I have the below scenario but am not sure how to deal with it. I am using the V6 OS of a FortiGate firewall.
I have DMZ, LAN, WAN interfaces.
For a web server I need to define a VIP which has specific port requirements.
DMZ Access requirement:
For example:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:4443 map-service:443
ext:80.80.80.1 Map:10.10.10.1 Orig-service:80 map-service:8080
WAN access Requirements:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:443 map-service:4443
ext:80.80.80.1 Map:10.10.10.1 Orig-service:2222 map-service:22
LAN access requirements:
ext:80.80.80.1 Map:10.10.10.1 Orig-service:any map-service:any
Problem: now I am able to create the above DMZ and WAN VIP combinations, but it is not allowing me to create a VIP without the port-forward option enabled, saying a duplicate exists when I turn off the port-forward option in the VIP just to create it as a simple VIP.
Please can someone help me with how to deal with this situation, as I have lots of rules which require the config to use any service, but it won't let me create it, as I can't specify a VIP without a port due to the above VIPs created.
Anyone?
You can either use port forwarding and redirect ports as you like, even multiple source/destination ports per IP-address pair, or you can forward all ports for an IP pair, but then you can't control the ports individually.
Your use case looks very much like a case for port forwarding to me.
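As an added illustration of the port-forwarding approach described in this reply (example config, not part of the original thread), here are the DMZ and WAN mappings from the question expressed as FortiOS CLI VIP objects, collected into a VIP group so that one policy per interface can reference them. Interface names (`wan1`, `dmz`), object names and TCP as the protocol are assumptions; consistent with the reply, the all-ports LAN mapping is left out, since the same ext/mapped IP pair cannot carry both port-forwarded VIPs and an all-ports VIP.

```fortios
# Port-forwarded VIPs for the DMZ-side requirements (names are assumed)
config firewall vip
    edit "vip_dmz_4443_to_443"
        set extip 80.80.80.1
        set mappedip "10.10.10.1"
        set extintf "dmz"
        set portforward enable
        set protocol tcp
        set extport 4443
        set mappedport 443
    next
    edit "vip_dmz_80_to_8080"
        set extip 80.80.80.1
        set mappedip "10.10.10.1"
        set extintf "dmz"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 8080
    next
    # Port-forwarded VIPs for the WAN-side requirements
    edit "vip_wan_443_to_4443"
        set extip 80.80.80.1
        set mappedip "10.10.10.1"
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 4443
    next
    edit "vip_wan_2222_to_22"
        set extip 80.80.80.1
        set mappedip "10.10.10.1"
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 2222
        set mappedport 22
    next
end
# Group the WAN-facing VIPs so a single WAN-to-DMZ policy can use them as destination
config firewall vipgrp
    edit "vipgrp_webserver_wan"
        set member "vip_wan_443_to_4443" "vip_wan_2222_to_22"
    next
end
```

Each VIP still needs a firewall policy allowing traffic from the relevant interface to the mapped server; `show firewall vip` lists the resulting objects so that overlapping ext/mapped pairs can be checked before adding more.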
What do the ext 80.80.80.1 and Map:10.10.10.1 represent? Is 80.80.80.1 the outside public IP for the web server? Is 10.10.10.1 the inside private IP address for the same server? And where is this web server actually located? (Behind the FGT?)
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Yes, the 80 address represents the external address. I showed it as an example....
Also, once you use a static one-to-one VIP for a particular subnet, you can't specify a subnet-to-subnet VIP, so it is very restrictive.
So what does the 10.10.10.1 represent? Is there a 10.10.10.x subnet? If so, which interface is it on? Or is this IP made up?
If this website has a resolveable DNS name, you might want to look into setting up DNS translation.
As explained, it's a made-up IP just to help one understand the situation. It's representing the internal address, and currently all VIPs are set to any.
Sounds like you want to configure hairpinning - if that link doesn't work, try this one.