Hi, these days I am studying FGT, and I am confused by this case:
The VIP is set with extintf 'port10', but now 10.10.10.2 accesses 10.10.10.100 port 21, and the packet enters on port9, not on port10. Can this activate the DNAT (VIP)? How does the FGT work in this scenario?
I searched many documents but found no answer. Thank you in advance!
Is the VIP defined on the 'any' interface or on 'port10'?
The SNAT issue is interesting. Hard to tell if the config is missing from your post (VIP, policy)...do you use Central NAT?
Created on 03-23-2022 01:31 AM Edited on 03-23-2022 01:33 AM
Hey ede, George,
-> from the screenshot with configuration snippets, the VIP is configured with extintf port10, correct?
-> you have two policies, 2(from port10 to port9, with VIP as destination, no NAT) and 1(from port9 to port10, with NAT to interface IP enabled)?
Technically, traffic from internal host 10.10.10.2 to 202.106.1.100 (public IP of VIP) would initially match policy 1 (go from port9 to port10 and have NAT applied) and then immediately match policy 2 (VIP), right?
It looks to me a bit as if FortiGate is applying both policies at the same time (matching VIP based on policy 2, applying NAT based on policy 1).
For testing, can you turn off NAT in policy 1 and check if the 'SNAT' bit in debug goes away?
Your setup does mirror scenario 1 as outlined in the KB shared by Patterson:
https://community.fortinet.com/t5/Fortinet-Forum/VIP-hairpin-access/td-p/207277
Hi Debbie, settings were as you said. I think the Policy-2 SNAT is for traffic to Internet.
"traffic enters and leaves FortiGate via the same interface. This causes FortiOS to automatically perform SNAT, even if NAT is not configured in the firewall policy."--This automatically SNAT will be for the hairpin traffic I think.
Yes Ede, defined on port10. And I don't use Central NAT. All the main settings were in the post. Thank you.
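As an added illustration (not configuration posted by anyone in this thread), the FortiOS CLI below reconstructs the two-policy setup being discussed and shows where the extintf choice decides whether a packet arriving on port9 is matched against the VIP. The VIP name "VIP_FTP", the policy IDs and the assumption that 10.10.10.100 is the FTP server behind port9 are mine; 202.106.1.100, port9 (internal) and port10 (external) are taken from the thread.

```fortios
# Added example; object names, policy IDs and the mapped host are assumptions.
config firewall vip
    edit "VIP_FTP"
        set extip 202.106.1.100
        set mappedip "10.10.10.100"
        # With extintf port10, DNAT applies only to sessions that ENTER on port10.
        # A packet from 10.10.10.2 arriving on port9 for 202.106.1.100 is not
        # matched against this VIP. To match regardless of ingress interface:
        # set extintf "any"
        set extintf "port10"
        set portforward enable
        set extport 21
        set mappedport 21
    next
end

config firewall policy
    edit 1
        # Internal -> Internet with SNAT to the port10 address (poster's policy 1)
        set srcintf "port9"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 2
        # Inbound from the Internet to the server via the VIP (poster's policy 2)
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "VIP_FTP"
        set action accept
        set schedule "always"
        set service "FTP"
    next
    edit 3
        # Hairpin policy, relevant only with extintf "any": traffic enters and
        # leaves on port9, so FortiOS applies SNAT automatically (see the KB link)
        set srcintf "port9"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "VIP_FTP"
        set action accept
        set schedule "always"
        set service "FTP"
    next
end
```

Checking with `diagnose debug flow` which policy ID a test session from 10.10.10.2 hits, with extintf set first to "port10" and then to "any", shows directly whether DNAT was applied.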