I'm playing with virtual servers that load balance HTTPS servers, running under FortiOS 7.2.3.
I configured an internal virtual server like this:
VIP_LB_INT --- HTTPS checks --- Real servers
Internal people access the VIP directly from the LAN and everything is working smoothly.
The need changed. I need to give external people access to this load balancer.
So now I have configured a static NAT from one of my public IPs to my VIP_LB_INT IP.
Unfortunately this is not working and I don't know why it couldn't work.
I tried to diagnose and I can see that the FortiGate sends an ARP request on my VIP_LB_INT interface, asking who has VIP_LB_INT. Of course, no one is answering because this is itself.
Why does it even try? Is the FortiGate not aware of its own virtual IP?
6.290750 PORT1 in 178.****.51856 -> 80.*.*.*.443: syn 3730813839
6.290769 INTERNAL out arp who-has 172.28.26.90 tell 172.28.27.100
6.290769 LAGG0 out arp who-has 172.28.26.90 tell 172.28.27.100
6.290770 x2 out arp who-has 172.28.26.90 tell 172.28.27.100

445.345921 INTERNAL in arp who-has 172.28.26.90 tell 172.28.26.83
445.345925 INTERNAL out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 LAGG0 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.345926 x2 out arp reply 172.28.26.90 is-at 0:9:f:9:0:12
445.346031 INTERNAL in 172.28.26.83.53126 -> 172.28.26.90.443: syn 3757113778
PORT1 is my WAN
INTERNAL my LAN
LAGG0 my aggregate
x2 one member of my aggregate
Is it possible to do what I'm trying to do, or do I simply need to create a second virtual server for my outside access?
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Let me know if you need more details.
Sure, I will come back to you if we need more information.
While waiting for an answer, I found this KB article:
Is that giving any help?
I know how to configure a virtual server. But I need my virtual server to be available internally and externally.
Do I need to create two different virtual servers, or can I create only one (the internal one) and then do a static NAT to it (if so, how, as I can't figure out a way to make it work)?
We will then continue to work on it!
Maybe the answer is: this is not possible and I need to create two different objects for the same "role".
However, I'm just looking for some feedback to be sure it cannot work like this.
Makes sense to me.
I guess I will end by creating multiple LB...
It could be so simple to have one internal LB and then a VIP to forward the port to it, instead of having two different objects that do the same thing.
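For readers landing on this thread with the same problem, here is what the "two virtual servers" outcome looks like in FortiOS CLI. This is an added example, not the original poster's configuration and not taken from a Fortinet KB: the interface names (PORT1, INTERNAL) and the internal VIP address 172.28.26.90 come from the thread; the public address 203.0.113.10, the real server addresses 172.28.26.11 and 172.28.26.12, the certificate name and the policy IDs are constructed placeholders. Both virtual servers point at the same real servers and share one health-check monitor, so the only duplication is the VIP object itself.

```fortios
# Shared HTTPS health check (constructed example; the thread only says "HTTPS checks")
config firewall ldb-monitor
    edit "https-check"
        set type https
        set port 443
        set interval 10
        set timeout 2
        set retry 3
    next
end

# Internal virtual server: what the poster already has working from the LAN
config firewall vip
    edit "VIP_LB_INT"
        set type server-load-balance
        set extip 172.28.26.90
        set extintf "INTERNAL"
        set server-type https
        set extport 443
        set ldb-method round-robin
        set ssl-certificate "EXAMPLE_CERT"        # placeholder: use the real server certificate
        set monitor "https-check"
        config realservers
            edit 1
                set ip 172.28.26.11               # constructed real server address
                set port 443
            next
            edit 2
                set ip 172.28.26.12               # constructed real server address
                set port 443
            next
        end
    next
    # External virtual server: same real servers, bound to the public IP on the WAN interface.
    # This replaces the static NAT to VIP_LB_INT, which is what the ARP trace shows failing.
    edit "VIP_LB_EXT"
        set type server-load-balance
        set extip 203.0.113.10                    # placeholder public IP (thread masks it as 80.*.*.*)
        set extintf "PORT1"
        set server-type https
        set extport 443
        set ldb-method round-robin
        set ssl-certificate "EXAMPLE_CERT"
        set monitor "https-check"
        config realservers
            edit 1
                set ip 172.28.26.11
                set port 443
            next
            edit 2
                set ip 172.28.26.12
                set port 443
            next
        end
    next
end

# Policies: one per virtual server, each scoped to the interface it is meant to serve
config firewall policy
    edit 10
        set name "LAN-to-VIP_LB_INT"
        set srcintf "INTERNAL"
        set dstintf "INTERNAL"
        set srcaddr "all"
        set dstaddr "VIP_LB_INT"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 11
        set name "WAN-to-VIP_LB_EXT"
        set srcintf "PORT1"
        set dstintf "INTERNAL"
        set srcaddr "all"
        set dstaddr "VIP_LB_EXT"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all                        # keep full logs on the Internet-facing policy
    next
end
```

The point of the second object is that a server-load-balance VIP is terminated by the FortiGate itself, which is why the trace above shows it ARPing for 172.28.26.90 instead of treating the NAT target as local. Keeping the external VIP on its own policy also keeps the Internet-facing rule narrow (PORT1 only, HTTPS only, logged), rather than reusing the LAN policy.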