New_Person
New Contributor

Idiot question - NAT Rule

I think I know the answer, but here is the daft newbie just wanting someone to say OF COURSE YOU CAN'T DO THAT.

I have 2 internal IIS sites with similar purposes secured with a public cert. The sites provide essentially a file upload mechanism that is used by a mobile phone app we use. Servers are separate (for reasons) and of course have different internal IP addresses. No clever load balancers involved, just a simple NAT rule so far.

I have 2 separate domain names with A records pointing at a public IP address that will land on my edge FortiGate - again all good.

Except ...

Can I have the 2 different URLs point to the same destination edge NAT IP and somehow have the FortiGate send requests that came in via URL-A NAT to InternalServer-A and requests in via URL-B NAT to InternalServer-B?

I did that sort of thing in my old world of TMG web publishing, but I suspect I cannot really do that here in FortiGate world without using a separate public IP for each NAT'd internal server?

Any thoughts welcome.

thanks

5 REPLIES
ede_pfau
SuperUser

OF COURSE YOU CAN'T DO THAT

hi,

and welcome to the forums.

No, URL rewriting is beyond the features of a FGT. FortiWeb web firewalls will do that; they are the recommended replacement for TMG.

So the easiest way would be to use 2 different public IPs. Or 2 different ports, but that'll be difficult for your users I guess.

When you create the VIPs (for destination NAT) make sure you do not use the external public IP elsewhere in the setup, for instance as a secondary IP of wan1. VIPs do (among other things) proxy ARP; they are not only recipes to translate a destination address to another.

Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Actually you can. It's called host header switching. You would need to define, for example:

www.example1.com ( public_addr x.x.x.x ) -----switch to node1

www.example2.com ( public_addr x.x.x.x ) -----switch to node2

( cfg )

config firewall vip
    edit "YOUR_SLB_VIP"
        set type server-load-balance
        set extip 1.1.1.1    <----single public address
        set extintf "wan1"
        set ldb-method http-host
        config realservers
            edit 1
                set ip 10.0.0.1
                set port 80
                set http-host "www.example1.com"
            next
            edit 2
                set ip 10.0.0.2
                set port 80
                set http-host "www.example2.com"
            next
        end
    next
end

Now I'm not 100% sure the above is doable on a FGT90D, but you can look at it and see if that works. You would only need a single firewall rule to the VIP and ensure that the 2x nodes are up.

edit to add

in DNS you would have something like this:

www.example1.com.            IN    A    1.1.1.1
www.example2.com.            IN    A    1.1.1.1

Ken

PCNSE NSE StrongSwan
New_Person

aha... thanks!

Though I should have mentioned it's an HTTPS request in rather than just 80. Have tried your handy tips with Port set at 80 initially and then 443 above, but bouncing off an error that prevents it being saved: "Node check object fail - attribute server-type must be set." Close. I can feel it but must be missing server-type; is that on the RealServer itself?

thanks again

ede_pfau

config firewall vip
    edit <name_str>
        set server-type {http | https | imaps | pop3s | smtps | ssl | tcp | udp | ip}

https: load balance only HTTPS sessions with a destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure http-multiplex and set persistence to http-cookie and configure the same http-cookie options as for http virtual servers, plus the https-cookie-secure option. You can also set persistence to ssl-session-id. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on. https is available on FortiGate units that support SSL acceleration.

Sorry, I wasn't aware that the load-balancing options were as sophisticated as they are (in v5.2 and v5.4). To avoid the error, set the 'server-type' first (to HTTPS) and then proceed. You can even specify the certificate and lots more.

All info quoted from "CLI Reference Guide v5.2" and v5.4 (which is less verbose).

Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

On the HTTPS I don't think that's doable unless you had a single UC certificate. You might want to lab it in a PoC and see what you can do.

In reality you should deploy an SLB (FTNT, F5 LTM, Citrix NetScaler, LVS, Kemp, Brocade, etc.) if you need that function and leave the SLB to an ADC appliance imho. Here you can easily manipulate host-header switching and SNI.

Ken

PCNSE NSE StrongSwan