Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
georgeWong
New Contributor

Created on ‎03-21-2022 09:25 PM

VIP hairpin access

Hi , these days i am studing FGT, i am confused at this case-

The VIP is set extintf 'port10', but now 10.10.10.2 accesses 10.10.10.100 port 21, the packet is entering in port9, not in port10,can this activate the DNAT(VIP)?How the FGT works at this scene?

I searched many documents but no answer.  Thank you in advance!

georgeWong_0-1647918516860.pnggeorgeWong_1-1647918555943.png

 

georgeWong_2-1647918883660.png

 

Labels:
4447
0 Kudos
13 REPLIES 13
ede_pfau
SuperUser
SuperUser

Created on ‎03-22-2022 11:41 AM

Is the VIP defined on the 'any' interface or on 'port10'?

The SNAT issue is interesting. Hard to tell if the config is missing from your post (VIP, policy)...do you use Central NAT?


Ede


"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
1124
0 Kudos
Debbie_FTNT
Staff
Staff
In response to ede_pfau

Created on ‎03-23-2022 01:31 AM Edited on ‎03-23-2022 01:33 AM

Hey ede, George,

-> from the screenshot with configuration snippets, the VIP is configured with extintf port10, correct?
-> you have two policies, 2(from port10 to port9, with VIP as destination, no NAT) and 1(from port9 to port10, with NAT to interface IP enabled)?

 

Technically, traffic from internal host 10.10.10.2 to 202.106.1.100 (public IP of VIP) would initially match policy 1 (go from port9 to port10 and have NAT applied) and then immediately match policy 2 (VIP), right?

It looks to me a bit as if FortiGate is applying both policies at the same time (matching VIP based on policy 2, applying NAT based on policy 1).

For testing, can you turn off NAT in policy 1 and check if the 'SNAT' bit in debug goes away?

 

Your setup does mirror scenario 1 as outlined in the KB shared by Patterson:

https://community.fortinet.com/t5/Fortinet-Forum/VIP-hairpin-access/td-p/207277

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1053
0 Kudos
georgeWong
New Contributor
In response to Debbie_FTNT

Created on ‎03-24-2022 05:18 AM

Hi Debbie, settings were as you said. I think the Policy-2 SNAT is for traffic to Internet.

"traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy."--This automatically SNAT will be for the hairpin traffic I think.

925
0 Kudos
georgeWong
New Contributor
In response to ede_pfau

Created on ‎03-24-2022 05:09 AM

Yes Ede, defined on port10. And I don't use Central NAT.  All the main settins were on the post.  Thank you.

928
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.