I think I know the answer but here is the daft newbie just wanting someone to say OF COURSE YOU CAN'T DO THAT
I have 2 internal IIS sites with similar purposes secured with a public cert. The sites provide essentially a file upload mechanism that is used on a mobile phone app we use. Servers are separate (for reasons) and have of course different internal IP addresses. No clever load balancers involved just a simple NAT rule so far.
I have 2 separate domain names with A records pointing at a public IP address that will land on my edge fortigate - again all good.
Except ...
Can I have the 2 different URLs point to the same destination edge NAT IP and somehow have the FortiGate send requests that came in via URL-A NAT to InternalServer-A and requests in to URL-B NAT land on InternalServer-B?
I did that sort of thing in my old world of TMG web publishing but I suspect I cannot really do that here in FortiGate world without using a separate Public IP for each NAT'd internal server?
Any thoughts welcome.
thanks
OF COURSE YOU CAN'T DO THAT
hi,
and welcome to the forums.
No, URL rewriting is beyond the features of a FGT. FortiWeb web firewalls will do that, they are the recommended replacement for TMG.
So the easiest way would be to use 2 different public IPs. Or 2 different ports but that'll be difficult for your users I guess.
When you create the VIPs (for destination NAT) make sure you do not use the external public IP elsewhere in the setup, for instance as a secondary IP of wan1. VIPs do (among other things) proxy ARP, they are not only recipes to translate a destination address to another.
Actually you can. It's called host-header switching; you would need to define, for example:

www.example1.com ( public_addr x.x.x.x ) -----switch to node1
www.example2.com ( public_addr x.x.x.x ) -----switch to node2

( cfg )

```
config firewall vip
    edit "YOUR_SLB_VIP"
        set type server-load-balance
        set extip 1.1.1.1    # <---- single public address
        set extintf "wan1"
        set ldb-method http-host
        config realservers
            edit 1
                set ip 10.0.0.1
                set port 80
                set http-host "www.example1.com"
            next
            edit 2
                set ip 10.0.0.2
                set port 80
                set http-host "www.example2.com"
            next
        end
    next
end
```
Now I'm not 100% sure the above is doable on a FGT90D but you can look at it and see if that works. You would only need a single firewall rule to the VIP and to ensure that the 2 nodes are up.
edit to add
in DNS you would have something like this;
www.example1.com. IN A 1.1.1.1
www.example2.com. IN A 1.1.1.1
Ken
PCNSE
NSE
StrongSwan
aha... thanks!
Though I should have mentioned it's an HTTPS request in rather than just 80. Have tried your handy tips with Port set at 80 initially and then 443 above but bouncing off an error that prevents it being saved: "Node check object fail - attribute server-type must be set". Close. I can feel it, but I must be missing server-type. Is that on the RealServer itself?
thanks again
```
config firewall vip
    edit <name_str>
        set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}
```

• https: load balance only HTTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure http-multiplex and set persistence to http-cookie and configure the same http-cookie options as for http virtual servers plus the https-cookie-secure option. You can also set persistence to ssl-session-id. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on. https is available on FortiGate units that support SSL acceleration.
Sorry, I wasn't aware that the load-balancing options were as sophisticated as they are (in v5.2 and v5.4). To avoid the error set the 'server-type' first (to HTTPS) and then proceed. You can even specify the certificate and lots more.
All info quoted from "CLI Reference Guide v5.2" and v5.4 (which is less verbose).
On the HTTPS I don't think that's doable unless you had a single UC certificate. You might want to LAB it in a PoC and see what you can do.
In reality you should deploy an SLB ( FTNT, F5 LTM, Citrix NetScaler, LVS, Kemp, Brocade, etc.... ) if you need that function and leave the SLB to an ADC appliance imho. There you can easily manipulate host-header switching and SNI.
Ken
PCNSE
NSE
StrongSwan
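To make the difference between the two posts above concrete (host-header switching works for the port-80 config, but for HTTPS the Host header is inside the encrypted stream, so a dispatcher must either terminate TLS with a certificate covering both names or read the SNI from the ClientHello), here is an added Python example. It is not code from the thread or from Fortinet; the hostnames, the 10.0.0.x backend addresses and the minimal ClientHello builder are constructed for the demonstration.

```python
"""
Added example (not from the forum thread or Fortinet): a tiny Layer-7
dispatcher that picks a backend from the HTTP Host header on a plaintext
request, and from the TLS SNI extension on a ClientHello. Hostnames and
backend addresses are constructed placeholders.
"""
import struct

# Constructed mapping: public hostname -> internal server (placeholder IPs)
BACKENDS = {
    "www.example1.com": ("10.0.0.1", 443),
    "www.example2.com": ("10.0.0.2", 443),
}


def http_host(data: bytes):
    """Return the Host header of a plaintext HTTP request, or None."""
    head, _, _ = data.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii").lower()
    return None


def tls_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # not a ClientHello
        return None
    p = 4 + 2 + 32                                # hs header, client_version, random
    sid_len = body[p]; p += 1 + sid_len           # session id
    cs_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2 + cs_len   # cipher suites
    cm_len = body[p]; p += 1 + cm_len             # compression methods
    if p + 2 > len(body):
        return None                               # no extensions: no SNI
    ext_len = struct.unpack("!H", body[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        if etype == 0:                            # server_name extension
            # list length(2), name_type(1), name length(2), name bytes
            name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
            return body[p + 5:p + 5 + name_len].decode("ascii").lower()
        p += elen
    return None


def pick_backend(first_bytes: bytes):
    """Dispatch on SNI (TLS) or Host (HTTP). Returns (hostname, backend-or-None)."""
    host = tls_sni(first_bytes) or http_host(first_bytes)
    return host, BACKENDS.get(host)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32            # client_version, random (zeros)
             + b"\x00"                             # empty session id
             + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
             + b"\x01\x00"                         # one compression method (null)
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    req = b"GET /upload HTTP/1.1\r\nHost: www.example2.com\r\n\r\n"
    print(pick_backend(req))
    print(pick_backend(build_client_hello("www.example1.com")))
```

The plaintext path is what the `ldb-method http-host` config does on port 80. On 443 the only cleartext name a forwarding device sees is the SNI, and a client that omits SNI gets no match, which is why a TLS-terminating setup needs one certificate valid for both names (the "UC certificate" mentioned above) and why the thread recommends an ADC for this job.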