Hello,
I'm playing with virtual servers that load balance https servers and running under FortiOS 7.2.3.
I configured an internal virtual server like this:
VIP_LB_INT --- HTTPS checks --- Real servers
Internal people access the VIP directly from the LAN and everything is working smoothly.
The need changed. I need to give external people access to this load balancer.
So now I have configued a static NAT from one of my public IP to my VIP_LB_INT IP.
Unfortunately this is not working and I don't know why it couldn't work.
I tried to diagnose and I can see that the Fortigate send an ARP request on my VIP_LB_INT interface, asking who is VIP_LB_INT. Of course, no one is answering because this is itself.
why it does even try. the fortigate is not aware of his own virtual IP ?
From Outside:
6.290750 PORT1 in 178.****.51856 -> 80.*.*.*.443: syn 3730813839
6.290769 INTERNAL out arp who-has 172.28.26.90 tell 172.28.27.100
6.290769 LAGG0 out arp who-has 172.28.26.90 tell 172.28.27.100
6.290770 x2 out arp who-has 172.28.26.90 tell 172.28.27.100
From inside:
445.345921 INTERNAL in arp who-has 172.28.26.90 tell 172.28.26.83
445.345925 INTERNAL out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 LAGG0 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 x2 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.346031 INTERNAL in 172.28.26.83.53126 -> 172.28.26.90.443: syn 3757113778
Legend:
PORT1 is my WAN
INTERNAL my LAN
LAGG0 my aggregate
x2 one member of my aggregate
Is it possible to do what i'm trying to do or do i simply need to create a second virtual server for my outside access ?
Thanks
RDM
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello RDM,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Thanks Anthony.
Let me know if you needs some precision ?
Hello RDM,
Sure, I will come back to you if we need more information.
Regards,
Hello RDM,
Waiting an answer, I found this KB article:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-virtual-server/ta-p/194457
Is that giving any help?
Regards,
Unfortunately no.
I know how to configure a virtual server. But I need my virtual server to be available internally and externally.
Do I need to create two different virtual server or can I create only one (the one internally) and then do a static nat to the internal one (if so how as I can figure a way to make it works) ?
Best
RDM
Hello RDM,
Oh ok!
We will then continue to work on it!
Regards,
maybe the answer is: this is not possible and I need to create two different object for the same "role".
however I just looking for some feedback and be sure it cannot work like this.
Sure!
Makes sense to me.
Regards,
I guess I will end by creating multiple LB...
It could be so simple to have one Internal LB and then a vip to forward port to it, instead of having two different object that make the same thing.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.