Dear Fortinet Community,
We need to verify whether there is any policy in FortiGate to route traffic towards two destinations with specific ports. For example, we have a source address "192.168.10.10" and we have created a NAT policy towards destination "192.168.20.20". Now we need to route a single service, i.e. "SFTP-22", towards another destination like "172.16.30.30".
Can we create a NAT or PAT policy with dual destinations in FortiGate?
Hi Ali
If I understand your request correctly, you need to NAT the traffic of service TCP 22 with a specific IP pool, right? Unfortunately this is not doable with a NAT policy in central SNAT mode; only the default NAT mode can do that (configure NAT inside the firewall rule).
Policy-based routing? Not sure I understand the use case.
Hello,
As per my understanding, routing traffic to different destinations based on specific services can be accomplished using virtual IPs and policy routes rather than traditional NAT or PAT policies. Policy routes can be used to direct traffic based on source IP, destination IP, and service, and creating a VIP for DNAT will allow the specific traffic to be forwarded to the new destination.
Dear @AEK @adambomb1219 @HarshChavda
I think I need to clarify the scenario more. We are deploying a FortiWeb and migrating a production server behind the WAF. Firstly, we have two different gateways (two ISP connections, each with a FortiGate FW). For that, we have created two vServers on FortiWeb with two different Virtual IPs, one for each ISP connection. For routing, we used PBR (Policy-Based Routing) to route the traffic to its corresponding ISP FW.
Now, the main issue is that we have an IPsec tunnel on one of our ISP connections (FortiGate FW), in which the same web server is configured to connect to a remote-side server for SFTP connections. Note that our IPsec tunnel is terminated at the FortiGate end, and the firewall performs NAT using an existing NAT policy that directs that traffic to the backend server.
If we migrate services behind FortiWeb, we have to change the NAT policy on the FortiGate FW by changing the destination from the actual server IP "10.100.50.50" to VIP "10.100.160.50". In this scenario, all the services, including HTTP/HTTPS traffic (coming from website clients) and SFTP traffic (coming from the tunnel), will terminate at FortiWeb. However, FortiWeb only receives HTTP/HTTPS traffic and drops all other traffic. This situation disrupts and drops our IPsec tunnel traffic at FortiWeb.
To clarify the scenario more, I have created a network diagram pasted below. Please review it and propose a solution that includes which configurations should be changed on FortiGate to segregate the traffic coming from the same public IP address, or in FortiWeb to bypass the SFTP traffic without policy checking towards its backend server. We need to perform double NAT or another method to route SFTP traffic to the actual server IP "10.100.50.50" and HTTP/HTTPS traffic to VIP "10.100.160.50". Remember, we are in a production environment.
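One way to split the tunnel traffic on the FortiGate by service, along the lines of the VIP-plus-service suggestion earlier in the thread: a port-forwarding VIP for TCP/22 that maps to the real server 10.100.50.50, a second VIP for HTTP/HTTPS that maps to the FortiWeb vServer 10.100.160.50, and two firewall policies ordered so the SFTP one is matched first. This is an added illustration, not configuration from the thread; the external address, interface names and policy names are placeholders.

```fortios
# Added example (not from the thread). Placeholders: EXT_IP_PLACEHOLDER is the
# address the tunnel peer already sends to; "ipsec_tunnel" and "dmz" are the
# assumed tunnel and server-side interface names.
config firewall vip
    # TCP/22 only -> real server, bypassing FortiWeb
    edit "VIP_SFTP_RealServer"
        set extip EXT_IP_PLACEHOLDER
        set mappedip "10.100.50.50"
        set extintf "any"
        set portforward enable
        set protocol tcp
        set extport 22
        set mappedport 22
    next
    # Everything else on that address -> FortiWeb vServer VIP
    edit "VIP_Web_FortiWeb"
        set extip EXT_IP_PLACEHOLDER
        set mappedip "10.100.160.50"
        set extintf "any"
    next
end
config firewall policy
    # Policy 1: restricted to the built-in SSH service (TCP 22); must sit ABOVE
    # the web policy so SFTP is matched before the broader VIP.
    edit 0
        set name "Tunnel_SFTP_to_RealServer"
        set srcintf "ipsec_tunnel"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_SFTP_RealServer"
        set action accept
        set schedule "always"
        set service "SSH"
    next
    # Policy 2: only HTTP/HTTPS reaches FortiWeb, so nothing it cannot handle
    # is ever forwarded to the WAF.
    edit 0
        set name "Tunnel_Web_to_FortiWeb"
        set srcintf "ipsec_tunnel"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_Web_FortiWeb"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
```

After applying, confirm policy order with `show firewall policy` and verify with `diagnose sniffer packet any 'port 22' 4` that SFTP sessions land on 10.100.50.50 rather than the FortiWeb VIP.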
Dear Ali
I hope I understand better now, and I think you have two possible solutions:
Copyright 2024 Fortinet, Inc. All Rights Reserved.