Support Forum
Dworf
New Contributor

DNAT VIPs and policies

Hi there,

So I've got a 1500D.

The first policy is this one:

Source: subnet1

Destination: a DNAT VIP mapping 70.12.5.7 to 70.12.5.67 (just an example I don't know these IPs)

Port: 465

And the second policy is this one:

Source: all

Destination: 70.12.5.7

Port: 465

Problem: when I try to reach 70.12.5.7 with an IP outside of subnet1 I am redirected to 70.12.5.67. I don't want that, I want only IPs in the subnet1 group trying to reach 70.12.5.7 to be redirected to 70.12.5.67.

I know that the FortiGate does the DNAT before the policy lookup, so what do I have to modify to have the policies working like I want?

Thanks for your help.  

srajeswaran
Staff

Please specify the source address on your VIP config. It can be found under "Optional Filters" on VIP config page.

Regards,

Suraj


Andregyn
New Contributor

Hey,

To do what you want, you need to specify the source network in your Virtual IP rule.

You can do that under VIP Rule -> Optional Filters -> Source address. With this configuration your DNAT will be applied only to the subnet you configured there, in this case subnet1.

CLI:

config firewall vip
    edit "your rule"
        # src-filter takes an IP subnet or range (e.g. x.x.x.0/24), not an address object name
        set src-filter "<subnet1 network>/24"
    next
end

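As an added example (not configuration from either reply), here is the complete picture the two answers describe: the VIP scoped to subnet1 with src-filter, together with the two policies from the question. The 70.12.5.7 / 70.12.5.67 addresses are the asker's illustrative ones; the subnet1 range (192.0.2.0/24), the interface names port1/port2, the object names and the policy IDs are assumptions.

```fortios
# Added example, not from the thread. IPs are the asker's illustrative ones;
# the subnet1 range, interface names, object names and policy IDs are assumptions.

# The VIP is consulted before the policy lookup. With src-filter set, the VIP
# only matches packets whose source is inside 192.0.2.0/24, so the DNAT
# 70.12.5.7 -> 70.12.5.67 is applied to subnet1 only. Traffic from any other
# source to 70.12.5.7 is left untranslated and never touches this VIP.
config firewall vip
    edit "vip-70.12.5.7-to-67"
        set extintf "any"
        set extip 70.12.5.7
        set mappedip "70.12.5.67"
        set portforward enable
        set protocol tcp
        set extport 465
        set mappedport 465
        # src-filter takes IP subnets/ranges, not address-object names
        set src-filter "192.0.2.0/24"
    next
end

# Address objects referenced by the policies (subnet1 range is an assumption)
config firewall address
    edit "subnet1"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "host-70.12.5.7"
        set subnet 70.12.5.7 255.255.255.255
    next
end

config firewall policy
    # Policy 1: subnet1 -> VIP, TCP/465 (SMTPS is a built-in service object)
    edit 1
        set name "subnet1-to-vip"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "subnet1"
        set dstaddr "vip-70.12.5.7-to-67"
        set action accept
        set schedule "always"
        set service "SMTPS"
    next
    # Policy 2: everyone else -> 70.12.5.7 with no translation
    edit 2
        set name "all-to-70.12.5.7"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "host-70.12.5.7"
        set action accept
        set schedule "always"
        set service "SMTPS"
    next
end
```

To confirm the behaviour, open a TCP/465 connection to 70.12.5.7 once from a host inside subnet1 and once from outside it, then compare the two entries in `diagnose sys session list`: only the subnet1 session should show the destination rewritten to 70.12.5.67, and the other should have matched policy 2 with its original destination intact.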