I have 4 real DNS servers behind a common Virtual Server using UDP forwarding on port 53 on our FortiGate that has been working for several years. I now have the requirement for the client IP to be preserved for the DNS servers so they can apply their own policies to the client traffic based on source IP. It is currently being replaced by the FortiGate's IP.
Any suggestions on how to achieve this?
Cheers - Mike
SOLVED: it was easier than NAT (which was not on); it was the flow/proxy setting - oops
Hello,
Try disabling NAT on the FW policy first.
Or in the Virtual Server configuration you should have an option in the GUI.
"Preserve client IP". By default it is disabled. Toggle it and enable.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Preserving-the-original-source-IP-wh....
Are you doing NAT in the related firewall policy?
You should remove it.
Hello friend. The "preserve client IP" function is not available when using type UDP and DNS port 53. Not even the CLI has it. I need this in my environment. What would be the way out?
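To make the two fixes discussed in this thread concrete (disable NAT on the firewall policy that serves the virtual server, and check the policy's flow/proxy inspection mode, since the "Preserve client IP" toggle is not offered for a UDP/53 virtual server), here is an added FortiOS CLI fragment that is not from the original posts. The VIP name, interface names, addresses and policy ID are assumed placeholders; `set inspection-mode` on a policy exists on FortiOS versions that configure inspection mode per policy, so check your release.

```text
# Assumed example configuration, not from the thread: a UDP/53 load-balance VIP
# fronting four real DNS servers (placeholder addresses).
config firewall vip
    edit "VS-DNS-UDP"
        set type server-load-balance
        set extip 203.0.113.53          # assumed public VIP address
        set extintf "wan1"              # assumed interface name
        set server-type udp
        set extport 53
        set mappedport 53
        config realservers
            edit 1
                set ip 10.0.0.11        # assumed real DNS server
                set port 53
            next
            edit 2
                set ip 10.0.0.12        # assumed real DNS server
                set port 53
            next
        end
    next
end

# Policy as the thread describes the problem: source NAT rewrites the client
# address, and proxy-mode inspection hands the UDP flow to a proxy.
config firewall policy
    edit 10                             # assumed policy ID
        set srcintf "wan1"
        set dstintf "dmz"               # assumed interface name
        set srcaddr "all"
        set dstaddr "VS-DNS-UDP"
        set action accept
        set schedule "always"
        set service "DNS"
        set inspection-mode proxy
        set nat enable
    next
end

# Corrected policy: no source NAT, flow-based inspection, so the real servers
# see the original client source IP and can apply their own source-based policies.
config firewall policy
    edit 10
        set inspection-mode flow
        set nat disable
    next
end
```

After the change, confirm with a DNS query from a client and `diagnose sniffer packet` on the server-side interface that the source address of the forwarded query is the client's, not the FortiGate's.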