Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
rezafathi
Contributor

WAN Interface not shown in Firewall Policy

Hi,

 

I have created a SD-WAN and put 2 WAN links as members in SD-WAN Zone. I want to have Dnat some of my servers and created a virtual IP pointing from Valid IP address of WAN1 to my internal server. Then I went to firewall policy and created a policy to allow Dnat, but when I want to select WAN1 port as incoming interface, it does not show the wan1 port and only shows the SD-WAN port instead. I should mention that I want to Dnat from valid IPs from my WAN1 to internal servers. what is the problem? Thanks.

Reza F.
Reza F.
1 Solution
syordanov
Staff
Staff

Hello Reza ,

 

When you use SD-WAN, create your FW rules as follow :

 

 

edit 1
set name "test"
set uuid f7f38e6e-9352-51ee-5ad5-8f27947d6dff
set srcintf "virtual-wan-link"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "test-vip"
set schedule "always"
set service "ALL"
set logtraffic all
next

 

My VIP is configured as follow :

 

config firewall vip
edit "test-vip"
set uuid a3363250-9352-51ee-5588-ff8e8949f99f
set extip 1.1.1.2
set mappedip "192.168.1.1"
set extintf "port2"
next
end

 

SD-WAN:

 

config members
edit 1
set interface "port2"
set gateway 1.1.1.2
next
edit 2
set interface "port3"
set gateway 2.2.2.1
next
end

 

When SD-WAN is used, as incoming interface put into your FW rules the SD-WAN interface, as destination configure your VIP.

 

Best regards,

 

Fortinet

.

View solution in original post

9 REPLIES 9
AEK
Honored Contributor

Hello

That is the normal behavior.

You don't see the WAN interface in firewall policy but you see SD-WAN interface.

And when you want to add DNAT rule you will select WAN port in there.

AEK
AEK
syordanov
Staff
Staff

Hello Reza ,

 

When you use SD-WAN, create your FW rules as follow :

 

 

edit 1
set name "test"
set uuid f7f38e6e-9352-51ee-5ad5-8f27947d6dff
set srcintf "virtual-wan-link"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "test-vip"
set schedule "always"
set service "ALL"
set logtraffic all
next

 

My VIP is configured as follow :

 

config firewall vip
edit "test-vip"
set uuid a3363250-9352-51ee-5588-ff8e8949f99f
set extip 1.1.1.2
set mappedip "192.168.1.1"
set extintf "port2"
next
end

 

SD-WAN:

 

config members
edit 1
set interface "port2"
set gateway 1.1.1.2
next
edit 2
set interface "port3"
set gateway 2.2.2.1
next
end

 

When SD-WAN is used, as incoming interface put into your FW rules the SD-WAN interface, as destination configure your VIP.

 

Best regards,

 

Fortinet

.
rezafathi
Contributor

we have 6 valid IPs purchased for WAN1 and I set the 1.1.1.1/29 portion on wan1 interface. we need all6 ips for VIP, so should add all 6 ips on interface or should create address list for each of them?

Reza F.
Reza F.
AEK
Honored Contributor

Typically you add a VIP/DNAT rule(s) for each public IP so you can map each to an internal server/service.

AEK
AEK
rezafathi

Thanks. Should I enable Nat for vip policies?

Reza F.
Reza F.
AEK
Honored Contributor

No, you should not enable NAT.

AEK
AEK
syordanov

Hello Reza,

 

What do you mean by ' enable NAT for VIP policies' ? If you mean SNAT(Source NAT ) , it depend if your 'real' server has a route for the return traffic from public IP addresses which access that VIP.

 

Best regards,

 

Fortinet

.
rezafathi

how my public ip could have route to my internal server?

Reza F.
Reza F.
princes

Hi,

It is expected only if you use SDWAN.

However for your VIP (DNAT) configuration you can map your dedicated interfaces .

Your wan interfaces would be listening to the incoming requests from outside.

Yu can also mention it as 0.0.0.0 as external one and it would act accordingly if you want your VIP to be working in both cases.

 

Thank you.

EMEA TAC

Top Kudoed Authors