Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
georgeWong
New Contributor

Created on ‎03-21-2022 09:25 PM

VIP hairpin access

Hi , these days i am studing FGT, i am confused at this case-

The VIP is set extintf 'port10', but now 10.10.10.2 accesses 10.10.10.100 port 21, the packet is entering in port9, not in port10,can this activate the DNAT(VIP)?How the FGT works at this scene?

I searched many documents but no answer.  Thank you in advance!

georgeWong_0-1647918516860.pnggeorgeWong_1-1647918555943.png

 

georgeWong_2-1647918883660.png

 

Labels:
5781
0 Kudos
13 REPLIES 13
Patterson
Staff
Staff

Created on ‎03-22-2022 01:32 AM

Hi, Please refer the below KB 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448?ex...

Regards,
Patterson
4627
0 Kudos
georgeWong
New Contributor
In response to Patterson

Created on ‎03-22-2022 07:29 AM

Thanks Patterson, but did not not answer my question yet. Why the traffic goes in port9 can activate the DNAT'ed(VIP)? Then  the traffic goes to port9, why "Allowed by policy-2 SNAT"? I did not see any ’NAT enabled' at policy-2.

4612
0 Kudos
Patterson
Staff
Staff
In response to georgeWong

Created on ‎03-23-2022 06:25 AM

Hi,

In this scenario the traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy.

 

Below KB will provide you details and steps to disable SNAT if required.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-disable-source-NAT-to-enable-a-hair...

 

I have tested this in Lab

 

session info: proto=1 proto_state=00 duration=2 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=180/3/1 reply=180/3/1 tuples=4
tx speed(Bps/kbps): 86/0 rx speed(Bps/kbps): 86/0
orgin->sink: org pre->post, reply pre->post dev=5->5/5->5 gwy=10.234.3.199/10.234.3.55
hook=pre dir=org act=dnat 10.234.3.55:1->1.1.1.1:8(10.234.3.199:8)
hook=post dir=org act=snat 10.234.3.55:8->10.234.3.199:8(10.234.3.24:60424)
hook=pre dir=reply act=dnat 10.234.3.199:60424->10.234.3.24:0(10.234.3.55:8)
hook=post dir=reply act=snat 10.234.3.199:8->10.234.3.55:0(1.1.1.1:1)
misc=0 policy_id=9 pol_uuid_idx=14741 auth_info=0 chk_client_info=0 vd=0
serial=0017d318 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
total session 1

Regards,
Patterson
Preview file
40 KB
Preview file
39 KB
4583
0 Kudos
georgeWong
New Contributor
In response to Patterson

Created on ‎03-24-2022 01:26 AM

I appreciate, Patterson! I see the difference from snat-hairpair-traffic enabled and disabled you showed me. 

And my last question is : the VIP  extintf  was set 'port10', Why the traffic enters in 'port9' can activate the DNAT'ed(VIP)? 

4523
0 Kudos
Patterson
Staff
Staff
In response to georgeWong

Created on ‎03-25-2022 01:13 AM

Hi georgeWong, VIP is like a global parameter and associating VIP with exintf will not restrict it from triggering. 

 

Please refer this doc which explains about the VIP exintf on a scenario basis : https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Hairpin-NAT-VIP/ta-p/195448

Regards,
Patterson
4425
0 Kudos
georgeWong
New Contributor
In response to Patterson

Created on ‎03-25-2022 07:13 PM

Got it, thanks Patterson.  I reviewed the traffic working process:

When the data packet enters FGT from port9, 10.10.10.2 accesses 202.106.1.100 and pre-routing triggers DNAT (VIP).   
DNAT:202.106.1.100-->10.10.10.100, now 10.10.10.2-->10.10.10.100,Then view the route and match Policy-2, but how to explain matching "Allowed by policy-2 "?  The srcintf(port10)、dstaddr (VIP-FTP-Server-Port10) of policy-2 looks not the same as the traffic 10.10.10.2(port9)-->10.10.10.100.
4414
0 Kudos
Patterson
Staff
Staff
In response to georgeWong

Created on ‎03-26-2022 06:46 AM Edited on ‎03-26-2022 06:47 AM

Hi georgeWong, Please refer the below order. You can see policy lookup is done twice.

1, init_ip_session
2, iprope_dnat_check ->Trigger
3, iprope_fwd_check -> routing
4, iprope_check_one_policy -> policy
5, fw_pre_route_handler -> VIP DNAT
6, iprope_fwd_check -> routing
7, iprope_check_one_policy ->policy
8, fw_forward_handler -> Allow the traffic SNAT

Regards,
Patterson
4406
0 Kudos
georgeWong
New Contributor
In response to Patterson

Created on ‎03-28-2022 07:05 AM

Hi Patterson, in the scene , total two policies: policy-1 and policy-2. As your order above, Which policy matches at Step 4?  And which policy matches at Step 7?

4322
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.