Support Forum
freddymanullang
New Contributor

Fortigate Forward to Virtual Server

Hi,

I have only 1 public IP. I want to forward traffic to a specific Virtual Server based on the source IP.

My scenario:
- If the source IP is 1.2.3.4 & 1.2.3.5 and hits my public IP 5.6.7.8 on service port 800, forward to Virtual Server A with real servers 172.16.1.5:800 and 172.16.1.6:800

- If the source IP is 2.3.5.6 & 2.3.4.7 and hits my public IP 5.6.7.8 on service port 800, forward to Virtual Server B with real servers 172.16.1.7:800 and 172.16.1.8:800

I created 2 policies
- Policy 1 with id 126
Name: Service-800-Region-US
Incoming Port: WAN
Outgoing Port: LAN172

Source & Destination
-----------------
Source: 1.2.3.4 & 1.2.3.5
Destination: Virtual Server A. Mapped From: 5.6.7.8. External Service Port: 800. Real Server: 172.16.1.5:800 and 172.16.1.6:800
Service: Service800

Firewall/Network Options
---------
Inspection mode: Proxy Based
Proxy HTTP(S) traffic : disable
NAT: disable
Protocol options: default


- Policy 2 with id 128
Name: Service-800-Region-EU
Incoming Port: WAN
Outgoing Port: LAN172

Source & Destination
-----------------
Source: 2.4.5.6 & 2.4.5.7
Destination: Virtual Server B. Mapped From: 5.6.7.8. External Service Port: 800. Real Server: 172.16.1.7:800 and 172.16.1.8:800
Service: Service800

Firewall/Network Options
---------
Inspection mode: Proxy Based
Proxy HTTP(S) traffic : disable
NAT: disable
Protocol options: default

When both policy 1 and policy 2 are enabled, why does only policy 1 (id 126) work? IPs 1.2.3.4 & 1.2.3.5 can access Virtual Server A with real servers 172.16.1.5:800 and 172.16.1.5:800.
I tried moving policy 2 (id 128) above policy 1 (id 126). Still only policy 1 works.

But if I disable Policy 1, Policy 2 works.

I need your advice please. Your help is very much appreciated. Thank you.


AEK
SuperUser

AEK
toshi-esumi
New Contributor II

The bottom line is that FGTs process VIPs first, before looking up policies. If the first VIP isn't specific enough (not having source filters), all traffic would match the first one and then be forwarded to its destination if a policy allows it. If not, it would be dropped.


Toshi
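One way to make the VIP lookup itself tell the two client groups apart, as Toshi describes, is a source filter on each virtual server. The following is an added example written for this thread, not configuration posted by anyone here; it assumes the WAN interface is named "wan1", that `src-filter` is accepted on server-load-balance VIPs in your FortiOS version, and it uses the EU addresses from the policy 2 description (2.4.5.6 & 2.4.5.7).

```text
# Added example: both virtual servers share 5.6.7.8:800, so each one
# carries a src-filter; the FGT then picks the VIP by client address
# before the policy lookup, instead of always matching the first VIP.
config firewall vip
    edit "Virtual-Server-A"
        set comment "US clients -> 172.16.1.5/.6 (assumed interface wan1)"
        set type server-load-balance
        set extip 5.6.7.8
        set extintf "wan1"
        set server-type tcp
        set extport 800
        set ldb-method round-robin
        set src-filter "1.2.3.4/32" "1.2.3.5/32"
        config realservers
            edit 1
                set ip 172.16.1.5
                set port 800
            next
            edit 2
                set ip 172.16.1.6
                set port 800
            next
        end
    next
    edit "Virtual-Server-B"
        set comment "EU clients -> 172.16.1.7/.8 (assumed interface wan1)"
        set type server-load-balance
        set extip 5.6.7.8
        set extintf "wan1"
        set server-type tcp
        set extport 800
        set ldb-method round-robin
        set src-filter "2.4.5.6/32" "2.4.5.7/32"
        config realservers
            edit 1
                set ip 172.16.1.7
                set port 800
            next
            edit 2
                set ip 172.16.1.8
                set port 800
            next
        end
    next
end
```

With both VIPs filtered, the two proxy-based policies can stay as they are; `show firewall vip` confirms the `src-filter` lines were stored, and any client outside both filters matches neither VIP and is dropped rather than silently landing on Virtual Server A.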

sjoshi
Staff

Can you share the virtual server configuration and the policy configuration?

show firewall policy >> share the config of only those 2 policy IDs

show firewall vip >> only those virtual servers

If you have found a solution, please like and accept it to make it easily accessible to others.
Fortinet Certified Expert (FCX) | #NSE8-003459
Salon Raj Joshi