Support Forum
ispcolohost
Contributor

Trying to get better understanding of 'virtual server'

Hey all, doing a first-time use of the virtual server feature on the 5.4.x series. Finding some odd behavior and hoping to get a better explanation of how it's intended to work than what the documentation provides. Here's the setup:

interface port1 172.16.0.1/24

Created virtual server 172.16.0.105, service type https, port 443, interface port1, ssl cert chosen

Created real server 172.16.0.106, port 80, active

Now here's where it gets weird.  I start to add a rule:

Source interface: vpn1 (a site to site vpn end point)

Dest interface: port1

Source address: 10.0.0.0/24 subnet from the other side of the vpn

Dest address:...... hmm, I'm not able to pick my virtual server that was just defined.

After a long time tinkering with settings, I discovered that if I set the virtual server's interface to 'any' then all of a sudden I'm allowed to pick it as a valid destination address in the rule I was trying to create. Alternatively, if I leave it set to port1 and set the rule's dest interface to any, then I'm also allowed to pick it.

So question one is obviously: what can of worms am I opening up by having the virtual server set to the 'any' interface, since I obviously don't want the policy rule set to any? I would expect this to mean that the firewall could potentially accept packets destined for the virtual server IP from an unintended interface?

Next oddity is once I did get the policy entry in, it still wouldn't work. I did a diag and found it hitting the policy 0 implicit deny. I noticed before the deny that there was a reference to a DNAT going from the virtual server IP to the real server IP. I theorized that maybe it was the port. I changed the real server to 443 just like the virtual server, then things started working. I found that to also be peculiar. Is the FortiGate doing the proxying before applying the rules, but then still applying the rules to the original source IP?

So I'd really like to understand the consequences of having the virtual server set to any, why that was needed to begin with, and why the rule application seems to apply to ports on the other side of the proxying instead of just the client-to-virtual-server conversation.

Thanks for any advice!
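The setup described in the post, written out in FortiOS 5.4 CLI syntax. This is an added illustration, not the poster's own configuration: the object names, the certificate name and the choice of vpn1 as the virtual server's interface are assumptions. The point it shows is that the VIP's interface setting ("extintf") is the interface on which client packets for the VIP address arrive, not the interface whose subnet contains that address, and that a policy can only use the VIP as its destination when the policy's source interface matches that setting (or the VIP is on "any").

```fortios
# Added illustration of the post's setup in FortiOS 5.4 CLI syntax.
# Object names, the certificate name and the interface choice are assumptions.

# Virtual server: clients connect to 172.16.0.105:443 (HTTPS, terminated with
# the chosen certificate); the FortiGate proxies to the real server on port 80.
config firewall vip
    edit "vs-https-105"
        set type server-load-balance
        set server-type https
        set extip 172.16.0.105
        # extintf is where packets addressed to extip come IN. For clients in
        # 10.0.0.0/24 reaching the VIP through the tunnel that is vpn1.
        # "any" also works, but then the VIP address is honoured on every
        # interface (still only if a policy with this VIP as destination
        # matches), so the narrower binding keeps the exposure explicit.
        set extintf "vpn1"
        set extport 443
        set ssl-certificate "Fortinet_Factory"
        config realservers
            edit 1
                set ip 172.16.0.106
                set port 80
            next
        end
    next
end

# Address object for the remote VPN subnet (assumed name).
config firewall address
    edit "vpn-remote-10.0.0.0"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Policy: the VIP is the destination address. srcintf must equal the VIP's
# extintf (or the VIP must be bound to "any") for the VIP to be selectable.
config firewall policy
    edit 0
        set name "vpn-to-vs-https"
        set srcintf "vpn1"
        set dstintf "port1"
        set srcaddr "vpn-remote-10.0.0.0"
        set dstaddr "vs-https-105"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

The poster's debug flow output already shows the order the FortiGate uses: the DNAT from the VIP address to the real server is listed before the policy lookup, and a miss there ends at the implicit deny (policy 0). When a policy unexpectedly fails to match, that DNAT line is the place to read which destination address and port the policy check is actually being evaluated against, and the service object on the policy is the setting to compare it with.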
