Hello,

I'm playing with virtual servers that load balance https servers and running under FortiOS 7.2.3.

I configured an internal virtual server like this:

VIP_LB_INT --- HTTPS checks --- Real servers

Internal people access the VIP directly from the LAN and everything is working smoothly.

The need changed. I need to give external people access to this load balancer.

So now I have configued a static NAT from one of my public IP to my VIP_LB_INT IP.

Unfortunately this is not working and I don't know why it couldn't work.

I tried to diagnose and I can see that the Fortigate send an ARP request on my VIP_LB_INT interface, asking who is VIP_LB_INT. Of course, no one is answering because this is itself.

why it does even try. the fortigate is not aware of his own virtual IP ?

From Outside:

6.290750 PORT1 in 178.****.51856 -> 80.*.*.*.443: syn 3730813839
6.290769 INTERNAL out arp who-has 172.28.26.90 tell 172.28.27.100
6.290769 LAGG0 out arp who-has 172.28.26.90 tell 172.28.27.100
6.290770 x2 out arp who-has 172.28.26.90 tell 172.28.27.100

From inside:

445.345921 INTERNAL in arp who-has 172.28.26.90 tell 172.28.26.83
445.345925 INTERNAL out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 LAGG0 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 x2 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.346031 INTERNAL in 172.28.26.83.53126 -> 172.28.26.90.443: syn 3757113778

Legend:

PORT1 is my WAN

INTERNAL my LAN

LAGG0 my aggregate

x2 one member of my aggregate

Is it possible to do what i'm trying to do or do i simply need to create a second virtual server for my outside access ?

Thanks

RDM