I have an on-premise Microsoft Exchange email server on my LAN behind a FortiGate 51E and I also have a SonicWall Virtual Email Security Appliance on the LAN.
Currently there are 2 VIPs that are port forwarding port 25 and 587 to my SonicWall Virtual Email Security Appliance. There is also an IPv4 Policy allowing this traffic from any source address.
I want to create 2 more VIPs that would port forward port 25 and 587 to my Microsoft Exchange email server, using the same public facing WAN IP address as my other 2 VIPs that are going to the SonicWall Virtual Email Security Appliance. However, I have an IPv4 Policy that is looking for specific source IP addresses that would allow the traffic to the 2 new VIPs that I want to create.
Essentially, I want specific traffic coming in on port 25 and 587 to go to my Microsoft Exchange email server, and all other traffic coming in on port 25 and 587 to go to my SonicWall Virtual Email Security Appliance. These would both be using the same WAN IP address.
Is there a way I can do this? From what I have researched it is not possible unless I use a separate WAN IP address, but since there's an IPv4 Policy in place, wouldn't the FortiGate know which VIP to use? When I try to create the new VIPs I get the error "A duplicate entry already exists.".
You cannot do that. You have to use another VIP.
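As an added example (not from this thread or from Fortinet), here is FortiOS CLI for the layout that reply implies: the VIP lookup (DNAT) is keyed on external IP and port and runs before the policy lookup, so the source address in a policy cannot choose between two VIPs sharing one WAN IP and port; instead the Exchange VIP gets a second WAN IP and its policy is what restricts the sources. All addresses are placeholders (198.51.100.10 existing WAN IP, 198.51.100.11 assumed second WAN IP, 192.168.10.20 SonicWall appliance, 192.168.10.30 Exchange, 203.0.113.0/24 the permitted senders), and the interface names wan1 and internal are assumed.

```fortios
config firewall address
    edit "trusted-smtp-senders"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall vip
    # Existing VIP: any Internet SMTP on the shared WAN IP goes to the filtering appliance.
    edit "vip-esa-25"
        set extip 198.51.100.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.20"
        set extport 25
        set mappedport 25
    next
    # New VIP on a second extip; reusing 198.51.100.10 with extport 25 is the "duplicate entry".
    edit "vip-exch-25"
        set extip 198.51.100.11
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.30"
        set extport 25
        set mappedport 25
    next
end
config firewall policy
    # Any source may reach the filtering appliance VIP.
    edit 0
        set name "in-smtp-esa"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-esa-25"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # Only the listed senders may reach the Exchange VIP directly (least privilege).
    edit 0
        set name "in-smtp-exch"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "trusted-smtp-senders"
        set dstaddr "vip-exch-25"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
end
```

Port 587 follows the same pattern with extport/mappedport 587 and a custom TCP 587 service on the policies; the default "SMTP" service object covers only TCP 25.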
No device can know by itself the "kind" of traffic. The kind of traffic is specified by the port. Different kinds of traffic should use different ports, i.e. port 25 is SMTP; it shouldn't be used for HTTP, for example.
When you say specific traffic, do you mean from a specific source? You might be able to configure that through the SonicWall appliance, but I am not sure. With all vendors you cannot do port forwarding from the same IP and port to different destinations. It is not logically right.
You might be able to do what you are trying by using policy routes.
Orestis Nikolaidis
Network Engineer/IT Administrator
Such needs can be achieved through an ADC, not an NGFW.
An ADC can match on more than the port number (URI, host name, etc.).