"My understanding is that if I NAT something inbound then it should use the same external IP on the VIP to go outbound?"

This is an incorrect preconception. What interface and what IP your server has for flows (sessions) it initiates itself is controlled by the routing table. The IP you present, per interface, is most dominantly impacted by whether the Virtual IP you've configured is shared (by specifying ports or port ranges) or dedicated (1:1 NAT). IP Pools can give you a certain internet identity, but this isn't an ideal configuration if you mention your Virtual IP in your Virtual IP Pool. If you want your inbound VIP to be used to present your public IP identity on outbound streams, then configuring your VIP as a 1:1 NAT is best. Then simply don't allow Internet->DMZ connectivity beyond what you want to expose for inbound flows from the general public. Of course you'll burn more public IPs this way, but you may regret trying to mix SNAT (outbound flows using a pool) with DNAT (inbound flows using a Virtual IP) where the public IP is the same address. In FortiOS it seems consistently bad practice to try this.

Static routes (be they enhanced or not by the features of ECMP with its optional biasing (weighting, spillover) and PBR) dictate whether you'll initiate a flow from your server over one line or another. It would be nice if PBR were another bias option that could have multiple entries to steer the ECMP/load-balance engine, but adding features like this would probably take some convincing for the Fortinet engineers. Most routing/forwarding features we have here seem to be present only when they also have some representation in Linux/BSD or Windows in order to appear in FortiOS. There are some exceptions where commercial load balancer philosophies/paradigms have been made equivalent in FortiOS and implemented quite well. Nevertheless, configuration of forwarding to the utmost extremes of flexibility isn't where these platforms are at currently.

For example, being able to control how the forwarding cache ages out isn't in the current bag of tools.
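The contrast the reply draws (a dedicated 1:1 VIP versus a shared port-forwarding VIP, an outbound policy that relies on the VIP rather than an IP pool for its source address, and a static route deciding the egress interface) as a FortiOS CLI fragment. This is an added example, not configuration from the poster or from Fortinet; the interface names, object names and addresses (203.0.113.0/24 is documentation space, 10.10.10.0/24 is private space) are assumptions.

```fortios
# Added example, not from the original post. Interface names, object names
# and addresses are assumptions chosen for illustration.

# Dedicated (1:1) VIP: no portforward, so one public address is devoted to
# one internal host.
config firewall vip
    edit "vip-dmz-web-1to1"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.10.10.10"
    next
    # Shared VIP: the public address is only borrowed for TCP/443, so it
    # gives the host behind it no outbound identity.
    edit "vip-dmz-web-443"
        set extip 203.0.113.11
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedip "10.10.10.11"
        set mappedport 443
    next
end

config firewall address
    edit "h-dmz-web"
        set subnet 10.10.10.10 255.255.255.255
    next
end

config firewall policy
    # Inbound: expose only the service the public should reach via the VIP.
    edit 10
        set name "inet-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-dmz-web-1to1"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Outbound: NAT enabled without an IP pool. The reply's point is that,
    # behind a 1:1 VIP, the host's own flows present the VIP's external
    # address; with the shared VIP they would use the wan1 interface address.
    edit 11
        set name "dmz-web-to-inet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "h-dmz-web"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Which line the server's own sessions leave on is decided here, by the
# routing table, not by the VIP.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
    next
end
```

The thing to check after applying something like this is the session table (`diagnose sys session list` filtered on the host) for a flow the server initiates: the translated source address should be the VIP's extip for the 1:1 case. If you instead attach an IP pool to policy 11 whose range overlaps 203.0.113.10, you have the SNAT/DNAT overlap the reply warns against.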
Copyright 2024 Fortinet, Inc. All Rights Reserved.