Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
20twenty
New Contributor

v3 MR2 problem with IP pools

Anybody else found that when a policy uses an IP pool with only 1 IP address in it, no traffic is passed? Fairly fundamental fault which makes this release absolutely useless.
thors_hammer
New Contributor

Hi! We have the same problem on our FortiGate 800. We "fixed" it by using IP pools with 2 or more IPs or static NAT onto the IP of the external interface. But that cannot be the solution...

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3
Not applicable

I also have FW rules with one IP in an address pool; they work fine. What firmware version are you using?
thors_hammer
New Contributor

Hi Servit, firmware is 3 MR2, updated from 2.8 MR11...

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3
thors_hammer

OK, problem is solved! We had IP pools with IPs that were configured as virtual IPs too. We did it to NAT systems with inbound and outbound connections to the same src/dest address. In OS 2.8 MR11 no problem, but in OS 3.0.

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3

Hi thors, we also have IP pools with IPs that were configured as virtual IPs too (mail server, etc). In 2.80 that was the only way I could find to make the mail server send SMTP using the same IP on which it listens. How can we do this in v3?
thors_hammer
New Contributor

Hi Jose, just configure the virtual IP for the mail server and create 2 firewall policies: an inbound one (internet to virtual IP) and an outbound one (internal mail server IP to internet). In the outbound policy just check "nat" without using a dynamic IP pool.

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3
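A FortiOS CLI rendering of the setup thors_hammer describes, added here as an illustration and not configuration posted in the thread: the interface names, the 203.0.113.25 / 192.168.10.25 addresses, the object names and the policy IDs are placeholders, and the keywords assume FortiOS 4.x-style syntax that should be checked against the release actually deployed.

```fortios
# Constructed example (not from the thread). Interface names, addresses,
# object names and policy IDs are placeholders; keyword syntax is assumed
# to match FortiOS 4.x and must be verified for the firmware in use.

# Internal address object for the mail server
config firewall address
    edit "host-mail"
        set type ipmask
        set subnet 192.168.10.25 255.255.255.255
    next
end

# Static one-to-one VIP: public 203.0.113.25 maps to the mail server
config firewall vip
    edit "vip-mail"
        set extip 203.0.113.25
        set extintf "wan1"
        set mappedip 192.168.10.25
    next
end

config firewall policy
    # Inbound: Internet -> VIP (destination NAT through the VIP object)
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-mail"
        set action accept
        set schedule "always"
        set service "SMTP"
    next
    # Outbound: mail server -> Internet with NAT enabled and NO IP pool.
    # The VIP supplies the source address (203.0.113.25), so no ippool
    # overlapping the VIP address is needed; that overlap is what the
    # thread reports as breaking forwarding on 3.0 MR2.
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "host-mail"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
    next
end
```

Keeping any remaining `config firewall ippool` ranges disjoint from the VIP addresses avoids the condition described earlier in the thread, and restricting the outbound policy to the SMTP service keeps the mail host from using the public address for anything else.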

Hi Thors, I've tried this in v2.80 and the outbound IP was the IP of the external interface of the FG unit, not the one of the VIP created for this server. Has it changed in v3.00?
thors_hammer
New Contributor

Hi Jose, it seems to have changed, because our outbound connections are NAT'ed to the external virtual IPs. In 2.8 the dynamic IP pools were configured for outbound connections.

multiple 30B / 40C / 60(B) / 80C / 100A / 200(A/B) / 600C 4.0 MR3

OK, I will try. Thanks a lot, Thors