New Contributor

VLAN external to LAN not allowed


I have a VLAN configured which is only allowed to use HTTP/HTTPS and DNS to the internet. There is a web server on the LAN they need to contact, and it is also reachable from the outside. When they try to connect to this website they get the outside address from the DNS, and in the firewall we get a "not allowed". I created a security policy, but no effect.

The web server is available with a VIP from outside to LAN, port 80 and 443, interface set to any.

Any idea how to solve this?


LAN is

try to go to

on the LAN this is

on the outside this is (example)

DNS on the VLAN gets and in the logging we see "deny: policy violation, implicit deny"


FortiGate 51E with 5.4.0; tonight I am updating it to the latest IOS.



Valued Contributor

Do you have a VLAN to internal policy to allow that traffic? It might be doing some hair-pinning and wanting the policy to allow it even though the outside policy is there.


Hi Mike,

Thank you for the quick reply.

Yes, there is a policy for VLAN to LAN (NAT disabled).

How do I hair-pin this?




Valued Contributor III

Try enabling NAT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


You could try using a VIP for the external address that forwards to the internal address. I have had to do this before in environments set up the way yours is.
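The VIP-based hairpin the two replies above describe, written out as a FortiOS CLI fragment. This is an added example, not configuration from anyone in this thread: the interface names (vlan10, lan), the VIP name, and the 203.0.113.10 / 192.168.1.10 addresses are placeholders. The point it shows is that when the VIP's external interface is "any", the destination NAT also applies to clients on the VLAN, so the VLAN-to-LAN policy has to reference the VIP as its destination (the LAN subnet alone will not match) and the service list stays limited to the web ports the VLAN is allowed to reach.

```text
# Hairpin VIP: external address translated to the internal web server,
# applied on any inbound interface (including the VLAN). Placeholder values.
config firewall vip
    edit "web-vip-https"
        set extip 203.0.113.10
        set extintf "any"
        set portforward enable
        set mappedip "192.168.1.10"
        set extport 443
        set mappedport 443
    next
end
# A second VIP entry with extport/mappedport 80 covers plain HTTP.

# Policy from the VLAN to the LAN whose destination is the VIP object,
# not the LAN subnet. NAT is enabled as suggested in the replies above.
config firewall policy
    edit 0
        set name "vlan-to-web-hairpin"
        set srcintf "vlan10"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "web-vip-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
```

Keeping the service list and destination narrow means the VLAN gains a path to the web server on its published ports only, which is the same exposure it already has from the internet side; logging all traffic on the policy makes it easy to confirm in the forward log that the hairpin is matching this rule instead of the implicit deny.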


Setting to NAT made no difference.

I was already using a VIP from external to LAN.

The problem is that the VLAN needs to go to the LAN but is getting the external IP.


New Contributor

Yes, I can ping from VLAN to LAN.

The VLAN is using the FortiGate DNS, which is set to the provider's DNS servers.

I already found that this was the problem, but I do not know how to solve this.

I tried to create a DNS Database and pointed the VLAN to this server and created an A record for the internal server, but I still got the external IP address?

I cannot find how to set up the DNS Database in the FortiGate, which I think is the solution.
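A split-horizon setup of the FortiGate DNS database, as asked about above, written as a FortiOS CLI fragment. This is an added example and not the poster's configuration: the zone name, the example.com domain, the "www" host, the 192.168.1.10 address and the vlan10 interface are placeholders. The zone is a shadow view, so only clients that query the FortiGate itself receive the internal address; anyone on the internet still gets the public record from the provider's DNS. The DNS server is enabled on the VLAN interface in recursive mode so that names not in the local zone are still resolved through the system DNS servers.

```text
# Local authoritative zone, visible only to internal clients (shadow view).
config system dns-database
    edit "internal-zone"
        set domain "example.com"
        set type master
        set view shadow
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "www"
                set ip 192.168.1.10
                set status enable
            next
        end
    next
end

# Listen for DNS on the VLAN interface; recursive mode answers from the
# local zone first and forwards everything else to the system DNS servers.
config system dns-server
    edit "vlan10"
        set mode recursive
    next
end
```

Two things to check when the answer still comes back as the external address: the VLAN clients must actually have the FortiGate's VLAN interface address as their resolver (DHCP handing out the provider's servers bypasses the zone entirely), and the zone's domain must match the queried name exactly, since the record here only answers for www.example.com and not for the bare domain.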




I am now using the internal DNS servers and this solved the problem.

Thanks to all of you helping me out.