Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
udid
New Contributor

FortiManager Virtual IP Objects

Hey.

AFAIK, if I have a rule with "Virtual IP" object in its destination, and the action is "Accept" - if this rule matches, effectively the gateway performs destination NAT, translating the external IP in the associated "Virtual IP" object to the "Mapped IP" in the associated "Virtual IP" object.

What happens if the action of such rule is "Deny"? Is it even a valid configuration? It doesn't make sense to translate a packet's destination IP, and then drop it before forwarding it out. Thanks.

4 REPLIES 4
SJFriedl
New Contributor II

Perhaps a reasonable use case for this could be preceding another rule that does an Accept All: block telnet, but allow everything else? I would imagine that the Fortigate would do the efficient thing and shortcut the parts of the NAT translation that were not needed.

udid
New Contributor

But if a rule matches (in our case, a rule with "Virtual IP" object and "Deny" action), subsequent rules aren't processed - or am I missing something?

SJFriedl
New Contributor II

A rule that matches the Deny does stop processing, yes, but imagine this made-up scenario:

 

Rule #1: Source=Any Target=YourVIP Service=SSH  Action=Deny

Rule #2: Source=Any Target=YourVIP Service=Any  Action=Accept

 

Inbound traffic to port 22/tcp will match the first rule and be dropped, but inbound to any other service (say, http) will skip past the Deny and be accepted by rule #2

 

OR:

 

Rule #1: Source=BadGuy Target=YourVIP Service=http  Action=Deny

Rule #2: Source=Any Target=YourVIP Service=http  Action=Accept

 

This effectively blocks the bad guy from your service, allowing everybody else.

 

But if you just find the Deny without any of the related records, it could be superfluous.

 

Do you have a specific configuration you're looking at which you could share?

udid
New Contributor

No, I just wanted to clarify the behavior of rule with VIP object and "Deny" action, and it's now clear.

It'll be like any other deny rule that has some address object in the destination - only the external IP of the VIP object is considered for matching criteria, and the traffic isn't NATed to the mapped IP, it's just denied.

Only when the action is "Accept", the mapped IP of the VIP object is used to NAT the external IP.

 

To achieve the same scenario you described above, I could also used a regular address object in the deny rule, instead of the VIP object (just to clarify).

 

Thanks.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors