Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Virtual IP inbound NAT using wrong IP going outbo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Virtual IP inbound NAT using wrong IP going outbound
Hello All,
Following a thread I posted recently related to routing the same firewall is giving me problems with a NAT (fortigate 200B, running v4.0,build0639,120906 (MR3 Patch 10)) I am struggling to find a reason why a server with inbound NAT configured using a VIP (for email to flow inbound) is not going out on the same interface it came in on.
My understanding is that if I NAT something inbound then it should use the same external IP on the VIP to go outbound?
So if I have set it to use a specific external IP coming inbound on port 12 it should show that IP as its IP if it makes an outbound connection?
The email server makes outbound connections to mimecast for sending mail and its locked to a specific IP.
I have seen this work fine on other fortigates but this one is showing it as using port 9 going out which shouldn' t happen with a server running on a VIP right?
The weird thing is its still accepting connections inbound for RDP/email etc. just fine but I had to use a policy route to force it to use the correct interface to go out to mimecast and when I do this the IP when you telnet the mimecast servers is the correct one that I have set as the external IP on the VIP.
Here is the setup:
port12 -> internal - this has the VIP on it but when the server goes outbound its using port 9?!
The firewall in question does have multiple routes out to the internet but I am getting reports that the internet speed is not great for users but its just doing source IP based ECMP so perhaps its just hitting port 9 a lot since this is the first route to the internet in its routing table?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My understanding is that if I NAT something inbound then it should use the same external IP on the VIP to go outbound?This is an incorrect preconception. What interface and what IP your server has for flows (sessions) it initiates itself is controlled by the routeing/routing table. The IP you present, per interface is most dominantly impacted by whether the Virtual-IP you' ve configured is shared (by specifying ports or port ranges) or dedicated (1:1 NAT). IP Pools can give you a certain internet identity but this isn' t an ideal configuration if you mention your Virtual-IP in your Virtual-IP-Pool. If you want your inbound VIP to be used to present your public IP identity on outbound streams then configuring your VIP as a 1:1 NAT is best. Then simply don' t allow Internet->DMZ connectivity beyond what you want to expose for inbound flows from the general public. Of course you' ll burn more public IPs this way but you may regret trying to mix SNAT (outbound flows using a pool) with DNAT (inbound flows using VirtualIP) where the public IP is the same address. In FortiOS it seems consistently bad practice to try this. Static routes (be they enhanced or not by the features of ECMP with its optional biasing (weighting, spillover) and PBR) dictate whether you' ll initiate a flow from your server over one line or another. It would be nice if PBR was another bias option that could have multiple entries to steer the ECMP/load-balance engine but adding features like this would probably take some convincing for the Fortinet engineers. Most routeing/forwarding features we have here seem to be present only when they also have some representation in Linux/BSD or Windows in order to appear in FortiOS. There are some exceptions where commercial load balancer philosophies/paradigms have been made equivalent in FortiOS and implemented quite well. Nevertheless, configuration of forwarding to the utmost extremes of flexibility isn' t where these platforms are at currently. For example, being able to control how the forwarding cache ages out isn' t in the current bag of tools.
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- DNAT using VIP for Outbound traffic 68 Views
- Can't see blocked IP and FQDN... 151 Views
- Help with Forti vm home lab... 197 Views
- What FortiOS Event Logs should i... 1434 Views
- Using Fortigate under AWS for SIP... 919 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.