ckhok
New Contributor

Perform Policy Route then DNAT with port forwarding

Hi, can I apply the VIP address as the destination address on a firewall policy that is using a policy route? Will the sample configuration below work? I am running FortiOS 5.0.3. Thanks.

For example:

    config firewall vip
        edit "vip-10.20.10.200"
            set extintf "port1"
            set portforward enable
            set extip 0.0.0.0/0.0.0.0
            set mappedip 10.20.10.200
            set extport 80
            set mappedport 8081
        next
    end

    config router policy
        edit 1
            set input-device "port1"
            set src 10.141.0.0 255.255.0.0
            set dst 0.0.0.0/0.0.0.0
            set protocol 6
            set start-port 80
            set end-port 80
            set gateway 1.20.10.1
            set output-device "port2"
        next
    end

    config firewall policy
        edit 68
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "10.141.0.0"
            set dstaddr "vip-10.20.10.200"
            set action accept
            set schedule "always"
            set service "HTTP"
            set logtraffic all
        next
    end
ckhok
New Contributor

I have tested it. It doesn't work. Does anyone know how to configure what I am trying to achieve? Thanks.
rwpatterson
Valued Contributor III

What is your overall goal?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ckhok
New Contributor

Traffic from 10.141.0.0 to any on port 80 should be routed to 1.20.10.1, then the destination IP NATed to 10.20.10.200 and the destination port translated to 8081. I have a default route configured: 0.0.0.0/0.0.0.0 gw 20.20.20.90. I need to divert anything coming from 10.141.0.0 to any on port 80 onto a different route (10.20.10.1). Thanks.
rwpatterson
Valued Contributor III

Sounds like you have a few things going on here. First you need the normal route, which you covered with the default. Next you need the normal policy, which I will assume is #68 in your example. The VIP flips the traffic. I believe your issue lies within your policy. Your policy is set to pass HTTP traffic (port 80), but the VIP changes the traffic to port 8080. You need to define a service for TCP 8080: source port range 1024-65535, destination port range 8080-8080. Use that in the policy and you should be good to go. (There may be a predefined 'proxy' service that already uses that range.)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ckhok
New Contributor

Hi, I configured a TCP-8081 service on the firewall policy, but the traffic still does not hit the firewall policy. My VIP is configured with port forwarding, so by right we should not need to configure the TCP-8081 service in the firewall policy. However, I did try it and it failed. As you can see from the debug output below, the router policy is working, but it could not find a firewall policy to match. Thanks.

Sample debug output below:

    Fu-PSCN-FG-01 #
    id=13 trace_id=1875 msg="vd-root received a packet(proto=6, 10.141.0.11:37002->157.166.249.11:80) from port1."
    id=13 trace_id=1875 msg="allocate a new session-000d163f"
    id=13 trace_id=1875 msg="Match policy routing: to 10.20.10.1 via ifindex-61"
    id=13 trace_id=1875 msg="find a route: gw-10.20.10.1 via port2"
    id=13 trace_id=1875 msg="Denied by forward policy check"
    id=13 trace_id=1876 msg="vd-root received a packet(proto=6, 10.141.0.11:37002->157.166.249.11:80) from port1."
    id=13 trace_id=1876 msg="allocate a new session-000d1640"
    id=13 trace_id=1876 msg="Match policy routing: to 10.20.10.1 via ifindex-61"
    id=13 trace_id=1876 msg="find a route: gw-10.20.10.1 via port2"
    id=13 trace_id=1876 msg="Denied by forward policy check"
    id=13 trace_id=1877 msg="vd-root received a packet(proto=6, 10.141.0.11:51044->202.3.237.214:80) from port1."
    id=13 trace_id=1877 msg="allocate a new session-000d1645"
    id=13 trace_id=1877 msg="Match policy routing: to 10.20.10.1 via ifindex-61"
    id=13 trace_id=1877 msg="find a route: gw-11.20.10.1 via port2"
    id=13 trace_id=1877 msg="Denied by forward policy check"
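Added example, not part of the thread: a small Python parser for FortiOS debug flow traces in the format quoted above (the `id=... trace_id=... msg="..."` lines produced by `diagnose debug flow`). It groups lines by trace_id and reports, per session, the ingress packet, whether a policy route matched, whether a DNAT step appeared, and the verdict, then lists the sessions that were denied without any DNAT step. That last check is the one to run when a policy's dstaddr is a VIP: if no translation shows up in the trace before the policy lookup, a policy matching on the VIP cannot have been hit. The sample trace is constructed; the first two records mirror the thread's output, and the third is a made-up record showing the "DNAT" and "Allowed by Policy-N" lines a translated session produces (message formats modelled on typical FortiOS debug-flow output and assumed here; the policy number 68 is taken from the thread).

```python
"""Parse FortiOS 'diagnose debug flow' output and summarise each session's path."""
import re
from collections import OrderedDict

# Constructed sample trace. Records 1875 and 1877 follow the thread's output;
# record 1880 is invented to show what a session that was DNATed by a VIP and
# then matched a policy looks like (message wording assumed, not from the thread).
SAMPLE_TRACE = """
id=13 trace_id=1875 msg="vd-root received a packet(proto=6, 10.141.0.11:37002->157.166.249.11:80) from port1."
id=13 trace_id=1875 msg="allocate a new session-000d163f"
id=13 trace_id=1875 msg="Match policy routing: to 10.20.10.1 via ifindex-61"
id=13 trace_id=1875 msg="find a route: gw-10.20.10.1 via port2"
id=13 trace_id=1875 msg="Denied by forward policy check"
id=13 trace_id=1877 msg="vd-root received a packet(proto=6, 10.141.0.11:51044->202.3.237.214:80) from port1."
id=13 trace_id=1877 msg="allocate a new session-000d1645"
id=13 trace_id=1877 msg="Match policy routing: to 10.20.10.1 via ifindex-61"
id=13 trace_id=1877 msg="find a route: gw-10.20.10.1 via port2"
id=13 trace_id=1877 msg="Denied by forward policy check"
id=13 trace_id=1880 msg="vd-root received a packet(proto=6, 10.141.0.12:40000->203.0.113.5:80) from port1."
id=13 trace_id=1880 msg="allocate a new session-000d1650"
id=13 trace_id=1880 msg="DNAT 203.0.113.5:80->10.20.10.200:8081"
id=13 trace_id=1880 msg="find a route: gw-10.20.10.1 via port2"
id=13 trace_id=1880 msg="Allowed by Policy-68: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
DNAT_RE = re.compile(r'DNAT ([\d.]+):(\d+)->([\d.]+):(\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_flow(text):
    """Group trace lines by trace_id and pull out the fields worth checking."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # blank line or CLI prompt, not a trace record
        tid, msg = m.group(1), m.group(2)
        t = traces.setdefault(tid, {"packet": None, "policy_route": False, "dnat": None,
                                    "verdict": "unknown", "policy_id": None, "steps": []})
        t["steps"].append(msg)
        pm = PKT_RE.search(msg)
        dm = DNAT_RE.match(msg)
        am = POLICY_RE.match(msg)
        if pm:
            t["packet"] = {"proto": int(pm.group(1)),
                           "src": (pm.group(2), int(pm.group(3))),
                           "dst": (pm.group(4), int(pm.group(5))),
                           "in_if": pm.group(6)}
        elif msg.startswith("Match policy routing"):
            t["policy_route"] = True
        elif dm:
            # original dst ip, original dst port, mapped ip, mapped port
            t["dnat"] = (dm.group(1), int(dm.group(2)), dm.group(3), int(dm.group(4)))
        elif msg.startswith("Denied by forward policy check"):
            t["verdict"] = "denied"
        elif am:
            t["verdict"] = "allowed"
            t["policy_id"] = int(am.group(1))
    return traces


def denied_without_dnat(traces):
    """Trace ids denied by the forward policy check with no DNAT step in the trace.
    When the policy's dstaddr is a VIP, such a session was never translated, so
    that policy could not have matched it."""
    return [tid for tid, t in traces.items()
            if t["verdict"] == "denied" and t["dnat"] is None]


def summarize(traces):
    """One human-readable line per trace."""
    lines = []
    for tid, t in traces.items():
        p = t["packet"]
        flow = ("%s:%d->%s:%d" % (p["src"] + p["dst"])) if p else "?"
        dnat = ("%s:%d" % t["dnat"][2:]) if t["dnat"] else "none"
        policy = (" policy=%d" % t["policy_id"]) if t["policy_id"] else ""
        lines.append("trace %s: %s policy_route=%s dnat=%s verdict=%s%s"
                     % (tid, flow, t["policy_route"], dnat, t["verdict"], policy))
    return lines


if __name__ == "__main__":
    parsed = parse_flow(SAMPLE_TRACE)
    print("\n".join(summarize(parsed)))
    print("denied with no DNAT step:", denied_without_dnat(parsed))
```

Feed it the output of a real `diagnose debug flow` capture (after `diagnose debug flow filter` narrowed to the source host) and compare the denied sessions against the ones that show a DNAT line; a VIP-based policy only has a chance of matching the second group.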
rwpatterson
Valued Contributor III

In a VIP policy, the forwarded IP address is the one that needs the service. Have you tried using the 'all' service as a test?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ckhok
New Contributor

Thanks for your help and support. I have raised the issue with Fortinet support and they are looking at reproducing the setup. Thanks