Hi,
I have only 1 public IP. I want to forward traffic based on source IP to a specific Virtual Server.
My scenario:
- If the source IP is 1.2.3.4 or 1.2.3.5 and it hits my public IP 5.6.7.8 on service port 800, forward it to Virtual Server A with real servers 172.16.1.5:800 and 172.16.1.6:800
- If the source IP is 2.3.5.6 or 2.3.4.7 and it hits my public IP 5.6.7.8 on service port 800, forward it to Virtual Server B with real servers 172.16.1.7:800 and 172.16.1.8:800
I created 2 policies:
- Policy 1 with id 126
Name: Service-800-Region-US
Incoming Port: WAN
Outgoing Port: LAN172
Source & Destination
-----------------
Source: 1.2.3.4 & 1.2.3.5
Destination: Virtual Server A. Mapped From: 5.6.7.8. External Service Port: 800. Real Server: 172.16.1.5:800 and 172.16.1.6:800
Service: Service800
Firewall/Network Options
---------
Inspection mode: Proxy Based
Proxy HTTP(S) traffic : disable
NAT: disable
Protocol options: default
- Policy 2 with id 128
Name: Service-800-Region-EU
Incoming Port: WAN
Outgoing Port: LAN172
Source & Destination
-----------------
Source: 2.4.5.6 & 2.4.5.7
Destination: Virtual Server B. Mapped From: 5.6.7.8. External Service Port: 800. Real Server: 172.16.1.7:800 and 172.16.1.8:800
Service: Service800
Firewall/Network Options
---------
Inspection mode: Proxy Based
Proxy HTTP(S) traffic : disable
NAT: disable
Protocol options: default
When both policy 1 and policy 2 are enabled, why does only policy 1 (id 126) work? IPs 1.2.3.4 & 1.2.3.5 can access Virtual Server A with real servers 172.16.1.5:800 and 172.16.1.5:800.
I tried moving policy 2 (id 128) above policy 1 (id 126). Still only policy 1 works.
But if I disable policy 1, policy 2 works.
I need your advice please. Your help is very much appreciated. Thank you.
Hi Freddy
I think you are looking for a source filter.
The bottom line is that FGTs process VIPs first, before looking up policies. If the first VIP isn't specific enough (no source filters), all traffic would match the first one and then be forwarded to its destination if a policy allows it. If not, it would be dropped.
Toshi
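The VIP-level source filter Toshi describes, written out as an added FortiOS CLI example (not config from the original thread or from Fortinet): two virtual-server VIPs share the same external IP and port but are told apart by `set src-filter`, so the VIP lookup that happens before policy matching already picks the right real-server pool. The VIP names, the interface name "WAN" and the assumption that the two source IP pairs are the ones in the poster's policies (1.2.3.4/1.2.3.5 and 2.4.5.6/2.4.5.7) are mine; policies 126 and 128 keep their existing source objects and point their destination at the matching VIP.

```fortios
# Added example, not the poster's running config.
# Two server-load-balance VIPs on the same public IP and port,
# separated by source filter so the VIP lookup selects the pool.
config firewall vip
    edit "Virtual-Server-A"
        set type server-load-balance
        set extintf "WAN"
        set extip 5.6.7.8
        set server-type tcp
        set extport 800
        # Only these sources match this VIP (hypothetical: the US region)
        set src-filter "1.2.3.4" "1.2.3.5"
        config realservers
            edit 1
                set ip 172.16.1.5
                set port 800
            next
            edit 2
                set ip 172.16.1.6
                set port 800
            next
        end
    next
    edit "Virtual-Server-B"
        set type server-load-balance
        set extintf "WAN"
        set extip 5.6.7.8
        set server-type tcp
        set extport 800
        # Different source filter, so it no longer overlaps VIP A
        set src-filter "2.4.5.6" "2.4.5.7"
        config realservers
            edit 1
                set ip 172.16.1.7
                set port 800
            next
            edit 2
                set ip 172.16.1.8
                set port 800
            next
        end
    next
end
# Policies 126 and 128 stay as they are: srcaddr = the region's
# address objects, dstaddr = "Virtual-Server-A" / "Virtual-Server-B".
```

Verify with `show firewall vip` that both VIPs carry the `src-filter` line; confirm on the FortiOS version in use that it accepts two VIPs with the same extip/extport once their source filters differ, since this is what makes VIP B reachable with VIP A still enabled.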
Can you share the virtual server configuration and the policy configuration?
show firewall policy >> share the config of only those 2 policy IDs
show firewall vip >> only those virtual servers
Copyright 2025 Fortinet, Inc. All Rights Reserved.