Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnie
New Contributor

Created on ‎06-19-2024 12:34 AM

How to route traffic to virtual server in fortigate on azure

I would like to ask some questions about "virtual servers" in FortiGate. I deployed my firewall on azure with three subnets: 

1) External Subnet: 192.168.200.0/24

2) Internal Subnet: 192.168.90.0/24

3) Protected Subnet: 192.168.100.0/24

My two database servers are deployed on Protected subnet 192.168.100.10 and 192.168.100.11. They are listening Port TCP 1521. I would like to load balancing these two servers in FortiGate. The virtual ip will be 192.168.100.240. 

My configuration cannot route TCP port-1521 from client to this virtual Ip. I can access from client VM to each server with TCP port 1521. Any suggestion?

 

 

Untitled Diagram.drawio.png

 

My firewall Rules:

Screenshot (1).png

Labels:
1599
0 Kudos
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎06-19-2024 04:15 AM

Can yry enable all log in the policy (and in the implicit deny policy) and check if you see any related traffic log?

AEK
AEK
1572
johnie
New Contributor
In response to AEK

Created on ‎06-19-2024 07:32 PM

Yeah, but no traffic is found.no deny log found. upload1.PNG

1505
0 Kudos
AEK
SuperUser
SuperUser
In response to johnie

Created on ‎06-20-2024 12:21 AM

Client's packets are probably not reaching FGT.

You can confirm with packet sniffer as suggested by @hbac .

If this is confirmed you may check routing from client to FGT.

AEK
AEK
1486
0 Kudos
johnie
New Contributor
In response to AEK

Created on ‎06-23-2024 07:39 PM

When I do WAN to LAN virtual server configuration, it was working well. But for Lan-to-Lan virtual server configuration, the traffic could not pass to this virtual lan ip. 

I  have two database server in lan network (192.168.100.4 and 192.168.100.5) and then i created virtual server with virtual ip 192.168.100.240 and put these two server into the backend. But the Lan client (192.168.100.0/24) cannot access the virtual ip address.vip.PNG

1397
0 Kudos
johnie
New Contributor
In response to johnie

Created on ‎06-23-2024 07:40 PM

This Firewall is running on azure.

1395
0 Kudos
johnie
New Contributor
In response to AEK

Created on ‎06-23-2024 07:25 PM

I did enable deny policy.There is no traffic flow through.

1402
0 Kudos
hbac
Staff
Staff

Created on ‎06-19-2024 07:13 AM

Hi @johnie,

 

You can run packet sniffer to see if the traffic even hits the FortiGate: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

 

Regards, 

1543
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.