Hello experts,
I have a question regarding configuring PBR and mapping the destination IP to a virtual server for load balancing.
Yesterday we configured a virtual server to load-balance traffic to two proxy servers, and then configured a PBR that says that whoever wants to surf the internet goes to the virtual server IP address:
Source: clients lan
Destination: 0.0.0.0/0
Outgoing Interface: Proxy's gateway interface
Gateway address: virtual server IP address
And that didn't work.
We thought it might be because the FortiGate is searching for the virtual server IP address behind that interface without looking into the virtual server configuration, so we configured the virtual server IP address as a secondary IP address on the relevant interface. We also tried configuring it as a VIP, and also as proxy-ARP. None of those helped to solve the problem.
In diagnose debug we saw that when a client tried to surf the internet, the PBR mapped the traffic to the relevant interface, but then the policy denied it because the destination IP address was not the virtual server IP address:
id=20085 trace_id=13743 func=print_pkt_detail line=5348 msg="vd-root received a packet(proto=1, 10.30.255.250:4->8.8.8.8:2048) from 664. type=8, code=0, id=4, seq=49676."
id=20085 trace_id=13743 func=init_ip_session_common line=5507 msg="allocate a new session-be0cdbaf"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2565 msg="Match policy routing: to 172.19.1.18 via ifindex-45"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-172.19.1.18 via root"
id=20085 trace_id=13743 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
172.19.1.18 = virtual server IP address
10.30.255.250 = client IP address
ifindex-45 = proxy gateway interface
It looks like PBR cannot map traffic to a virtual server. Is that correct?
Please advise
Thanks
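The debug-flow lines pasted in the post are the one piece of hard evidence it contains, so here is an added example (not from the original post, and not Fortinet code) that parses `diagnose debug flow` output of that shape, groups it by trace_id, and flags the pattern the poster shows: a policy-route match followed by a drop reported by fw_local_in_handler on policy 0. The first trace is the poster's own five lines; the second, "allowed" trace is constructed for contrast, and its `fw_forward_handler` / `Allowed by Policy-5` wording is an assumption about the message format rather than something the post shows.

```python
import re
from collections import defaultdict

# Trace 13743: the five lines copied from the post above.
# Trace 13744: constructed for contrast (assumed message wording), not from the post.
SAMPLE_TRACE = """\
id=20085 trace_id=13743 func=print_pkt_detail line=5348 msg="vd-root received a packet(proto=1, 10.30.255.250:4->8.8.8.8:2048) from 664. type=8, code=0, id=4, seq=49676."
id=20085 trace_id=13743 func=init_ip_session_common line=5507 msg="allocate a new session-be0cdbaf"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2565 msg="Match policy routing: to 172.19.1.18 via ifindex-45"
id=20085 trace_id=13743 func=vf_ip_route_input_common line=2574 msg="find a route: flag=80000000 gw-172.19.1.18 via root"
id=20085 trace_id=13743 func=fw_local_in_handler line=402 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=13744 func=print_pkt_detail line=5348 msg="vd-root received a packet(proto=6, 10.30.255.251:51234->8.8.8.8:443) from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=13744 func=init_ip_session_common line=5507 msg="allocate a new session-be0cdbb0"
id=20085 trace_id=13744 func=vf_ip_route_input_common line=2574 msg="find a route: flag=04000000 gw-172.19.1.1 via port2"
id=20085 trace_id=13744 func=fw_forward_handler line=700 msg="Allowed by Policy-5: SNAT"
"""

# key=value pairs; the quoted msg="..." is consumed whole so its inner "proto=1" etc. are not split off.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)')
PBR_RE = re.compile(r'Match policy routing: to (\S+) via ifindex-(\d+)')
ROUTE_RE = re.compile(r'find a route: flag=(\w+) gw-(\S+) via (\S+)')
DROP_RE = re.compile(r'check failed on policy (\d+), drop')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')   # assumed wording, see lead-in


def parse_line(line):
    """Split one debug-flow line into a dict of fields, with msg unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def summarize_trace(text):
    """Group debug-flow lines by trace_id and extract packet, routing decision and verdict."""
    traces = defaultdict(lambda: {"events": []})
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        t = traces[f["trace_id"]]
        msg = f.get("msg", "")
        if m := PKT_RE.search(msg):
            t["proto"] = int(m.group(1))
            t["src"], t["dst"] = m.group(2), m.group(4)
        elif m := PBR_RE.search(msg):
            # Policy route won: next hop and the ifindex it pointed at.
            t["pbr_gateway"] = m.group(1)
            t["pbr_ifindex"] = int(m.group(2))
        elif m := ROUTE_RE.search(msg):
            t["route_gw"], t["route_via"] = m.group(2), m.group(3)
        elif m := DROP_RE.search(msg):
            t["verdict"] = "drop"
            t["drop_policy"] = int(m.group(1))
            t["drop_func"] = f["func"]   # which handler dropped it, e.g. fw_local_in_handler
        elif m := ALLOW_RE.search(msg):
            t["verdict"] = "allow"
            t["allow_policy"] = int(m.group(1))
        t["events"].append(f["func"])
    return dict(traces)


def pbr_then_local_in_drop(trace):
    """True when a policy route matched and the packet was then dropped by the local-in handler
    on policy 0: the exact sequence shown in the post's trace."""
    return ("pbr_gateway" in trace
            and trace.get("verdict") == "drop"
            and trace.get("drop_func") == "fw_local_in_handler"
            and trace.get("drop_policy") == 0)


def describe(trace_id, trace):
    """One-line triage summary for a trace."""
    route = trace.get("pbr_gateway", trace.get("route_gw", "?"))
    return (f"trace {trace_id}: {trace.get('src')}->{trace.get('dst')} proto {trace.get('proto')} "
            f"next-hop {route} verdict {trace.get('verdict', 'none')}"
            + (" [PBR->local-in drop]" if pbr_then_local_in_drop(trace) else ""))


if __name__ == "__main__":
    for tid, tr in summarize_trace(SAMPLE_TRACE).items():
        print(describe(tid, tr))
```

The check is deliberately narrow: it keys on the handler name in the drop line, because a drop from fw_local_in_handler is reported against local-in policy 0, whereas a forward-path verdict comes from a different handler, and that distinction is what tells you which policy table to look at next.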