Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Not successful with Virtual IP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 07-29-2011 12:15 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not successful with Virtual IP
I am having a problem creating a publicly accessible server using a new Fortigate 200B. I am new to Fortinet equipment but have been successfully using Cisco gear for a number of years and am frustrated being a new user again. I hope you might be able to point out what stupid thing I am doing wrong.
Short story:
I create a Virtual IP and corresponding Firewall Policy for a server on the DMZ. Clients on the LAN can see the server. Clients on the Internet cannot. Bypassing the Fortigate and putting the server directly on the cable modem works fine. From the documentation and tech notes this seems like it should be an easy thing to do. What am I missing?
Long story:
I have done a factory reset on the Fortigate and tried to create the bare minimum configuration to aid in troubleshooting.
I am running “v4.0,build6539,110520 (MR2)†which is the special build of MR2 patch 7 that supports FortiAP’s. I am running in Interface mode (not Switch mode). (This also means I have removed the default DHCP server and default Firewall Policy because they referred to “Switch†as the interface.) I am running in NAT mode.
I have created 3 interfaces: WAN, DMZ, and LAN on interfaces 10, 11, and 12. For each interface, I have entered an alias, the IP address and subnet mask (x.x.x.x/y.y.y.y) for that interface, and selected Ping for Administrative Access. On the LAN interface I have also selected HTTPS. Interfaces 3 and 4 are setup as heartbeat interfaces but are not in use.
The address I used for the WAN interface is one of the static IP addresses assigned by our ISP.
I have created a single static default route to the WAN interface using the gateway address that the ISP assigned as our default gateway address (which is the address of the cable modem).
On the Fortigate, in Network - Options, I have added our two internal DNS servers and specified a local domain name.
I have created two firewall policies to allow all traffic from the LAN to the WAN and from the LAN to the DMZ. Both of these are “Enable NAT†and “Log allowed trafficâ€. On the implicit policy, I have selected “Log violation traffic.â€
Fortiguard definitions are updating. Users on the LAN can reach the Internet.
I have placed a test server (JetDirect print server with a Web administrative interface) on the DMZ network. I have set the server’s default gateway address to point to the DMZ interface on the Fortigate. Users on the LAN can reach the test server using its DMZ address.
I have created a Virtual IP entry for the test server as follows: Interface is WAN. A different static IP addresses (not the gateway or interface address) assigned by our ISP is the “External IP address†(leaving the second box on that line blank). The DMZ address of the server is the “Mapped IP Address†(again leaving the second box on that line blank). I did not check the port forwarding box.
I have created a Custom Service entry for port 80. It allows ports 1-65535 to get to ports 80-80. (This was following the steps in a tech note. I have also tried “ANY†and the built-in HTTP service as destination services.)
I have created a Firewall Policy allowing all hosts on the WAN to connect to the test server using the Custom Service. “Enable NAT†is not checked. “Log Allowed Traffic†is checked.
Users on the LAN can reach the server using either its DMZ address or its public address.
Users on the Internet cannot see the server.
I have changed the logging level to Debug. I don’t see anything of interest in the Traffic log on the Fortigate; in fact we don’t see any outside traffic on the log.
Although it doesn’t seem like it would be needed, I have created a second Firewall Policy to allow the test server on the DMZ to access Any/Any on the WAN. I have tried both checking and not checking “Enable NAT†for that policy. “Log allowed traffic†is selected.
Reconfiguring the server with a public IP address and moving it to the cable modem (bypassing the Fortigate) works fine.
We have tried a lot of variations on this theme. It seems pretty basic but isn’t working. What am I missing?
Thank you for any light you can shed into my darkness.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums! Nice move from Cisco to Fortinet. You' ll enjoy it eventually.
You seem to have a routing problem. All of your steps are well thought of and reasonable. One can see that you have experience in routers and firewalls. But it looks like that the NAT feature on the FGT is not yet clear to you.
There are 2 NAT methods available: source NAT (most commonly used) which is enabled in a policy by checking the NAT option, and destination NAT via Virtual IPs. Both can be combined if necessary.
To address incoming traffic to an internal host using a public IP on the WAN interface you employ a VIP. You create the VIP object and then use it as the destination address in a policy from the interface on which the VIP is defined to the target interface (where the target server is located).
A VIP changes the destination IP address ONLY - packets are routed to a different address but keep their source IP. If the public host responds to this private IP address traffic gets lost.
I have created a Firewall Policy allowing all hosts on the WAN to connect to the test server using the Custom Service. “Enable NAT†is not checked.And if your DMZ server runs with a private IP address like ' 192.168.x.y' , how would a host on the internet determine the route back to it? You definitively need to check the NAT option in the outgoing policy here. There is one special case here: if traffic is coming in to a VIP, and the VIP is NOT port forwarding, then the return traffic will be source NAT' ted automatically when traversing the VIP. But in no case will traffic originating from the DMZ server be NAT' ted unless you enable the NAT option.
I have created two firewall policies to allow all traffic from the LAN to the WAN and from the LAN to the DMZ. Both of these are “Enable NAT†and “Log allowed trafficâ€.The traffic from LAN to DMZ does not need (source) NAT as the route back to the LAN is well known to the FGT - it' s directly connected. As it is configured now all traffic from LAN to DMZ appears to come from the LAN' s interface IP. You don' t need a custom service definition for an allready predefined service. HTTP will do. Please delete the ' wan->wan' policy immediately if not already done. Please try to change your config accordingly and report back. If you do, please include the VIP definition, the static routes and the policy (get them from the CLI). The Traffic log is not the appropriate tool to debug this. Fortigates come with a built-in sniffer (tcpdump alike). But you probably won' t need it now. Do you have the FortiOS Handbook for your FortiOS version? You get it at http://docs.fortinet.com . All the major concepts are clearly laid out there and a lot of realworld examples given. If unsure come back to the forum.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable
Created on 08-01-2011 12:11 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ede,
Thank you very much for the thorough reply.
I was fortunate enough to be able to spend some time with a Fortinet engineer on Friday. It does not seem like the config was the problem. For whatever reason, the Fortigate was just not responding to packets destined to the Virtual IP address. After much fooling around, the Fortinet engineer changed the address of the Fortigate WAN interface to be the same as the WAN address of the test server Virtual IP. Once this was done, the Fortigate started to pass traffic to the server. When the interface address was returned to its original value, the Fortigate continued to pass traffic.
It isn' t clear what caused the problem. Perhaps the Fortigate was failing to respond to ARP requests for the Virtual IP address, or perhaps there was some sort of compatability snag between the Fortigate and the SMC Cable Modem, or perhaps we will never know...
As of this morning, both the cable modem and Fortigate have been restarted and they are continuing to pass traffic. I' m going to build out the config on the Fortigate adding other servers and features. Hopefully this was just a one-time oddity.
Thank you again for your response. It is truly appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the follow-up. I' m glad you got it working. These things should not happen at all - you do everything according to the book and the box just doesn' t do it. Happened to me too, but that was a long time ago (v2.80MR8). I bet the Fortinet SE has had quite a difficult time (or humor).
While you' re at building your configuration please consider the points I' ve made in my previous post. The non-forwarding VIP saves you the effort to check NAT on the outgoing policy but please be aware that this is a special case. If you forward certain ports only you' ll have to have NAT checked.
And NAT un-checked on the LAN->DMZ policy.
And the custom service. I know that sometimes while debugging you put everything into question, even standard port 80 service definitions. I would' ve done the same probably. But it' s not the culprit here. Using the standard service definition has the advantage that you may assign the HTTP proxy to a non-standard port, and it' ll still work (though I haven' t tested this yet).
If you need starting hints come back to the forums, there are a lot of skilled and helpful colleagues around who will help you out.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,732 -
FortiClient
1,772 -
5.2
801 -
FortiManager
734 -
5.4
639 -
FortiAnalyzer
562 -
FortiSwitch
476 -
FortiAP
473 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1731 | |
| 1099 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.