First of all - excuse me for my English, it's not my first language.
Hey guys, a total FortiGate noob here. I inherited the FG from the guy who was working here before me, with lots of IPv4 policy rules and other stuff.
I need to NAT 9443->443 from a certain external IP address to a web server inside, but (I think) the traffic keeps hitting the wrong IPv4 policy.
Here's my VIP config for this:
edit "NAT to lkbitrix"
    set uuid a685993c-79a2-51ea-8d95-fac7819934af
    set extip <EXTIP>
    set extintf "port1"
    set portforward enable
    set color 9
    set mappedip "192.168.131.7"
    set extport 9443
    set mappedport 443
Here are the IPv4 policies I created for that rule:
edit 142
    set name "SWEB05-NAT-Internet"
    set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
    set srcintf "port5"
    set dstintf "port1"
    set srcaddr "KAM-SWEB05"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable
next
edit 141
    set name "A-Internet-SWEB05"
    set uuid c3c5364a-7b07-51ea-6e98-064652b0f36e
    set srcintf "port1"
    set dstintf "port5"
    set srcaddr "all"
    set dstaddr "KAM-SWEB05"
    set action accept
    set schedule "always"
    set service "ALL"
next
Please note that I'm not putting any ports/protocols here because I was troubleshooting the rules. I will set specific ports once we go live with this.
Now, what I think happens is that the traffic gets redirected to port 443 of the EXTIP, on which another service exists.
Here's the debug output:
192.168.131.7 is the web server I need to publish
192.168.131.1 is the web server already published on port 443
2020-04-10 12:33:51 id=20085 trace_id=1 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ae"
2020-04-10 12:33:51 id=20085 trace_id=1 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=1 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag, seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:33:51 id=20085 trace_id=3 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=4 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=4 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=4 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=5 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828400668, ack 2004987952, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=5 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=5 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=6 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=6 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=6 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=7 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401185, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=7 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=7 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=8 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [F.], seq 3828401192, ack 2004990461, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=8 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=8 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=9 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag [.], seq 3828401193, ack 2004990462, win 2053"
2020-04-10 12:33:51 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd7b0, original direction"
2020-04-10 12:33:51 id=20085 trace_id=9 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=9 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:33:51 id=20085 trace_id=10 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=10 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b9"
2020-04-10 12:33:51 id=20085 trace_id=10 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=10 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=11 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=11 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7ff"
2020-04-10 12:33:54 id=20085 trace_id=11 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=11 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=12 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag, seq 605093863, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=12 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd800"
2020-04-10 12:33:54 id=20085 trace_id=12 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=12 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:54 id=20085 trace_id=13 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:33:54 id=20085 trace_id=13 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd802"
2020-04-10 12:33:54 id=20085 trace_id=13 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:54 id=20085 trace_id=13 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=14 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=14 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd890"
2020-04-10 12:34:00 id=20085 trace_id=14 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=14 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=15 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52909-><EXTIP>:9443) from port1. flag, seq 605093863, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=15 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd891"
2020-04-10 12:34:00 id=20085 trace_id=15 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=15 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:00 id=20085 trace_id=16 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52912-><EXTIP>:9443) from port1. flag, seq 2668994186, ack 0, win 8192"
2020-04-10 12:34:00 id=20085 trace_id=16 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd899"
2020-04-10 12:34:00 id=20085 trace_id=16 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:00 id=20085 trace_id=16 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=17 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=17 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a1"
2020-04-10 12:34:12 id=20085 trace_id=17 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:12 id=20085 trace_id=17 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:12 id=20085 trace_id=18 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag, seq 1420091637, ack 0, win 8192"
2020-04-10 12:34:12 id=20085 trace_id=18 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd9a2"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:12 id=20085 trace_id=18 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=18 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:12 id=20085 trace_id=18 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:12 id=20085 trace_id=18 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=19 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=19 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=19 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=20 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420091638, ack 824278912, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=20 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=20 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=21 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=21 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=21 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=21 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=22 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092155, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=22 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=22 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=23 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [F.], seq 1420092162, ack 824281421, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=23 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=23 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:12 id=20085 trace_id=24 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52916-><EXTIP>:443) from port1. flag [.], seq 1420092163, ack 824281422, win 2053"
2020-04-10 12:34:12 id=20085 trace_id=24 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cd9a2, original direction"
2020-04-10 12:34:12 id=20085 trace_id=24 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:12 id=20085 trace_id=24 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:15 id=20085 trace_id=25 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:15 id=20085 trace_id=25 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda40"
2020-04-10 12:34:15 id=20085 trace_id=25 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:15 id=20085 trace_id=25 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=26 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=26 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda84"
2020-04-10 12:34:17 id=20085 trace_id=26 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:17 id=20085 trace_id=26 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:17 id=20085 trace_id=27 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag, seq 3545820219, ack 0, win 8192"
2020-04-10 12:34:17 id=20085 trace_id=27 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cda85"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:34:17 id=20085 trace_id=27 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=27 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:34:17 id=20085 trace_id=27 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
2020-04-10 12:34:17 id=20085 trace_id=27 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=28 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=28 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=28 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=28 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=29 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820220, ack 2191388383, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=29 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=29 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=29 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=30 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=30 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=30 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=30 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=31 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820737, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=31 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=31 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=31 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=32 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [F.], seq 3545820744, ack 2191390892, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=32 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=32 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=32 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:17 id=20085 trace_id=33 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52918-><EXTIP>:443) from port1. flag [.], seq 3545820745, ack 2191390893, win 2053"
2020-04-10 12:34:17 id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5422 msg="Find an existing session, id-0f7cda85, original direction"
2020-04-10 12:34:17 id=20085 trace_id=33 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:34:17 id=20085 trace_id=33 func=ids_receive line=281 msg="send to ips"
2020-04-10 12:34:20 id=20085 trace_id=34 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:20 id=20085 trace_id=34 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdac4"
2020-04-10 12:34:20 id=20085 trace_id=34 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:20 id=20085 trace_id=34 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:21 id=20085 trace_id=35 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52915-><EXTIP>:9443) from port1. flag, seq 3798766778, ack 0, win 8192"
2020-04-10 12:34:21 id=20085 trace_id=35 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdadd"
2020-04-10 12:34:21 id=20085 trace_id=35 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:21 id=20085 trace_id=35 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:34:26 id=20085 trace_id=36 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52917-><EXTIP>:9443) from port1. flag, seq 2146468256, ack 0, win 8192"
2020-04-10 12:34:26 id=20085 trace_id=36 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cdbc9"
2020-04-10 12:34:26 id=20085 trace_id=36 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:34:26 id=20085 trace_id=36 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
Any help will be very appreciated.
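As an added example (not from the post, and not Fortinet's code), here is a small Python parser for the `diagnose debug flow` lines above. It groups lines by trace_id and reports, per session, whether a VIP rewrote the destination (DNAT) and which policy accepted the flow, or whether the packet matched no VIP and was dropped on the local-in path, which is what every 9443 session in the trace shows. The sample lines are copied from the post with the `<MYIP>`/`<EXTIP>` placeholders kept; the function names are mine.

```python
import re
from collections import OrderedDict

# Constructed sample: two sessions copied from the post (placeholders kept), one per outcome.
SAMPLE_TRACE = """\
2020-04-10 12:33:51 id=20085 trace_id=2 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52910-><EXTIP>:9443) from port1. flag, seq 1457575988, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=2 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7af"
2020-04-10 12:33:51 id=20085 trace_id=2 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-<EXTIP> via root"
2020-04-10 12:33:51 id=20085 trace_id=2 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
2020-04-10 12:33:51 id=20085 trace_id=3 func=print_pkt_detail line=5347 msg="vd-root received a packet(proto=6, <MYIP>:52911-><EXTIP>:443) from port1. flag, seq 3828400667, ack 0, win 8192"
2020-04-10 12:33:51 id=20085 trace_id=3 func=init_ip_session_common line=5506 msg="allocate a new session-0f7cd7b0"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_pre_route_handler line=185 msg="VIP-192.168.131.1:443, outdev-port1"
2020-04-10 12:33:51 id=20085 trace_id=3 func=__ip_session_run_tuple line=3268 msg="DNAT <EXTIP>:443->192.168.131.1:443"
2020-04-10 12:33:51 id=20085 trace_id=3 func=vf_ip_route_input_common line=2574 msg="find a route: flag=00000000 gw-192.168.131.1 via port5"
2020-04-10 12:33:51 id=20085 trace_id=3 func=fw_forward_handler line=743 msg="Allowed by Policy-75:"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, (?P<src>\S+?):(?P<sport>\d+)'
                    r'->(?P<dst>\S+?):(?P<dport>\d+)\) from (?P<intf>\S+)\.')
DNAT_RE = re.compile(r'DNAT \S+?:\d+->(?P<ip>\S+?):(?P<port>\d+)')


def parse_sessions(trace):
    """Group debug-flow lines by trace_id and record what happened to each packet."""
    sessions = OrderedDict()
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m['tid'], {'trace_id': m['tid'], 'vip': None, 'dnat': None,
                                           'policy': None, 'verdict': 'unknown'})
        func, msg = m['func'], m['msg']
        if func == 'print_pkt_detail' and (p := PKT_RE.search(msg)):
            s.update(src=p['src'], sport=int(p['sport']), dst=p['dst'],
                     dport=int(p['dport']), intf=p['intf'])
        elif func == 'fw_pre_route_handler' and msg.startswith('VIP-'):
            s['vip'] = msg.split(',')[0][len('VIP-'):]          # VIP object that matched
        elif func == '__ip_session_run_tuple' and (d := DNAT_RE.search(msg)):
            s['dnat'] = (d['ip'], int(d['port']))               # rewritten destination
        elif func == 'fw_forward_handler' and (a := re.search(r'Policy-(\d+)', msg)):
            s['policy'], s['verdict'] = int(a.group(1)), 'forwarded'
        elif func == 'fw_local_in_handler' and msg.endswith('drop'):
            s['verdict'] = 'local-in drop'                      # never left the local-in path
        elif func == 'resolve_ip_tuple_fast':
            s['verdict'] = 'existing session'
    return sessions


def explain(s):
    """One operator-readable line per session."""
    where = f"trace {s['trace_id']}: {s.get('dst')}:{s.get('dport')} in on {s.get('intf')}"
    if s['verdict'] == 'forwarded':
        nat = f"DNAT to {s['dnat'][0]}:{s['dnat'][1]}" if s['dnat'] else 'no DNAT'
        return f"{where} matched VIP {s['vip']}, {nat}, accepted by policy {s['policy']}"
    if s['verdict'] == 'local-in drop':
        return (f"{where} matched no VIP, so no DNAT happened; it was treated as "
                "traffic to the FortiGate itself and dropped by local-in (policy 0)")
    return f"{where}: {s['verdict']}"


def ports_never_dnatted(sessions):
    """Destination ports that only ever ended in a local-in drop: VIP mismatch candidates."""
    dropped = {s['dport'] for s in sessions.values() if s['verdict'] == 'local-in drop' and 'dport' in s}
    natted = {s['dport'] for s in sessions.values() if s['dnat'] and 'dport' in s}
    return sorted(dropped - natted)


if __name__ == '__main__':
    found = parse_sessions(SAMPLE_TRACE)
    for sess in found.values():
        print(explain(sess))
    print('external ports dropped before any DNAT:', ports_never_dnatted(found))
```

Run against the full trace in the post, the 9443 sessions all come out as local-in drops and 443 as DNAT to 192.168.131.1 via policy 75, which is the quickest way to see that the new VIP is not being matched at all rather than being matched by the wrong policy.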
hi,
kindly try this configuration
edit "NAT to lkbitrix"
    set uuid a685993c-79a2-51ea-8d95-fac7819934af
    set extip <EXTIP>
    set extintf "port5"    <--- changed from port1 to port5
    set portforward enable
    set color 9
    set mappedip "192.168.131.7"
    set extport 9443
    set mappedport 443

edit 142
    set name "SWEB05-NAT-Internet"
    set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
    set srcintf "port5"
    set dstintf "port1"
    set srcaddr "all"    <--- changed from KAM-SWEB05 to all
    set dstaddr "NAT to lkbitrix"    <--- changed from all to NAT to lkbitrix
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable    <---- disabled this
next
Fortigate Newbie
You are not redirecting the traffic to your internal server. In policy 141, you need to put the VIP as destination address. That's the way VIPs (destination NAT) work.
Do that and test again.
ede_pfau wrote:
You are not redirecting the traffic to your internal server. In policy 141, you need to put the VIP as destination address. That's the way VIPs (destination NAT) work.
Do that and test again.

Thanks, unfortunately that didn't work.
The new debug is in the txt attachment.
Fullmoon wrote:
hi,
kindly try this configuration
edit "NAT to lkbitrix"
    set uuid a685993c-79a2-51ea-8d95-fac7819934af
    set extip <EXTIP>
    set extintf "port5"    <--- changed from port1 to port5
    set portforward enable
    set color 9
    set mappedip "192.168.131.7"
    set extport 9443
    set mappedport 443

edit 142
    set name "SWEB05-NAT-Internet"
    set uuid 109e0adc-7b08-51ea-a864-b1c9dd70f816
    set srcintf "port5"
    set dstintf "port1"
    set srcaddr "all"    <--- changed from KAM-SWEB05 to all
    set dstaddr "NAT to lkbitrix"    <--- changed from all to NAT to lkbitrix
    set action accept
    set schedule "always"
    set service "ALL"
    set nat enable    <---- disabled this
next

Thanks for your suggestion.
When editing set extintf "port5" on "NAT to lkbitrix" I get:
# set extintf "port5"
Cannot change 'extintf' while the VIP entry is used.
In 142 I can't choose "NAT to lkbitrix" as it's on the wrong port.
I'd appreciate it if you could post your topology, especially which interfaces are facing the public side and your local network.
Attaching a link as well for VIP configuration.
https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/657500
Fortigate Newbie