Hello Experts,
Can someone please confirm: if we have a regular VIP with a Public IP address other than the Firewall external interface IP, will return traffic from the exposed server use the same Public IP from the VIP? If not, do I need to create an IP pool with the same Public IP and then use that to NAT Internet-bound traffic from the server?
Also, what IP will be used by the server if it initiates traffic out to the Internet in the case of an exposed server with a VIP setup?
Thanks
G'day.
The VIP will be used for outbound traffic if you are not using port forwarding. If you are only applying inbound VIP to a specific range of inbound ports then only traffic that matches that same traffic will use the VIP on outbound.
i.e. You will need to create an outbound IP pool policy for all traffic to use the VIP address unless you have the VIP policy forwarding all traffic to the destination.
Hope this clears things up!
Thank you so much for your advice and confirmation. I was confused as to what will be the outbound Public IP if the server in question initiates the traffic. And as per your clarification, if it is a 1:1 map, then it will use the same VIP. For a port forwarding situation, we will need to create an IP pool using the VIP as the only address in that pool and apply that to the outbound policy for NAT to this VIP pool. If this is not done, then the server will use the regular interface NAT if that is set up for the subnet the server is on.
Appreciate again.
Copyright 2024 Fortinet, Inc. All Rights Reserved.