VIP port forwarding policy problem
Hello,
FortiGate 60F v7.2.4, Policy-based NGFW.
I am trying to set up VIP port forwarding (https://community.fortinet.com/t5/FortiGate/Technical-Tip-Virtual-IP-VIP-port-forwarding-configurati...), but the VIP object is not listed in Destination?
Any ideas?
Thanks,
T
There is also a known bug with the VIP not being displayed in policy manager when the IPv6 settings are incorrect. FGT and FMG do accept these settings (and do not accept the default Fortinet puts in there when you create a VIP), but the VIP is not displayed in policy manager afterwards.
This can be resolved by clearing out the IPv6 addresses in the VIP and saving it.
Unfortunately there is no switch to completely disable v6 in a VIP :(
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Is the interface in the policy correct?
First select the interface from where you come and then the interface where you want to go.
Then the target system should be selectable.
Created on 02-09-2023 06:23 AM Edited on 02-09-2023 06:24 AM
Only a limited list of addresses appears in Destination; there is no single member of the VIP.
Incoming and outgoing interfaces are OK.
Hello Tanaki,
Since you are using FGT in policy mode I suppose you already have central NAT enabled, right?
When Central NAT is enabled, it is not necessary to add the VIP object into the firewall policy as the destination address. This is normal behaviour due to the fact that, in a Central NAT status, the DNAT is injected into the kernel since the object is created in Policy & Objects -> DNAT & Virtual IPs.
You can refer to the below KB for VIP configuration:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-firewall-policies-for-a-VIP-when...
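As an added illustration of what this answer describes (example configuration written for this thread, not taken from the post or from Fortinet's KB): a port-forwarding VIP with central NAT on, and a security policy whose destination is the mapped server address rather than the VIP object. Interface names, addresses and object names are constructed, and using the mapped address as the policy destination is an assumption drawn from the explanation above.

```fortios
# Added example (not from the thread). Names and addresses are constructed.
# Central NAT is what lets the VIP act as a kernel DNAT on its own;
# in policy-based NGFW mode it is already enabled.
config system settings
    set central-nat enable
end

# Port-forwarding VIP: WAN 203.0.113.10:8443 -> internal 192.168.10.20:443
# (only IPv4 fields are set here)
config firewall vip
    edit "vip-web-8443"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 8443
        set mappedip "192.168.10.20"
        set mappedport 443
    next
end

# Address object for the real server, used as the policy destination
config firewall address
    edit "srv-web"
        set subnet 192.168.10.20 255.255.255.255
    next
end

# With central NAT the VIP is not referenced in the policy; the destination
# is the post-DNAT (mapped) address, and only the forwarded service is allowed.
config firewall security-policy
    edit 1
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "srv-web"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Because the VIP never appears in the policy, checking central-nat and the VIP's own settings (including the IPv6 fields mentioned elsewhere in this thread) is the first thing to verify when inbound traffic is not matched.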
Thank you,
I think Central NAT is disabled, how is it possible to check its status?
Central NAT should already be enabled by default in case your device is in Policy Mode.
It should be visible under Policy & Objects > Central NAT in the GUI, or by running the below command in the CLI:
show full system settings | grep "central-nat"
Hi, it's visible in the GUI, but the CLI command result is empty.
Quite odd TBH. I am new to Fortinet; I've been using Cisco, pfSense, Wrt etc. for years with no such generic flaws.
Not completely related to your question but may I ask what the decision was behind using Policy-based NGFW? It's generally recommended to run FortiGate as Profile-based.
Graham