Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Secretcodrin
New Contributor II

Created on ‎03-13-2024 05:03 AM

Priority between policy and virtual IP translation

Hello,

I have come across a specific situation that made me realize I need to ask something:

The setup description:
I have a couple of source PCs let's say PC1, PC2 and PC3 and needs to connect to PC4, PC5 and PC6 inside a private network behind a fortigate (so NAT needs to be used to translate a public ip address to a private one).
PC1's ip address, let's say, is IP1, PC2 has IP2 and so on.

Now I need to connect from PC1 to a service running on PC4 on port let's say PORT1, from PC2 on a service on PC5 on PORT 2 and so on. Now, the traffic needs to go over the internet so the target IP will be the gateway public address on the fortigate, IP10. The implemented solution is to target the fortigate's public ip address and one unused port, then translate it to the destination private ip address and the corresponding port. So it is something like this:

PC1: IP1:pc1_portS -> Fortigate: IP10:PORT1-1 -> (dNAT) -> PC4:IP4:PORT1
PC2:IP2:pc2_portS -> Fortigate: IP10:PORT2-1 -> (dNAT) -> PC5:IP5:PORT2

The question that I need the answer for:
Now looking at this, and thinking about the firewall policies I realized something. If I make a policy allowing traffic to PC1 to PC4, will I need to specific PORT1-1 then PORT1 or can I simply specify PC1:IP1:pc1_portS -> PC4:IP4:PORT1? 

What has priorirty? The NAT (Virtual IP) or the policy? Will the traffic be allowed then translated or will it be translated then allowed? I'm asking this for my own understanding.
Also if something doesn't make sense there is a slight chance I didn't fully understand the entire situation as I am still a beginner.


Thank you.

296
0 Kudos
5 REPLIES 5
hbac
Staff
Staff

Created on ‎03-13-2024 11:56 AM

Hi @Secretcodrin,

 

I believe you are trying to configure port forwarding. Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-...

 

To understand the packet flow, please refer to https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/p...

 

Regards, 

267
Secretcodrin
New Contributor II
In response to hbac

Created on ‎03-19-2024 07:26 AM

Thank you for the response, the second link was very useful and more or less exactly what I needed. I just have one question that I did not understand from the topic. When exactly is the Port Forwarding happening in the flow? And by flow, I'm referencing this picture from the second link:

 

96fda058a94bb52bb5648813b6523415_No-network-processors.png

 

227
0 Kudos
ezhupa
Staff
Staff
In response to Secretcodrin

Created on ‎03-19-2024 07:53 AM

Hello, 

 

Portforwarding is Destination NAT - DNAT in your case. Mapping an external IP address to an internal resource. 
When running the debug flow you should be able to see the DNAT lookup, so trying to match the traffic to a VIP if there is any VIP config, then after performing DNAT the FGT will check for a policy with said VIP object as destination and try to match it to that. After it matches the policy then if NAT enabled on the policy, it will SNAT depending on the configuration in the policy and forward the packet. 

Hope this helps.

222
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-19-2024 09:20 AM

I think you're particularly looking for a "hairpin NAT/VIP" solution like below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Toshi

213
Secretcodrin
New Contributor II
In response to Toshi_Esumi

Created on ‎04-02-2024 05:56 AM

Not quite, but the article was nice to read nevertheless. I learned a new technique today. Thank you!

107
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.