Description
This article describes why, after adding the source geography address GEO-USA to the VIP policy so that only users from the USA can access the local server, internal users in the same subnet can no longer reach the server using its public IP address.
Topology:
Existing configuration:
config firewall address
    edit "192.168.198.0"
        set subnet 192.168.198.0 255.255.255.0
    next
end

config firewall vip
    edit "access-server"
        set extip 10.9.1.38
        set mappedip "192.168.198.2"
        set extintf "port1"
        set portforward enable
        set protocol icmp
    next
end

config firewall policy
    edit 4
        set name "Access Server"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "GEO-USA"
        set dstaddr "access-server"
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set name "Internet"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "192.168.198.0"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
Scope
FortiGate.

Solution
The internal hosts reach the server through the same public IP, but their source address is not covered by GEO-USA, so policy 4 does not match them. Add a second policy that allows the internal subnet to reach the VIP:
config firewall policy
    edit 5
        set name "Access Server 2"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "192.168.198.0"
        set dstaddr "access-server"
        set schedule "always"
        set service "ALL"
    next
end

Verify the result with the debug flow while an internal host (192.168.198.3) pings the public IP 10.9.1.38:

di de flow filter clear
di de flow filter proto 1
di de flow trace start 100
di de en

id=65308 trace_id=32 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.3:1->10.9.1.38:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=41."
id=65308 trace_id=32 func=init_ip_session_common line=6049 msg="allocate a new session-0007f5df, tun_id=0.0.0.0"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.198.2, port-1"
id=65308 trace_id=32 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find SNAT: IP-10.9.1.38(from IPPOOL), port-60417"
id=65308 trace_id=32 func=fw_pre_route_handler line=176 msg="VIP-192.168.198.2:1, outdev-unknown"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3498 msg="DNAT 10.9.1.38:8->192.168.198.2:1"
id=65308 trace_id=32 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.198.2 via port2"
id=65308 trace_id=32 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=82, len=3"
id=65308 trace_id=32 func=fw_forward_handler line=922 msg="Allowed by Policy-5: SNAT"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3485 msg="SNAT 192.168.198.3->192.168.198.1:60417"
id=65308 trace_id=33 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.2:60417->192.168.198.1:0) tun_id=0.0.0.0 from port2. type=0, code=0, id=60417, seq=41."
id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0007f5df, reply direction"
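Reading a long debug flow by hand is error-prone when checking which policy admitted a hairpin session. The following Python helper is an added example, not part of this Fortinet article: it groups `diagnose debug flow` lines by trace_id and extracts the ingress interface, DNAT/SNAT translations, routed egress interface and the matching policy; the embedded sample lines are a subset of the trace shown above.

```python
import re
from collections import OrderedDict

# Sample lines taken from the trace above (trace_id 32 = request, 33 = reply).
SAMPLE_TRACE = """\
id=65308 trace_id=32 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.3:1->10.9.1.38:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=41."
id=65308 trace_id=32 func=get_new_addr line=1228 msg="find DNAT: IP-192.168.198.2, port-1"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3498 msg="DNAT 10.9.1.38:8->192.168.198.2:1"
id=65308 trace_id=32 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.198.2 via port2"
id=65308 trace_id=32 func=fw_forward_handler line=922 msg="Allowed by Policy-5: SNAT"
id=65308 trace_id=32 func=__ip_session_run_tuple line=3485 msg="SNAT 192.168.198.3->192.168.198.1:60417"
id=65308 trace_id=33 func=print_pkt_detail line=5868 msg="vd-root:0 received a packet(proto=1, 192.168.198.2:60417->192.168.198.1:0) tun_id=0.0.0.0 from port2. type=0, code=0, id=60417, seq=41."
id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-0007f5df, reply direction"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) .* from (\S+)\.')
NAT_RE = re.compile(r'^(DNAT|SNAT) (\S+)->(\S+)$')
POLICY_RE = re.compile(r'^(Allowed|Denied) by Policy-(\d+)')
REPLY_RE = re.compile(r'Find an existing session, id-(\w+), reply direction')

def parse_flow_trace(text):
    """Group debug-flow lines by trace_id and collect the forwarding decisions."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"trace_id": tid})
        if (p := PKT_RE.search(msg)):
            t.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif (n := NAT_RE.match(msg)):
            # Stored as (before, after) under the key "dnat" or "snat".
            t[n.group(1).lower()] = (n.group(2), n.group(3))
        elif (pol := POLICY_RE.match(msg)):
            t.update(verdict=pol.group(1).lower(), policy=int(pol.group(2)))
        elif (r := REPLY_RE.search(msg)):
            t.update(existing_session=r.group(1), direction="reply")
        elif "find a route" in msg and "via " in msg:
            t["egress"] = msg.rsplit("via ", 1)[1]
    return list(traces.values())

def hairpin_traces(traces):
    """Traces that were DNATed and leave on the interface they arrived on (hairpin NAT)."""
    return [t for t in traces if "dnat" in t and t.get("ingress") == t.get("egress")]
```

For the trace above, the request (trace_id 32) is reported as a hairpin session allowed by policy 5 with DNAT to 192.168.198.2 and SNAT to 192.168.198.1; the reply (trace_id 33) is matched to the existing session.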
Copyright 2024 Fortinet, Inc. All Rights Reserved.