Multiple VIP question
I have the scenario below but am not sure how to deal with it. I am using the V6 OS of the FortiGate firewall.
I have DMZ, LAN, and WAN interfaces.
For a web server I need to define VIPs which have specific port requirements.
DMZ Access requirement:
For example:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:4443 map-service:443
ext:80.80.80.1 Map:10.10.10.1 Orig-service:80 map-service:8080
WAN access Requirements:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:443 map-service:4443
ext:80.80.80.1 Map:10.10.10.1 Orig-service:2222 map-service:22
LAN access requirements:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:any map-service:any
The problem now: I am able to create the above DMZ and WAN VIP combinations, but it is not allowing me to create a VIP without the port-forward option enabled, and it says a duplicate exists when I turn off the port-forward option in the VIP just to create it as a simple VIP.
Please can someone help me with how to deal with this situation, as I have lots of rules which require the config to use any service. But it won't let me create it, as I can't specify a VIP without a port due to the above VIPs created.
Anyone?
You can either use port forwarding and redirect ports as you like, even multiple source/destination ports per IP address pair, or you can forward all ports for an IP pair, but then you can't control the ports individually.
Your use case looks very much like a case for port forwarding to me.
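The trade-off described in this answer, checked against the rows from the question, as an added example (not code from the thread or from Fortinet). It uses a simplified overlap model that is an assumption: two VIPs collide when they share an external IP and their external port ranges intersect, ignoring interface and protocol; the VIP names are hypothetical labels.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Vip:
    name: str                  # hypothetical label, not from the thread
    extip: str
    mappedip: str
    extport: Optional[int]     # None = port forwarding off (all ports)
    mappedport: Optional[int]

    def ext_range(self) -> Tuple[int, int]:
        """External ports this VIP claims on its external IP."""
        if self.extport is None:
            return (1, 65535)  # static one-to-one VIP covers every port
        return (self.extport, self.extport)


def overlaps(a: Vip, b: Vip) -> bool:
    """Assumed model: same external IP and intersecting external ports."""
    if a.extip != b.extip:
        return False
    (alo, ahi), (blo, bhi) = a.ext_range(), b.ext_range()
    return alo <= bhi and blo <= ahi


def conflicts(vips: List[Vip]) -> List[Tuple[str, str]]:
    """Return every pair of VIP names that claim the same external port."""
    return [(a.name, b.name)
            for i, a in enumerate(vips)
            for b in vips[i + 1:]
            if overlaps(a, b)]


# The rows from the question (addresses are the poster's made-up examples).
VIPS = [
    Vip("dmz-4443", "80.80.80.1", "10.10.10.1", 4443, 443),
    Vip("dmz-80",   "80.80.80.1", "10.10.10.1", 80,   8080),
    Vip("wan-443",  "80.80.80.1", "10.10.10.1", 443,  4443),
    Vip("wan-2222", "80.80.80.1", "10.10.10.1", 2222, 22),
    Vip("lan-any",  "80.80.80.1", "10.10.10.1", None, None),
]

if __name__ == "__main__":
    for pair in conflicts(VIPS):
        print("overlap:", pair)
```

Under this model the four port-forward entries coexist because each claims a different external port, while the any-service entry intersects all of them.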
What do the ext 80.80.80.1 and Map:10.10.10.1 represent? Is 80.80.80.1 the outside public IP for the web server? Is 10.10.10.1 the inside private IP address for the same server? And where is this web server actually located? (Behind the FGT?)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Yes, the 80 address represents the external address. I showed it by way of example....
Also, once you use a static one-to-one VIP for a particular subnet, you can't specify a subnet-to-subnet VIP, so it is very restrictive.
So what does the 10.10.10.1 represent? Is there a 10.10.10.x subnet? If so, which interface is it on? Or is this IP made up?
If this website has a resolvable DNS name, you might want to look into setting up DNS translation.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
As explained, it's a made-up IP just to help one understand the situation. It's representing the internal address, and currently all VIPs are set to any.
Sounds like you want to configure Hair-pinning - if that link doesn't work try this one.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C