
New Contributor II

Customized local-in policy doesn't work

Hi guys, I'm trying to make a server accessible from the WAN. I configured a virtual IP and port for the server, and then I created a local-in policy to test:

 

config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set service "ALL"
set schedule "always"
next
end

 

but I cannot access the server, and the related traffic still matches policy 0:

 

id=20085 trace_id=114 func=print_pkt_detail line=5822 msg="vd-root:0 received a packet(proto=6, [my ip]:2084->[FW IP]:50022) from port1. flag [S], seq 2666835964, ack 0, win 64240"
id=20085 trace_id=114 func=init_ip_session_common line=5993 msg="allocate a new session-01e45466"
id=20085 trace_id=114 func=vf_ip_route_input_common line=2615 msg="find a route: flag=80000000 gw-[FW IP] via root"
id=20085 trace_id=114 func=fw_local_in_handler line=447 msg="iprope_in_check() check failed on policy 0, drop"

 

 

Am I doing it wrong? Please help, thanks!

Accepted solution
dbu
Staff

It looks like you did not match any policy and went to the implicit deny at the end ("policy 0, drop").


Here is how the policy should look:


config firewall policy
    edit 0
        set name "internet to server"
        set uuid 6584f36c-d22b-51ed-4090-7207acdf3e83
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "vipfac"   <<<<<< here you specify the VIP
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

 

VIP object:

config firewall vip
    edit "vipfac"
        set uuid 33eef826-d22a-51ed-3e64-395817669040
        set extip 10.x.x.x
        set mappedip "192.168.100.200"
        set extintf "port1"
        set portforward enable
        set extport 11443
        set mappedport 443
    next
end

 

(attachment vip1.PNG: screenshot of the VIP object)

 

Regards!
bpozdena_FTNT

Hi @Yesolo ,

 

You can't use a local-in policy for forward traffic. If you've already created the VIP on your FortiGate, simply specify it as the destination object in your regular (forward) firewall policy.

 

You can find all necessary details with examples in the documentation at: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/510402/static-virtual-ips

HTH,
Boris
hbac
Staff

Hi @Yesolo,

 

You need to create a firewall policy, not a local-in policy. You also need to put the VIP in the destination of the firewall policy. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...

 

Regards, 

carlosaleman
Staff

Hi @Yesolo, just to clarify: "local-in" policies are used for traffic whose destination is the interface itself, not for traffic that flows through the FortiGate, or, to put it differently, traffic that has an incoming and an outgoing interface.

 

Best regards.

Yesolo
New Contributor II

Hi, thanks for the reply and detailed description.

I did a Firewall Policy at the beginning, but I just found that the "Destination" I chose was wrong. It should be the "Virtual IP/Server" object instead of the "Address" object.

 

Thank you all for the help!
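As an added example, not code from this thread or from Fortinet, here is a small Python linter for the two mistakes the thread turns on: a forward policy whose destination is a plain address object carrying the VIP's external IP instead of the VIP itself (the OP's final finding), and a VIP that no forward policy references at all, which a local-in policy cannot make reachable (the OP's starting point). It also checks that a referenced VIP's extintf matches the policy's srcintf. The config text inside it is constructed for the example: the names vipfac, vipssh and server-public and the 10.0.0.5 / 192.168.100.x addresses are placeholders, and the reader only understands the flat config/edit/set/next/end layout shown in this thread, not nested config blocks inside an entry.

```python
import shlex

# Constructed sample (placeholder names/addresses). Policy 1 repeats the thread's mistake
# (address object as destination), policy 2 is the fix, "vipssh" has no forward policy.
SAMPLE_CONFIG = """\
config firewall vip
    edit "vipfac"
        set extip 10.0.0.5
        set mappedip "192.168.100.200"
        set extintf "port1"
        set portforward enable
        set extport 11443
        set mappedport 443
    next
    edit "vipssh"
        set extip 10.0.0.5
        set mappedip "192.168.100.201"
        set extintf "port1"
        set portforward enable
        set extport 50022
        set mappedport 22
    next
end
config firewall address
    edit "server-public"
        set subnet 10.0.0.5 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "server-public"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "vipfac"
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse flat config/edit/set/next/end FortiOS CLI into {section: {entry: {key: [values]}}}."""
    sections: dict = {}
    section = None  # table opened by the current "config ..." line
    entry = None    # row opened by the current "edit ..." line
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # also strips the quotes around "port1" etc.
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            section = sections.setdefault(" ".join(tokens[1:]), {})
        elif kw == "edit" and section is not None:
            entry = section.setdefault(tokens[1], {})
        elif kw == "set" and entry is not None:
            entry[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return sections


def lint_port_forward(cfg: dict) -> list:
    """Return (code, subject, message) findings about how forward policies use VIPs."""
    vips = cfg.get("firewall vip", {})
    addrs = cfg.get("firewall address", {})
    vips_on_ip: dict = {}  # several VIPs may share one external IP (different ports)
    for name, vip in vips.items():
        vips_on_ip.setdefault(vip.get("extip", ["?"])[0], []).append(name)
    findings, referenced = [], set()
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        srcintf = set(pol.get("srcintf", []))
        for dst in pol.get("dstaddr", []):
            if dst in vips:  # right object type; still check the interface binding
                referenced.add(dst)
                extintf = vips[dst].get("extintf", ["any"])[0]
                if extintf != "any" and extintf not in srcintf:
                    findings.append(("VIP_INTF_MISMATCH", pid,
                                     f"VIP {dst} is bound to {extintf}, policy srcintf is {sorted(srcintf)}"))
            elif dst in addrs:  # the OP's mistake: address object carrying the VIP's extip
                subnet = addrs[dst].get("subnet", [])
                if subnet and subnet[0] in vips_on_ip:
                    findings.append(("ADDR_INSTEAD_OF_VIP", pid,
                                     f"dstaddr {dst} is a plain address for {subnet[0]}; use the VIP "
                                     f"({'/'.join(vips_on_ip[subnet[0]])}) or the DNATed session will not match"))
    for name in vips:
        if name not in referenced:
            findings.append(("VIP_NOT_FORWARDED", name,
                             "no accept forward policy uses this VIP; a local-in policy cannot forward it"))
    return findings


if __name__ == "__main__":
    for code, subject, message in lint_port_forward(parse_fortios(SAMPLE_CONFIG)):
        print(f"{code:<20} {subject}: {message}")
```

Run it against a `show firewall vip`, `show firewall address` and `show firewall policy` dump pasted into one file: the ADDR_INSTEAD_OF_VIP finding is the situation the OP ended up in, and VIP_NOT_FORWARDED is the situation he started in, before any forward policy existed.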

 
