I have the following design in which users with mobile devices have to access the 192.168.11.173 server going through the 172.16.17.1 fgt interface. I used to use VIP for such kind of publishing behind one fortigate but in this situation with two fortigates, I am a little bit confused, do I have to do double nat? how?
principally, you can use routing or NAT to let traffic in through a firewall.
The main advantage of NAT is that the destination address is concealed; your external user will never know it's real (private) address. Besides, you would not be able to access a private address from the internet.
So, for the gateway firewall, DNAT using a VIP is mandatory. For the second FGT you can use routing or NAT.
A second VIP is a bit more effort than setting up a static route, so I'd go with routing.
On FGT1 (WAN facing), create a VIP for the final private address of your server (192.168.x.y). Additionally, you have to create a static route on this FGT to point to FGT2 (internal), with gateway address being the WAN interface of FGT2. Otherwise, FGT1 wouldn't know where to send the traffic.
As now the incoming traffic on FGT2 has a source address from the WAN (it's unchanged by DNAT), FGT2's default route is used to route the reply traffic. This is most probably already in place.
On egress, FGT1 will additionally exchange the private source address of the server's reply to the public address stated in the VIP. This is done automatically in newer releases of FortiOS.
- Mobile device don't have an interface for 192.168.11.0/24 so will forward via default route which I suppose goes to router.
- Router don't have an interface for 192.168.11.0/24 so will forward via defáult route unless it has a static route to 192.168.11.0/24
So you probably don't have to change anything on your router but the external Firewall should have a route to 192.168.11.0/24 pointing to your internal one. Internal Firewall would either have to do snat or have a route back to the external firewall. So packes can go back and forth.
Diag debug flow on FGT cli might show you where you packets go and if there is an answer.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.