Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sheerazali
New Contributor II

Created on ‎07-22-2024 09:43 AM Edited on ‎07-22-2024 09:44 AM

Dual Destination Firewall (FortiGate) Issue

Dear Fortinet Community,

We need to verfiy that if there is any policy in FortiGate to route traffic towards two destination with specific ports. For example, we have a source address "192.168.10.10" and we have created a NAT policy towards destination "192.168.20.20". Now we need to route a single service i.e. "SFTP-22" towards another destination like "172.16.30.30". 

Can we create NAT or PAT policy with dual destination in FortiGate?

Sheeraz Ali
Sheeraz Ali
Labels:
535
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎07-22-2024 10:03 AM

Hi Ali

If I understand well your request, you need to NAT the traffic of service TCP 22 with a specific IP pool, right? Unfortunately this is not doable with NAT policy in central SNAT mode, only default NAT mode can do that (configure NAT inside firewall rule).

AEK
AEK
529
adambomb1219
SuperUser
SuperUser

Created on ‎07-22-2024 12:00 PM

Policy based routing?  Not sure I understand the use-case.

507
0 Kudos
HarshChavda
Staff
Staff

Created on ‎07-22-2024 01:42 PM

Hello,

 

As per my understanding routing traffic based on specific services  to different destinations can be accomplished using virtual IPs  and policy routes rather than traditional NAT or PAT policies. Policy routes can be used to direct traffic based on source IP, destination IP, and service and creating VIP for dnat will allow the specific traffic to be forwarded to the new destination.

474
sheerazali
New Contributor II

Created on ‎07-23-2024 03:34 AM

Dear @AEK @adambomb1219 @HarshChavda

I think I need to clarify the scenario more. We are deploying a FortiWeb and migrating a production server behind the WAF. Firstly, we have two different gateways (Two ISP Connections, each with a FortiGate FW). For that, we have created two vServers on FortiWeb with two different Virtual IPs for each ISP connection. For routing, we used PBR (Policy-Based Routing) to route the traffic to its corresponding ISP FW.

Now, the main issue is that we have an IP-Sec tunnel on one of our ISP Connections (FortiGate FW), in which the same Web Server is configured to connect to a remote side server for SFTP Connections. Note that our IP-Sec tunnel is terminated at the FortiGate end, and the firewall performs NAT using an existing NAT policy that directs that traffic to the backend server.

If we migrate services behind FortiWeb, we have to change the NAT Policy on the FortiGate FW by changing the destination from the actual server IP "10.100.50.50" to VIP "10.100.160.50". In this scenario, all the services, including HTTP/HTTPS traffic (coming from website clients) and SFTP Traffic (coming from the tunnel), will terminate at FortiWeb. However, FortiWeb only receives HTTP/HTTPS traffic and drops all other traffic. This situation disrupts and drops our IP-Sec Tunnel traffic at FortiWeb.

To clarify the scenario more, I have created a network diagram pasted below. Please review it and propose a solution that includes which configurations should be changed on FortiGate to segregate the traffic coming from the same public IP address., or in FortiWeb to bypass the SFTP Traffic without Policy Checking towards its BackEndServer. We need to perform double NAT or another method to route SFTP traffic to the actual server IP '10.100.50.50' and HTTP/HTTPS traffic to VIP "10.100.160.50". Remember, we are in a production environment.


FG - Fortinet (1).png

 

Sheeraz Ali
Sheeraz Ali
432
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎07-23-2024 08:33 AM

Dear Ali

I hope now I understood better and I think you have two possible solutions:

  1. Enable firewall at FWB level (feature visibility) and allow port 22
  2. Or forward only HTTP(S) traffic to the VIP (using DNAT port forwarding 80->80 and 443->443), while continue to access server's port 22 directly to the BE server's IP through the firewall (not through the FWB). I always use this solution in my integrations because I think it is more logical and cleanest design (in my opinion)
AEK
AEK
403
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.