Hi,
I have created a SD-WAN and put 2 WAN links as members in SD-WAN Zone. I want to have Dnat some of my servers and created a virtual IP pointing from Valid IP address of WAN1 to my internal server. Then I went to firewall policy and created a policy to allow Dnat, but when I want to select WAN1 port as incoming interface, it does not show the wan1 port and only shows the SD-WAN port instead. I should mention that I want to Dnat from valid IPs from my WAN1 to internal servers. what is the problem? Thanks.
Solved! Go to Solution.
Hello Reza ,
When you use SD-WAN, create your FW rules as follow :
edit 1
set name "test"
set uuid f7f38e6e-9352-51ee-5ad5-8f27947d6dff
set srcintf "virtual-wan-link"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "test-vip"
set schedule "always"
set service "ALL"
set logtraffic all
next
My VIP is configured as follow :
config firewall vip
edit "test-vip"
set uuid a3363250-9352-51ee-5588-ff8e8949f99f
set extip 1.1.1.2
set mappedip "192.168.1.1"
set extintf "port2"
next
end
SD-WAN:
config members
edit 1
set interface "port2"
set gateway 1.1.1.2
next
edit 2
set interface "port3"
set gateway 2.2.2.1
next
end
When SD-WAN is used, as incoming interface put into your FW rules the SD-WAN interface, as destination configure your VIP.
Best regards,
Fortinet
Hello
That is the normal behavior.
You don't see the WAN interface in firewall policy but you see SD-WAN interface.
And when you want to add DNAT rule you will select WAN port in there.
Hello Reza ,
When you use SD-WAN, create your FW rules as follow :
edit 1
set name "test"
set uuid f7f38e6e-9352-51ee-5ad5-8f27947d6dff
set srcintf "virtual-wan-link"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "test-vip"
set schedule "always"
set service "ALL"
set logtraffic all
next
My VIP is configured as follow :
config firewall vip
edit "test-vip"
set uuid a3363250-9352-51ee-5588-ff8e8949f99f
set extip 1.1.1.2
set mappedip "192.168.1.1"
set extintf "port2"
next
end
SD-WAN:
config members
edit 1
set interface "port2"
set gateway 1.1.1.2
next
edit 2
set interface "port3"
set gateway 2.2.2.1
next
end
When SD-WAN is used, as incoming interface put into your FW rules the SD-WAN interface, as destination configure your VIP.
Best regards,
Fortinet
we have 6 valid IPs purchased for WAN1 and I set the 1.1.1.1/29 portion on wan1 interface. we need all6 ips for VIP, so should add all 6 ips on interface or should create address list for each of them?
Typically you add a VIP/DNAT rule(s) for each public IP so you can map each to an internal server/service.
Thanks. Should I enable Nat for vip policies?
No, you should not enable NAT.
Hello Reza,
What do you mean by ' enable NAT for VIP policies' ? If you mean SNAT(Source NAT ) , it depend if your 'real' server has a route for the return traffic from public IP addresses which access that VIP.
Best regards,
Fortinet
how my public ip could have route to my internal server?
Hi,
It is expected only if you use SDWAN.
However for your VIP (DNAT) configuration you can map your dedicated interfaces .
Your wan interfaces would be listening to the incoming requests from outside.
Yu can also mention it as 0.0.0.0 as external one and it would act accordingly if you want your VIP to be working in both cases.
Thank you.
EMEA TAC
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.