Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SaVen
New Contributor

Disable Virtual IP for a specific policy

We have two policies for a source subnet, one for internal and external access with same source and destination interfaces in both policies.

 

There are virtual IP's created for some source address for internal access however these Nat address are overriding the PAT configured for external access and natting to specific virtual IP's instead of PAT. Which is creating access issues. 

 

Is there way I can exclude this virtual IP's being considered for external policy.

 

Thanks,

Saven

3 REPLIES 3
Nicholas_Doropoulos
Contributor

Hi,

 

You should be able to do that by running the following commands:

 

config firewall policy

edit [relevant policy]

set match-vip disable

end

 

Then test to verify results.

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3

NSE5, CCSE, CCNA R&S, CompTIA A+, CompTIA Network+, CompTIA Security+, MTA Security, ITIL v3
SaVen

Hi, 

 

That is already disabled by default. 

 

Thanks

SaVen
New Contributor

any comments on this ?

 

Doesn't this work only as DNAT ? I see that even when traffic is initiating(source) from 100.5.2.5 it is resolving to 100.5.6.9? Cant we force it to be only a DNAT?

 

config firewall vip     edit "some_nat         set id 0         set comment ''         set type static-nat         set extip 100.5.6.9         set extintf "any"         set arp-reply enable         set nat-source-vip disable         set portforward disable         set gratuitous-arp-interval 0         set color 0         set mappedip "100.5.2.5"     next end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors