Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
CHR57
New Contributor III

Created on ‎11-16-2023 11:41 PM Edited on ‎11-16-2023 11:48 PM

VIP to virtual server

I have a problem getting a WAN connection through VIP to a virtual server (with Roundrobin).

The virtual server works internally.

If I point the VIP to one of the servers in the Virtual server it works.

The policy for the Virtual server also includes the wan interface as the source.

 

Could it be a flow/proxy base thing?

 

CR
CR
Labels:
1803
0 Kudos
1 Solution
Debbie_FTNT
Staff
Staff
In response to CHR57

Created on ‎11-17-2023 08:07 AM

Hey CR, perhaps I expressed myself a bit badly.

I essentially meant this setup:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

Can you try the VIP configuration via CLI and if the object allows itself to be configured, create a policy with that object as destination?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

1733
7 REPLIES 7
abarushka
Staff
Staff

Created on ‎11-16-2023 11:55 PM

Hello,

 

"Set the Inspection Mode to Proxy-based. The new virtual server will not be available if the inspection mode is Flow-based."

 

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/713497/virtual-server

 

FortiGate
1787
CHR57
New Contributor III
In response to abarushka

Created on ‎11-16-2023 11:58 PM

Hi, it is in proxy already.

 

CHR57_0-1700207878368.png

 

CR
CR
1785
0 Kudos
Debbie_FTNT
Staff
Staff
In response to CHR57

Created on ‎11-17-2023 04:22 AM

Dear CR,

just to clarify:

- you already have a working setup with a virtual server object in FortiGate set up for internal users

- you are trying to set up a VIP from external to internal, and destination should be the virtual server object?

- this fails, but if you point the VIP to any of the servers BEHIND the virtual server object, access works?

 

If I understand your intended setup correctly, then the issue is probably that you're essentially trying to chain two VIPs; virtual server objects are also treated largely as VIPs in FortiGate, and it may not like that.

Can you try the following instead?
- a new virtual server object
- the VIP's external IP as virtual IP in the server object
- the same target servers as your internal virtual server object
- policy from external to internal, with new virtual server object

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1754
CHR57
New Contributor III
In response to Debbie_FTNT

Created on ‎11-17-2023 05:55 AM Edited on ‎11-17-2023 06:00 AM

Your assumptions are correct.

 

- the VIP's external IP as virtual IP in the server object

So the Virtual server IP is the VIP external IP? Sounds strange and I can't find the SD-WAN interface in the list.
vip.jpg

"The virtual IP is overlapped with another VIP entry..."

CR
CR
1743
0 Kudos
Debbie_FTNT
Staff
Staff
In response to CHR57

Created on ‎11-17-2023 08:07 AM

Hey CR, perhaps I expressed myself a bit badly.

I essentially meant this setup:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

Can you try the VIP configuration via CLI and if the object allows itself to be configured, create a policy with that object as destination?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
1734
CHR57
New Contributor III
In response to Debbie_FTNT

Created on ‎11-17-2023 11:57 AM Edited on ‎11-17-2023 11:58 AM

Think I got it, checked on my FGT at home. Will try at work on Monday.

 

Skärmbild 2023-11-17 205510.jpg

CR
CR
1723
0 Kudos
CHR57
New Contributor III
In response to Debbie_FTNT

Created on ‎11-20-2023 12:37 AM

Worked!

Thanks.

A bit confusing to have VIPs on both Virtual IPs and Virtual Servers.

CR
CR
1675
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.