Hi all, I have the following scenario:

Data Center (fortigate 200D):

internal web app at 192.0.2.1:443 no auth required

internal web app firewall at 192.0.2.2:443 which requires certificate auth and reverse proxies traffic to 192.0.2.1:443

FortiGate "Virtual IP" defined where public IP 1.2.3.4:443 maps to 192.0.2.2:443 (the web app firewall)

DNS for this web app points at the public virtual IP, not an internal IP

Office (fortigate 200D):

40+ subnets downstream of the fortigate routed to it over one VLAN port (Downstream, tagged port1) serving as the next hop router

2  wired networks to physical ports

1  wired network serving wifi access points for non-employees and employees personal devices (port4)

The goal is to have all employees who go to the domain name for the web app hit the app server directly at 192.0.2.1.  The reason DNS points at the public IP is because the employee subnets don't all share the same DNS servers, and overriding with the internal IP on all of them would be impossible.  Some employees even use public DNS servers like Google's, etc. so even if we could override on all the internal DNS systems, it would still not be complete.

So, on the office fortigate, I simply have:

config firewall vip

    edit "WebApp Internal Mapping"

    set extip 1.2.3.4

    set extintf "any"

    set mappedip "192.0.2.1"

  next

end

With this in place, problem almost solved.  All users who are remote and have a proper client cert installed type in the domain name for the app, hit the data center fortigate's virtual IP, access app no problem.  All users at the office, regardless of their DNS settings, also have traffic heading towards the public IP, and then the destination NAT occurs and their traffic instead traverses the VPN and hits the internal application server IP.

The problem is that one single wifi network at the office.  That network is guests, and employees' personal devices, I do not want it destination NAT'd.  A guest or personal device on the wifi network should go to the public IP just as they're trying to and certificate auth just like they were on the internet.

The problem is that 'extintf' set to any value other than any doesn't seem to work.  Even if I set it to a given interface and it did work, I can't add a second instance for another valid interface because it says "The virtual IP is overlapped with another VIP entry".  

Next idea, I found the srcintf-filter directive.  It does not appear to work as intended.  I kept my VIP the same and added:

config firewall vip

    edit "WebApp Internal Mapping"

    set extip 1.2.3.4

    set extintf "any"

    set srcintf-filter "Downstream" "port2" "port3"

    set mappedip "192.0.2.1"

  next

end

That did not change things.  It should have meant the destination NAT only occurs for traffic coming from those three ports, or so I thought, leaving the 'port4' wifi users unaffected.  Traffic from wifi users to 1.2.3.4 never makes it out of the fortigate; sniffing it at the fortigate level shows syn packets to the public IP, no translation, but not passing it either.  I'm guessing it's trying to still do the translation, finding that isn't permitted by rule, and dropping.

I have not yet tried the source address filter, and would prefer not to since I don't really want to have to manually define 40+ networks as allowed, and have to keep adding/removing as the downstream networks change.  If I have to I can but ugh.

Any chance of an opposite of the source address filter, where I can somehow tell the virtual IP definition to not act on one source IP range, or not act on one incoming interface? 

Would a VDOM be a workaround for this?  I could try putting the wifi port in its own VDOM, but then would have to make a virtual interface somewhere with the regular firewall interfaces as a next hop to let it get to internet.