Description
Solution
This article shows how the use of a hairpin can allow an application on a server to browse a webpage hosted within itself.
In this example the FortiGate sends server’s queries to its own assigned public IP address, from Internal to Internal interface.
In this example the FortiGate sends server’s queries to its own assigned public IP address, from Internal to Internal interface.
Solution
1. Configure a VIP mapping WAN interface to the remote site's IP address.
2. Configure an IPv4 policy from Internal to WAN redirecting traffic over this port using the VIP.
3. Configure a policy route to force all traffic meant for that service back to the server.
config firewall vip
edit "PublicServer"
set extip [public_ip-address]
set extintf "wan1"
set portforward enable
set mappedip "[server_ip-address]"
set extport [service_port]
set mappedport [service_port]
next
end
2. Configure an IPv4 policy from Internal to WAN redirecting traffic over this port using the VIP.
config firewall policy
edit [policy_ID]
set srcintf "Internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "PublicServer"
set action accept
set schedule "always"
set service "[service]"
set nat enable
next
end
3. Configure a policy route to force all traffic meant for that service back to the server.
config router policy
edit 1
set input-device "Internal"
set src "[server_ip-address]/255.255.255.255"
set dst "[server_ip-address]/255.255.255.255"
set protocol 6
set start-port [service_port]
set end-port [service_port]
set gateway [wan1_DG]
set output-device "Internal"
next
end
Labels: