Ydaew
New Contributor III

Fortigate VIPs behaviour

Hello,

We have a server (Server A) in our internal network which needs to be reached out over port 443, which is OK, but we need also to forward all the traffic that hits that server over port 3389 into another server (Server B).

We've tried to configure DNAT rule with port forwarding, but this caused the HTTPS traffic to be lost.

Can someone help understanding why other traffic to Server A is being lost when having the NAT rule in place ?

Below diagram to clarify the traffic flow

[Attached diagram: Screen Shot 2022-07-15 at 6.48.25 PM.png]

ntaneja
Staff

Hi Ydaew

Please share a screenshot of the VIP configured for server A and server B traffic on FGT.

Just to confirm the requirement: you want the traffic hitting the FW for the External IP, port 3389, to be forwarded to server B,

and you want the traffic hitting the FW for the External IP, port 443, to be forwarded to server A.

 

Please correct me if I am wrong here.

Thanks

Ydaew
New Contributor III

Hi @ntaneja

The diagram might be a bit misleading. The scenario is to configure only one VIP, to forward the traffic that hits Server A's IP address over port 3389 to Server B,

while keeping other traffic destined to Server A as is, without any configured forwarding.

So the VIP should be configured only for the below flow:

Source: Client IP --> Destination port: 3389 --> Destination: Server A IP

Destination NAT for the above flow is as below:

Source: Client IP --> Destination port: 3389 --> Destination NAT IP: Server B IP

This is OK and working perfectly. But when the above rule is configured, we are losing all other traffic to Server A.

As an example, we are losing the below flow:

Source: Client IP --> Destination port: 443 --> Destination: Server A IP

Please let me know if it is still not clear.

Debbie_FTNT

Hey Ydaew,

I'm a bit confused by this:

"Source: Client IP --> Destination port: 3389 --> Destination: Server A IP"

and

"Source: Client IP --> Destination port: 3389 --> Destination NAT IP: Server B IP"

That sounds a bit as if you want port 3389 to be forwarded to server A and B? Other parts of your comments read as if port 3389 should only be forwarded to server B.

 

Essentially you need two VIPs:

- one for port 3389 (either just to server B, or set as type load-balancing and forward to both server A and B)

- one for port 443 (forward this to server A only)

-> the VIPs would have to be restricted to these ports externally as well.

You would then need policies for these VIPs to allow the traffic.
In addition, with port 443 - make sure the FortiGate admin port and SSLVPN ports are different, otherwise this could interfere with the VIP.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
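As an added example (not part of Debbie_FTNT's reply and not Fortinet documentation), this is the FortiOS CLI form of the two-VIP layout described above: one VIP that claims only port 3389 on the external address and maps it to Server B, one that claims only port 443 and maps it to Server A, plus the two firewall policies that allow the traffic and the admin/SSL VPN port check. All addresses, interface names, VIP names and the chosen admin/SSL VPN ports are assumptions for illustration; replace them with your own.

```fortios
# Assumed values for this example (replace with your own):
#   203.0.113.10  - external address clients connect to (on wan1)
#   10.0.0.10     - Server A (internal), serves HTTPS
#   10.0.0.20     - Server B (internal), serves RDP
config firewall vip
    edit "VIP-ServerA-443"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        # portforward with a single extport restricts this VIP to 443 only;
        # a VIP without portforward would map every port of 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
    edit "VIP-ServerB-3389"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

# One inbound policy per VIP; the VIP object is the destination address.
config firewall policy
    edit 0
        set name "Inbound-HTTPS-ServerA"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-ServerA-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "Inbound-RDP-ServerB"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-ServerB-3389"
        set action accept
        set schedule "always"
        set service "RDP"
        set logtraffic all
    next
end

# The port-443 check from the reply above: keep the FortiGate's own HTTPS
# admin port and the SSL VPN port off 443 so they do not compete with the VIP.
config system global
    set admin-sport 8443
end
config vpn ssl settings
    set port 10443
end
```

Because each VIP has port forwarding enabled with a single external port, the two objects coexist on the same external IP and neither captures the other's traffic; the policies reference the VIP objects as destination, so no additional NAT setting is needed on the policy itself.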
ntaneja
Staff

Hi Ydaew

 

Can you configure your 3389 rule, then run the commands below on the FGT for the 443 traffic and share the output:

 

Putty 1:

di de reset

di de di

diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter addr X.X.X.X <<------[Replace X.X.X.X with src IP address]
diag debug flow filter dport 443
diag debug flow trace start 999

 

Now generate 443 traffic from the source client.

 

Disable debug using "di de di".

Putty 2:

get router info routing-table details <src ip>
get router info routing-table details <dst ip>
get router info routing-table all

 

Thanks
