We have a Fortigate 200D that is running code 6.0.14.
Is it possible to create a FQDN VIP that maps to a server on the inside? Much like a static VIP?
we have a PBX that uses a Static VIP, we want to convert that to a FQDN.
Our idea is we have three WAN interfaces we want to add each WAN IP to the FQDN and program the phones instead of using the external IP use a FQDN with all three static IP assigned to it and when a interface goes down it will connect using the other IP's on the FQDN and not have any loss or little of.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
HI Team,
As per your requirement, you need to create three VIP with all three external interface IP address.
If one is not reachable, phone should have ability to go for secondary.
Its better if your phone has ability to check whether IP is up or down like link monitor in fortigate.
Accordingly you can achieve it
thank you for the reply,
What would be the CLI commands to create a FQDN VIP that points to a private server?
When I created one the Mapped address is the FQDN and the external is 0.0.0.0 shouldn't the external be the FQDN and the mapped address be the internal? unless im missing something or just not understand because the Static VIP is as such.
What would be the CLI commands to create a FQDN VIP that points to a private server?
FQDN should point to the external IP address, not for the private IP as per your requirement.
Its like, there is nothing to do in fortigate, you need to create three VIP for the same private IP with different public IP. Its completely depends on DNS resolution from then and how phone will identify which public IP it should chose to send the request.
Hey beldridge,
to expand a bit on my colleagues:
- You need some kind of DNS setup that resolves the FQDN you want to use to one or more public IPs
-> those public IPs need to be associated with the FortiGate interfaces for the traffic to even reach the FortiGate
-> at that point you could do FQDN VIPs or regular VIPs with the public IPs in question
Do you anticipate the public IPs changing and don't want to use static IPs in the VIP configuration for that reason?
Hi belridge,
The CLI commands to create an FQDN-based VIP look like this:
config firewall vip
edit "my_test_vip"
set type fqdn
set extaddr <fqdn-type-address-object>
set mapped-addr <fqdn-type-address-object>
set extintf <external-interface>
...
end
CLI documentation reference is available here. (6.2 link; the 6.0 document is unfortunately incorrect)
Note that for FQDN-type VIPs, the mapped destination is always mandatory to be an FQDN object, whereas the external address is optional (can be FQDN (set extaddr) or IP (set extip)). In other words, if you only need the external address to be an FQDN, you will need to set the internal one as FQDN as well.
Lastly, if you would like to see this in the GUI, the option was added in 6.4.2 (reference).
addendum: It may be worth pointing out, in case it is not clear, that these FQDNs' sole purpose is to provide dynamic updates to what would otherwise be the static-IP extip and mappedip attributes. The FortiGate periodically queries the DNS server for these FQDNs and uses the resulting IPs to internally update the extip/mappedip attributes of the VIP. This is to say, these FQDNs do not provide any sort of domain-based reverse-proxy functionality, nor any other "magic".
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.